0%

Book Description

Rootkits and Bootkits will teach you how to understand and counter sophisticated, advanced threats buried deep in a machine’s boot process or UEFI firmware.

With the aid of numerous case studies and professional research from three of the world’s leading security experts, you’ll trace malware development over time from rootkits like TDL3 to present-day UEFI implants and examine how they infect a system, persist through reboot, and evade security software. As you inspect and dissect real malware, you’ll learn:

•How Windows boots—including 32-bit, 64-bit, and UEFI mode—and where to find vulnerabilities

•The details of boot process security mechanisms like Secure Boot, including an overview of Virtual Secure Mode (VSM) and Device Guard

•Reverse engineering and forensic techniques for analyzing real malware, including bootkits like Rovnix/Carberp, Gapz, TDL4, and the infamous rootkits TDL3 and Festi

•How to perform static and dynamic analysis using emulation and tools like Bochs and IDA Pro

•How to better understand the delivery stage of threats against BIOS and UEFI firmware in order to create detection capabilities

•How to use virtualization tools like VMware Workstation to reverse engineer bootkits and the Intel Chipsec tool to dig into forensic analysis

Cybercrime syndicates and malicious actors will continue to write ever more persistent and covert attacks, but the game is not lost. Explore the cutting edge of malware analysis with Rootkits and Bootkits.

