CyberArk: Windows 10 Vulnerable To Rootkits Via Intel's Processor Trace Functionality

CyberArk, a security company that specializes in stopping targeted attacks against other companies, has found a hooking technique that bypasses the Windows 10 “PatchGuard” kernel protection by using a hardware feature of Intel processors. The technique can be used to make malware persistent on a computer that has already been infected.

GhostHook

A hooking technique gives whoever installs the hook (here, an attacker) control over how an operating system or piece of software operates. Software that uses operating system hooks includes security tools, system utilities, debugging tools, and malicious software.

According to CyberArk, the hooking technique is not a way to exploit a piece of software or to elevate privileges; the attacker would have to achieve those through other means. A rootkit is installed after malware has already infected a computer, for example, in order to gain persistence.

CyberArk named the hooking technique that could be used by malicious actors to bypass Microsoft’s PatchGuard kernel protection “GhostHook.” According to the company, this technique allows an attacker to hook almost any piece of code running on a computer.

Intel PT At Fault

The issue stems from Intel Processor Trace (IPT), an extension of the Intel architecture that captures information about software execution using dedicated hardware. The information is collected in data packets, which can then be processed by a software decoder.

The packets carry information such as timing, program flow (e.g., branch targets and taken/not-taken indications) and program-induced mode changes (e.g., Intel TSX state transitions). The packets may be buffered internally before they are written to the memory subsystem or another output mechanism; debugging software can then process the data and reconstruct the program flow.
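As an added illustration of the packet stream such a decoder processes (this is not code from CyberArk or from the article), here is a minimal Python decoder for a handful of Intel PT packet types: PAD, PSB/PSBEND, short TNT and the TIP family with compressed instruction pointers. The packet encodings follow Intel's SDM; the trace bytes are constructed, not captured from hardware.

```python
# Packet encodings follow Intel's SDM; the trace bytes below are constructed.
PSB, PSBEND = bytes([0x02, 0x82] * 8), b"\x02\x23"
IP_OPCODES = {0x0D: "TIP", 0x11: "TIP.PGE", 0x01: "TIP.PGD", 0x1D: "FUP"}
IP_LEN = {0: 0, 1: 2, 2: 4, 3: 6, 4: 6, 6: 8}     # IPBytes field -> payload size

def decode_ip(ipbytes, payload, last_ip):
    """Rebuild a full IP from a compressed payload; None if the IP is suppressed."""
    raw = int.from_bytes(payload, "little")
    if ipbytes == 0:                                # IP suppressed
        return None
    if ipbytes in (1, 2, 4):                        # low 16/32/48 bits replace last_ip's
        return (last_ip >> (8 * len(payload)) << (8 * len(payload))) | raw
    if ipbytes == 3 and raw & (1 << 47):            # 48-bit payload, sign-extend bit 47
        return raw | (0xFFFF << 48)
    return raw                                      # ipbytes 3 (positive) or 6 (full IP)

def decode(trace):
    """Return a list of (packet_name, value) for a raw Intel PT byte stream."""
    pos, last_ip, out = 0, 0, []
    while pos < len(trace):
        b = trace[pos]
        if b == 0x00:                                  # PAD
            out.append(("PAD", None)); pos += 1
        elif trace[pos:pos + 16] == PSB:               # sync point
            out.append(("PSB", None)); pos += 16
        elif trace[pos:pos + 2] == PSBEND:
            out.append(("PSBEND", None)); pos += 2
        elif (b & 1) == 0 and b != 0x02:               # short TNT: even opcode byte
            nbits = b.bit_length() - 2                 # bits below the stop bit
            bits = (b >> 1) & ((1 << nbits) - 1)       # oldest branch is the MSB
            out.append(("TNT", [bool(bits >> i & 1) for i in range(nbits - 1, -1, -1)]))
            pos += 1
        elif (b & 0x1F) in IP_OPCODES and (b >> 5) in IP_LEN:
            n = IP_LEN[b >> 5]
            ip = decode_ip(b >> 5, trace[pos + 1:pos + 1 + n], last_ip)
            last_ip = ip if ip is not None else last_ip
            out.append((IP_OPCODES[b & 0x1F], ip)); pos += 1 + n
        else:
            raise ValueError(f"unsupported packet 0x{b:02x} at offset {pos}")
    return out

# Constructed: PSB, PSBEND, TIP.PGE (full IP), 5 TNT bits, TIP (16-bit update), PAD, TIP.PGD
SAMPLE_TRACE = (PSB + PSBEND + bytes([0xD1]) + (0x7FF612345000).to_bytes(8, "little")
                + bytes([0x6C, 0x2D, 0x10, 0x5A, 0x00, 0x01]))

if __name__ == "__main__":
    for name, value in decode(SAMPLE_TRACE):
        print(name, hex(value) if isinstance(value, int) else value)
```

Real traces also contain timing (TSC, MTC, CYC), MODE and long TNT packets, which this decoder rejects rather than mis-parsing.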

Intel PT, which was introduced on the Broadwell generation of chips and expanded on Skylake, can trace any software that runs on the CPU, except for SGX-protected containers. The technology is used mainly for performance monitoring, code diagnostics, debugging, fuzzing, and malware analysis and detection.

However, an attacker can also abuse this technology to take control of a thread’s execution. The idea is to make the CPU branch to the attacker's code. One way to do this is to allocate extremely small buffers for the Intel PT packets: when the CPU runs out of buffer space, it jumps to the malicious piece of code, which creates the “hook.”

No Short-Term Fix

Because this operation is executed in hardware, below the Windows operating system, CyberArk said that it would be “extremely difficult for Microsoft to detect and defeat this technique.”

In a reply to CyberArk, Microsoft stated:

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update; however, it may be addressed in a future version of Windows. As such I’ve closed this case.”

Microsoft may have realized that it can’t easily fix this with a simple update, as CyberArk also said. Therefore, it may have postponed the fix until either it creates a more advanced kernel protection architecture in a future version of Windows or until Intel finds a way to stop this type of attack in future chip generations. Until then, Windows 10 will likely continue to be vulnerable to rootkits enabled by malware that has already bypassed Windows Defender or other Windows protections.

GhostHook wouldn’t be the first time an Intel processor functionality has been used to bypass software security. Researchers have recently also discovered that Intel’s ME processor and AMT technology could be used to remotely install malware on enterprise computers.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • shrapnel_indie
    Microsoft may have realized that it can’t easily fix this with a simple update, as CyberArk also said. Therefore, it may have postponed the fix until either it creates a more advanced kernel protection architecture in a future version of Windows or until Intel finds a way to stop this type of attack in future chip generations. Until then, Windows 10 will likely continue to be vulnerable to rootkits enabled by malware that has already bypassed Windows Defender or other Windows protections.
    Or until this becomes such a huge problem they can't just shove it on the back-burner any longer. (I hope it never does.)
  • It appears that it is never Microsoft's fault... guess what, Windows sucks and it always did suck.
  • vdorta
    Why is it Microsoft's fault if it is a hardware issue?
  • iPanda
    Has AMD run into any issues like this?
  • kinggremlin
    19855193 said:
    Microsoft may have realized that it can’t easily fix this with a simple update, as CyberArk also said. Therefore, it may have postponed the fix until either it creates a more advanced kernel protection architecture in a future version of Windows or until Intel finds a way to stop this type of attack in future chip generations. Until then, Windows 10 will likely continue to be vulnerable to rootkits enabled by malware that has already bypassed Windows Defender or other Windows protections.
    Or until this becomes such a huge problem they can't just shove it on the back-burner any longer. (I hope it never does.)

    The way MS described the exploit, it doesn't sound like it would make any sense for them to try to patch it. If the attacker already has to have access to the kernel, addressing this vulnerability would be like stressing that your bedroom door doesn't have a secure enough lock on it to prevent robbers from getting in. If robbers are trying to get into your bedroom, it means they have already gotten into your home, which is the much bigger issue that needs to be addressed.
  • plattyaj
    This is down deep in the kernel, so couldn't somebody do exactly the same on Linux/x86 or OSX? There wasn't enough in the article to explain why this would be specific to Windows, more that it can defeat something that they tried to prevent from happening.
  • chicofehr
    Microsoft and Intel should work together so the current generation can be fixed before it's exploited. Maybe a BIOS update plus a software update or something.
  • alextheblue
    19855382 said:
    Why is it Microsoft's fault if it is a hardware issue?
    Freak is a known anti-MS troll. He regularly "contributes" to any article with the keywords "Microsoft" and/or "Windows" by sharing his errm, "constructive and valuable criticism".

    19856064 said:
    Microsoft and Intel should work together so the current generation can be fixed before it's exploited. Maybe a BIOS update plus a software update or something.
    Perhaps they can add a toggle for the feature in the BIOS - preferably defaulting to "off".
  • spectrewind
    This sounds like a RING -1 on-die exploit... ANY OS would be affected?
  • shiitaki
    The reason it is Microsoft's fault is the abundant vectors for attack provided by Microsoft in the first place. Why does my Word macro need to have so much power on my computer? Why does my Word processor need admin rights? This is a systemic issue brought about as a result of an ideology to coddle and worship developers, the downside being you have so many ways to violate the system.

    To compound this issue is the design ethos that constantly falls back on requiring people to click 'Okay' buttons while using a computer; most people won't even take the time to read the dialog boxes because they are so common when using Windows.

    The Windows OS is meant to be supported by IT staff, and to that end Microsoft really has nothing for the end user other than being cheap. As far as the Microsoft store goes, we are supposed to rely on the Microsoft that allowed obviously fraudulent applications without any review in its store? That Microsoft app store?

    This is bad because, in combination with other known exploits, such as the infamous Word macro kind of attack, or even Microsoft's own Windows Defender engine, this is going to be a source of pain for a long time to come. The fact that Word macros have yet to be addressed in over two decades shows how poorly Microsoft takes security.

    Yes, it is Microsoft's fault, for why this is going to be really bad for millions of users.