Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Hello everyone! My name is Peter Sherman.
- My email address is peter.d.sherman@gmail.com
- Here is a series of notes I took in the past to
- attempt to remove an apparently particularly nasty
- piece of persistent Windows 7 stealth malware
- on my HP Pavilion
- (although, I'm pretty sure I didn't succeed...).
- The problem is apparently twofold:
- 1) This piece of malware is known by various names/variants
- 2) 99.9% of the articles on the web DO NOT CONTAIN most of
- the important information, in ONE PLACE.
- That is, you'll get a teensy bit of information here, a
- teensy bit of information there... and you'll typically
- get a whole bunch of opinions, many of which trivialize
- the depth or severity of the problem, and/or are just
- plain ill-informed.
- That is, most haven't done in-depth research.
- Advice: DO YOUR OWN IN-DEPTH RESEARCH AND AVOID THE SIMPLE
- OPINIONS!
- Take Mike Abrash's advice and DO NOT ASSUME!
- So, without further ado, I present the notes I've put
- together (thus far) on it:
- First off, some of the various things you can search for:
- LoJack / Strontium / Bluehat 18 / F78D2524 STOP (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000)
- 2019-01-30
- * This video seems to be the best one I've seen
- thus far on how to remove LoJack:
- https://www.youtube.com/watch?v=VeoXT0nEcFU
- also:
- https://www.slideshare.net/MSbluehat/bluehat-v18-first-strontium-uefi-rootkit-unveiled
- Related Words/Terms For Further Google (Re)search:
- autochk.exe / autoche.exe <- (misspelling intentional)
- rpcnetp.exe
- search.namequery.com
- remotepx.net 103.41.177.43 (old)
- rdsnet.com 185.86.148.18 (new)
- \xd1\x35\x71\x17 -> 209.53.113.23
- Sednit old domains became Lojax domains)
- XAgent v3
- Xtunnel
- XAgent v4
- LoJack/LoJax
- Absolute Software
- Microsoft Security Response Center (MSRC)
- Jean-Ian Boutin, ESET
- Frédéric Vachon, ESET
- BlueHat v18
- Strontium
- ESET
- RtlInitUnicode(...) // sets unicode string
- NtOpenKey(...)
- NtSetValueKey(...) // sets registry key
- "Remote Procedure Call (RPC) Net"
- \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager
- "BootExecute"
- C:\\Windows\SysWOW64\\rpcnetp.exe
- C:\\Windows\System32\\rpcnetp.exe
- Also, it mentions several tools that seem to
- appear over and over again:
- RWEverything
- info_efi.exe
- ReWriter_read.exe ("The first tool that really put us on the right
- path was this one" -- Tool to dump SPI flash
- memory content found alongside LoJax sample)
- IOCTL Descr
- 0x22280c Writes to memory mapped I/O space
- 0x222808 Reads from memory mapped I/O space
- 0x222840 Reads a dword from given PCI configuration register
- 0x222834 Writes a byte to given PCI configuration register
- o Log information on BIOS_CNTL register
- o Locate BIOS region base address
- o Read UEFI firmware content and dump it to a file
- Reading SPI Flash
- -Write bytes to be read into HSFC (FDBC = size -1)
- -Set HSFC to the read command (FCYCLE = 0b00)
- -(3)Write the address to read in the HSFC (FADDR)
- -Write 1 to Flash Cycle Go (FGO)
- -Wait for SPI read cycle completion (HSFS->SCIP == 0)
- -Read data from FDATAX register
- LOOP to (3) above...
- ReWriter_binary.exe -- slide 51 -- according to authors,
- this adds the rootkit to the firmware
- (how exactly?), and writes it back
- to the SPI flash memory...
- Driver Execution Enivronment (DXE) Drivers
- o PE/COFF images
- o Abstract the hardware
- o Produce UEFI standard interface
- o Register new services (protocols)
- o Loaded during the DXE phase of the Platform
- initialization
- o Loaded by the DXE dispatcher (DXE Core)
- (PDS -- Why does this remind me of the movie "The Net"?)
- UEFI firmware layout
- o Located in the BIOS region of the SPI flash memory
- o Contains multiple volumes
- -Volumes contain files identified by GUIDs
- -File contains sections
- -One of these sections is the actual UEFI image
- -It's more complex than that but it suffices for our
- purpose
- UEFITool is recommended software:
- https://github.com/LongSoft/UEFITool
- "UEFITool is a cross-platform C++/Qt program for parsing,
- extracting and modifying UEFI firmware images. It supports
- parsing of full BIOS images starting with the flash
- descriptor or any binary files containing UEFI volumes.
