TDL4 "bypassing" Patchguard

I first came across this thread: http://www.sandboxie.com/phpbb/viewtopic.php?t=8953&postdays=0&postorder=asc&start=0 in the Sandboxie forums and then decided to find out how such a rootkit like Alureon managed to survive on x64 windows. Apparently it doesn't attempt to patch the kernel but instead it goes for another kernel drive which by design is not protected by patchguard. Thats how the rootkit survived without BSOD looping.

http://www.wilderssecurity.com/showpost.php?p=1774012&postcount=53

Therefore suggesting Sandboxie do the same thing in order to increase protection, is a mistaken assumption based on the wrong info concerning TDL's abilities. Sandboxie needs to patch the kernel in some situations in x64 where KPP API'S dont cut it.

Side note: TDL bypasses PatchGuard in more than one way. Some history about the development of this ingenious rootkit:
http://www.securelist.com/en/analysis/204792131/TDSS

The one that uses MBR (fix mbr is not an option to cure) is analyzed here:
http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4

Contemporary anti-virus and (In)Security Suite solutions are pretty useless against this kind of violence. Even the most aggressive HIPS are bypassed. For now, SRP + limited user rights seems to be the way to go. That is: until the creators start exploiting all the holes we've already covered in those solutions, which is do-able if you ask me.
P.S.1: Backup and restore (from a HEALTHY restore point, of course) is only an option if you KNOW that you've been infected and WHEN the infection occurred.
P.S.2: The outlook in general is not very pretty. The "Security" Industry lost the battle a long time ago, and the poor customer is blamed for that. Users will have to be VERY restrictive in where they go, how they go there, what they launch etc. If they can't handle their freedom themselves, the authorities (read: MS & "Friends") will do it for them with a disgusting kind of parental control, censorship and privacy infringement.

Paul

Thanks Paul for the links. I am pretty sure this stuff can't infect me becuase Sandboxie blocks drivers/ exe execution and even write access within the sandbox. I am interested however in the technique this critter uses.

Upon reading, I understood that it bypasses Patchguard by design since it doesn't do anything to the kernel, it instead goes for the MBR. Since its a unsigned driver it had to go through all that to load successfully.

That thread on Sandboxie, was a suggestion to use similar techniques in order to achieve the lost functionality that requires kernel patching. After what I've read, this seems extremely irrelevnt since Sandboxie is a signed driver and can therefore load. Also sbie would need to patch the kernel to achieve its desired isolation. In comparison TDSS avoided kernel patching (correct if I'm wrong) althogether in order to be able to load its unsigned components and not to be able to patch the kernel.

Rico wrote:That thread on Sandboxie, was a suggestion to use similar techniques in order to achieve the lost functionality that requires kernel patching.

Sitting in the MBR gives you the advantage of loading before anything else, but that doesn't guarantee you can't be killed yourself. I used to have Norton GoBack (disk utility for system roll-back) for some time on XP which replaced the MBR and the partition table with a single partition, but since it was an honest program, it was still not too difficult to kill the system and make system restore totally impossible. The danger with rootkits, of course, is that, as a rule, they lie to the system, filter all events and effectively hamper protection, since security programs rely on the system to tell the truth. Sandboxie in the MBR would cause a lot of noise from the AV-industry, I think, even if it's signed and well-known.

Paul

Sandboxie, actually makes sure that isolated programs can't kill it, by forcing them to operate in lower priviledged environments. Driver installation is a big no-no which makes it able to stay in charge.

A great article for mechnism explaination of TDL is:
https://apokalypsys.wordpress.com/2010/11/17/tdl4-rootkit-bypasses-windows-code-signing-protection/

“The rootkit also disables debuggers by NOP’ing debugger activation functions as described below. This makes reverse engineering this rookit very difficult! The KdDebuggerInitialize1 function in infected kdcom.dll called during normal execution of the system installs the rootkit, which hooks the IRP dispatch functions of miniport driver below the disk to hide its malicious MBR.”

In fact, it doesn’t have to [bypass patchguard] because KPP doesn’t inspect all loaded drivers, only the code used by the kernel.

Bold - my emphasis

Sandboxie would need to patch kernel code rather than another driver in order to carryout its functions?