Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, and Sergey Bratus

Spring 2017, 304 pp.
ISBN: 978-1-59327-716-1

Order now and get early access to the PDF eBook!

Get 30% off with the coupon code EARLYBIRD

Modern malware is always evolving because malware authors are constantly finding new ways to bypass security and avoid detection. Defending against (and even discovering) the latest malicious software requires cunning and extensive expertise because attackers have become much more sophisticated.

One particularly fascinating and threatening area of malware development is that of rootkits and bootkits. We’re talking hard stuff – attacks buried deep in a machine’s boot process or firmware. These are the kind of attacks that keep malware analysts up late at night. But help is on the way.

In Rootkits and Bootkits, authors Alex Matrosov, Eugene Rodionov, and Sergey Bratus share the knowledge and expertise they’ve gained during years of professional research. You’ll learn how to expose the hidden file systems that make rootkits so hard to identify and remove. You’ll explore how malware has evolved from rootkits like TDL3 to the present; how this stealthy software takes hold of a system; and how to counter anti-debugging, anti-disassembly, and anti-virtual-machine measures. You’ll also learn how bootkits work, and how Windows boots, so that you can better prevent infections in the first place.

Cybercrime syndicates and malicious actors keep pushing the envelope, writing ever more persistent and covert attacks. But the game is not lost. In this low-level tour through the wilds of malware, you’ll learn how to reverse next generation threats. Explore the cutting edge of malware analysis with Rootkits and Bootkits.


About the Author

Alex Matrosov has more than 10 years of experience in malware analysis, reverse engineering, and advanced exploitation techniques. He is a senior security researcher in the Advanced Threat Research team at Intel Security Group; prior to this role, he spent four years focused on advanced malware research at ESET. Matrosov is co-author of numerous research papers, including Stuxnet Under the Microscope, and is frequently invited to speak at major security conferences such as REcon, ZeroNights, Black Hat, and Virus Bulletin.

Eugene Rodionov, PhD, graduated with honors from the Information Security faculty of the Moscow Engineer-Physics Institute. He currently works at ESET, where he is involved with internal research projects and performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies and reverse engineering. Rodionov has spoken at security conferences such as REcon, Virus Bulletin, ZeroNights, CARO and AVAR, and has co-authored numerous research papers.

Sergey Bratus is a Research Associate Professor in the Computer Science Department at Dartmouth College. He has previously worked at BBN Technologies on Natural Language Processing research. Bratus is interested in all aspects of Unix security, in particular in Linux kernel security, and detection and reverse engineering of Linux malware.


Table of Contents

Introduction

Part 1: ROOTKITS
Chapter 1: What's in a Rootkit: The TDL3 Case Study (NOW AVAILABLE)
Chapter 2: Festi Rootkit: The Most Advanced Spam Bot
Chapter 3: Observing Rootkit Infections
Chapter 4: Rootkit Static Analysis: IDA Pro
Chapter 5: Rootkit Dynamic Analysis: WinDbg

Part 2: BOOTKITS
Chapter 6: Bootkit Background and History (NOW AVAILABLE)
Chapter 7: Windows Boot Process Essentials (NOW AVAILABLE)
Chapter 8: Boot Process Security (NOW AVAILABLE)
Chapter 9: Bootkit Infection Technique (NOW AVAILABLE)
Chapter 10: Static Analysis of a Bootkit Using IDA Pro (NOW AVAILABLE)
Chapter 11: Bootkit Dynamic Analysis: Emulation and Virtualization (NOW AVAILABLE)
Chapter 12: Evolving from MBR to VBR Bootkits: Olmasco (NOW AVAILABLE)
Chapter 13: IPL Bootkits: Rovnix & Carberp (NOW AVAILABLE)
Chapter 14: Gapz: Advanced VBR Infection (NOW AVAILABLE)
Chapter 15: Rise of MBR/VBR Ransomware
Chapter 16: UEFI Boot vs. MBR/VBR (NOW AVAILABLE)
Chapter 17: Contemporary UEFI Bootkits
Chapter 18: UEFI Firmware Vulnerabilities

Part 3: DEFENSE AND FORENSIC TECHNIQUES
Chapter 19: How Secure Boot Works
Chapter 20: HiddenFsReader: Bootkits Forensic Approaches
Chapter 21: CHIPsec: BIOS/UEFI Forensics

Part 4: ADVANCED REVERSE ENGINEERING
Chapter 22: Breaking Malware Cryptography
Chapter 23: Modern C++ Malware Reversing
Chapter 24: HexRaysCodeXplorer: Practical C++ Code Reconstruction
