Thursday, February 23, 2017

Analysis of Rovnix Dropper 5/5 - Driver and Bootkit Installation

In the final post on the my analysis of the Rovnix dropper, I will document how the sample install drivers and bootkits.

After achieving HIGH integrity as documented in the previous post, the sample will first terminate its parent process which is likely to be the sysprep.exe process.

Next, the sample check for the use of volume encryption application such as Bitlocker and Truecrypt.

Then the sample checks if it has sufficient privileges (SeLoadDriverPrivilege and SeShutdownPrevilege)

With sufficient previleges, the sample will now load and install the driver as a service. The service name is created with the string "BS" concat with the volume ID of the HDD of the victim machine.

After installing the NotMyFault driver, the bootkit will be injected next.

A x64 driver payload would be decrypted first.
Next, the modified Initial Program Loader (IPL) in the Volume Boot Record (VBR) would be decrypted
Then both these payloads would be injected into the HDD sectors

The driver payload would be written into sector 0x1600 (5632)

The IPL of the VBR is overwritten.

The driver payload and the IPL modification is now completed! The Rovnix dropped will cause a BSOD via the NotMyFault driver.

This concludes the long over due blog posts on my analysis of the Rovix dropper. I hope to document how the dynamic analysis from the execution of the modified IPL to the loading of the driver payload.

No comments:

Post a Comment