- Original development was started here at MDL forums as a
- cross-platform analog to PhoenixTool's structure mode with
- some additional features, but the program's engine was
- proven to be usefull for another projects like UEFIPatch,
- UBU and OZMTool."
- Apparently in UEFITool, we see that SPI flash memory
- has a BIOS region, and a ME Region.
- (I am not exactly sure what a "Region" is yet...)
- One region subtype is "FFSv2"... Google...
- FFSv2 seems to be equivalent to UFS2 (Unix File System 2).
- It's related to BSD/NetBSD, apparently FFS was created
- in 1983 for 4.2BSD.
- According to Wikipedia:
- "In UFS2, Kirk McKusick and Poul-Henning Kamp extended the
- FreeBSD FFS and UFS layers to add 64-bit block pointers
- (allowing volumes to grow up to 8 zebibytes),
- variable-sized blocks (similar to extents), extended flag
- fields, additional 'birthtime' stamps, extended attribute
- support and POSIX1.e ACLs. UFS2 became the default UFS
- version starting with FreeBSD 5.0. FreeBSD also introduced
- soft updates and the ability to make file system snapshots
- for both UFS1 and UFS2. These have since been ported to
- NetBSD, but eventually soft updates (called soft
- dependencies in NetBSD) was removed from NetBSD 6.0 in
- favor of the less complex file system journaling mechanism
- called WAPBL (also referred as logging), which was added
- to FFS in NetBSD 5.0. OpenBSD has supported soft updates
- since version 2.9[3] and has had UFS2 (FFS2) support
- (no ACLs) since version 4.2.[4] Since FreeBSD 7.0, UFS
- also supports filesystem journaling using the gjournal
- GEOM provider. FreeBSD 9.0 adds support for lightweight
- journaling on top of soft updates (SU+J), which greatly
- reduces the need for background fsck, and NFSv4 ACLs."
- (So, what's that BSD-ish thing doing on my PC?)
- What follows is copies of the notes from slides in
- the presentation, but after this there are some
- additional notes by me about my troubles with
- Windows XP...
- Slide 64:
- Parsing the firmware volumes
- o Parses all the firmware volumes of the UEFI firmware
- o Looks for 4 specific files:
- Ip4Dxe (81929601-2880-4659-b857-915a8901bdc8)
- NtfsDxe (768bedfd-7b4b-4c91-b2ff-6377e3387243)
- SmiFlash (bc327dbd-b982-4f55-9179-056ad7e987c5)
- DXE Core
- (Note these GUIDs were OCR'd and could be wrong by one
- by one or more values...)
- Slide 65:
- Ip4Dxe and DXE Core
- o Used to find the firmware volume to install the rootkit
- o DXE drivers are usually all in the same volume
- o DXE Core may be in a different volume
- o The chosen volume will be the one with enough free
- space available
- Slide 66:
- NtfsDxe and SmiFlash
- o NtfsDxe the AMI NTFS driver
- o Will be removed if found
- o SmiFlash metadata are not used
- o SmiFlash is a known-vulnerable DXE driver
- Slide 67:
- Adding the rootkit
- o Creates a FFS file header (EFI_FFS_FILE_HEADER)
- o Append the Rootkit file
- (See slide for screenshot)
- ((Note, there's a GUID here, starts with
- 682894B5...)
- o Write it at the end of the DXE drivers volume or the
- DXE Core volume
- o Checks if there's enough free space available
- Slide 68:
- Write the compromised firmware to the SPI Flash memory
- Slide 69
- BIOS Write Protection Mechanisms
- o Platform exposes write protection mechanisms
- o Need to be properly configured by the firmware
- o We'll only cover relevant protections to our research
- o Won't cover Protected Range Registers
- o Exposed via the BIOS Control Register (BIOS_CNTL)
- (See slides for Image)
- 13.1.33 BIOS_CNTL-BIOS Control Register
- (LPC I/F-D31:F0)
- Offset Address: DCh Attribute: R/WLO, R/W, RO
- Default Value: 20h Size: 8 bit
- Lockable: No Power Well: Core
- Slide 70-71
- BIOS Write Protection Mechanisms
- o To write to the BIOS region BIOS Write Enable
- (BIOSWE) must be set to 1
- o BIOS Lock Enable (BLE) allows to lock BIOSWE to 0
- BIOS Lock Enable (BLE) - R/WLO.
- 0 = Setting the BIOSWE will not cause SMI's.
- 1 = Enables setting the BIOSWE bit to cause SMI's.
