Komodia rootkit findings by @TheWack0lian

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this.

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config format is simple enough: an array of entries with the following structure:

struct komodia_config_entry {   // struct name is a placeholder; the driver's own name is unknown
    DWORD type;
    BYTE unknown[32];           // I don't see anywhere that the driver actually *reads* any of this part,
                                // at least, not after writing to it first.
    char *path;
};

type can be 1, 2 or 3, where 1 = protect registry, 2 = protect process, and 3 I'm not sure of, probably protect file if the installed driver(s) support that.

Naturally, a config like this would be easy for malware to abuse once it has escalated privileges by whatever means. Frankly, the rootkit drivers had better start being detected:
https://www.virustotal.com/en/file/b64b4f53fa722774cd54bea59e40a1f3d08817e394495737195aa83507878caa/analysis/1424467067/ - x86 driver
https://www.virustotal.com/en/file/93f8cdef02c711b39b49fa0df55f2b7ddd260a9d327205e3b6039c0aba4c5e32/analysis/1424467119/ - x64 file protection driver
https://www.virustotal.com/en/file/7127739aebbd4e62f5f37fa6362d41d2855c1c0558cac76bdf13f035e2eb28d3/analysis/1424467156/ - x64 registry/process protection driver

By default the config (in Qustodio) protects the following:

C:\Program Files\Qustodio\qapp\QAppTray.exe
C:\Program Files\Qustodio\qapp\QUpdateService.exe
C:\Program Files\Qustodio\qproxy\qengine.exe
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwd
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwd\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwd
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwd\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdr64
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdr64\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdr64
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdr64\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdf64
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\SafeBoot\*\qwdf64\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdf64
HKEY_LOCAL_MACHINE\SYSTEM\*\Services\qwdf64\*
HKEY_LOCAL_MACHINE\SOFTWARE\Qustodio
HKEY_LOCAL_MACHINE\SOFTWARE\Qustodio\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Qustodio
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Qustodio\*
HKEY_CURRENT_USER\SOFTWARE\Qustodio
HKEY_CURRENT_USER\SOFTWARE\Qustodio\*
HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Qustodio
HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Qustodio\*
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\TimeZoneInformation
HKEY_LOCAL_MACHINE\SYSTEM\*\Control\TimeZoneInformation\*

If anyone wants to independently confirm my findings, install Qustodio in a VM and make sure you tick the "Hide Qustodio on this device" box, as that is what installs the ring-0 rootkit. Reboot into Hiren's or some other WinPE, change one of the registry strings in the config to your own wildcard string, then reboot and watch as the rootkit protects your own registry keys/values!

UPDATE: The PUP Sendori also bundles Komodia Watchdog (but a 32-bit driver only). This one additionally hooks ZwCreateFile, ZwOpenFile, ZwQueryDirectoryFile, ZwSetInformationFile and ZwDeleteFile. It stores its config in HKLM\SYSTEM\CurrentControlSet\Services\sendori32\data. This one, however, is actually detected somewhat, if only because it's part of a PUP.
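A defender-side audit script for the driver services and config locations named above (qwd, qwdr64, qwdf64, sendori32), added here as an example; it is not part of the gist or of any Komodia/Qustodio code. It assumes the control-set root is passed in, so it can be pointed at a SYSTEM hive loaded offline from WinPE (as suggested above) where the running driver cannot hide or protect its own keys; the offline mount name OfflineSYSTEM is a placeholder, and since the gist does not say whether `Data` is a value or a subkey, both are checked.

```powershell
# Added audit script, not from the gist: looks for the Komodia Watchdog driver
# services and config locations named in the gist. For a trustworthy answer,
# load the SYSTEM hive offline from WinPE and point the script at it, e.g.:
#   reg load HKLM\OfflineSYSTEM X:\Windows\System32\config\SYSTEM   (placeholder mount name)
#   .\Find-KomodiaWatchdog.ps1 -ControlSetRoot 'HKLM:\OfflineSYSTEM\ControlSet001'
param(
    [string]$ControlSetRoot = 'HKLM:\SYSTEM\CurrentControlSet'
)

# Service names and config value/key names as documented in the gist.
$targets = @(
    @{ Service = 'qwd';       Config = 'Data' }   # Qustodio x86 driver
    @{ Service = 'qwdr64';    Config = 'Data' }   # Qustodio x64 registry/process protection driver
    @{ Service = 'qwdf64';    Config = 'Data' }   # Qustodio x64 file protection driver
    @{ Service = 'sendori32'; Config = 'data' }   # Watchdog bundled with the Sendori PUP
)

foreach ($t in $targets) {
    $svcKey = Join-Path "$ControlSetRoot\Services" $t.Service
    if (-not (Test-Path -LiteralPath $svcKey)) { continue }

    $props = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue

    # The gist does not say whether the config is a value or a subkey, so check both.
    $cfgValue = $props.($t.Config)
    $cfgIsKey = Test-Path -LiteralPath (Join-Path $svcKey $t.Config)

    # The default config also protects the SafeBoot entries, so report whether
    # the driver is registered to load in Safe Mode as well.
    $safeBoot = foreach ($mode in 'Minimal', 'Network') {
        $sb = Join-Path "$ControlSetRoot\Control\SafeBoot\$mode" $t.Service
        if (Test-Path -LiteralPath $sb) { $mode }
    }

    [pscustomobject]@{
        Service       = $t.Service
        ImagePath     = $props.ImagePath
        Start         = $props.Start
        ConfigFound   = ([bool]$cfgValue) -or $cfgIsKey
        ConfigBytes   = if ($cfgValue -is [byte[]]) { $cfgValue.Length } else { $null }
        SafeBootModes = ($safeBoot -join ',')
    }
}
```

Run from a live system the script reports only what the driver lets the registry API see, so a clean result there is not conclusive; the offline-hive run is the one to trust.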
