
Komodia ring-0 rootkit Analysis (any malware that privescs could install it and use it)


First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this.

The Komodia rootkit reads its config from a registry value whose path is hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough: an array of the following structure (Windows header types):

    struct {
        DWORD type;         // 1, 2 or 3, see below
        BYTE  unknown[32];  // I don't see anywhere that the driver actually *reads* any of this part,
                            // at least, not after writing to it first.
        char *path;         // wildcard pattern for the protected object (registry path or image path)
    };

type can be 1, 2 or 3, where 1 = protect registry, 2 = protect process, and 3 I'm not sure of; probably protect file if the installed driver(s) support that.

Naturally, a config like this is easy to abuse by any malware that can escalate privileges by whatever means: it only has to add its own entries to the Data value, and from then on the driver protects the attacker's processes and registry keys exactly as it protects Qustodio's. Frankly, the rootkit drivers had better start getting detected.
https://www.virustotal.com/en/file/b64b4f53fa722774cd54bea59e40a1f3d08817e394495737195aa83507878caa/analysis/1424467067/ - x86 driver
https://www.virustotal.com/en/file/93f8cdef02c711b39b49fa0df55f2b7ddd260a9d327205e3b6039c0aba4c5e32/analysis/1424467119/ - x64 file protection driver
https://www.virustotal.com/en/file/7127739aebbd4e62f5f37fa6362d41d2855c1c0558cac76bdf13f035e2eb28d3/analysis/1424467156/ - x64 registry/process protection driver

By default the config (in Qustodio) protects the following process image paths and registry patterns (* is a wildcard):

C:\Program Files\Qustodio\qapp\QAppTray.exe
C:\Program Files\Qustodio\qapp\QUpdateService.exe
C:\Program Files\Qustodio\qproxy\qengine.exe
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwd
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwd\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwd
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwd\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdr64
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdr64\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdr64
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdr64\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdf64
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdf64\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdf64
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdf64\*
HKEY_LOCAL_MACHINE\SOFTWARE\Qustodio
HKEY_LOCAL_MACHINE\SOFTWARE\Qustodio\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Qustodio
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Qustodio\*
HKEY_CURRENT_USER\SOFTWARE\Qustodio
HKEY_CURRENT_USER\SOFTWARE\Qustodio\*
HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Qustodio
HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Qustodio\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\TimeZoneInformation
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\TimeZoneInformation\*
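To make the config format and the abuse concrete, here is an added model written for this write-up (it is not the driver's code and not Qustodio's): it mirrors the per-entry structure described above, loads a subset of the default rules from the list, and evaluates probe paths against them, then appends an attacker-controlled pattern the way a privileged intruder editing the Data value would. The case-insensitive, "* matches any run of characters including backslashes" matching semantics, the PROTECT_FILE meaning of type 3, and the Run-key pattern and value name are all assumptions constructed for the example; the post does not document the driver's real matcher.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Windows header types, so the struct mirrors the per-entry layout described above. */
typedef unsigned int  DWORD;
typedef unsigned char BYTE;

/* 1 and 2 as described above; PROTECT_FILE (3) is the post's guess. */
enum { PROTECT_REGISTRY = 1, PROTECT_PROCESS = 2, PROTECT_FILE = 3 };

typedef struct {
    DWORD type;
    BYTE  unknown[32];   /* never read back by the driver, per the analysis above */
    char *path;          /* wildcard pattern, e.g. HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwd */
} KomodiaConfigEntry;

/* Case-insensitive glob where '*' matches any run of characters, backslashes included.
   ASSUMPTION: the simplest semantics consistent with the default rule list. */
static int glob_match(const char *pattern, const char *s)
{
    const char *star = NULL, *mark = NULL;
    while (*s) {
        if (*pattern == '*') {
            star = pattern++;
            mark = s;
        } else if (*pattern && tolower((unsigned char)*pattern) == tolower((unsigned char)*s)) {
            pattern++;
            s++;
        } else if (star) {
            pattern = star + 1;   /* let the last '*' absorb one more character */
            s = ++mark;
        } else {
            return 0;
        }
    }
    while (*pattern == '*')
        pattern++;
    return *pattern == '\0';
}

/* Index of the first entry of the given type whose pattern matches, or -1. */
int komodia_find_rule(const KomodiaConfigEntry *cfg, size_t n, DWORD type, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (cfg[i].type == type && glob_match(cfg[i].path, path))
            return (int)i;
    return -1;
}

int komodia_is_protected(const KomodiaConfigEntry *cfg, size_t n, DWORD type, const char *path)
{
    return komodia_find_rule(cfg, n, type, path) >= 0;
}

/* Append one entry, as an intruder editing the Data value would. Returns the new count. */
size_t komodia_append(KomodiaConfigEntry *cfg, size_t n, size_t cap, DWORD type, const char *path)
{
    if (n >= cap)
        return n;
    cfg[n].type = type;
    memset(cfg[n].unknown, 0, sizeof cfg[n].unknown);
    cfg[n].path = (char *)path;
    return n + 1;
}

/* Subset of the default Qustodio rules listed above. */
const KomodiaConfigEntry g_default_cfg[] = {
    { PROTECT_PROCESS,  {0}, "C:\\Program Files\\Qustodio\\qapp\\QAppTray.exe" },
    { PROTECT_REGISTRY, {0}, "HKEY_LOCAL_MACHINE\\SYSTEM\\*\\Services\\qwd" },
    { PROTECT_REGISTRY, {0}, "HKEY_LOCAL_MACHINE\\SYSTEM\\*\\Services\\qwd\\*" },
    { PROTECT_REGISTRY, {0}, "HKEY_LOCAL_MACHINE\\SOFTWARE\\Qustodio\\*" },
};
const size_t g_default_cfg_len = sizeof g_default_cfg / sizeof g_default_cfg[0];

/* Constructed abuse scenario (not from the post): a persistence key that is not in the
   defaults becomes protected once an attacker-controlled pattern is appended. */
#define EVIL_RUN_PATTERN "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
#define EVIL_RUN_VALUE   "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"

int demo_attacker_extension(void)
{
    KomodiaConfigEntry cfg[8];
    memcpy(cfg, g_default_cfg, sizeof g_default_cfg);
    size_t n = g_default_cfg_len;

    int before = komodia_is_protected(cfg, n, PROTECT_REGISTRY, EVIL_RUN_VALUE);
    n = komodia_append(cfg, n, sizeof cfg / sizeof cfg[0], PROTECT_REGISTRY, EVIL_RUN_PATTERN);
    int after = komodia_is_protected(cfg, n, PROTECT_REGISTRY, EVIL_RUN_VALUE);
    return !before && after;   /* 1 only when the appended rule is what made it protected */
}

int main(void)
{
    const char *probes[] = {
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\qwd\\Data",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\qwdr64",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%s -> rule %d\n", probes[i],
               komodia_find_rule(g_default_cfg, g_default_cfg_len, PROTECT_REGISTRY, probes[i]));
    printf("attacker-appended Run pattern takes effect: %d\n", demo_attacker_extension());
    return 0;
}
```

Note that the matcher is type-aware: a registry probe never matches a process entry even if the string is identical, which is why the type field matters as much as the path when reviewing an on-disk config for foreign entries.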

If anyone wants to independently confirm my findings, go install Qustodio in a VM, and make sure you tick the "Hide Qustodio on this device" box, as that installs the ring-0 rootkit. Reboot into Hiren's BootCD or some other WinPE, change one of the registry strings in the config to your own wildcard string. Reboot and watch as the rootkit protects your own registry keys/values!
