[kmd]

i've read from gddata post why they call it uroburos, so why it turla?
another question: how it survives reboot? is there system files infection?

tia

[EP_X0FF]

i've read from gddata post why they call it uroburos, so why it turla?
another question: how it survives reboot? is there system files infection?

tia

It survives reboot by setting it's dropper as service.

e.g.
HKLM\System\CurrentControlSet\Services
Ultra3
c:\windows\$ntuninstallq923283$\fdisk_mon.exe

Turla name if I remember correctly comes exactly from service name as it anagram.

[EP_X0FF]

Decrypted Turla Sengoku x64 driver attached. Enjoy reversing.
Driver compilation time 08 Feb 2013. When running malware specially zeroes MZ PE signatures in kernel memory to bypass memory scanning detection methods.

[rinn]

great analysis guys,

patchguard does not detect this kind of hook?

Hello.

win32k.sys not protected by PG prior to NT 6.2.
ntoskrnl and IDT modifications triggered by PG but this malware bypasses it with help of additional kernel mode splicing http://www.uninformed.org/?v=3&a=3 and http://www.codeproject.com/Articles/283 ... PatchGuard
as already mentioned by EP_X0FF :)

Best Regards,
-rin

[r3shl4k1sh]

Uroburos – Deeper travel into kernel protection mitigation

http://blog.gdatasoftware.com/blog/arti ... ation.html

First of all, we would like to send regards and thanks to the people being active on the kernelmode.info forum , in particular, R136a1 and EP_X0FF. They provided a proficient analysis of the Driver Signature Enforcement bypass which enriches the overall understanding of the case.

[EP_X0FF]

As for Patch Guard bypass it is quite not so obvious like in GData post.

Depending on PatchGuard version there are different approaches for it bypass. On a newer PatchGuard versions KeBugCheckEx is not used by PG directly but used from a "clean" copy - it was done exactly to defeat older PG bypass methods. However in this case PG can be bypassed (again) by setting a deeper inline hook on one of the routines KeBugCheckEx uses. This routine is RtlCaptureContext (it is exported and called in the beginning of KeBugCheckEx).

Below is example of hook Turla sets on Windows 7 SP1 X64.

KeBugCheckEx function prologue.

Code: Select all

nt!KeBugCheckEx:
fffff800`02687640 48894c2408      mov     qword ptr [rsp+8],rcx
fffff800`02687645 4889542410      mov     qword ptr [rsp+10h],rdx
fffff800`0268764a 4c89442418      mov     qword ptr [rsp+18h],r8
fffff800`0268764f 4c894c2420      mov     qword ptr [rsp+20h],r9
fffff800`02687654 9c              pushfq
fffff800`02687655 4883ec30        sub     rsp,30h
fffff800`02687659 fa              cli
fffff800`0268765a 65488b0c2520000000 mov   rcx,qword ptr gs:[20h]
fffff800`02687663 4881c120010000  add     rcx,120h
fffff800`0268766a e861060000      call    nt!RtlCaptureContext (fffff800`02687cd0)
fffff800`0268766f 65488b0c2520000000 mov   rcx,qword ptr gs:[20h]
fffff800`02687678 4883c140        add     rcx,40h
fffff800`0268767c e8ef020000      call    nt!KiSaveProcessorControlState (fffff800`02687970)
fffff800`02687681 654c8b142520000000 mov   r10,qword ptr gs:[20h]
fffff800`0268768a 4981c220010000  add     r10,120h
fffff800`02687691 488b442440      mov     rax,qword ptr [rsp+40h]

Turla hook

Code: Select all

lkd> u nt!RtlCaptureContext
nt!RtlCaptureContext:
fffff800`02687cd0 6a01            push    1
fffff800`02687cd2 cdc3            int     0C3h
fffff800`02687cd4 90              nop
fffff800`02687cd5 8c593a          mov     word ptr [rcx+3Ah],ds
fffff800`02687cd8 8c413c          mov     word ptr [rcx+3Ch],es
fffff800`02687cdb 8c5142          mov     word ptr [rcx+42h],ss
fffff800`02687cde 8c613e          mov     word ptr [rcx+3Eh],fs
fffff800`02687ce1 8c6940          mov     word ptr [rcx+40h],gs

[t4L]

This will work only for ntos < 9200.

