Index

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

0-day (zero-day) exploits, 218

3xx status codes, 49–50

64-bit processors, 92

64-bit systems, 196

64-bit Windows, 87

A

access

administrator-level, 78

building, 291

disk, 75

email, 26, 32

.htaccess for redirects, 51

network, 75

personal data, 74

remote, 61–62, 63

root-level, 78

via keylogging. See keylogging

via malicious files, 38

websites, 74

AccessData, 276

ACPI (Advanced Configuration and Power Interface), 182, 194

ActionScript, 45

Ad Syndicator, 2

Adams, Keith, 169

AddDevice() routine, 121

address space layout randomization (ASLR), 257

administrator rights, 124

administrator-level access, 78

administrators

backdoors and, 82

easing workload, 26

email issues, 26–27

malware prevention for, 293

network, 244, 293

precautions, 220

rootkits and, 78

ADMmutate tool, 242

Adobe Flash, 44, 45

ads. See also pop-up blockers; pop-ups

AdWords, 56

Bing Ads, 56

browsers that block, 227

case study, 2–4

examples, 67

hover ads, 230–231

overview, 66

pay-per-click, 3, 54, 56

usage of, 67

Yahoo! Ads, 56

AdSense, 56

Advanced Configuration and Power Interface (ACPI), 182, 194

Advanced Services API, 88

advapi32.dll, 116

advertiser competition, 56

adware, 67, 205, 227. See also ads; pop-ups

Adware prefix, 207

AdwareWebsearch, 67

AdWords, 56

AFX rootkit, 148–151

AIPUs (Artificial Intelligence Processing Units), 195

AMD64 ISA, 182

AMD64 platform, 286

AMD64 processors, 185

AMD64 SVM extensions, 182

AMD-V SVM/Pacifica, 178–179

Android prefix, 207

anomaly-based detection, 214–215, 239

anti-detection evasion techniques, 241–244

anti-malware. See AV entries

anti-phishing modules, 35

Anti-Rootkit tool, 275

anti-spyware programs/modules, 31, 64

antivirus. See AV entries

API hooking, 84–87, 105

APIs (Application Programming Interfaces)

Advanced Services, 88

functions, 87

hooked API processes, 84–87, 105

native, 117

Windows APIs, 87, 88, 116

Application Programming Interfaces. See APIs

application source code, 208

application virtual machines, 163–164

applications

baselining, 215

console, 89

macros, 209–210

profiling, 215

signing, 258

userland, 251

user mode, 86

viruses, 208

architecture rings. See protection rings

archivers, 21, 24

artifacts, VM, 170–171

Artificial Intelligence Processing Units (AIPUs), 195

ASLR (address space layout randomization), 257

asset security, 291

aswMBR tool, 275–276

attachments, email, 26–29

audit scripts, 284

authentication, three-factor, 60–61

Authenticode, 142, 258

AutoIT, 17

automatic updates, 295–296

AV engines, 212, 215

AV industry, 220

AV policy, 216

AV (antivirus) software, 203–220. See also viruses

anomaly-based detection, 214–215

challenges, 216–218

considerations, 204, 219

countermeasures, 219–220

detection rates, 216–217

evolution of, 204

features/techniques, 212–215

future of, 219

heuristic-based detection, 214–215

manual (on demand) scanning, 212

overview, 204

real-time (on-access) scanning, 212–213

response to emerging threats, 217–218

role of, 215–218

signature-based detection, 213–214, 219, 251–252

strengths, 216

top industry performers, 216

vulnerabilities, 218

zero-day exploits, 218

AV technology, 204

AV test results, 216

AV-Comparatives, 216

AV-Test Institute, 216

av-test.org, 214

B

Back Orifice, 82

backdoor communication, 75–76

Backdoor prefix, 207

backdoors, 81–82

considerations, 78

described, 205

Hacker Defender, 105–107

local, 81

remote, 81

rootkits and, 79–83

backups, 146, 220

Bacteraloh, 17

Bagle, 15

baked-in security, 297

bank account data theft, 74–76

bare metal hypervisors, 164

base address, 308–309

Base Services API, 88

baselining applications, 215

.BAT extension, 13

batch scripts, 284

behavioral HIPSs, 238–240

BHOs (Browser Helper Objects), 3, 66

Bing Ads, 56

BIOS, 194

Bitdefender Rootkit Remover, 274–275

BitLocker drive encryption, 258

BlackEnergy, 17

BlackICE, 223

BlackLight tool, 103, 151–152, 264–265

Blue Pill, 168, 179, 182–184

blue screen, 114

blue screen of death (BSOD), 265–266

boneroot rootkit, 144

boot manager, 74

boot process, 209

boot sector viruses, 209

boot sectors, 209

boot sequence, 180

botnets, 2, 18, 24

bots, 2, 3, 9

Browser Helper Objects (BHOs), 3, 66

BSOD (blue screen of death), 265–266

building access, 291

bus drivers, 119

Butler, Jamie, 132, 142, 151, 303

C

C2 (command-and-control) servers, 35–36

call gates, 113, 130–131, 333

CALL instruction, 140, 310–318

CARO (Computer AntiVirus Researchers Organization), 206

Carrier, Brian, 286

C&C servers, 75–76

CD drive, 295

CDs, Sony, 85, 295

central processing units. See CPUs

CGI (Common Gateway Interface) scripts, 82

C.H.A.O.S., 151–152

child pornography, 66

Chrome browser, 225–226

Cisco Security Education, 292

class filter drivers, 140

clean/un-clean approach, 252–253

click fraud, 54–56

Client/Server Run-Time Subsystem, 115

client-side exploits/attacks, 27, 29, 31

cloaked code, 152–155

cloaking, 53

code

application, 208

Authenticode, 142, 258

cloaked, 152–155

integrity, 64

managed, 87

morphing, 211

shellcode, 242

Code Integrity feature, 64

The Code Project, 327

code signing, 63–64

CodeRed, 15

CodeRedII, 15

Codeword rootkit detection tool, 335

Cogswell, Bryce, 262

Coke (Vecna), 15

ComChannel interface, 177

command-and-control (C2) servers, 35–36

Common Control Library API, 88

Common Dialog Box Library API, 88

Common Gateway Interface (CGI) scripts, 82

companion viruses, 208

Compatible Regular Expressions (PCRE), 284

completion routine, 146

Computer AntiVirus Researchers Organization (CARO), 206

computer authentication systems, 60–61

Conficker worm, 39

console applications, 89

contagion worm, 30

content filtering, 2, 31

controllers, 125

cookies, 67

CoolWebSearch, 67

CoPilot tool, 286

core libraries, 284

corporate policies, 38, 291. See also policies

CounterTack, 276

CPUs (central processing units)

