Press ROOT to continue: Detecting OSX and Windows bootkits with RDFU presented at BlackHatUSA 2013

by Mario Vuksan, Tomislav Pericin,

Summary : UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare’s insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared.
To combat this new threat, we developed a Rootkit Detection Framework for UEFI (“RDFU”) that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the OSX kernel utilizing a UEFI “rootkit” technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality:
Sniffing FileVault passwords (sniffing keys while booting)
Privilege escalation (to root)
Hiding PIDs, files, and directories with selected patterns
Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.