- Once set, this bit can only be cleared by a
- PLTRST#
- PLTRST -- Apparently this is shorthand for
- "FULL PLATFORM RESET" (Google)
- slide 72
- o The implementation of BLE is vulnerable
- o When BIOSWE is set to 1, its value changes in BIOS_CNTL
- (for a very small amount of time, until SMI...)
- o A System Management Interrupt (SMI) is triggered
- o The SMI handler sets BIOSWE back to 0
- o The SMI handler must be implemented by the firmware
- slide 73
- "Speedracer" Paper Google
- o What if we write to the SPI flash memory before the SMI
- handler sets BIOSWE to 0?
- o Race condition vulnerability (Speed Racer)
- o A thread continuously sets BIOSWE to 1
- o Another thread tries to write data
- o Works on multicore processors and single-core
- processors with hyper-threading enabled
- slide 74-75
- Intel came up with a patch for this issue
- o Platform Controller Hub (2008) family of Intel chipsets
- introduces a fix for this issue, what they did:
- bitmap:
- SMM BIOS Write Protect Disable (SMM_BWP) - R/WLO
- This bit set defines when the BIOS region can be written by
- the host:
- 0 = BIOS region SMM protection is disabled. The BIOS Region
- is writable regardless of whether processors are in SMM or not.
- (set this field to 0 for legacy behavior)
- 1 = BIOS region SMM protection is enabled. The BIOS Region
- is not writable unless processors are in SMM.
- o The firmware must set this bit
- slide 76
- ReWriter_Binary.exe
- o ReWriter_Binary.exe checks these settings
- o Checks if the platform is properly configured
- o Implments the exploit for the race condition
- slide 77-80
- Writing process decision tree:
- BIOSWE is set?
- Yes: Write UEFI image. Done.
- No:
- BLE is set?:
- No: Set BIOSWE to 1 and write UEFI image. Done.
- Yes:
- SMM_BWP is set?
- Yes: FAIL.
- No: Exploit race condition...
- slide 81-85
- Writing to SPI Flash
- -Write bytes to be read into HSFC (FDBC = size -1)
- -Set HSFC to the write command (FCYCLE = 0b10)
- -(3)Write the address to write in the HSFC (FADDR)
- -Write the data chunk to write in the HSFC (FDATAX)
- -Write 1 to Flash Cycle Go (FGO)
- -Wait for SPI read cycle completion (HSFS->SCIP == 0)
- LOOP to (3) above...
- slide 86
- Let's take a step back
- o Software implementation to flash firmware remotely
- o Hacking Team UEFI rootkit needed physical access
- o We extracted the UEFI rootkit
- o Looked at ESET's UEFI scanner telemetry
- o And...
- 87-90 mostly empty
- slide 91
- UEFI Rootkit: SecDxe
- o DXE Driver loaded by the DXE Dispatcher
- o Unsigned (Secure Boot would catch if enabled...)
- o File GUID
- o 682894B5-6B70-4EBA-9E90-A607E5676297
- slide 92-94
- o This is a graphic. It shows workflow. Note that
- it has a lot of acronyms that should be transcribed/Googled.
- (I'll save that exercise for later...)
- EFI_EVENT_GROUP_READY_TO_BOOT
- ----
- Side Note: SecureBoot insures that everything that is
- loaded by the firmware is properly signed...
- ----
- slide 95
- UEFI RootKit: SecDxe
- o Notify function
- o InstallS NTFS driver (***** FS DEPENDENT!!! ******)
- (PDS: Would this happen with another
- file system, e.g., fat, ext2, ext3,
- esoteric file system, ?, Can I
- install Linux and be free? ?)
- o Drops autoche.exe and rpcnetp.exe
- o Patches a value in the Windows Registry
- slide 96
- NTFS driver
- o NTFS driver needed to get file-based access to
- Windows' partition
- o UEFI firmware don't need an NTFS driver
- o Only need to read the EFI system partition
- o Hacking Team's NTFS driver from HT's leak
- o NtfsDxe project from vector-edk
- slide 97
- Dropping files
- Graphic of source, but not that informative
- o Drops 2 files, rcpnetp.exe, autoche.exe
- slide 100
- (NOTE: A specific text pattern is searched for,
- *that's because it doesn't have the intelligence to
- open write and close windows registry keys*
- OR... because it's trying to avoid REGISTRY LOGGING,
- if Windows has REGISTRY LOGGING...
- FUTURE OS DESIGN: OS could do a hash check on raw registry
- file when OS is initialized for the first
- time and it would find this.
- Also... future OS should support a
- REGISTRY LOG of all REGISTRY CHANGES,
- AND check registry file against a
- hash which is updated in lock-step
- (also, log could be hashed in lock-step
- too...)
