My Account Log in

1 option

Rootkits and bootkits : reversing modern malware and next generation threats / by Alex Matsorov, Eugene Rodionov, and Sergey Bratus.

O'Reilly Online Learning: Academic/Public Library Edition Available online

View online
Format:
Book
Author/Creator:
Matrosov, Alex, author.
Rodionov, Eugene, author.
Bratus, Sergey, author.
Language:
English
Subjects (All):
Computer security.
Malware (Computer software).
Physical Description:
1 online resource (450 pages)
Edition:
1st edition
Place of Publication:
San Francisco, California : No Starch Press, [2019]
System Details:
text file
Summary:
Rootkits and Bootkits will teach you how to understand and counter sophisticated, advanced threats buried deep in a machine’s boot process or UEFI firmware. With the aid of numerous case studies and professional research from three of the world’s leading security experts, you’ll trace malware development over time from rootkits like TDL3 to present-day UEFI implants and examine how they infect a system, persist through reboot, and evade security software. As you inspect and dissect real malware, you’ll learn: •How Windows boots—including 32-bit, 64-bit, and UEFI mode—and where to find vulnerabilities •The details of boot process security mechanisms like Secure Boot, including an overview of Virtual Secure Mode (VSM) and Device Guard •Reverse engineering and forensic techniques for analyzing real malware, including bootkits like Rovnix/Carberp, Gapz, TDL4, and the infamous rootkits TDL3 and Festi •How to perform static and dynamic analysis using emulation and tools like Bochs and IDA Pro •How to better understand the delivery stage of threats against BIOS and UEFI firmware in order to create detection capabilities •How to use virtualization tools like VMware Workstation to reverse engineer bootkits and the Intel Chipsec tool to dig into forensic analysis Cybercrime syndicates and malicious actors will continue to write ever more persistent and covert attacks, but the game is not lost. Explore the cutting edge of malware analysis with Rootkits and Bootkits . Covers boot processes for Windows 32-bit and 64-bit operating systems.
Contents:
Intro
Title Page
Copyright Page
Dedication
About the Authors
About the Technical Reviewer
BRIEF CONTENTS
CONTENTS IN DETAIL
FOREWORD
ACKNOWLEDGMENTS
ABBREVIATIONS
INTRODUCTION
Why Read This Book?
What's in the Book?
How to Read This Book
PART I: ROOTKITS
1 WHAT'S IN A ROOTKIT: THE TDL3 CASE STUDY
History of TDL3 Distribution in the Wild
Infection Routine
Controlling the Flow of Data
The Hidden Filesystem
Conclusion: TDL3 Meets Its Nemesis
2 FESTI ROOTKIT: THE MOST ADVANCED SPAM AND DDOS BOT
The Case of Festi Botnet
Dissecting the Rootkit Driver
The Festi Network Communication Protocol
Bypassing Security and Forensics Software
The Domain Generation Algorithm for C&amp
C Failure
Malicious Functionality
Conclusion
3 OBSERVING ROOTKIT INFECTIONS
Methods of Interception
Restoring the System Kernel
The Great Rootkits Arms Race: A Nostalgic Note
PART II: BOOTKITS
4 EVOLUTION OF THE BOOTKIT
The First Bootkits
The Evolution of Bootkits
Modern Bootkits
5 OPERATING SYSTEM BOOT PROCESS ESSENTIALS
High-Level Overview of the Windows Boot Process
The Legacy Boot Process
The Windows Boot Process
6 BOOT PROCESS SECURITY
The Early Launch Anti-Malware Module
Microsoft Kernel-Mode Code Signing Policy
Secure Boot Technology
Virtualization-Based Security in Windows 10
7 BOOTKIT INFECTION TECHNIQUES
MBR Infection Techniques
VBR/IPL Infection Techniques
8 STATIC ANALYSIS OF A BOOTKIT USING IDA PRO
Analyzing the Bootkit MBR
VBR Analysis Techniques
Advanced IDA Pro Usage: Writing a Custom MBR Loader
Exercises
9 BOOTKIT DYNAMIC ANALYSIS: EMULATION AND VIRTUALIZATION
Emulation with Bochs.
Virtualization with VMware Workstation
Microsoft Hyper-V and Oracle VirtualBox
10 AN EVOLUTION OF MBR AND VBR INFECTION TECHNIQUES: OLMASCO
The Dropper
The Bootkit Functionality
The Rootkit Functionality
11 IPL BOOTKITS: ROVNIX AND CARBERP
Rovnix's Evolution
The Bootkit Architecture
Infecting the System
Post-Infection Boot Process and IPL
Kernel-Mode Driver Functionality
The Hidden Communication Channel
Case History: The Carberp Connection
12 GAPZ: ADVANCED VBR INFECTION
The Gapz Dropper
Infecting the System with the Gapz Bootkit
Gapz Rootkit Functionality
Hidden Storage
13 THE RISE OF MBR RANSOMWARE
A Brief History of Modern Ransomware
Ransomware with Bootkit Functionality
The Ransomware Modus Operandi
Analyzing the Petya Ransomware
Analyzing the Satana Ransomware
14 UEFI BOOT VS. THE MBR/VBR BOOT PROCESS
The Unified Extensible Firmware Interface
Differences Between the Legacy BIOS and UEFI Boot Processes
GUID Partition Table Specifics
How UEFI Firmware Works
15 CONTEMPORARY UEFI BOOTKITS
Overview of Historical BIOS Threats
All Hardware Has Firmware
Ways to Infect the BIOS
Understanding Rootkit Injection
UEFI Rootkits in the Wild
16 UEFI FIRMWARE VULNERABILITIES
What Makes Firmware Vulnerable?
Classifying UEFI Firmware Vulnerabilities
A History of UEFI Firmware Protections
Intel Boot Guard
Vulnerabilities in the SMM Modules
Vulnerabilities in the S3 Boot Script
Vulnerabilities in the Intel Management Engine
PART III: DEFENSE AND FORENSIC TECHNIQUES
17 HOW UEFI SECURE BOOT WORKS
What Is Secure Boot?
UEFI Secure Boot Implementation Details
Attacking Secure Boot.
Protecting Secure Boot with Verified and Measured Boot
Intel BootGuard
ARM Trusted Boot Board
Verified Boot vs. Firmware Rootkits
18 APPROACHES TO ANALYZING HIDDEN FILESYSTEMS
Overview of Hidden Filesystems
Retrieving Bootkit Data from a Hidden Filesystem
Parsing the Hidden Filesystem Image
The HiddenFsReader Tool
19 BIOS/UEFI FORENSICS: FIRMWARE ACQUISITION AND ANALYSIS APPROACHES
Limitations of Our Forensic Techniques
Why Firmware Forensics Matter
Understanding Firmware Acquisition
The Software Approach to Firmware Acquisition
The Hardware Approach to Firmware Acquisition
Analyzing the Firmware Image with UEFITool
Analyzing the Firmware Image with Chipsec
Index.
Notes:
Includes index.
Description based on print version record.
Includes bibliographical references and index.
ISBN:
9781492071259
1492071250
9781593278830
1593278837
OCLC:
1103671222

The Penn Libraries is committed to describing library materials using current, accurate, and responsible language. If you discover outdated or inaccurate language, please fill out this feedback form to report it and suggest alternative language.

Find

Home Release notes

My Account

Shelf Request an item Bookmarks Fines and fees Settings

Guides

Using the Find catalog Using Articles+ Using your account