64-bit, 92

instruction set architecture, 111–112

privileged mode, 113–114

protection rings, 85–86, 112–113, 164

registers, 95, 96

CreateRemoteThread() function, 91–95

criminal identity theft, 58

crossview, 252

cryptographic signing, 251

CryptoLocker, 17

cryptovirology, 21

Cuckoo Sandbox, 278

custom rootkits, 195–196

customers, data theft, 53–54

D

Dark Avenger, 9

DarkSpy tool, 261–262

DARPA (Defense Advanced Research Projects Agency), 286

data storage, offline, 61

data theft, 53–54, 74–76

Data Translation Lookaside Buffer (DTLB), 153

database rootkits, 190–193

datagrams, 243

Davis, Michael A., 158

DbProtect tool, 193

DDK (Driver Development Kit), 117, 119, 121, 301

DDNS (Dynamic Domain Name Services), 24

DDoS prefix, 207

De Guzman, Onel A., 9

deadbox forensics, 259–260

deep defense, 293–294

Defense Advanced Research Projects Agency (DARPA), 286

defense countermeasure service, 181

defense-in-depth, 293–294

denial of service (DoS), 243

detection rates, 216–217

detour detection code, 313–322

detours. See also inline hooking; patches

AFX rootkit, 148–151

described, 256

detecting in SSDT, 310–322

image modification and, 135–140

SSDT patch/detour detection, 306–322

trampoline function, 136, 310

Detours Express, 139

detours program, 139

Device Chains, 134

device drivers, 118

device filter drivers, 140

Device Guard, 64

device logs, 216

device stacks, 122, 140–141

DeviceTree utility, 148, 154

DFRWS (Digital Forensic Research Workshop), 278

DGA (domain generation algorithm), 39

Digital Forensic Research Workshop (DFRWS), 278

Digital Rights Management (DRM), 85

digitally signed rootkits, 196

direct disk access hooking, 257

Direct Kernel Object Manipulation. See DKOM

directory traversal attack, 177

disassemblers, 313–314

disk access, 75

disk drivers, 111

dispatch routines, 121, 133

diStorm disassembler, 313–314

DKOM (Direct Kernel Object Manipulation)

considerations, 124, 280

countermeasures, 143–144

detecting, 300, 327–335

overview, 142–143, 256

Volatility framework, 280

DLL injection

advanced, 95–98

Hacker Defender, 105

methods for, 91–98

Vanquish rootkit, 100

VMChat, 177

DLLs (Dynamic Link Libraries)