- )
- o Modifies Windows Registry via
- %WINDIR%\System32\config\SYSTEM
- o Changes "autocheck autochk *" to
- "autocheck autoche *"
- o HKLM\SYSTEM\CurrentControlSet\Control Session Manager\BootExecute
- slide 103
- Prevention
- o Enable Secure Boot
- o Keep your UEFI firmware up-to-date
- o Make sure you have modern chipsets (PCH)
- o Hope that your firmware configures security
- mechanisms properly
- o Firmware security assessments can be done
- with CHIPSEC (Open Source)
- (Will check for all things discussed in this slide show)
- slide 104
- o You need to reflash your UEFI firmware
- o If it's not an option for you then...
- slide 107
- White paper available at welivesecurity.com
- @jiboutin
- @Freddrickk_
- 2018-05-15
- * Now this is weird. I reformat my laptop's hard drive, and decide to try installing
- first Windows 2000, then Windows XP.
- Windows 2000 won't install... period.
- Windows XP gives the Blue Screen Of Death with the text:
- "A problem has been detected and Windows has been shut down..."
- (There was some other probably-not-helpful-in-diagnosing-the-problem text in the message,
- but for brevity, that's the start of the text...)
- The relevant text is this:
- STOP (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000)
- But... that's not where the story ends...
- Googling for F78D2524 does something strange.
- It yields only *ONE HIT*.
- Like think about this for a second, Google, king of search engines, which usually
- returns thousands if not millions of search results, for this one hexadecimal number
- yields only ONE result...
- That result is:
- http://www.digitaltechglobal.com/a-problem-has-been-detected-windows-xp-pro-re-install.html
- (2016-05-16 Update:
- That web page, above, matches this one (minus the froofy Javascript animations, especially
- the "person x has solved computer problem y" continuous pop-up)
- http://postthreads.org/support/3824359/STOP-0x0000007B-0xF78D2524-0xC0000034.html
- This one was found on Bing incidentally...
- So the question is, which web page cloned which other web page, and why?
- )
- Which is a very wierd web page, which seems very intent on getting the visitor (me), to
- download some kind of dubious .EXE "PC Repair Tool".
- What's even more wierd is that it has this little pop-up on the bottom left, which pops
- up messages like "Bob in Scranton fixed his <xyz> computer problem" or
- "Joe in Dallas fixed his <xyz> computer problem" (not exactly -- but you get the idea).
- Now... here's where things get like "super-dubious"...
- I go to BING (Which is a Microsoft Property) and I type in F78D2524.
- There's a whole bunch of results.
- (Side note: Ask.com yields zero results, but that's a side note).
- So now we have two search engines, usually neck-in-neck for search results, one
- yields one highly dubious search result, while BING yields a much better result
- set...
- So here's the thing.
- I'm not willing or ready to point my finger at Google just yet; but if it's not
- Google's fault, then either
- a) For some reason Google is limiting the results...(?)
- b) My upstream provider is modifying Google's results (but, this is through
- Chrome's https... likely? Hmmm...)
- c) Something locally is causing Chrome to abridge their result set...
- So...
- I don't know what the exact answer there -- is at this juncture...
- The plot thickens! Stay tuned!!! <g>
- UPDATE:
- Even more weird!
- I went back to Google and tried it again...
- Now there were approximately 262 results. (Note that BING lists over 10,000)
- So how do I put this, but,
- Whaddup Google?
- ?
- The plot thickens some more...
- 2018-05-15
- o Oh, first part of this story: I reformatted my laptop's hard drive, and decided
- to install Windows 7 x64 SP1 -- but I installed with UEFI secure boot set on:
- Result:
- "Selected boot image did not Authenticate. Press <Enter> to Continue."
- Yup... Windows 7 will not install with UEFI secure (non Legacy) boot on...
- 2018-10-07
- My computer has a rootkit on it. I'm running Windows 7 and I've run every virus checker and rootkit
- remover on it, to no avail. The one clue, the ONE CLUE that I have about it is that Windows XP will
- not install. Windows XP installation fails with a blue screen STOP error, along which one of the
- codes passed back is F78D2524.
- Now... I'm not asking for any help in removing this rootkit. Instead, I've observed some
- VERY STRANGE BEHAVIOR FROM SEARCH ENGINES when you enter this number.
- For example, you would think that Google and Bing would have roughly the same number of entries for
- something like this. But apparently not!
- What is going on?
- Well... that's all I know... good luck in your quest to figure out
- what is going on!
Add Comment
Please, Sign In to add comment