1. Aleksandr Matrosov and Eugene Rodionov, “TDL3: The Rootkit of All Evil?” (ESET whitepaper), 2010, http://static1.esetstatic.com/us/resources/white-papers/TDL3-Analysis.pdf.
2. Rodrigo Rubira Branco, Gabriel Negreira Barbosa, and Pedro Drimel Neto, “Scientific but Not Academic Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies” (paper presented at the Black Hat USA 2012 conference, July 21–26, Las Vegas, Nevada), https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf.
3. Mark Russinovich, “Sony, Rootkits and Digital Rights Management Gone Too Far,” Mark’s Blog, October 31, 2005, https://blogs.technet.microsoft.com/markrussinovich/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far/.
1. Brian Krebs, “Financial Mogul Linked to DDoS Attacks,” Krebs on Security blog, June 23, 2011, http://krebsonsecurity.com/2011/06/financial-mogul-linked-to-ddos-attacks/.
2. Eugene Rodionov and Aleksandr Matrosov, “King of Spam: Festi Botnet Analysis,” May 2012, http://www.welivesecurity.com/wp-content/media_files/king-of-spam-festi-botnet-analysis.pdf.
1. David Harley, Robert Slade, and Urs E. Gattiker, Viruses Revealed (New York: McGraw-Hill/Osborne, 2001).
1. See Moxie Marlinspike, “Internet Explorer SSL Vulnerability,” https://moxie.org/ie-ssl-chain.txt.
1. For more detail on the PPI scheme used for bootkits of this type, see Andrey Rassokhin and Dmitry Oleksyuk, “TDSS Botnet: Full Disclosure,” https://web.archive.org/web/20160316225836/http://nobunkum.ru/analytics/en-tdss-botnet/.
1. Debug registers DR4 and DR5 are reserved when debug extensions are enabled (that is, when the DE flag in control register CR4 is set); in that mode, any attempt to reference DR4 or DR5 raises an invalid-opcode exception (#UD). When debug extensions are not enabled (the DE flag is clear), DR4 and DR5 are aliases for debug registers DR6 and DR7, respectively.
2. https://www.welivesecurity.com/media_files/white-papers/CARO_2011.pdf; https://www.welivesecurity.com/wp-content/media_files/Carberp-Evolution-and-BlackHole-public.pdf
1. Eugene Rodionov and Aleksandr Matrosov, “Mind the Gapz,” Spring 2013, http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf.
1. ESET Research, “LOJAX: First UEFI Rootkit Found in the Wild, Courtesy of the Sednit Group” (whitepaper), September 27, 2018, https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf.
2. You can find a detailed technical explanation of the S3–to–working-state resumption implementation in Jiewen Yao and Vincent J. Zimmer, “A Tour Beyond BIOS: Implementing S3 Resume with EDKII” (Intel whitepaper), October 2014, https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Implementing_S3_resume_with_EDKII.pdf.
3. More information can be found in the aforementioned paper by Yao and Zimmer, “A Tour Beyond BIOS: Implementing S3 Resume with EDKII” (https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Implementing_S3_resume_with_EDKII.pdf).
4. Alexander Tereshkin and Rafal Wojtczuk, “Introducing Ring -3 Rootkits” (paper presented at the Black Hat USA 2009 conference, Las Vegas, Nevada), https://invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf.
5. Mark Ermolov and Maxim Goryachy, “How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine” (paper presented at the Black Hat Europe 2017 conference, London), https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf.