Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
Spring 2016, 304 pp.
$39.95 EARLY ACCESS Ebook
$49.95 Print Book and EARLY ACCESS Ebook
Get 30% off with the coupon code EARLYBIRD
Modern malware is always evolving because malware authors are constantly finding new ways to bypass security and avoid detection. Defending against (and even discovering) the latest malicious software requires cunning and extensive expertise because attackers have become much more sophisticated.
One particularly fascinating and threatening area of malware development is that of rootkits and bootkits. We’re talking hard stuff – attacks buried deep in a machine’s boot process or firmware. These are the kind of attacks that keep malware analysts up late at night. But help is on the way.
In Rootkits and Bootkits, authors Alex Matrosov, Eugene Rodionov, and Sergey Bratus share the knowledge and expertise they’ve gained during years of professional research. You’ll learn how to expose hidden files systems that can make rootkits so hard to identify and remove. You’ll explore how malware has evolved from rootkits like TDL3 to the present; how this stealthy software can take hold of a system; and how to counter anti-debugging, anti-disassembly, and anti-virtual machine measures. You’ll also learn how bootkits work, and how Windows boots so that you can better prevent infections in the first place.
Cybercrime syndicates and malicious actors keep pushing the envelope, writing ever more persistent and covert attacks. But the game is not lost. In this low-level tour through the wilds of malware, you’ll learn how to reverse next generation threats. Explore the cutting edge of malware analysis with Rootkits and Bootkits.
About the Author
Alex Matrosov has more than 10 years experience with malware analysis, reverse engineering and advanced exploitation techniques. He is a senior security researcher in the Advanced Threat Research team at Intel Security Group and prior to this role, he spent four years focused on advanced malware research at ESET. Matrosov is co-author of numerous research papers including Stuxnet Under the Microscope, and is frequently invited to speak at major security conferences such as REcon, ZeroNights, Black Hat and Virus Bulletin.
Eugene Rodionov, PhD, graduated with honors from the Information Security faculty of the Moscow Engineer-Physics Institute. He currently works at ESET, where he is involved with internal research projects and performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies and reverse engineering. Rodionov has spoken at security conferences such as REcon, Virus Bulletin, ZeroNights, CARO and AVAR, and has co-authored numerous research papers.
Sergey Bratus is a Research Associate Professor in the Computer Science Department at Dartmouth College. He has previously worked at BBN Technologies on Natural Language Processing research. Bratus is interested in all aspects of Unix security, in particular in Linux kernel security, and detection and reverse engineering of Linux malware.
Table of Contents
Part 1: ROOTKITS
Chapter 1: What’s in a Rootkit: The TDL3 Case Study (NOW AVAILABLE)
Chapter 2: Festi Rootkit: The Most Advanced Spam Bot
Chapter 3: Observing Rootkit Infections
Chapter 4: Rootkit Static Analysis: IDA Pro
Chapter 5: Rootkit Dynamic Analysis: WinDbg
Part 2: BOOTKITS
Chapter 6: Bootkit Background and History (NOW AVAILABLE)
Chapter 7: The Windows Boot Process: Bringing Up a System in a Trustworthy State (NOW AVAILABLE)
Chapter 8: From Rootkits (TDL3) to Bootkits (TDL4): Bypassing Microsoft Kernel-Mode Code Signing Policy (NOW AVAILABLE)
Chapter 9: Operating System Boot Process Essentials (NOW AVAILABLE)
Chapter 10: Static Analysis of a Bootkit Using IDA Pro (NOW AVAILABLE)
Chapter 11: Bootkit Dynamic Analysis: Emulators and Virtual Machines
Chapter 12: Evolving from MBR to VBR Bootkits: Mebromi & Olmasco
Chapter 13: VBR Bootkits: Rovnix & Carberp
Chapter 14: Gapz: Advanced VBR Infection
Chapter 15: UEFI Boot vs. MBR/VBR
Chapter 16: Contemporary UEFI Bootkits
Part 3: DEFENSE AND FORENSIC TECHNIQUES
Chapter 17: How Secure Boot Works
Chapter 18: HiddenFsReader: Bootkits Forensic Approaches
Chapter 19: CHIPsec: BIOS/UEFI Forensics
Part 4: ADVANCED REVERSE ENGINEERING
Chapter 20: Breaking Malware Cryptography
Chapter 21: Modern C++ Malware Reversing
Chapter 22: HexRaysCodeXplorer: Practical C++ Code Reconstruction