IAT hooks and, 256–257, 327

kernel32.dll, 87, 116

NTDLL.DLL, 116–117

overview, 86–87

user32.dll, 92–93, 116

Vanquish, 100–101

Win32 subsystem, 115–116

DNS (domain name system), 24–26, 67

document-bound macros, 209

.DOCX extension, 13

Dolan-Gavitt, Brendan, 282

domain generation algorithm (DGA), 39

domain name system (DNS), 24–26, 67

domain names, 46

domains, new, 46–47

Domas, Christopher, 194

DoS (denial of service), 243

Double-Flux, 24, 25–26

Downadup, 16, 17

Downloader prefix, 207

drive-by downloads, 47

driver chain, 119–120

Driver Development Kit (DDK), 117, 119, 121, 301

DRIVER_OBJECT structure, 122

driver signing, 258

DriverEntry() routine, 121

drivers

bus, 119

chained, 119

class filter, 140

device, 118

device filter, 140

disk, 111

file-system, 111, 119

filtered, 119, 140–142, 145–148

filter-hook, 119

function, 119

hashes, 142

IRPs and, 132–135

kernel. See kernel drivers

keyboard, 111, 118, 145

“known good,” 141–142

layered, 140–142

loaded kernel, 262

loading, 124–125

malicious, 251

mmhook.sys, 153

monolithic, 140

msdirectx.sys, 153

names, 142

NDIS, 224

network, 119

NIC, 120

protocol, 119

signed, 142

stacked, 119

unauthorized, 141–142

Windows, 119

DRM (Digital Rights Management), 85

DroidDream, 55

DTLB (Data Translation Lookaside Buffer), 153

dumpster diving, 59

Duqu, 17

DVDs, 295

Dynamic Domain Name Services (DDNS), 24

dynamic kernel-mode rootkits, 168

Dynamic Link Libraries. See DLLs

Dyrmose, Michael, 244

E

Early Launch Anti-Malware (ELAM), 258

EasyHook, 99

Edge browser, 226, 257–258

education. See training

ELAM (Early Launch Anti-Malware), 258

elastic defense, 293–294

Elisan, Christopher, 219

email

attachments, 26–29

client-side exploits, 27

exploit example, 29

as malware backdoor, 27–28

as malware delivery method, 26–29

Microsoft Office files, 28

most frequently emailed file types, 13, 14

rock phishing, 29

social engineering and, 27

spear phishing, 29

threat countermeasures, 28–29

threats, 27–29

training users on, 291

webmail services, 204

email addresses, 3

employee data theft, 53–54

encrypted network traffic, 237

encrypted viruses, 210

encryption, 21, 237, 258

encryptors, 21

end-user education, 290–293

ENISA Information Security Awareness Material, 292

enterprise hosts, 222

entry-point obscuring (EPO) viruses, 211

EPO (entry-point obscuring) viruses, 211

EPROCESS data structure, 280

.exe. See executable files

executable (.exe) files, 86–87

DLLs and, 86–87

overview, 13–15

packers used in, 20, 21–22, 23

rules for, 29

execution path analysis, 254

execution scripts, 284

expert system-based HIPSs, 238–240

Expert Systems, 215

Extended Copyright Protection (XCP), 85

extensions, file, 13, 29

F

“false trust,” 11

far calls, 311

Fast Flux, 24–26

FATkit paper, 278

file execution, 13–15

file extensions, 13, 29

file scanner service, 181

file types, 13–14

filenames, malware, 12–13

files

disabled, 212

executable. See executable files

hidden, 264

log. See log files

Microsoft Office, 28

nonexecutable, 212

PE, 213–214

PTP, 35–38

quarantined, 212, 264

viruses, 208

file-system drivers, 111, 119

filter drivers, 119, 140–142, 145–148

filter-hook drivers, 119

filtering

content, 2, 31

HTTP, 30

NDIS, 224

URLs, 31

web, 3, 30

financial identity theft, 58

Firefox browser, 226

firewalls

attacks on, 224

bypassing, 75

countermeasures, 224

keylogger detection, 64

personal, 222–224

whitelisted, 251

Windows Firewall, 258

Witty Worm and, 223

fixmbr command, 76

Flame, 17

Flash, 44, 45

Flash Player, 45

.FLV extension, 13

FlyPaper, 277

Forensics RAM extraction device (FRED), 286

fragmentation attacks, 243

frame redirects, 52–53

FU rootkit, 143, 151–152, 280

function detours. See detours

function drivers, 119

function pointers, 255

function prologue, 136

FUTo rootkit, 151–152

fuzzing, 177

G

Garfinkel, Tal, 169

Garner, George M., 278

Gator program, 67

GDI (Graphics Device Interface), 116

gdi32.dll, 116

GDTs (Global Descriptor Tables), 113, 130–131, 174, 311–312

GetHandleInfo() function, 330–333

GetThreadContext() function, 95, 96

Global Descriptor Tables (GDTs), 113, 130–131, 174, 311–312

global service table, 305

GMER tool, 266–268, 269

GNU Privacy Guard (GPG), 61

GNU Public License version 3 (GPLv3), 301

Google AdWords/AdSense, 56

GPG (GNU Privacy Guard), 61

GPLv3 (GNU Public License version 3), 301

GPU (Graphical Processing Unit), 195

Grand Idea Studios, 286

Grand, Joe, 286

graphic cards, 195

Graphical Device Interface API, 88

Graphical Processing Unit (GPU), 195

Graphics Device Interface (GDI), 116

grayware, 205

green government, 296

Group Policy, 258

Guidance Software, 276

H

Hacker Defender (HxDef), 102–108

hackers

intent, 9–10, 76

motivation, 2–4, 9

prevention methods, 293

for profit, 9–10

HAL (Hardware Abstraction Layer), 117, 118

Happy99, 15

Hardware Abstraction Layer (HAL), 117, 118

hardware emulation, 164

hardware virtual machine. See HVM entries

hardware-based rootkit detection, 286–287

hardware-based rootkits, 193–195

hashes, 142

HBGary, 276, 277

He4Hook rootkit, 155–157

Health Insurance Portability and Accountability Act (HIPAA), 217

Heasman, John, 194

Helios Lite tool, 268–271

Helios tool, 150–151, 268–271

heuristic-based detection, 214–215

HIDS (host-based intrusion detection system), 234, 235–236

hijacking. See hooking entries

HIPAA (Health Insurance Portability and Accountability Act), 217

HIPS. See host-based intrusion prevention system

Hoglund, Greg, 124, 134–135, 142, 276, 303

home users, 292–293

Honeynet Project, 158

honeypots, 158, 169

hook-based keyloggers, 62

hooked pointer detection, 304

hooking engines, 98–99

HookProcFunc() function, 89–90

hooks/hooking

API processes, 84–87, 105

DKOM, 300

EasyHook, 99

filter-hook drivers, 119

He4Hook rootkit, 155–157

IAT. See IAT hooking

IDT, 152–155, 256

inline function hooking, 98, 135–140, 310

IRP. See IRP hooking

methods, 253

model-specific registers, 131–132

SSDT. See SSDT hooking

table hooking, 98, 126–131

user-mode rootkits, 98–99

Windows hooking, 89–91

host protection systems, 221–231

host-based intrusion detection system (HIDS), 234, 235–236

host-based intrusion prevention system (HIPS), 233–247

active vs. passive defense, 246

anti-detection evasion techniques, 241–244

architectures, 234–237

behavioral vs. signature, 238–241

behavioral based, 238–240

future of security, 246–247

growing past, 237–248

HIDS, 234, 235–236

intent, 245–248

networks, 235

NIDS. See NIDSs

NIPS, 234, 235–237, 244, 247

overview, 234

policy based, 238–240

servers and, 235, 237

SIEMs, 234, 244

signature based, 238, 240–241

workstations, 234, 235–237

hosted hypervisors, 164, 165

hover ads, 230–231

.htaccess for redirects, 51

HTML frame redirects, 52–53

HTML pop-ups, 44

HTTP 3xx status codes, 49–50

HTTP activity, 47–48

HTTP headers, 50, 52

HTTPS activity, 47–48

HVM rootkits, 169, 170, 178–179, 182–185

HVMs (hypervisor virtual machines), 163–164, 184–185

HxDef (Hacker Defender), 102–108

Hypersight, 186

hypervisor virtual machine. See HVM entries

hypervisors, 164–166

bare metal, 164

hijacking, 178–179

overview, 164–166

Type I (native), 164, 165

Type II (hosted), 164, 165

I

IAT (Import Address Table), 98, 327

IAT hooking

described, 98, 300, 304

detecting, 323–327

hooked pointer detection, 304

image modification and, 135

patched code detection, 304

IceSword tool, 103, 261–262, 263

identity theft, 57–61

attacks, 59–60

countermeasures, 60–61

criminal, 58

financial, 58

overview, 57–58

IDPSs (intrusion detection or intrusion detection/prevention systems), 239

IDS signatures, 16, 241–242

IDSs (intrusion detection systems)

