Tuesday, April 9, 2013

A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit

- Start of *.exe, *.dll (*.dll is in a pre-alpha stage) and shellcodes in a context of the chosen process. 
- Start of files from a disk and from the memory* (start from memory is in a pre-alpha stage). 
- Start of files with specified privileges: CurrentUser and NT SYSTEM/AUTHORITY. 
- Granting the protected storehouse** for off-site (your) ring3-solutions for permanent existence in the system without need of crypt. 
- Survivability of the bundle, down to a reinstallation of the system. 
- All the components are stored outside of a file system and are invisible to OS. 
- Intuitively clear interface of admin-panel. 
- Protection against the abstraction of Admin Panel. 
- Impossibility of detection of the bundle in the working system by any of known AV/rootkit scanner, owing to the use of author’s technologies of concealment. The unique opportunity of detection exists only at loading with livecd or scanning of a disk from the other computer. Thus the opportunity of detection is also extremely improbable, as own algorithms of a mutation are used.
* Start of a file from the memory allows to bypass all modern proactive protection and AV-scanners, that is, there is no necessity to crypt a file. 
** Protected storehouse is the original ciphered file system in which the certain quantity of files which will be started from the memory at each start of the OS can be stored.

The bundle consists of: 
- Bootkit. It is responsible for the start of the basic modules at a stage of loading of OS. 
- Driver. It is responsible for all infrastructure and implements componential business-logic on the basis of so-called mod (functional unit). That is, the driver is not a legacy driver (monolithic), and consists of the set of mods that allows to operate the bundle with maximum of flexibility, and to protect (hard to reverse), update and expand it. 
- Dropper. At the current moment it brake out all machines with the patches till January, 8th, 2011, except for XP x32/x64 where reloading is initiated. If the systems distinct from XP have latest updates reloading is initiated as well. 
- User friendly Admin Panel.
Also I will give support to clients within the subscription fee. I provide them with: 
- Development of new functionality and 
- Development of new exploits for the dropper. 
- Perfection of algorithms of concealment and penetration of the system.
High scalability of zerokit allow to develop additional mods and to complicate business-logic of all infrastructure.
Zer0kit have flexible update subsystem and can live in system as long as possible. Also zerokit has considered and provable logic to prevent the lost of bots.
Supported OSes: 
– Windows XP SP1-SP3 (x32, x64) 
– Windows Vista SP1-SP2 (x32, x64) 
– Windows 7 SP0-SP1 (x32, x64)

No comments:

Post a Comment