Contents

Foreword

Acknowledgments

Introduction

Part I   Malware

CASE STUDY: Please Review This Before Our Quarterly Meeting

1   Malware Propagation

Malware Is Still King

The Spread of Malware

Why They Want Your Workstation

Intent Is Hard to Detect

It’s a Business

Significant Malware Propagation Techniques

Social Engineering

File Execution

Modern Malware Propagation Techniques

StormWorm

Metamorphism

Obfuscation

Dynamic Domain Name Services

Fast Flux

Malware Propagation Injection Vectors

Email

Malicious Websites

Phishing

Peer-to-Peer (P2P)

Worms

Summary

2   Malware Functionality

What Malware Does Once It’s Installed

Pop-ups

Search Engine Redirection

Data Theft

Click Fraud

Identity Theft

Keylogging

Malware Behaviors

Identifying Installed Malware

Typical Install Locations

Installing on Local Drives

Modifying Timestamps

Affecting Processes

Disabling Services

Modifying the Windows Registry

Summary

Part II   Rootkits

CASE STUDY: The Invisible Rootkit That Steals Your Bank Account Data

Disk Access

Firewall Bypassing

Backdoor Communication

Intent

Presence and Significance

3   User-Mode Rootkits

Rootkits

Timeline

Major Features of Rootkits

Types of Rootkits

User-Mode Rootkits

What Are User-Mode Rootkits?

Background Technologies

Injection Techniques

Hooking Techniques

User-Mode Rootkit Examples

Summary

4   Kernel-Mode Rootkits

Ground Level: x86 Architecture Basics

Instruction Set Architectures and the Operating System

Protection Rings

Bridging the Rings

Kernel Mode: The Digital Wild West

The Target: Windows Kernel Components

The Win32 Subsystem

What Are These APIs Anyway?

The Concierge: NTDLL.DLL

Functionality by Committee: The Windows Executive (NTOSKRNL.EXE)

The Windows Kernel (NTOSKRNL.EXE)

Device Drivers

The Windows Hardware Abstraction Layer (HAL)

Kernel Driver Concepts

Kernel-Mode Driver Architecture

Gross Anatomy: A Skeleton Driver

WDF, KMDF, and UMDF

Kernel-Mode Rootkits

What Are Kernel-Mode Rootkits?

Challenges Faced by Kernel-Mode Rootkits

Methods and Techniques

Kernel-Mode Rootkit Samples

Klog by Clandestiny

AFX by Aphex

FU and FUTo by Jamie Butler, Peter Silberman, and C.H.A.O.S

Shadow Walker by Sherri Sparks and Jamie Butler

He4Hook by He4 Team

Sebek by The Honeynet Project

Summary

Summary of Countermeasures

5   Virtual Rootkits

Overview of Virtual Machine Technology

Types of Virtual Machines

The Hypervisor

Virtualization Strategies

Virtual Memory Management

Virtual Machine Isolation

Virtual Machine Rootkit Techniques

Rootkits in the Matrix: How Did We Get Here?!

What Is a Virtual Rootkit?

Types of Virtual Rootkits

Detecting the Virtual Environment

Escaping the Virtual Environment

Hijacking the Hypervisor

Virtual Rootkit Samples

Summary

6   The Future of Rootkits

Increases in Complexity and Stealth

Custom Rootkits

Digitally Signed Rootkits

Summary

Part III   Prevention Technologies

CASE STUDY: A Wolf in Sheep’s Clothing

Scareware

Fakeware

Look of Authenticity

Countermeasures

7   Antivirus

Now and Then: The Evolution of Antivirus Technology

The Virus Landscape

Definition of a Virus

Classification

Simple Viruses

Complex Viruses

Antivirus—Core Features and Techniques

Manual or “On-Demand” Scanning

Real-Time or “On-Access” Scanning

Signature-Based Detection

Anomaly/Heuristic-Based Detection

A Critical Look at the Role of Antivirus Technology

Where Antivirus Excels

Top Performers in the Antivirus Industry

Challenges for Antivirus

The Future of the Antivirus Industry

Summary and Countermeasures

8   Host Protection Systems

Personal Firewall Capabilities

Personal Firewall Limitations

Pop-Up Blockers

Chrome

Firefox

Microsoft Edge

Safari

Example Generic Pop-Up Blocker Code

Summary

9   Host-Based Intrusion Prevention

HIPS Architectures

Growing Past Intrusion Detection

Behavioral vs. Signature

Behavioral Based

Signature Based

Anti-Detection Evasion Techniques

How Do You Detect Intent?

HIPS and the Future of Security

Summary

10   Rootkit Detection

The Rootkit Author’s Paradox

A Quick History

Details on Detection Methods

System Service Descriptor Table Hooking

IRP Hooking

Inline Hooking

Interrupt Descriptor Table Hooks

Direct Kernel Object Manipulation

IAT Hooking

Legacy DOS or Direct Disk Access Hooking

Windows Anti-Rootkit Features

Software-Based Rootkit Detection

Live Detection vs. Offline Detection

System Virginity Verifier

IceSword and DarkSpy

RootkitRevealer

F-Secure’s BlackLight Technology

Rootkit Unhooker

GMER

Helios and Helios Lite

McAfee Rootkit Detective and RootkitRemover

TDSSKiller

Bitdefender Rootkit Remover

Trend Micro Rootkit Buster

Malwarebytes Anti-Rootkit

Avast aswMBR

Commercial Rootkit Detection Tools

Offline Detection Using Memory Analysis: The Evolution of Memory Forensics

Virtual Rootkit Detection

Hardware-Based Rootkit Detection

Summary

11   General Security Practices

End-User Education

Security Awareness Training Programs

Defense-in-Depth

System Hardening

Automatic Updates

Virtualization

Baked-In Security (from the Beginning)

Summary

Appendix    System Integrity Analysis: Building Your Own Rootkit Detector

What Is System Integrity Analysis?

The Two Ps of Integrity Analysis

Pointer Validation: Detecting SSDT Hooks

Patch/Detour Detection in the SSDT

The Two Ps for Detecting IRP Hooks

The Two Ps for Detecting IAT Hooks

Our Third Technique: Detecting DKOM

Sample Rootkit Detection Utility

Index
