Coding Malware for Fun and Not for Profit (Because that would be illegal)

A while ago some of you may remember me saying that I was so bored of there being no decent malware to reverse, that I might as well write some. Well, I decided to give it a go and I’ve spent some of my free time developing a Windows XP 32-bit bootkit. Now, before you get on the phone to your friendly neighborhood FBI agent, I’d like to make clear a few thing: The bootkit is written as a proof of concept, it would be very difficult to weaponize, and there is no weaponized version to fall into the hands of criminals.

For those of you who don’t know, a bootkit is a type of rootkit that begins executing at boot time. By infecting the BIOS, Master Boot Record, Volume Boot Record or Initial Program Loader; Malware can begin execution early on in the operating system boot process, way before the OS is loaded. Most of the operating system’s security measures are initialized later on by the kernel, so code running during the early boot stage has unrestricted access to the system, which can be used to subvert or even disable OS security features. The aim of most bootkits is to load a kernel driver that will allow the malicious code to continue executing once the OS is fully loaded; On 64-bit operating systems where kernel mode code signing is enforced, a bootkit can be used to patch out routines responsible for verifying driver signatures, allowing unsigned drivers to be loaded.

The reason i chose XP 32-bit is because the bootkit is actually designed as a payload for a much cooler proof-of-concept I’m working on, I didn’t really have time to make a universal bootkit and I also didn’t want to risk making the code to appealing to criminals for legal reasons (I believe an overzealous Kaspersky tried to prosecute fellow researcher Peter Kleissner for his “stoned” bootkit). Although the main proof-of-concept (that this bootkit serves as a payload for) is not complete, I thought it might be nice to release this part of it for people to study and to mark the death of XP.

The bootkit is a mix of 16-bit and 32-bit real mode and protected mode ASM, which is assembled using flat-assembler, The payload driver is a template driver written in C using Visual Studio 2012. Although targeted at XP Service Pack 3, the code appears to work fine on SP1 & SP2, but not SP0. I’ve not yet been able to test the kit on a physical machine but have done testing with VMware and Bochs.

The code is well commented, but I’ve also created a PDF based documentation that explains the XP boot process and the bootkit.

Files: http://www.mediafire.com/download/99ip8eyk65uqvkp/TinyXPB.rar
Git: https://github.com/MalwareTech/TinyXPB
PDF: http://www.scribd.com/doc/217533462/TinyXPB-Windows-XP-32-Bit-Bootkit

Bootkit driver loaded
Hacking
2
MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted …

Hacking
14
Hard Disk Firmware Hacking (Final)

Core 2, I choose you. Less than 5 minutes after posting the last article, i discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it had a single tap definition hardcoded, so i decided to comment it out …

Hacking
Hard Disk Firmware Hacking (Part 5)

“Discovery requires experimentation” This weekend I made a pretty big breakthrough which lead to me making a few smaller breakthroughs and ultimately negating most of my previous research. I’ve also learned that “not reinventing the wheel” isn’t always the best option, especially when it comes to trusting other people’s research. …