PART I: ROOTKITS
Rootkits and Bootkits
by Sergey Bratus, Eugene Rodionov, Alex Matrosov
Cover Page
Title Page
Copyright Page
Dedication
About the Authors
About the Technical Reviewer
BRIEF CONTENTS
CONTENTS IN DETAIL
FOREWORD
ACKNOWLEDGMENTS
ABBREVIATIONS
INTRODUCTION
Why Read This Book?
What’s in the Book?
How to Read This Book
PART I: ROOTKITS
1 WHAT’S IN A ROOTKIT: THE TDL3 CASE STUDY
History of TDL3 Distribution in the Wild
Infection Routine
Controlling the Flow of Data
The Hidden Filesystem
Conclusion: TDL3 Meets Its Nemesis
2 FESTI ROOTKIT: THE MOST ADVANCED SPAM AND DDOS BOT
The Case of Festi Botnet
Dissecting the Rootkit Driver
The Festi Network Communication Protocol
Bypassing Security and Forensics Software
The Domain Generation Algorithm for C&C Failure
Malicious Functionality
Conclusion
3 OBSERVING ROOTKIT INFECTIONS
Methods of Interception
Restoring the System Kernel
The Great Rootkits Arms Race: A Nostalgic Note
Conclusion
PART II: BOOTKITS
4 EVOLUTION OF THE BOOTKIT
The First Bootkits
The Evolution of Bootkits
Modern Bootkits
Conclusion
5 OPERATING SYSTEM BOOT PROCESS ESSENTIALS
High-Level Overview of the Windows Boot Process
The Legacy Boot Process
The Windows Boot Process
Conclusion
6 BOOT PROCESS SECURITY
The Early Launch Anti-Malware Module
Microsoft Kernel-Mode Code Signing Policy
Secure Boot Technology
Virtualization-Based Security in Windows 10
Conclusion
7 BOOTKIT INFECTION TECHNIQUES
MBR Infection Techniques
VBR/IPL Infection Techniques
Conclusion
8 STATIC ANALYSIS OF A BOOTKIT USING IDA PRO
Analyzing the Bootkit MBR
VBR Analysis Techniques
Advanced IDA Pro Usage: Writing a Custom MBR Loader
Conclusion
Exercises
9 BOOTKIT DYNAMIC ANALYSIS: EMULATION AND VIRTUALIZATION
Emulation with Bochs
Virtualization with VMware Workstation
Microsoft Hyper-V and Oracle VirtualBox
Conclusion
Exercises
10 AN EVOLUTION OF MBR AND VBR INFECTION TECHNIQUES: OLMASCO
The Dropper
The Bootkit Functionality
The Rootkit Functionality
Conclusion
11 IPL BOOTKITS: ROVNIX AND CARBERP
Rovnix’s Evolution
The Bootkit Architecture
Infecting the System
Post-Infection Boot Process and IPL
Kernel-Mode Driver Functionality
The Hidden Filesystem
The Hidden Communication Channel
Case History: The Carberp Connection
Conclusion
12 GAPZ: ADVANCED VBR INFECTION
The Gapz Dropper
Infecting the System with the Gapz Bootkit
Gapz Rootkit Functionality
Hidden Storage
Conclusion
13 THE RISE OF MBR RANSOMWARE
A Brief History of Modern Ransomware
Ransomware with Bootkit Functionality
The Ransomware Modus Operandi
Analyzing the Petya Ransomware
Analyzing the Satana Ransomware
Conclusion
14 UEFI BOOT VS. THE MBR/VBR BOOT PROCESS
The Unified Extensible Firmware Interface
Differences Between the Legacy BIOS and UEFI Boot Processes
GUID Partition Table Specifics
How UEFI Firmware Works
Conclusion
15 CONTEMPORARY UEFI BOOTKITS
Overview of Historical BIOS Threats
All Hardware Has Firmware
Ways to Infect the BIOS
Understanding Rootkit Injection
UEFI Rootkits in the Wild
Conclusion
16 UEFI FIRMWARE VULNERABILITIES
What Makes Firmware Vulnerable?
Classifying UEFI Firmware Vulnerabilities
A History of UEFI Firmware Protections
Intel Boot Guard
Vulnerabilities in the SMM Modules
Vulnerabilities in the S3 Boot Script
Vulnerabilities in the Intel Management Engine
Conclusion
PART III: DEFENSE AND FORENSIC TECHNIQUES
17 HOW UEFI SECURE BOOT WORKS
What Is Secure Boot?
UEFI Secure Boot Implementation Details
Attacking Secure Boot
Protecting Secure Boot with Verified and Measured Boot
Intel BootGuard
ARM Trusted Boot Board
Verified Boot vs. Firmware Rootkits
Conclusion
18 APPROACHES TO ANALYZING HIDDEN FILESYSTEMS
Overview of Hidden Filesystems
Retrieving Bootkit Data from a Hidden Filesystem
Parsing the Hidden Filesystem Image
The HiddenFsReader Tool
Conclusion
19 BIOS/UEFI FORENSICS: FIRMWARE ACQUISITION AND ANALYSIS APPROACHES
Limitations of Our Forensic Techniques
Why Firmware Forensics Matter
Understanding Firmware Acquisition
The Software Approach to Firmware Acquisition
The Hardware Approach to Firmware Acquisition
Analyzing the Firmware Image with UEFITool
Analyzing the Firmware Image with Chipsec
Conclusion
INDEX
PART I
ROOTKITS