anomaly based, 239

considerations, 244

improvements on, 237–238

vs. IPSs, 237–238, 246–247

overview, 64–65

session splicing, 242

timeline of, 13, 14

IDT hooking, 152–155, 256

IDTs (Interrupt Dispatch Tables), 127, 129–130, 172

ILOVEYOU virus, 9

image modification, kernel-mode rootkits, 135–140

Import Address Table. See IAT

indicators of compromise (IoCs), 219

Infostealer prefix, 207

injection techniques, user-mode rootkits, 87–98

inline hooking, 98, 135–140, 256, 310. See also detours

inline patches, 136

InstDrv utility, 146–147

Institute for Security and Open Methodologies (ISECOM), 303

instruction set, 111

instruction set architectures (ISAs), 110, 111–112, 182

Instruction Translation Lookaside Buffer (ITLB), 153

INT 13, 257

Inta, 15

integrity. See also system integrity analysis

Code Integrity feature, 64

considerations, 302

Integrity Violation Indicators, 300, 302

level of trust, 302

integrity analysis. See system integrity analysis

Integrity Protection Driver (IPD), 251

integrity violation indicators (IVIs), 300, 302

Intel Programmer’s Manual, 313

Intel VT-x/Vanderpool, 178–179

intent, 9–10, 76, 245–248

Internet Explorer, 226, 258

Internet scams, 290

Internet usage, training users on, 291

Interrupt Dispatch Tables. See IDT entries

interrupt request (IRQ), 129

interrupt request level (IRQL), 124–125

Interrupt Service Routine (ISR), 129, 130

interruptibility, 124

interrupts, 113

intrusion detection or intrusion detection/prevention systems (IDPSs), 239

intrusion detection systems. See IDSs

intrusion prevention systems. See IPSs

I/O request packets. See IRP entries

IoCs (indicators of compromise), 219

IP datagrams, 243

IPD (Integrity Protection Driver), 251

IPS solutions, 246–247

IPSs (intrusion prevention systems), 64–65

anomaly based, 239

anti-detection evasion techniques, 241–244

evasion techniques, 244

host based. See host-based intrusion prevention system

vs. IDSs, 237–238, 246–247

network, 234, 237, 244, 247

solutions for, 246–247

IRP dispatch function, 156

IRP hooking

described, 255, 304

detecting, 323–327

device chains and, 132–135

He4Hook rootkit, 155–157

hooked pointer detection, 304

patched code detection, 304

Sebek rootkit, 158

IRPs (I/O request packets), 121, 132–135

IRQL (interrupt request level), 124–125

IRQs (interrupt requests), 129, 145–148

irqs program, 333–334, 335

ISA (instruction set architecture), 182

ISECOM (Institute for Security and Open Methodologies), 303

ISR (Interrupt Service Routine), 129, 130

ITLB (Instruction Translation Lookaside Buffer), 153

IVIs (Integrity Violation Indicators), 300, 302

J

JavaScript pop-ups, 44–45

JavaScript redirects, 52

Jellyfish, 195

jump (JMP) instruction, 140, 303, 310–318, 321

K

Kaspersky Antivirus, 129

Kato, Ken, 175, 177

KBlock.A, 55

kernel

Windows architecture, 114–118

WoW64, 92

kernel base address, 308–309

kernel-based keyloggers, 61

kernel driver development, 125

kernel drivers

challenges, 123

development of, 125

execution path, 254

loaded, 262, 323

malicious, 251

Memoryze tool, 284

Win32k.sys, 116

Windows, 119–122

kernel land, 112, 114

kernel mode

challenges, 123

driver architecture, 119–122

overview, 110, 113–114

protection rings and, 112

rootkit techniques and, 304

kernel patch protection (KPP), 257

kernel32.dll, 87, 116

Kernel-Mode Driver Framework (KMDF), 122

kernel-mode rootkits, 109–160

AFX, 148–151

attributes, 123

challenges, 123–126

considerations, 159

countermeasure summary, 159–160

direct kernel object manipulation, 142–144

examples, 145–158

filter drivers, 140–142

FU, 151–152

FUTo, 151–152

He4Hook, 155–157

Honeynet Project, 158

image modification, 135–140

I/O request packet hooking, 132–135

Klog, 145–148

layered drivers, 140–142

methods/techniques, 126–145

model-specific registers hooking, 131–132

NDIS, 144–145

overview, 83, 110, 122–123

protection rings, 85–86, 112–113, 164

Shadow Walker, 152–155

table hooking, 126–131

TDI, 144–145

Windows kernel driver, 119–122

Windows kernel-mode architecture, 114–118

x86 architecture basics, 110–114

keyboard drivers, 111, 118, 145

keyboard IRPs, 145

keylogging, 61–65

keystroke loggers, 159, 181

Klein, Tobias, 174–176

Klog rootkit, 145–148

KMDF (Kernel-Mode Driver Framework), 122

KnowBe4, 292

KNTList tool, 278

Komoku, 286

Konov.A, 55

Koobface, 17

Kornbrust, Alexander, 190, 191

KPP (kernel patch protection), 257

L

layered drivers, 140–142

LDTs (Local Descriptor Tables), 113, 130–131, 173–174, 311

legacy DOS, 257

legal issues, 37

library rootkit, 83

Ligh, Michael Hale, 282

