Evil Core – Bootkit with Attitude

If you haven’t done so already, you need to check out Evil Core. Evil Core is an interesting evolution in bootkit malware. Existing bootkits such as Kon-boot and Stoned Vienna modify the Operating System during the boot process by hooking the BIOS interrupt responsible for reading the OS Kernel from the disk. The kernel is modified as it is loaded into memory and the attacker’s new evil kernel runs.
Evil Core takes a different approach. First, Evil Core disables Symmetric Multi Processing limiting the number of processor cores available to the Operating System. Then, as the Operating system is booting up on the available processor core, it modifies the boot parameters telling the operating system that less memory is available than there actually is. Then, Evil core puts it’s code at what the OS thinks is the end of physical memory where it can live in peace without any fear of the OS modifying it or even seeing that it exists. Last, Evil core runs its code sitting on top of physical memory on the unused processor core. This gives the attacker a tremendous amount of flexibility. The malware has full access to all of user and kernel memory space. It is in Ring Zero and it is invisible to the OS! As far as the OS is concerned it may as well be running on a different computer.
In the demonstration given by Evil Core authors Wolfgang Ettlinger and Stefan Vienbock, they demonstrated just how powerful that level of access can be. Evil Core demonstrates that they can grab the password for a TrueCrypt encrypted volume password out of memory. Like Kon-boot, they can remove the password requirement from the login process. They can hijack the sticky key accessibility functions to implement their own custom code such as a command prompt with SYSTEM privileges. The research is very interesting and I look forward to seeing more as details emerge on this project.
Read more about the project here.

EvilCore Bootkit – pwning multiprocessor systems – demo from Stefan Viehboeck on Vimeo.

Join me for SANS 560 Network Penetration Testing and Ethical Hacking vLIve! Class begins September 12, 2011. For a limited time attendees will receive an IPAD2! Register today for a FREE IPAD2!!
Mark Baggett

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.