꿈 꾸는 사람

KL_Epic_Turla_Technical_Appendix_20140806.pdf

http://securelist.com/analysis/publications/65545/the-epic-turla-operation/

http://securelist.com/blog/research/67962/the-penquin-turla-2/

http://www.phenoelit.org/stuff/cd00r.c

http://www.cyphort.com/labs/blog/

http://kizzmyanthia.com/?p=104969

http://securelist.com/blog/incidents/57784/shamoon-the-wiper-further-details-part-ii/

인증서 도난 - 8DF46B5FDAC2EB3B4757F99866C199FF2B13427A

The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. 

The driver is a signed component of RawDisk, a product from Eldos. In short, this software allows user-mode applications to operate with the file system in such cases when the operating system restricts the application. You can integrate your project with RawDisk in such a way that your software installs the driver that provides an access to the file system out from kernel-mode via created service ?ElRawDisk.

The Eldos driver

The fact that the Shamoon creators used legitimate signed drivers of Eldos-software RawDisk is rather confusiong

Shamoon 제작자가 합법적으로 서명된 Eldos 소프트웨어의 RawDisk를 사용하는 것은 다소 혼란 스럽게 만든다.

First, we thought that it was done for the purpose of getting the ability to rewrite MBR generally, for example, in Windows7, but it turned out that Windows7 gives access to that disk area even to user-mode applications running on behalf of the administrator.

첫 번째로, 우리는 MBR에 다시 쓸 수 있는 능력을 목적으로 사용한 것으로 생각했다. 예를 들어, Windows7은 Administrator 권한에서 user-mode의 동작하고 있는 application들의 디스크 영역에 접근할 수 있는 권한을 준다. 그래서 Shamoon은 무조건 administrator 권한으로 실행되어야 하고, 따라서 Shamoon을 만든 사람이 왜 합법적인 드라이버를 사용했는지에 대해서는 Open Question으로 남아 잇다.

You can download trial a package of Eldos- RawDisk which consists of header files, lib/dll-files and compiled in release/debug-modes x86 and x64 drivers. You can integrate that RawDisk blank with your project which could then use kernel-mode access to the file system via RawDisk driver. Nevertheless, the driver has an authenticating mechanism.

If we take a look at RawDisk API function ?Open:

HANDLE Open(IN LPCWSTR DeviceName, IN DWORD DesiredAccess, IN LPCWSTR LicenseKey)

...We-ll notice a parameter ?LicenseKey. Such a key has showed up in Shamoon. When the destructive module tries opening file descriptor on the ElRawDisk device, it adds to device name the string exactly looking like some key, for example:

\\?\ElRawDisk\Device\Harddisk0\Partition0#8F71FF7E2831A05D0B88FDAACFAC818E936FCAAA453404180419662BED76E9D70384F056F03ADF3C917CB8C3EE12832F7A7EC3E234BC7FBD0476CFC9F58AC1A1C248DA06E531D133A071

Such a key is easily obtained by making an order at Eldos- site during RawDisk installation routine:

You fill out a form to get an evaluation key and receive your code in the e-mail used during registration. Certainly you can use that key for a limited period of time. And the driver verifies whether the date of end of trial usage has already passed or not. This is why each time we see a date changing routine before opening an ElRawDisk device in Shamoon malware: the date is being set at any (random) day from 1st to 20th of August of 2012.

We also noticed that the Eldos driver exploited by Shamoon checks for the following values being passed in device name parameter and which could be located at the very start of the device name string:

\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#

\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#

These are control codes for the driver to define how to handle a request. But the Shamoon malware does not use these codes calling RawDisk open function.

In addition, the driver checks if the file name of program that works with the file system via driver is corresponding ?RawDiskSample.exe then driver ?considers that the call has been made from a trusted application and the check is gone successfully. This ruins all other verification attempts to block easy using the driver functionality by those who does not have permissions. For sure, it-s better to remove such a condition out from driver.