Rootkits and Bootkits

Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
May 2019, 448 pp.
ISBN-13: 
9781593277161

Look Inside!

Rootkits and BootkitsRootkits and BootkitsRootkits and BootkitsRootkits and BootkitsRootkits and BootkitsRootkits and Bootkits

DOWNLOAD RESOURCES: Click here to visit the author's website for source code and other resources

Download Chapter 6: Boot Process Security

Featured in Great Lakes Geek.

Rootkits and Bootkits will teach you how to understand and counter sophisticated, advanced threats buried deep in a machine’s boot process or UEFI firmware.

With the aid of numerous case studies and professional research from three of the world’s leading security experts, you’ll trace malware development over time from rootkits like TDL3 to present-day UEFI implants and examine how they infect a system, persist through reboot, and evade security software. As you inspect and dissect real malware, you’ll learn:

  • How Windows boots—including 32-bit, 64-bit, and UEFI mode—and where to find vulnerabilities
  • The details of boot process security mechanisms like Secure Boot, including an overview of Virtual Secure Mode (VSM) and Device Guard
  • Reverse engineering and forensic techniques for analyzing real malware, including bootkits like Rovnix/Carberp, Gapz, TDL4, and the infamous rootkits TDL3 and Festi
  • How to perform static and dynamic analysis using emulation and tools like Bochs and IDA Pro
  • How to better understand the delivery stage of threats against BIOS and UEFI firmware in order to create detection capabilities
  • How to use virtualization tools like VMware Workstation to reverse engineer bootkits and the Intel Chipsec tool to dig into forensic analysis

Cybercrime syndicates and malicious actors will continue to write ever more persistent and covert attacks, but the game is not lost. Explore the cutting edge of malware analysis with Rootkits and Bootkits.

Covers boot processes for Windows 32-bit and 64-bit operating systems.

Author Bio 

Alex Matrosov is a leading offensive security researcher at NVIDIA. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE), and spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers, and is a frequent speaker at security conferences, including REcon, ZeroNights, Black Hat, DEFCON, and others. Also, he is awarded by Hex-Rays for open-source plugin HexRaysCodeXplorer which is developed and supported since 2013 by REhint’s team.

Eugene Rodionov, PhD, is a Security Researcher at Intel working in the domain of BIOS security for Client Platforms. Before that, Rodionov ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include firmware security, kernel-mode programming, anti-rootkit technologies, and reverse engineering. Rodionov has spoken at security conferences such as Black Hat, REcon, ZeroNights, and CARO, and has co-authored numerous research papers.

Sergey Bratus is a Research Associate Professor in the Computer Science Department at Dartmouth College. He has previously worked at BBN Technologies on Natural Language Processing research. Bratus is interested in all aspects of Unix security, in particular in Linux kernel security, and detection and reverse engineering of Linux malware.

Table of contents 

Introduction

Part 1: ROOTKITS
Chapter 1: What’s in a Rootkit: The TDL3 Case Study
Chapter 2: Festi Rootkit: The Most Advanced Spam Bot
Chapter 3: Observing Rootkit Infections

Part 2: BOOTKITS
Chapter 4: Bootkit Background and History
Chapter 5: Operating System Boot Process Essentials
Chapter 6: Boot Process Security
Chapter 7: Bootkit Infection Techniques
Chapter 8: Static Analysis of a Bootkit Using IDA Pro
Chapter 9: Bootkit Dynamic Analysis: Emulators and Virtualization
Chapter 10: Evolution of MBR and VBR Infection Techniques: Olmasco
Chapter 11: IPL Bootkits: Rovnix & Carberp
Chapter 12: Gapz: Advanced VBR Infection
Chapter 13: The Rise of MBR Ransomeware
Chapter 14: UEFI Boot vs. MBR/VBR Boot Process
Chapter 15: Contemporary UEFI Bootkits
Chapter 16: UEFI Firmware Vulnerabilities

Part 3: DEFENSE AND FORENSIC TECHNIQUES
Chapter 17: How Secure Boot Works
Chapter 18: Analyzing the Hidden File System
Chapter 19: CHIPsec: BIOS/UEFI Forensics

View the detailed Table of Contents
View the Index

Reviews 

“This deep reference, jam-packed with code and technical information, will support an engineer or system administrator tasked with putting these vulnerabilities in their place.”
—Ben Rothke, Security Management

Featured in Great Lakes Geek.

“Alex Matrosov, Eugene Rodionov, and Sergey Bratus are experts in their field that have delivered a solid hands-on technical book. While enthralled with the stories from the trenches, I got flashbacks of my days of analyzing rootkits on SunOS and Solaris workstations about 20 years ago. It was a fun book to read.”
Sven Dietrich, Cipher: the newsletter of the IEEE Computer Society's Technical Committee on Security and Privacy

"I enjoyed reading the book and learning about the malware, even if it was not particularly relevant to me, as 'I don’t do Windows.' Still, there’s more than enough here that’s relevant to Linux users, as malware writers are now turning their attention to Linux servers."
—Rik Farrow, USENIX ;login: magazine

"[A] seminal book that explains how to understand and counter sophisticated, advanced threats buried deep in a machine’s boot process or UEFI firmware."
—Business Wire

Updates 

Page 42: in Figure 3-2, in the middle of the figure, the text that reads "Before inception" and "After inception" should read "Before interception" and "After interception"

Page 210: in Figure 13-1, the box numbered 6 that currently reads "Display random messages" should read "Display ransom message"