link viruses, 208

Linux-based keyloggers, 62

Linux prefix, 207

Linux systems

affected processes, 70

disabled services, 70

timestamp modification, 69

typical malware install locations, 68–69

live forensics, 259–260

loadable kernel modules, 118

loaded kernel drivers, 262

loaders, 124

LoadLibrary() function, 91–92, 95–97

local backdoors, 81

Local Descriptor Tables (LDTs), 113, 130–131, 173–174, 311

local machine software keyloggers, 61–62

log cleaners, 78

log files

access logs, 47

device logs, 216

removal of, 78, 82

system logs, 64

logging outgoing links, 47–48

logical discrepancies, 171, 173–176

logical to linear address translation, 312

LoveLetter, 15

low-hanging fruit, 216

low-level analysis, 267, 269

LSASS vulnerability, 224

M

Mac OS systems, 226–227

macro viruses, 209–210, 212

macros, 209–210

major function codes, 133

Malfind plug-in, 282

malicious intent, 56

malicious kernel drivers, 251

malicious websites, 29–31. See also websites

malware. See also viruses

administrators and, 293

affecting processes, 69–70

behaviors, 65–67

best practices, 220

click fraud, 54–56

countermeasures, 160

current state of, 8

data theft, 53–54

delivery of, 13–15

detection rates, 216–217

disabled services, 70

Dynamic Domain Name Services, 24

Fast Flux, 24–26

file execution, 13–15

file types, 13–14

filenames of, 12–13

functionality, 41–71, 42–67

home users and, 292–293

identifying installed malware, 68–71

identity theft, 57–61

intent, 9–10, 76, 245–248

on local drives, 69

“low-hanging fruit,” 216

malicious websites, 29–31

metamorphic, 19–20

mobile devices, 54

new evolutions in, 16, 17

obfuscation, 20–24

overview, 8

pop-ups. See pop-ups

production of, 219

for profit, 9–10

propagation injection vectors, 26–39

propagation of, 7–40

propagation techniques, 10–15

propagation techniques (modern), 16–26

redirection. See search engine redirection

social engineering and. See social engineering

timestamp modification, 69

training users on, 291

trends, 16, 54, 168, 195

Trojan Horse, 205

workstations, 8–9

worms. See worms

malware classification system, 159–160

malware factory, 219

managed code, 87

Mandiant, 276

Mandiant Red Curtain, 277

Mandiant Redline, 278

manual scanning, 212

Master Boot Record (MBR), 74, 209

MBR (Master Boot Record), 74, 209

McAfee, 271

mdd (memory DD) tool, 278

Mebroot rootkit, 74–76

memory

executable, 215

physical, 280, 292

virtual, 166–167

memory acquisition, 277, 280

memory address space, 114

memory addresses, 86

Memory Analysis, 277–285

memory attribute monitoring, 215

memory cloaking, 152–155

memory DD (mdd) tool, 278

memory dumps, 277, 278

memory forensics, 277–285

Memory Manager, 125

memory mapping, 118

memory protection mechanisms, 313

memory-based attacks, 193

memory-based rootkits, 79

Memoryze tool, 283–285

metadata, 48

metamorphic engines, 19

metamorphic malware, 19–20

metamorphic viruses, 211

metamorphism, 19–20

meta-refresh feature, 51–52

Meterpreter, 245–246

Microsoft Anti-Spyware, 31

Microsoft Defender, 258

Microsoft Development Network (MSDN), 87

Microsoft Edge browser, 226, 257–258

Microsoft Malicious Software Removal Tool (MSRT), 258

Microsoft Office file handling, 28

Microsoft Office Isolated Conversion Environment (MOICE), 210

Microsoft Office Suite, 209–210

Migbot rootkit, 124, 313, 319–322

Migbot rootkit patches, 136–139

mmhook.sys driver, 153

mobile devices, 54

model-specific registers (MSR) hooking, 131–132

MOICE (Microsoft Office Isolated Conversion Environment), 210

monolithic drivers, 140

morphing code, 211

MSBlast, 15

msdirectx.sys driver, 153

MSDN (Microsoft Development Network), 87

MSR (model-specific registers) hooking, 131–132

MSRT (Microsoft Malicious Software Removal Tool), 258

multiprocessing, 166

N

National Cyber Awareness System, 292

National Security Agency (NSA), 210

Native API functions, 117

native hypervisors, 164, 165

NDIS (Network Device Interface Standard) API, 120

NDIS drivers, 224

NDIS filtering, 224

NDIS rootkit, 144–145

near calls, 311

Netsky, 15

netstat tool, 260

network administrators, 244, 293

Network Device Interface Standard. See NDIS entries

network drivers, 119

network encoding, 22–24

network intrusion detection systems. See NIDSs

network intrusion prevention systems (NIPSs), 234, 235–237, 244, 247

Network Services API, 88

network-based backdoors, 81–82

networks

backdoors, 82

encrypted traffic, 237

HIPSs and, 235

MSDN, 87

protecting, 39

PTP, 35–38

VPN, 30, 37

NIC drivers, 120

NIDSs (network intrusion detection systems)

