I was interested in this "Kremlin cyberwarfare" so I looked on samples yestarday, especially interested in "highly complicated rootkit" inside. All samples from the above R136a1 post.
Turla 2006
KM
Rootkit.
Driver not hidden, name constant "atmarph".
Not crypted.
Dated back 23 March 2006.
Not hidden at disk or in registry.
Project C:\proj\drivers\fa\sys\objfre\i386\wd.pdb, where FA stands for name (conclusion based on device name driver uses next).
Autoload as SERVICE_KERNEL_DRIVER.
Hook SSDT NtQuerySystemInformation to hide user mode backdoor.
UM
Backdoor.
Hidden process wowmgr.exe
Packed by ASPack.
Runs as service.
Autoload as SERVICE_FILE_SYSTEM_DRIVER.
Service has complete network support (can upload, download) and set as whitelisted for Windows firewall.
Not hidden on disk or in registry.
Win9x compatible, in case if running inside W9x uses RegisterServiceProcess to hide itself.
Configuration params stored at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atmarph\Parameters
Communicates with driver by DeviceIoControl with symbolic link pointed to FaDevice1 device. For unknown reasons this device name is xor'ed with 0x55 key in both driver and application. Driver decrypts this string before creating symbolic link and device object. Application each time when passes something to driver decrypt string and open this device again.
Complicated and sophisticated? [Sarcasm]Very.[/Sarcasm] Just to FYI. In the same 2006 year were available such not *sophisticated* rootkits like for example Rustock A/B with it millions in the botnet, DKOM, DKOH, ADS and splicing.
[Irony]Contains numerous english words (set as debug output) and english resource section pointing it was created by U.S. Government and NSA directly. [/Irony]
Turla 2009-2010
Dropper packed with ASPack.
KM
Evolution of previous Turla driver. Same device, same code parts.
Rootkit.
Injector.
Sets IDT hook (see below)
Sets splicing hooks (see below)
Sets notification routine for injection purposes.
Detects VMware by VMX backdoor.
Includes disassembler (with string mnemonics decoding).
Project C:\proj\drivers\fa_2009\objfre\i386\atmarpd.pdb.
Used randomized filename.
Dated back 10 Nov 2009.
Autoload as SERVICE_KERNEL_DRIVER.
To prevent removal rootkit runs scheduled check (via system thread) of it own registry key and files and restores them if not found.
Turla hooking model:
IDT 0x55 entry set to point to the Turla handler.
The following SSDT entries:
NtClose
NtTerminateProcess
NtCreateThread
NtShutdownSystem
NtQuerySystemInformation
patched by inline modification in the following way
e.g.
Code: Select allnt!NtQuerySystemInformation:
8057bc36 b000 mov al,0
8057bc38 cd55 int 55h
8057bc3a c3 ret
nt!NtClose:
805678dd b001 mov al,1
805678df cd55 int 55h
805678e1 c3 ret
nt!NtTerminateProcess:
805822e0 b002 mov al,2
805822e2 cd55 int 55h
805822e4 c3 ret
nt!NtShutdownSystem:
8064716b b00d mov al,0Dh
8064716d cd55 int 55h
8064716f c3 ret
lkd> !chkimg nt -d
805678dd-805678e1 5 bytes - nt!NtClose
[ 8b ff 55 8b ec:b0 01 cd 55 c3 ]
8057bc36-8057bc3a 5 bytes - nt!NtQuerySystemInformation (+0x14359)
[ 68 10 02 00 00:b0 00 cd 55 c3 ]
805822e0-805822e4 5 bytes - nt!NtTerminateProcess (+0x66aa)
[ 8b ff 55 8b ec:b0 02 cd 55 c3 ]
8058e63f-8058e643 5 bytes - nt!NtCreateThread (+0xc35f)
[ 6a 28 68 70 8c:b0 0c cd 55 c3 ]
8064716b-8064716f 5 bytes - nt!NtShutdownSystem (+0xb8b2c)
[ 8b ff 55 8b ec:b0 0d cd 55 c3 ]
Why? To not allow recognize handler of the hook by antirootkits.
UM
Payload mapped to chrome.exe firefox.exe opera.exe iexplore.exe services.exe explorer.exe by Turla driver.
Internal name IexploreDll.dll, msidfn32.dll, C:\tmp\objfre_w2K_x86\i386\msidfn32.pdb
High usage of 3rd party components in code, thus greatly increasing payload size.
Turla 2013
The only sophisticated from all series.
In addition to Frank analysis:
KM part is updated Turla from 2009. Same hooking model.
IDT 0xC3 set.
Turla IDT entry turla1.png (34.83 KiB) Viewed 1168 times
Hook the following API's (mostly to avoid detection).
IofCallDriver
NtClose
ObOpenObjectByName
NtCreateKey
NtQueryKey
NtEnumerateKey
NtReadFile
NtQuerySystemInformation
NtTerminateProcess
NtCreateThread
IoCreateDevice
NtShutdownSystem
NtSaveKey
NtUserPeekMessage
NtUserGetMessage
Code: Select alllkd> !chkimg nt -d
804e37c5-804e37ca 6 bytes - nt!IofCallDriver
[ ff 25 80 34 55 80:6a 00 cd c3 90 90 ]
805678dd-805678e1 5 bytes - nt!NtClose
[ 8b ff 55 8b ec:6a 08 cd c3 90 ]
805683ff-80568403 5 bytes - nt!ObOpenObjectByName (+0xb22)
[ 8b ff 55 8b ec:6a 0a cd c3 90 ]
8057065d-80570661 5 bytes - nt!NtCreateKey (+0x825e)
[ 68 c4 00 00 00:6a 04 cd c3 90 ]
80570a6e-80570a73 6 bytes - nt!NtQueryKey+1 (+0x411)
[ 60 68 10 c8 4e 80:02 cd c3 90 90 90 ]
80570d65-80570d6a 6 bytes - nt!NtEnumerateKey+1 (+0x2f7)
[ 54 68 50 c8 4e 80:03 cd c3 90 90 90 ]
80574118-8057411d 6 bytes - nt!NtReadFile+1 (+0x33b3)
[ 68 68 10 13 4f 80:06 cd c3 90 90 90 ]
8057bc36-8057bc3a 5 bytes - nt!NtQuerySystemInformation (+0x7b1e)
[ 68 10 02 00 00:6a 07 cd c3 90 ]
805822e0-805822e4 5 bytes - nt!NtTerminateProcess (+0x66aa)
[ 8b ff 55 8b ec:6a 09 cd c3 90 ]
8058e640-8058e645 6 bytes - nt!NtCreateThread+1 (+0xc360)
[ 28 68 70 8c 4f 80:0b cd c3 90 90 90 ]
8059fa51-8059fa55 5 bytes - nt!IoCreateDevice (+0x11411)
[ 8b ff 55 8b ec:6a 01 cd c3 90 ]
8064716b-8064716f 5 bytes - nt!NtShutdownSystem (+0xa771a)
[ 8b ff 55 8b ec:6a 0c cd c3 90 ]
8064ed92-8064ed96 5 bytes - nt!NtSaveKey (+0x7c27)
[ 8b ff 55 8b ec:6a 05 cd c3 90 ]
Blocked from access service turla2.png (19.53 KiB) Viewed 1168 times
Files and registry keys are not really hidden. They are blocked from access with help of above hooks.
Contains several exploits (known Windows and VirtualBox).
All extracted components of Turla family in attach.