Covers boot processes for Windows 32-bit and 64-bit operating systems.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Authors
  6. About the Technical Reviewer
  7. BRIEF CONTENTS
  8. CONTENTS IN DETAIL
  9. FOREWORD
  10. ACKNOWLEDGMENTS
  11. ABBREVIATIONS
  12. INTRODUCTION
    1. Why Read This Book?
    2. What’s in the Book?
    3. How to Read This Book
  13. PART I: ROOTKITS
  14. 1 WHAT’S IN A ROOTKIT: THE TDL3 CASE STUDY
    1. History of TDL3 Distribution in the Wild
    2. Infection Routine
    3. Controlling the Flow of Data
    4. The Hidden Filesystem
    5. Conclusion: TDL3 Meets Its Nemesis
  15. 2 FESTI ROOTKIT: THE MOST ADVANCED SPAM AND DDOS BOT
    1. The Case of Festi Botnet
    2. Dissecting the Rootkit Driver
    3. The Festi Network Communication Protocol
    4. Bypassing Security and Forensics Software
    5. The Domain Generation Algorithm for C&C Failure
    6. Malicious Functionality
    7. Conclusion
  16. 3 OBSERVING ROOTKIT INFECTIONS
    1. Methods of Interception
    2. Restoring the System Kernel
    3. The Great Rootkits Arms Race: A Nostalgic Note
    4. Conclusion
  17. PART II: BOOTKITS
  18. 4 EVOLUTION OF THE BOOTKIT
    1. The First Bootkits
    2. The Evolution of Bootkits
    3. Modern Bootkits
    4. Conclusion
  19. 5 OPERATING SYSTEM BOOT PROCESS ESSENTIALS
    1. High-Level Overview of the Windows Boot Process
    2. The Legacy Boot Process
    3. The Windows Boot Process
    4. Conclusion
  20. 6 BOOT PROCESS SECURITY
    1. The Early Launch Anti-Malware Module
    2. Microsoft Kernel-Mode Code Signing Policy
    3. Secure Boot Technology
    4. Virtualization-Based Security in Windows 10
    5. Conclusion
  21. 7 BOOTKIT INFECTION TECHNIQUES
    1. MBR Infection Techniques
    2. VBR/IPL Infection Techniques
    3. Conclusion
  22. 8 STATIC ANALYSIS OF A BOOTKIT USING IDA PRO
    1. Analyzing the Bootkit MBR
    2. VBR Analysis Techniques
    3. Advanced IDA Pro Usage: Writing a Custom MBR Loader
    4. Conclusion
    5. Exercises
  23. 9 BOOTKIT DYNAMIC ANALYSIS: EMULATION AND VIRTUALIZATION
    1. Emulation with Bochs
    2. Virtualization with VMware Workstation
    3. Microsoft Hyper-V and Oracle VirtualBox
    4. Conclusion
    5. Exercises
  24. 10 AN EVOLUTION OF MBR AND VBR INFECTION TECHNIQUES: OLMASCO
    1. The Dropper
    2. The Bootkit Functionality
    3. The Rootkit Functionality
    4. Conclusion
  25. 11 IPL BOOTKITS: ROVNIX AND CARBERP
    1. Rovnix’s Evolution
    2. The Bootkit Architecture
    3. Infecting the System
    4. Post-Infection Boot Process and IPL
    5. Kernel-Mode Driver Functionality
    6. The Hidden Filesystem
    7. The Hidden Communication Channel
    8. Case History: The Carberp Connection
    9. Conclusion
  26. 12 GAPZ: ADVANCED VBR INFECTION
    1. The Gapz Dropper
    2. Infecting the System with the Gapz Bootkit
    3. Gapz Rootkit Functionality
    4. Hidden Storage
    5. Conclusion
  27. 13 THE RISE OF MBR RANSOMWARE
    1. A Brief History of Modern Ransomware
    2. Ransomware with Bootkit Functionality
    3. The Ransomware Modus Operandi
    4. Analyzing the Petya Ransomware
    5. Analyzing the Satana Ransomware
    6. Conclusion
  28. 14 UEFI BOOT VS. THE MBR/VBR BOOT PROCESS
    1. The Unified Extensible Firmware Interface
    2. Differences Between the Legacy BIOS and UEFI Boot Processes
    3. GUID Partition Table Specifics
    4. How UEFI Firmware Works
    5. Conclusion
  29. 15 CONTEMPORARY UEFI BOOTKITS
    1. Overview of Historical BIOS Threats
    2. All Hardware Has Firmware
    3. Ways to Infect the BIOS
    4. Understanding Rootkit Injection
    5. UEFI Rootkits in the Wild
    6. Conclusion
  30. 16 UEFI FIRMWARE VULNERABILITIES
    1. What Makes Firmware Vulnerable?
    2. Classifying UEFI Firmware Vulnerabilities
    3. A History of UEFI Firmware Protections
    4. Intel Boot Guard
    5. Vulnerabilities in the SMM Modules
    6. Vulnerabilities in the S3 Boot Script
    7. Vulnerabilities in the Intel Management Engine
    8. Conclusion
  31. PART III: DEFENSE AND FORENSIC TECHNIQUES
  32. 17 HOW UEFI SECURE BOOT WORKS
    1. What Is Secure Boot?
    2. UEFI Secure Boot Implementation Details
    3. Attacking Secure Boot
    4. Protecting Secure Boot with Verified and Measured Boot
    5. Intel BootGuard
    6. ARM Trusted Boot Board
    7. Verified Boot vs. Firmware Rootkits
    8. Conclusion
  33. 18 APPROACHES TO ANALYZING HIDDEN FILESYSTEMS
    1. Overview of Hidden Filesystems
    2. Retrieving Bootkit Data from a Hidden Filesystem
    3. Parsing the Hidden Filesystem Image
    4. The HiddenFsReader Tool
    5. Conclusion
  34. 19 BIOS/UEFI FORENSICS: FIRMWARE ACQUISITION AND ANALYSIS APPROACHES
    1. Limitations of Our Forensic Techniques
    2. Why Firmware Forensics Matter
    3. Understanding Firmware Acquisition
    4. The Software Approach to Firmware Acquisition
    5. The Hardware Approach to Firmware Acquisition
    6. Analyzing the Firmware Image with UEFITool
    7. Analyzing the Firmware Image with Chipsec
    8. Conclusion
  35. INDEX
18.116.69.53