The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System (2ed)
by Bill Blunden

Wordware Press 2013.
ISBN 978-1-4496-2636-5. USD 40.71; Table of Contents.

Reviewed by Richard Austin, 01/28/2014

This is a new edition of a book that was originally reviewed in 2010 (previous review).

While the book retains the previous edition's highly technical presentation of the ins and outs of rootkits and how they work, it displays an enhanced focus on anti-forensics. One of the factors that makes modern rootkits so dangerous is their ability to hide in plain sight and remain undiscovered by the usual defensive measures we have in place (e.g., anti-malware, intrusion detection). As Blunden notes, "A well-designed rootkit will make a compromised system appear as nothing as wrong" (p. 12). The goals of a rootkit are basically to maintain a foothold that provides the adversary long-term access to a system and a surveillance capability (e.g., credential capture, data exfiltration).

Anti-forensics is focused on minimizing "the quality and quantity of useful trace evidence that is generated in addition to assuring that the quality of information is also limited" (p. 35). Or, to put it another way, it is very hard to defeat what you cannot see. Supporting this theme, Blunden provides a detailed exploration of how this is actually accomplished. First, he explores "postmortem" analysis (the processes performed after a system is imaged, using classic digital forensics techniques) and explains how both disk and executable analysis can be defeated. However, he notes (p. 402) that, ideally (from an adversary's point of view), these techniques should be of limited use because the best rootkits never leave traces on disk in the first place.

The second half (by page count) of the book is devoted to how live response can be defeated. "Live response" is an umbrella term for the techniques used to investigate a running system for evidence of intrusion. Defenders developed live response to counter adversaries' use of techniques such as memory-only malware. As might be expected, in the continuing dance of attack and defense, adversaries were quick to respond. Be advised that even with the author's substantial introduction (chapters 3-6), your humble correspondent found himself leafing through the Intel architecture manuals more than once as he followed the presentation.

As I said in my original review, this is a very dangerous book. However, it is also a critically useful book and deserves careful study by the technical security professional. Blunden has resisted the temptation to change a page here and there and call it a "new edition" by doing a substantial reorganization and update of the text. The focus on anti-forensics, though a core component in the original edition, is now the thread that binds the topics together. Definitely a recommended read.

It has been said, "Be careful, for writing books is endless, and much study wears you out," so Richard Austin fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org.