Hacking Exposed Malware & Rootkits: Security Secrets and Solutions, Second Edition

Book Description

Arm yourself for the escalating war against malware and rootkits

Thwart debilitating cyber-attacks and dramatically improve your organization’s security posture using the proven defense strategies in this thoroughly updated guide. Hacking Exposed™ Malware and Rootkits: Security Secrets & Solutions, Second Edition fully explains the hacker’s latest methods alongside ready-to-deploy countermeasures. Discover how to block pop-up and phishing exploits, terminate embedded code, and identify and eliminate rootkits. You will get up-to-date coverage of intrusion detection, firewall, honeynet, antivirus, and anti-rootkit technology.

• Learn how malware infects, survives, and propagates across an enterprise
• See how hackers develop malicious code and target vulnerable systems
• Detect, neutralize, and remove user-mode and kernel-mode rootkits
• Use hypervisors and honeypots to uncover and kill virtual rootkits
• Defend against keylogging, redirect, click fraud, and identity theft
• Block spear phishing, client-side, and embedded-code exploits
• Effectively deploy the latest antivirus, pop-up blocker, and firewall software
• Identify and stop malicious processes using IPS solutions

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Foreword
  7. Acknowledgments
  8. Introduction
  9. Part I Malware
    1. CASE STUDY: Please Review This Before Our Quarterly Meeting
    2. 1 Malware Propagation
      1. Malware Is Still King
      2. The Spread of Malware
      3. Why They Want Your Workstation
      4. Intent Is Hard to Detect
      5. It’s a Business
      6. Significant Malware Propagation Techniques
        1. Social Engineering
        2. File Execution
      7. Modern Malware Propagation Techniques
        1. StormWorm
        2. Metamorphism
        3. Obfuscation
        4. Dynamic Domain Name Services
        5. Fast Flux
      8. Malware Propagation Injection Vectors
        1. Email
        2. Malicious Websites
        3. Phishing
        4. Peer-to-Peer (P2P)
        5. Worms
      9. Summary
    3. 2 Malware Functionality
      1. What Malware Does Once It’s Installed
        1. Pop-ups
        2. Search Engine Redirection
        3. Data Theft
        4. Click Fraud
        5. Identity Theft
        6. Keylogging
        7. Malware Behaviors
      2. Identifying Installed Malware
        1. Typical Install Locations
        2. Installing on Local Drives
        3. Modifying Timestamps
        4. Affecting Processes
        5. Disabling Services
        6. Modifying the Windows Registry
      3. Summary
  10. Part II Rootkits
    1. CASE STUDY: The Invisible Rootkit That Steals Your Bank Account Data
      1. Disk Access
      2. Firewall Bypassing
      3. Backdoor Communication
      4. Intent
      5. Presence and Significance
    2. 3 User-Mode Rootkits
      1. Rootkits
        1. Timeline
        2. Major Features of Rootkits
        3. Types of Rootkits
      2. User-Mode Rootkits
        1. What Are User-Mode Rootkits?
        2. Background Technologies
        3. Injection Techniques
        4. Hooking Techniques
      3. User-Mode Rootkit Examples
      4. Summary
    3. 4 Kernel-Mode Rootkits
      1. Ground Level: x86 Architecture Basics
        1. Instruction Set Architectures and the Operating System
        2. Protection Rings
        3. Bridging the Rings
        4. Kernel Mode: The Digital Wild West
      2. The Target: Windows Kernel Components
        1. The Win32 Subsystem
        2. What Are These APIs Anyway?
        3. The Concierge: NTDLL.DLL
        4. Functionality by Committee: The Windows Executive (NTOSKRNL.EXE)
        5. The Windows Kernel (NTOSKRNL.EXE)
        6. Device Drivers
        7. The Windows Hardware Abstraction Layer (HAL)
      3. Kernel Driver Concepts
        1. Kernel-Mode Driver Architecture
        2. Gross Anatomy: A Skeleton Driver
        3. WDF, KMDF, and UMDF
      4. Kernel-Mode Rootkits
        1. What Are Kernel-Mode Rootkits?
        2. Challenges Faced by Kernel-Mode Rootkits
        3. Methods and Techniques
      5. Kernel-Mode Rootkit Samples
        1. Klog by Clandestiny
        2. AFX by Aphex
        3. FU and FUTo by Jamie Butler, Peter Silberman, and C.H.A.O.S