denial of service attacks, 243

fragmentation attacks, 243

keylogger detection, 64–65, 234, 243, 244

session splicing, 242

Nigilant32 tool, 278

Nimda, 15

NIPSs (network intrusion prevention systems), 234, 235–237, 244, 247

no-execute (NX), 257

NOP sled technique, 242

Nopill, 173–174

NSA (National Security Agency), 210

NT Rootkit, 144

NTDLL.DLL, 116–117

NTOSKRNL.EXE, 117–118

NX (no-execute), 257

O

O97M prefix, 207

obfuscation, 20–24

Object Manager, 327–328

.ocx extension, 118

offline analysis, 259–260

offline scanning, 212

offline secure data storage, 61

oligomorphic engine, 20

oligomorphic technique, 20

oligomorphic viruses, 211

Omella, Alfredo Andres, 175

on-access scanning, 212–213

on-demand scanning, 212

OpenProcess() function, 151–152

Opera web browser, 225

operating systems

hardening, 295

instruction set architectures, 111–112

integrity. See system integrity analysis

interruptibility, 124

updates, 295–296

operational threats, 36–37

OS-level virtualization, 166

overwriting viruses, 208

P

P2P (peer-to-peer) technology, 35–38

Pacifica, 178–179

packers, 20, 21–22, 23

packet decoding, 237

PAE (physical address extension), 111

Paladin tool, 186

parasitic viruses, 208

paravirtualization, 166

partitions, shadow, 220

password lockers, 61

passwords

email, 63

keyloggers and, 63

locking, 61

phishing and, 181

policies, 291

three-factor authentication, 60

tips for, 293

training users on, 291

patch/detour detection, 303, 310–322

patched code detection, 304

patches. See also detours

AFX rootkit, 148–151

detection of, 303, 310–322

image modification and, 135–140

inline, 136

Migbot and, 136–139

rules, 29

SSDT patch/detour detection, 306–322

Patchfinder, 253–254

PatchGuard, 130, 131, 132, 257–258

pathogen viruses, 208

PaX tool, 153

pay-per-click (PPC) advertising, 3, 54, 56

PbBlister.A, 55

PC backup feature, 220

PCMag.com, 216

PCRE (Compatible Regular Expressions), 284

.PDF extension, 13

PE files, 213–214

PE (Portable Executable) format, 86, 98

PE packers, 20, 21–22, 23

Peer-to-peer (P2P) technology, 35–38

penetration testing, 177

perimeter defenses, 220

persistence, 123

persistent rootkits, 79

personal firewalls, 222–224

personally identifiable information (PII), 59, 181

PGP (Pretty Good Privacy), 61

PHIDE rootkit, 333

phishing attacks, 32–35

active, 33

attacks, 33–34

countermeasures, 35

overview, 32

passive, 33–34

rock phishing, 29

search engine redirection, 48

threats, 32

voice, 59–60

websites, 181

phishing web server service, 181

Phrack Magazine, 327

physical address extension (PAE), 111

Physics Processing Units (PPU), 195

PIDs (Process IDs), 256

PII (personally identifiable information), 59, 181

plug-ins, 281–283

pointer validation

detecting SSDT hooks, 305–310

hooked pointer detection, 304

IAT, 300

IRP, 300

overview, 303

SSDT, 300

policies

AV, 216

corporate, 38, 291

P2P attacks and, 38

passwords, 291

software restriction, 258

training users on, 291

policy-based HIPSs, 238–240

polymorphic shellcode, 242

polymorphic viruses, 211

polymorphism, 19–20

pop-up blockers, 225–231

attacks, 228–231

browsers listed, 227

bypassing, 44–45

Chrome browser, 225–226

countermeasures, 231

example, 228

Firefox browser, 226

hover ads, 230–231

identifying, 44

Microsoft Edge browser, 226

Opera web browser, 225

overview, 42–43, 225

pop-up overlay, 229

rise of, 42

Safari browser, 226–227

pop-up overlay, 229

pop-ups, 42–45. See also ads

blocking. See pop-up blockers

browsers that block, 227

case study, 2–4

countermeasures, 45

examples, 67

with Flash, 45

with HTML, 44

as infection vector, 42

with JavaScript, 44–45

overview, 42–43, 66

as payload, 42

pay-per-click, 3, 54, 56

threats, 43–45

usage of, 67

pornography, 66

Portable Executable. See PE entries

ports, virtual, 175

PPC (pay-per-click) advertising, 3, 54, 56

.PPTX extension, 13

PPU (Physics Processing Units), 195

Pretty Good Privacy (PGP), 61

Process IDs (PIDs), 256

process virtual machines, 163–164

processes

affected by malware, 69–70

API, 84–87, 105

described, 85

virtual addresses, 86

ProcessExplorer tool, 282

processors. See CPUs; kernel entries

profiling applications, 215

program monitoring, 64

programs. See applications

prologue, 136

propagation injection vectors, 26–39

email, 26–29

malicious websites, 29–31

P2P threats, 35–37

phishing. See phishing

users, 27

worms. See worms

protection rings, 85–86, 111, 112–113, 164

protocol drivers, 119

pslist tool, 280

PspCidTable structure, 151–152

psscan2 tool, 280

PTP files, 35–38

publisher competition, 56

Q

quarantined files, 212, 264

Quist, Danny, 173–174

R

RAIDE tool, 303

real-time scanning, 212–213

reboots, 181–182, 189

Red Curtain tool, 277

Red Pill, 172–173

redirect loops, 53

redirection

search engine. See search engine redirection

server-side scripting for, 50–51

stealing page ranks, 48

URL, 42, 46–50

Redline tool, 278

refresh meta tagging, 48–49, 51–52

Registry, 70–71, 251, 261–262

registry keys, 263

regulatory issues, 292

reimaging systems, 220

relative addressing, 311

remote access software keyloggers, 61–62

remote backdoors, 81

repscan tool, 193

resource discrepancies, 171

Responder Pro, 276

restore points, 220

Ring 0 privilege, 85–86, 178

Ring –1 privilege, 164, 178

Ring 3 privilege, 85–86, 178

rings, protection, 85–86, 111, 112–113, 164

robin hood approach, 238

rock phishing, 29

RootkitRevealer program, 103

root.exe, 149

rootkit detection tools

anomaly-based detection, 214–215, 239

Anti-Rootkit, 275

aswMBR tool, 275–276

Bitdefender Rootkit Remover, 274–275

BlackLight tool, 103, 151–152, 264–265

building your own, 299–335

cautionary notes, 301

Codeword, 335

commercial, 276–277

considerations, 250, 287, 301

DarkSpy, 261–262

GMER, 266–268, 269

hardware based, 286–287

Helios, 268–271

Helios Lite, 268–271

history of, 251–254

IceSword tool, 261–262, 263

listed, 103

live detection, 259–260

Memory Analysis, 277–285

memory forensics, 277–285

Memoryze, 283–285

methods, 254–257

offline detection, 259–260, 277–285

Red Curtain, 277

Rootkit Detective, 271, 272

Rootkit Unhooker, 265–266

RootkitBuster, 275

RootkitRemover, 271–272, 273

RootkitRevealer, 262–264

sample, 335

software based, 258–285, 287

System Virginity Verifier, 139, 150, 260–261

TDSSKiller, 272–274

Tribble, 286, 287

VMM, 285

Volatility, 278, 281–283

Rootkit Detective, 271, 272

Rootkit Remover, 274–275

Rootkit Unhooker tool, 265–266

RootkitBuster, 275

RootkitRemover tool, 271–272, 273

RootkitRevealer, 262–264

rootkits

AFX, 148–151

backdoors and, 79–83

bank account data theft, 74–76

Bone rootkit, 144

concealing existence of, 82

considerations, 78, 79, 301

custom, 195–196

database, 190–193

detecting, 79, 189

digitally signed, 196

disarming, 189

dynamic kernel mode, 168

features, 81–82

FU, 143, 151–152, 280

FUTo, 151–152

future of, 187–197

goal of, 79

Hacker Defender, 102–108

hardware based, 193–195

He4Hook, 155–157

hidden, 79, 250

HVM, 170, 178–179, 182–185

installation of, 189

kernel mode. See kernel-mode rootkits

Klog, 145–148

library, 83

malware types, 168

Mebroot, 74–76

