Introduction: The HIKIT Rootkit Analysis
Malware (viruses, worms, rootkits, etc.) is one of the most important components of complex attacks. Malware is among the attacker's most indispensable tools, particularly in the attacks known as APTs (Advanced Persistent Threats), in which many different attack vectors are combined.
Such malware is mostly written by people with advanced knowledge of the subject, working for organized crime groups. Targeted malware must defeat several security mechanisms in order to reach its specific goal.
This means that the techniques and structures used in such malware are complicated. Accordingly, malicious code analysis is not only difficult and laborious work; it also requires advanced technical knowledge.
APT and Target
Discovered by Mandiant, HIKIT is a type of malware that allows an attacker to take control of a remote system. HIKIT is an advanced, intelligence-gathering malware that performs its functionality entirely at kernel level.
The interesting point is that the "intelligence" this malware gathers belongs to contractors and subcontractors of the United States Department of Defense. It collects a variety of data about organizations, among them companies that appear on the SBIR/STTR list.
For the technical analysis of HIKIT we have only one object, a file named "oci.dll". We confirmed that "oci.dll" was not packed or otherwise compressed. Working from this object, we observe that the executable embeds further files under different names. An interesting "string" found in the malware draws our attention first.
This string is the path of the file containing the malware's "debug" symbols, as it existed on the computer of the individual who developed the malware. From it we can see both the name the developer gave the malware, "RServer", and its location on the developer's computer. With this information in hand, the phases of the malware's installation process are as follows:
- In the first phase, a "dropper" installs the file named "oci.dll".
- The DLL installs the signed driver module into the system at kernel level.
- The module installed at kernel level waits for a command from the attacker.
How these phases are carried out is shown in the figure. The malware, delivered to users by various means, waits to communicate with the attacker, who connects from behind a "proxy".
After all these steps we can begin the analysis with the data we have obtained. First of all, we need the most basic information about the executable file, so we start analyzing the malware from the most basic steps.
As seen in the picture above, the "oci.dll" file contains a file named "w2fw.sys". This shows more clearly that the malware contains a rootkit. Rootkits operate at kernel level, and analyzing them is harder than analyzing other (user-mode) malware.
Code Signing Mechanism
Before describing the subsequent activities, one concept that must be understood is code signing. Microsoft uses a technique called code signing to determine whether modules to be executed at kernel level are trustworthy. The signature states that the module loaded into the kernel is a trusted, approved module.
An interesting finding during the analysis is that the *.inf files are signed with GlobalSign certificates. GlobalSign was in the news with a "hacking" claim in 2011; it suspended its services for a while over the suspicion that certificates had been stolen from its servers. The claims that "GlobalSign was hacked" appeared in early September 2011, and when the "timestamp" information of the file in hand is examined, its last modification date points to October.
We already stated that this malware, classed as a rootkit, executes at kernel level. As is known, .inf files contain the information on how a driver is to be installed. Now that we know GlobalSign certificates are applied to the malicious file, we can see that the malware added itself to the system as signed code in order to execute operations at kernel level.
As seen above, the malware contains a function that performs various registrations and modifications in the Windows Registry. As soon as this function completes, the other routines belonging to the infection process begin to run.
Malware & Attacker Communication
Beyond this information, we obtain more interesting data when we open the malicious file for analysis. For example, once the infection steps are complete, the malware can contact the attacker to receive commands.
The "disassembly" output shown above belongs to the routine that is run so that the attacker can connect to the target system. We can see that several operations are performed for the connection to be completed: if a keyword is present in the packets when the connection is established, the attacker's connection process is completed.
More technically, the malware installs itself at NDIS level to monitor incoming packets and adds itself to the system as a virtual network adapter. By inspecting every packet received by the network interface, it searches for a specific pattern among the packets.
During this connection process the attacker connects to the target via ports 80 and 443. In firewall rules, ports 80 (HTTP) and 443 (HTTPS) are among the permitted ports. This means the malicious code has access to the target by bypassing firewall software or devices.
The interesting point in this phase is that the malware does not contact any command-and-control server or the attacker's computer. Instead, HIKIT waits for the attacker by monitoring all traffic on the machine it has infected for an incoming keyword.
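One defensive check that follows from this behaviour, as an added example that is not part of the original analysis: a first-packet heuristic over constructed flow records that flags sessions to ports 80 and 443 whose opening bytes are neither an HTTP request line nor a TLS ClientHello, which is what a keyword-triggered backdoor on those ports would look like in traffic. The flow records, the "TRIGGER-PLACEHOLDER" text and the function names are assumptions, not values taken from HIKIT.

```python
from typing import List, Tuple

# Constructed flow records (src_ip, dst_port, first client bytes); not captured HIKIT traffic.
# "TRIGGER-PLACEHOLDER" stands in for the real keyword, which this page does not give.
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.6", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello
    ("203.0.113.7", 80, b"TRIGGER-PLACEHOLDER shell\r\n"),                 # keyword, not HTTP
    ("203.0.113.8", 443, b"\x05\x01\x00"),                                  # SOCKS5 greeting, not TLS
    ("10.0.0.9", 22, b"SSH-2.0-OpenSSH\r\n"),                               # other port, ignored
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def looks_like_http(payload: bytes) -> bool:
    # A request line is "<METHOD> <target> HTTP/1.x" terminated by CRLF.
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and b" HTTP/1." in first_line

def looks_like_tls_client_hello(payload: bytes) -> bool:
    # Record header: type 0x16 (handshake), major version 0x03, 2-byte length;
    # the first handshake message byte (offset 5) is 0x01 for ClientHello.
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01

def classify(dst_port: int, payload: bytes) -> str:
    # Only the two firewall-permitted ports the analysis names are checked.
    if dst_port == 80:
        return "ok" if looks_like_http(payload) else "suspicious: non-HTTP bytes on 80"
    if dst_port == 443:
        return "ok" if looks_like_tls_client_hello(payload) else "suspicious: non-TLS bytes on 443"
    return "ignored"

def find_suspicious(flows):
    # Return (src_ip, dst_port, verdict) for every flow whose first bytes break protocol expectations.
    hits = []
    for src, port, data in flows:
        verdict = classify(port, data)
        if verdict.startswith("suspicious"):
            hits.append((src, port, verdict))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_FLOWS):
        print(*hit)
```

The heuristic only inspects the first client bytes of a session, so a real deployment needs full-session tracking and tolerant parsing (HTTP/2 prior knowledge, legitimate non-HTTP services on port 80) to keep false positives down.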
We can obtain a visual result of which values the aforementioned routines take and where they lead. The following figure clearly shows which function leads to which result; accordingly, the information about which routines are involved in establishing contact is available in this diagram.
Once contact is made, the malware allows several commands to be executed for remote access. This refers only to the commands implemented by the malicious code itself; the commands the attacker then runs on the target are those defined by the operating system. The "shell" command, which we encountered among the commands available after contact while following the machine code, creates a command line on the remote machine.
This means that every command an ordinary or privileged user can run on the operating system can be issued to the backdoor installed by the attacker. In short, by opening a "command prompt" for the attacker, it lets the attacker run whatever commands serve his purpose on the system.
When the "file" command, seen below, is executed, it communicates with the driver. Through it the attacker can read files, change file permissions, create directories and list directories. As a result, once the malicious code completes the infection process, the attacker gains full-privilege access to the system.
The "disassembly" above relates to the implementation of the operations mentioned previously. Another feature of the malicious code is the attacker's ability to make contact through a SOCKS5 proxy.
This feature, which drew our attention while analyzing the malicious code, is a function embedded by the attacker to communicate via a proxy. As a result, tracking the attacker becomes harder because the connection is more obscure.
The "strings" belonging to the program are shown below. Some of the data obtained at the beginning of the article appears here as well. All "string" values contained in the program can be found in the analysis report.
It is almost certain that this software, published and identified by Mandiant, is part of an APT attack. Its stated aim was to gather intelligence and information about companies contracted with the U.S. Department of Defense. HIKIT was programmed to remain persistent on the systems it infects and, during that time, to turn those systems into the attacker's slaves. Similar examples of APT attacks are increasing today. As mentioned before, it is quite difficult to detect malicious code at NDIS driver level, and the APT attack it serves.
The technique described above, which allows the attacker to contact the system by means of a specific pattern, is quite old and hard to detect. Detecting this sort of attack is, in some cases, only possible through "network traffic analysis". As observed during the analysis, software and devices such as firewalls and anti-virus are ineffective against these kinds of attacks.
The organizations that suffer from such attacks and the companies that develop security products are fully aware of the situation. Beyond classic security products such as firewalls and anti-virus, organizations must pay attention to different solutions in order to detect APT attacks.
Attachment : The HIKIT Rootkit Analysis (Part1)