        4. Shadow Walker by Sherri Sparks and Jamie Butler
        5. He4Hook by He4 Team
        6. Sebek by The Honeynet Project
      6. Summary
        1. Summary of Countermeasures
    4. 5 Virtual Rootkits
      1. Overview of Virtual Machine Technology
        1. Types of Virtual Machines
        2. The Hypervisor
        3. Virtualization Strategies
        4. Virtual Memory Management
        5. Virtual Machine Isolation
      2. Virtual Machine Rootkit Techniques
        1. Rootkits in the Matrix: How Did We Get Here?!
        2. What Is a Virtual Rootkit?
        3. Types of Virtual Rootkits
        4. Detecting the Virtual Environment
        5. Escaping the Virtual Environment
        6. Hijacking the Hypervisor
      3. Virtual Rootkit Samples
      4. Summary
    5. 6 The Future of Rootkits
      1. Increases in Complexity and Stealth
      2. Custom Rootkits
      3. Digitally Signed Rootkits
      4. Summary
  11. Part III Prevention Technologies
    1. CASE STUDY: A Wolf in Sheep’s Clothing
      1. Scareware
      2. Fakeware
      3. Look of Authenticity
      4. Countermeasures
    2. 7 Antivirus
      1. Now and Then: The Evolution of Antivirus Technology
      2. The Virus Landscape
        1. Definition of a Virus
        2. Classification
        3. Simple Viruses
        4. Complex Viruses
      3. Antivirus—Core Features and Techniques
        1. Manual or “On-Demand” Scanning
        2. Real-Time or “On-Access” Scanning
        3. Signature-Based Detection
        4. Anomaly/Heuristic-Based Detection
      4. A Critical Look at the Role of Antivirus Technology
        1. Where Antivirus Excels
        2. Top Performers in the Antivirus Industry
        3. Challenges for Antivirus
      5. The Future of the Antivirus Industry
      6. Summary and Countermeasures
    3. 8 Host Protection Systems
      1. Personal Firewall Capabilities
        1. Personal Firewall Limitations
      2. Pop-Up Blockers
        1. Chrome
        2. Firefox
        3. Microsoft Edge
        4. Safari
        5. Example Generic Pop-Up Blocker Code
      3. Summary
    4. 9 Host-Based Intrusion Prevention
      1. HIPS Architectures
      2. Growing Past Intrusion Detection
      3. Behavioral vs. Signature
        1. Behavioral Based
        2. Signature Based
      4. Anti-Detection Evasion Techniques
      5. How Do You Detect Intent?
      6. HIPS and the Future of Security
      7. Summary
    5. 10 Rootkit Detection
      1. The Rootkit Author’s Paradox
      2. A Quick History
      3. Details on Detection Methods
        1. System Service Descriptor Table Hooking
        2. IRP Hooking
        3. Inline Hooking
        4. Interrupt Descriptor Table Hooks
        5. Direct Kernel Object Manipulation
        6. IAT Hooking
        7. Legacy DOS or Direct Disk Access Hooking
      4. Windows Anti-Rootkit Features
      5. Software-Based Rootkit Detection
        1. Live Detection vs. Offline Detection
        2. System Virginity Verifier
        3. IceSword and DarkSpy
        4. RootkitRevealer
        5. F-Secure’s BlackLight Technology
        6. Rootkit Unhooker
        7. GMER
        8. Helios and Helios Lite
        9. McAfee Rootkit Detective and RootkitRemover
        10. TDSSKiller
        11. Bitdefender Rootkit Remover
        12. Trend Micro Rootkit Buster
        13. Malwarebytes Anti-Rootkit
        14. Avast aswMBR
        15. Commercial Rootkit Detection Tools
        16. Offline Detection Using Memory Analysis: The Evolution of Memory Forensics
      6. Virtual Rootkit Detection
      7. Hardware-Based Rootkit Detection
      8. Summary
    6. 11 General Security Practices
      1. End-User Education
        1. Security Awareness Training Programs
      2. Defense-in-Depth
      3. System Hardening
      4. Automatic Updates
      5. Virtualization
      6. Baked-In Security (from the Beginning)
      7. Summary
    7. Appendix System Integrity Analysis: Building Your Own Rootkit Detector
      1. What Is System Integrity Analysis?
      2. The Two Ps of Integrity Analysis
        1. Pointer Validation: Detecting SSDT Hooks
        2. Patch/Detour Detection in the SSDT
      3. The Two Ps for Detecting IRP Hooks
      4. The Two Ps for Detecting IAT Hooks
      5. Our Third Technique: Detecting DKOM
      6. Sample Rootkit Detection Utility
  12. Index