memory based, 79

Migbot, 124, 313, 319–322

NDIS, 144–145

NT Rootkit, 144

overview, 79–83

paradoxical nature of, 250

PCI based, 286

persistent, 79

PHIDE, 333

physical resources, 250

removing, 189

requirements for, 250

Sebek, 158

Shadow Walker, 152–155

static kernel mode, 168

stealth functionality, 82, 188–195

system access and, 81–82

TDI, 144–145

TDSS, 272–274

timeline, 80–81

types of, 83, 168

uninstalling, 76

user mode. See user-mode rootkits

Vanquish, 95, 100–102

virtual. See virtual rootkits

Windows anti-rootkit features, 257–258

XCP rootkit, 85

root-level access, 78

Russinovich, Mark, 262

Rutkowska, Joanna, 159–160, 168, 172–173, 303

S

sandboxes, virtual, 163, 246

sandboxing, 278

Sasser, 15

SCADA (Supervisory Control and Data Acquisition) systems, 217

SCM (Service Control Manager), 124, 146–147

Scoopy Doo, 174, 175

ScoopyNG, 174–176

scripts, 82, 284

SDL (Secure Development Lifecycle), 257

search engine redirection, 46–53

attacks/techniques, 48–53

countermeasures, 48–53

drive-by downloads, 47

.htaccess for redirects, 51

HTML frame redirects, 52–53

HTTP 3xx status codes, 49–50

JavaScript redirects, 52

logging outgoing links, 47–48

manual redirects, 49

redirect loops, 53

refresh meta tagging, 48–49, 51–52

server-side scripting for redirects, 50–51

search engines

Ad Syndicator, 2

considerations, 4

Google, 225

modifying metadata, 48

phishing attacks, 48

redirection. See search engine redirection

Sebek rootkit, 158

Secure Development Lifecycle (SDL), 257

secure ID, 60

secure token, 60–61

security

baked-in, 297

best practices, 292–293

defense-in-depth, 293–294

future of, 246–247

general practices, 289–297

layers of, 294

passwords. See passwords

system hardening, 295

security awareness training programs, 291–293

security information and event management (SIEM) system, 234, 244

security operations center (SOC), 293

sensitive information file scanner service, 181

servers

C2, 35–36

C&C, 75–76

HIPSs and, 235, 237

live, 217–218

production, 217–218

SIEM, 234, 244

server-side scripting, 50–51

Service Control Manager (SCM), 124, 146–147

service-level agreements (SLAs), 195

services.exe, 124

session splicing, 242

severity levels, 123

shadow partitions, 220

Shadow Walker rootkit, 152–155

Shanks, Wylie, 278

shellcode, 242

ShrewdCKSpy, 55

shutdowns, 181–182

SIDT (store IDT), 172–173

SIEM (security information and event management) system, 234, 244

signature-based detection, 213–214, 219, 251–252

signature-based HIPSs, 238, 240–241

signatures, 213–214, 218, 219, 251–252

Silberman, Peter, 151, 303

single stepping, 254

Single-Flux, 24–25

single-sign-on (SSO), 61

Skape, 129

Slammer, 15

SLAs (service-level agreements), 195

SLDT, 173–174

Smart cards, 65

Smith, Val, 173–174

SMSCurse, 55

Sobig, 15

SOC (security operations center), 293

social engineering

email attacks, 27

overview, 11–13

training users on, 291

of trusted insiders, 27

Soeder, Derek, 175

software, illegal, 74

software keyloggers, 63

software restriction policy, 258

software-based detection tools, 258–285, 287

Sony CDs, 85

source code. See code

Sparks, Sherri, 303

spear phishing, 29

spyware, 31, 65–66, 67, 205

Spyware prefix, 207

SpyZeuS, 17

SSDT (System Service Dispatch Table), 126–129

countermeasures, 129

described, 117, 305

detection code, 306–322

detour detection code, 313–322

JMPs/CALLs, 310–318

locating kernel base address, 308–309

mapping, 305

obtaining copy of, 306–308

patch/detour detection, 306–322

use of, 126–128

SSDT entries, 129, 309–310, 313–315

SSDT hooking

described, 304

detecting, 305–310

hooked pointer detection, 304

overview, 254–255

patched code detection, 304

pointer validation, 305–310

SSO (single-sign-on), 61

Stagefright, 55

static kernel-mode rootkits, 168

stealth functionality, 82, 123, 188–195

stealth propagation, 4

store IDT (SIDT), 172–173

store task register (STR), 175

StormWorm, 16–18, 38–39

STR (store task register), 175

string matching weaknesses, 241

Stuxnet worm, 16, 17, 217

SubVirt, 169–170, 179–182

SuckIt rootkit, 172

Suiche, Matthew, 278

Supervisory Control and Data Acquisition (SCADA) systems, 217

svchost.exe, 124

SVM (V Secure Virtual Machine), 178, 182

SVV (System Virginity Verifier), 139, 150, 260–261

Symantec, 206

symbolic links, 251

.sys extension, 118

SYSENTER hooking, 131–132

SYSENTER instruction, 113

Sysinternals Suite, 145

system calls, 86, 113

system hardening, 295

system integrity analysis, 303–322

building your own rootkit, 299–335

cautionary notes, 301

considerations, 300

detection technique summary, 304

Integrity Violation Indicators, 300

overview, 301–303

patch/detour detection, 303–304, 310–322

pointer validation, 303–310

System Integrity Team Blog, 257

system logs, 64

system patches, 29

system reimaging, 220

System Service Dispatch Table. See SSDT

System Service Dispatcher, 127

system service dispatching, 126

system services, 117

System Virginity Verifier (SVV), 139, 150, 260–261

systems

64-bit, 196

automatic updates, 295–296

Linux. See Linux systems

Mac OS, 226–227

rebooting, 181–182, 189

Unix. See Unix systems

validating. See system integrity analysis

Windows. See Windows systems

T

table hooking, 98, 126–131. See also hooks/hooking

tainted view, 252–253

TAN (Transaction Authentication Number) codes, 55

Target breach, 217

Targetsoft spyware, 65

task segment selector (TSS), 175

TDI (Transport Driver Interface), 120

TDI rootkit, 144–145

TDSS Rootkit, 272–274

TDSSKiller, 272–274

third-party libraries, 284

threads, 85

ThreatAnalyzer tool, 246

three-factor authentication, 60–61

timestamp modification, 69

timing discrepancies, 171, 176

TPM (Trusted Platform Module), 194

Trackware prefix, 207

training

asset security, 291

building access, 291

Cisco Security Education, 292

email, 291

end-user education, 290–293

ENISA Information Security Awareness Material, 292

hacker prevention methods, 293

Internet usage, 291

malicious website malware, 31

malware, 291

malware prevention for administrators, 293

malware prevention for home users, 292–293

National Cyber Awareness System, 292

P2P attacks, 37–38

passwords, 291

phishing attacks, 32

policies, 291

regulatory issues, 292

security awareness, 291–293

social engineering, 291

trampoline function, 136, 310

Transaction Authentication Number (TAN) codes, 55

translation lookaside buffers, 153

transparency, virtual machines, 171–172

Transport Driver Interface. See TDI entries

Tribble tool, 286, 287

Trojan Horse, 205

Trojan prefix, 207

trust, 302

Trusted Platform Module (TPM), 194

trusted view, 252

TSS (task segment selector), 175

tuning, 238

U

UAC (User Account Control), 258

Ultimate Packer for Executables (UPX), 213

UMDF (User-Mode Driver Framework), 122

universal resource locators. See URLs

Unix prefix, 207

Unix systems

affected processes, 70

disabled services, 70

timestamp modification, 69

typical malware install locations, 68–69

Unload() routine, 121

UPAO (User Protection Always-ON), 258

updates, automatic, 295–296

UPX (Ultimate Packer for Executables), 213

URLs (universal resource locators)