[R136a1]

Impressive report from BAE systems with interesting information:

http://info.baesystemsdetica.com/rs/bae ... epaper.pdf

[EP_X0FF]

Impressive report from BAE systems with interesting information:

http://info.baesystemsdetica.com/rs/bae ... epaper.pdf

Excellent write-up indeed :) Also to not bother with Turla virtual disk decryption you can dump it while infected system online by something like this

RawDisk1 NTFS
RawDisk2 FAT16 (probably cache or reserved container)

Code: Select all

	hFile = CreateFile(TEXT("C:\\dump_RawDisk1.dmp"), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE) return 0;
	
	RtlInitUnicodeString(&DeviceName, L"\\Device\\RawDisk1");
	InitializeObjectAttributes(&obja, &DeviceName, OBJ_CASE_INSENSITIVE, NULL, NULL);

	Status = NtCreateFile(&hObject, GENERIC_READ | SYNCHRONIZE, &obja, &iost, NULL, 0,
		FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	if (NT_SUCCESS(Status)) {
		do {

			Status = ZwReadFile(hObject, NULL, NULL, NULL, &iost, TmpBuf, 0x1000, NULL, NULL);
			if (NT_SUCCESS(Status)) {
				WriteFile(hFile, TmpBuf, 0x1000, &bytesIO, NULL);
			} 
		} while (NT_SUCCESS(Status));
		NtClose(hObject);
	}
	CloseHandle(hFile);

[EP_X0FF]

Multiple Turla related files. http://tif.mcafee.com/threats/11655
Credits to 360Tencent

Depending on type (dropper, driver, payload dlls) it can be named differently (e.g. WinNT/Turla, WinNT/Booz)

Multipart RAR archive attached, pass: infected

SHA-1

Code: Select all

3bec726cf9e400d897e0571005a08f935336cc09
0657dfc4e1156a61bd40c818399572c39ddc97b0
06cbb830510a98e6db5dbb36384684385fe3024c
081a639ce51c5adc58054720ce3f47ed66180eab
0a9a662b50049ee2177eb296d4f9c96c13be3f38
0b9ddf8b221f38ad4f4a5b7b7448419562dac0bb
0f149dde3d23425d2a65f8771df43af0f0e49ffc
148f9bf1d036c0d73ef55d426e40aa599a545418
15a71ddf58bfb0b3e916e7f9cca06457cead8b11
15b27c859b9d003d60c90ebadb587945f86275d8
2084f4bcea59350f650c562759721d51585523e9
224e054fa704544e406eb5f651aa54896a8211fd
2364ad8b87777410674242813e2227f582d2cabf
25b56c78bea41ad8c42d0953f23bb35195e2a6be
26db4fdc1fc72bbbf83a9e655ea167b30699662b
2d6d9a3b607a4cb0acc5271f72e887bba016c9a0
325fb5e2b8027ec2199c3966e41b6417bdd0dd22
3b0ef601384048d0b3b3a02d6c50da45e3b1e5d5
3f696f6230ba69a1bf79aabf725100ba1593095a
4738e58e49dcf140f7a0f11931196be1e545c247
52c30e8f1c1a14b5380e706b43012736ebfe361d
560a9c2dfea9afd527f58b4810acd2c2cd93b952
562d79f5806e98f4c63c6d334c6cac5853855984
570d6eb95dd0991e8be3c623cd9f912e7c27b52f
659165adbd555da4f8f054c8dcb83f4aaead3918
6a59bcfb5f84de5a51d70307dbeba16e18878231
6e23aae168db7d6a4e3750d17f99b6964e0c7e4e
7123c1cf463460e73b52f272be29a1e5f3431cd0
7593b098089a7c81d54904745090d140476b6663
7618480ef74f65176682ff870dd4e4f2e5a71509
76e740dcbfd0d2f49b63b4d38948469a872948a6
78f4e2ef50fd509e77155077ce83d054694b8b86
8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2
8bd08df69615098398f0430ebd59db6fabfdec54
8d422548c4f42937c827079cfbf5c973d38eddf4
8f2864e8c403496d96a2f3981adbb82776d1d53c
929257f7564ace6b141fa999fbef481e11494fa4
961092b5ed578ccddc2a90ed93ff4ac9ec3eec1a
a59454982432c0cf33b7c0fde8c42aa504ba89d4
a80f500361df7a2f862ee19bf8d4f645c62346b0
a9ccac359293611048cd3e639761678c8c2aaeba
afc77c48537a72533ad68df7baa12d03066edcd8
b24faec08f3ec818c0380145a333251284792995
b32ac0687545ef4397cd901363c24a71dea2c7b9
b786095110c10ca72b72cd2e136708c54ed109cc
bb16def9a374dd24a84f13d78d50981ee3add80c
beca0fb07f066c711d64903d2cb2ff3830cfac60
c268764a6b28ad16444243715cc97156a9430f33
caf5019e06421b94009c0a16f9bc1d9375ef63a6
cc32dad54bf17487e3c91e35aeebdb62b9c7da75
d39d9aacd9ddd4a2da8db2f68dcfb1fa42b6a12d
d9bf811c20c0a5d494844372584a533ca9700886
dc86b1d7e6adbab7a76a46c27b78a3d54acc58dc
dea48dae4ba2886acee21f30a79cce4c9ace680e
e4d3205945651df9c3e7d3dcae6cc4fb78a10362
eb447bc08f176c2c1f7d0363e36f5613ddf2f844
ec4f98d56a41290d98de70fdb4baea14fac43a7e
f1310c4ee6f437a807094282ec288560ff9a9924
f36026ca6d8a84ea0a0af3a7c135cf643e26a484
f9de3d39905cacc35c6a54fab30a92b4e30a695a