Rootkits and Bootkits

Rootkits and Bootkits

Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
January 2019 (estimated), 504 pp.

Order now and get early access to the PDF eBook!
(What's that?)
(Which chapters are available now?)

Get 30% off with the coupon code EARLYBIRD

Rootkits and Bootkits delivers a master class in malware evolution that will give you the techniques and tools necessary to counter sophisticated, advanced threats. We’re talking hard stuff – attacks buried deep in a machine’s boot process or UEFI firmware that keep malware analysts up late at night.

Security experts Alex Matrosov, Eugene Rodionov, and Sergey Bratus share the knowledge they’ve gained over years of professional research. With these field notes, you’ll trace malware evolution from rootkits like TDL3 to present day UEFI implants and examine how these malware infect the system, persist through reboot, and evade security software. While you inspect real malware under the microscope, you’ll learn:

  • The details of the Windows boot process, from 32-bit to 64-bit and UEFI, and where it’s vulnerable.
  • Boot process security mechanisms like Secure Boot, the kernel-mode signing policy include some details about recent technologies like Virtual Secure Mode (VSM) and Device Guard.
  • The reverse engineering and forensic approaches for real malware discovered in the wild, including bootkits like Rovnix/Carberp, Gapz, TDL4 and the infamous rootkits TDL3 and Festi.
  • How to perform boot process dynamic analysis using emulation and virtualization
  • Modern BIOS-based rootkits and implants with directions for forensic analysis

Cybercrime syndicates and malicious actors keep pushing the envelope, writing ever more persistent and covert attacks. But the game is not lost. Explore the cutting edge of malware analysis with Rootkits and Bootkits.

Covers boot processes for Windows 32-bit and 64-bit operating systems.

Author Bio 

Alex Matrosov has more than 15 years experience with reverse engineering, Windows internals and advanced rootkits analysis. He is a Principal Research Scientist at Cylance. Before joining Cylance, Alex served as Security Researcher at Intel Security Center of Excellence (SeCoE) where he leads BIOS security for Client Platforms. Prior to this role, he spent four years focused on advanced malware and anti-rootkit research at ESET. Matrosov is co-author of numerous research papers including Stuxnet Under the Microscope, and is frequently invited to speak at major security conferences such as REcon, ZeroNights, Black Hat and DEF CON.

Eugene Rodionov, PhD, graduated with honors from the Information Security faculty of the Moscow Engineer-Physics Institute. He currently works at ESET, where he is involved with internal research projects and performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies and reverse engineering. Rodionov has spoken at security conferences such as REcon, Virus Bulletin, ZeroNights, CARO and AVAR, and has co-authored numerous research papers.

Sergey Bratus is a Research Associate Professor in the Computer Science Department at Dartmouth College. He has previously worked at BBN Technologies on Natural Language Processing research. Bratus is interested in all aspects of Unix security, in particular in Linux kernel security, and detection and reverse engineering of Linux malware.

Table of contents 

Chapter 1: Observing Rootkit Infections
Chapter 2: What’s in a Rootkit: The TDL3 Case Study (NOW AVAILABLE)
Chapter 3: Festi Rootkit: The Most Advanced Spam Bot (NOW AVAILABLE)

Chapter 4: Bootkit Background and History (NOW AVAILABLE)
Chapter 5: Operating System Boot Process Essentials (NOW AVAILABLE)
Chapter 6: Boot Process Security (NOW AVAILABLE)
Chapter 7: Bootkit Infection Techniques (NOW AVAILABLE)
Chapter 8: Static Analysis of a Bootkit Using IDA Pro (NOW AVAILABLE)
Chapter 9: Bootkit Dynamic Analysis: Emulation and Virtualization (NOW AVAILABLE)
Chapter 10: Evolving from MBR to VBR Bootkits: Olmasco (NOW AVAILABLE)
Chapter 11: IPL Bootkits: Rovnix & Carberp (NOW AVAILABLE)
Chapter 12: Gapz: Advanced VBR Infection (NOW AVAILABLE)
Chapter 13: Rise of MBR Ransomware (NOW AVAILABLE)
Chapter 14: UEFI Boot vs. the MBR/VBR Boot Process (NOW AVAILABLE)
Chapter 15: Contemporary UEFI Bootkits
Chapter 16: UEFI Firmware Vulnerabilities

Chapter 17: How Secure Boot Works
Chapter 18: Bootkit Forensic Approaches (NOW AVAILABLE)
Chapter 19: BIOS/UEFI Forensics