cloaking, 53

filtering, 31

redirection, 42, 46–50

User Account Control (UAC), 258

user intent, 245

User Interface API, 88

user mode, 112

User Protection Always-ON (UPAO), 258

user training. See training

user32.dll, 92–93, 116

userland, 84, 112, 124

userland applications, 251

user-mode applications, 86

User-Mode Driver Framework (UMDF), 122

user-mode programs, 114

user-mode rootkits, 77–108

background technologies, 84–87

described, 83–84, 168

examples, 100–108

hooking techniques, 98–99

injection techniques, 87–98

overview, 83–84

usernames, 60

V

V Secure Virtual Machine (SVM), 178, 182

VAD (Virtual Address Descriptor), 282–283

VAD tree, 282–283

VAM (virtualization-aware malware), 169

Vanderpool, 178–179

Vanquish rootkit, 95, 100–102

VBA (Visual Basic for Applications), 209

Vecna (Coke), 15

VICE tool, 258–259, 303

Virtual Address Descriptor (VAD), 282–283

virtual addresses, 86

Virtual Box software, 318

virtual environment, 170–177

Virtual Machine Control Block (VMCB), 179

Virtual Machine Control Structure (VMCS), 179

virtual machine manager (VMM), 164, 285, 296

virtual machine-based rootkits (VMBRs), 169, 179–182

virtual machines. See VM entries

virtual memory management, 166–167

virtual ports, 175

virtual private networks (VPNs), 30, 37

virtual rootkits, 161–186

Blue Pill, 168, 179, 182–184

considerations, 168, 185–186

countermeasures, 185

detection of, 285–286

examples, 179–185

logical discrepancies, 171, 173–176

Nopill, 173–174

overview, 162, 168–169

Red Pill, 172–173

ScoopyNG, 174–176

SubVirt, 179–182

techniques, 167–179

timing discrepancies, 171, 176

types of, 169–170

Vitriol, 179, 184, 185

VMBR, 169, 179–182

Vrdtsc tool, 176

virtual sandboxes, 163, 246

VirtualAllocEx() function, 91–92

virtualization

OS-level, 166

overview, 162, 296–297

paravirtualization, 166

strategies for, 166

of system resources, 163

virtual machines. See VM entries

Virtualization Technology extensions (VT-x), 178

virtualization-aware malware (VAM), 169

Virus Bulletin, 216

viruscan.jotti.org, 240

viruses, 205–211. See also malware

application, 208

application source code, 208

best practices, 220

boot sector, 209

classification, 206–207

common prefixes, 207

companion, 208

complex, 210–211

definition of, 205–206

encrypted, 210

entry-point obscuring, 211

file, 208

history, 10–11

links, 208

“low-hanging fruit,” 216

macro, 209–210, 212

metamorphic, 211

naming conventions, 206

oligomorphic, 211

overwriting, 208

parasitic, 208

pathogen, 208

polymorphic, 211

simple, 208–210

VirusTotal.com, 238, 240

vishing, 59–60

Visual Basic for Applications (VBA), 209

visualization, 186

Vitriol rootkit, 179, 184, 185

VM artifacts, 170–171

VM emulation, 166

VM images, 296

VM isolation, 167

VMBRs (virtual machine-based rootkits), 169, 179–182

VMCB (Virtual Machine Control Block), 179

VMChat, 177

VMCS (Virtual Machine Control Structure), 179

VMM (virtual machine manager), 164, 285, 296

VMs (virtual machines), 162–167

anomalies, 171–172

detecting artifacts, 170–171

hardware, 163–164

hypervisors, 164–166, 178–179

overview, 162–163

process, 163–164

rootkit detection, 285–286

transparency, 171–172

types of, 163–164

VMware, 175

VMware Tools, 177

VMX root, 184

voice phishing, 59–60

Volatility plug-ins, 283

Volatility tool, 278, 281–283

Volatility Framework, 278–281, 282

VPNs (virtual private networks), 30, 37

Vrdtsc tool, 176

VT-x (Virtualization Technology extensions), 178

vulnerabilities

in antivirus products, 218

application-level, 2

directory traversal, 177

LSASS, 224

Microsoft Office files, 28

mobile devices, 55

system hardening and, 295

viruses and, 205

W

W32 prefix, 207

W64 prefix, 207

W97M prefix, 207

Walters, Aaron, 278

warez sites, 74

Warfield, Andrew, 169

waterhole attack, 31

WDF (Windows Driver Foundation), 122

WDM (Windows Driver Model), 119, 122

WDM bus drivers, 119

WDM class driver, 119

web browsers

Browser Helper Objects, 3, 66

Chrome, 225–226

client-side exploits and, 31

cookies, 67

Firefox, 226

Internet Explorer, 226

listed, 227

Microsoft Edge, 226, 257–258

Opera, 225

pop-up blockers. See pop-up blockers

protected mode, 220

Safari, 226–227

web-based content filtering, 31

webmail services, 204

websites

attacks on, 31

click fraud, 54–56

logging outgoing links, 47–48

malicious, 29–31

malware countermeasures, 31

pay-per-click advertising, 3, 54, 56

phishing, 181

pop-up blockers and. See pop-up blockers

redirection. See search engine redirection

targeted, 30–31

threats, 30–31

web-based content filtering, 31

white hats, 250

whitelisting, 251

WH_JOURNALPLAYBACK hook, 62

WH_JOURNALRECORD hook, 62

WH_KEYBOARD hook, 62

WH_MOUSE hook, 62

WH_MOUSE_LL hook, 62

Win32 subsystem, 114–116

Win32.Agent.dh, 18

Win32dd tool, 278, 280

Win95.CIH, 15

WinDbg tool, 136–137, 265–266, 318

Windows anti-rootkit features, 257–258

Windows APIs, 87, 88, 116

Windows based keyloggers, 62

Windows Defender, 31

Windows Driver Development Kit (DDK), 117, 119, 121, 301

Windows Driver Foundation (WDF), 122

Windows Driver Model. See WDM

Windows drivers, 119. See also drivers

Windows Executive, 117

Windows Firewall, 258

Windows hooking, 89–91

Windows kernel, 117–118

Windows kernel driver, 119–122

Windows kernel-mode architecture, 114–118

Windows Native API, 117

Windows Registry, 70–71, 251, 261–262

Windows restore points, 220

Windows Security Center (WSC), 258

Windows Server Update Services (WSUS), 29

Windows service hardening, 257

Windows Shell API, 88

Windows systems

64-bit, 87

affected processes, 69

Code Integrity feature, 64

Device Guard, 64

disabled services, 70

network backdoors and, 82

Registry modification, 70–71

timestamp modification, 69

typical malware install locations, 68

Windows-on-Windows for 64-bit (WoW64) kernel, 92

WinHex tool, 154

Witty Worm, 223–224

WM_CHAR messages, 62

WM_KEYDOWN messages, 62

workstations

HIPSs and, 234, 235–237

malware and, 5, 8–9

user-mode rootkits and, 84

worms, 38–39

attacks, 39

Conficker, 39

considerations, 38

contagion, 30

countermeasures, 39

described, 205

StormWorm, 16–18, 38–39

Stuxnet, 16, 17, 217

threats, 38–39

Witty Worm, 223–224

WoW64 (Windows-on-Windows for 64-bit) kernel, 92

WriteProcessMemory() function, 92–95

WSC (Windows Security Center), 258

WSUS (Windows Server Update Services), 29

X

x86 architecture, 110–114, 179

x86 CPU registers, 95, 96

x86 instructions, 171, 178–179, 310–311

x86 manual, 311

X97M prefix, 207

XCP (Extended Copyright Protection), 85

XCP rootkit, 85

.XLSX extension, 13

XML audit scripts, 284

XML format, 284

XNOR process, 22–24

XOR process, 22–24

XOR streams, 22

Y

Yahoo! Ads, 56

Yakkis.A, 55

Yxe, 55

Z

zero-day (0-day) exploits, 218

ZeuS Mobile, 55

ZitMo, 55

ZLIB compression, 284

Zlob program, 67
