Cipher Book Review, Issue E149

Rootkits and Bootkits - Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, and Sergey Bratus

No Starch Press 2019.
ISBN-13 978-1-59327-716-1, ISBN-10: 1-59327-716-4 450 pages

Reviewed by  Sven Dietrich   06/06/19 

As we consume our daily dose of Internet connected devices, we may sometimes forget one central concern: "Do I trust my device?" We entrust a lot of personal or proprietary information in our desktops, tablets, smartphones, especially the latter ones that accompany us in our everyday life. Could it have been subverted? And would we even notice?

Alex Matrosov, Eugene Rodionov, and Sergey Bratus provide us with insights into the world of rootkits and bootkits, these nasty ways of achieving exactly that: for malware to stay mostly unnoticed while performing its evil tasks. While rootkits have been much more prevalent, bootkits are now the answer to our ongoing arms race for controlling the boot process, zooming in on the weak(er) spots in the system, and asking the question: "Who's on first?" and "Who's on second?" (and third, of course). The one that's "on first" will most likely control the hardware and any other sophisticated access control mechanism will face the challenge of dealing with a tainted or compromised environment. The book not only explains the basic boot processes down to the firmware and what can live down below there, but supplies the tools for us to inspect and analyze, to quench the thirst of curiosity for the question: "What happened here?"

We tend to forget the complexity of the boot process that leads to the final presentation of an interface that we are familiar with: the operating system, known to us via the Graphical User Interface (GUI), the command line, or dedicated and proprietary hardware interfaces such as those used by Internet of Things (IoT) devices. The authors focus on educating the reader with the foundational knowledge required to grasp the intricacies of grabbing control of the system. Could (or would) one want to take control in a benign manner? Those of you who have jailbroken or rooted your phone may not have realized that you may have affected the boot process of your mobile device to bypass protection mechanisms that are there to protect you... and your device, more often than not via code signatures. A malicious attacker will want to do the same, bypassing the code integrity checks, the system profiling checks also known as secure boot.

The book is divided into three parts: Part I covers Rootkits, Part II describes Bootkits, and Part III discusses Defense and Forensic Techniques. Each part is subdivided into chapters, for a total of 19 chapters altogether. An introduction gives the reader an overview for the best experience with the book, and a set of abbreviations allows the unfamiliar reader to quickly come up to speed.

In Part I, the reader can explore Rootkits in three chapters. The first chapter is a case study of the TDL3 rootkit with a historical overview of its impact, the infection mechanism, the kernel hooks, how the hidden filesystem worked, and how it met its match. After this appetizer, the reader can continue on to the Festi Rootkit in chapter two, which covers a botnet with distributed denial-of-service and spam attacks, and learn about how this rootkit inserted itself into a system and managed to "fly under the radar" and resist analysis with anti-debugging and anti-virtualization techniques. Lastly, chapter three discusses a variety of techniques, mostly Windows-centric, for the rootkit to bypass detection or protection mechanisms by intercepting them.

In Part II, the reader, primed by the first part, can delve into the depths of bootkits in thirteen chapters. From the history of the bootkit via the 1971 Creeper and the boot sector viruses of the MS-DOS days to more recent occurrences, the authors describe how the advent of the secure boot process (e.g. with the Unified Extensible Firmware Interface aka UEFI) and code signing policies have pushed malware developers to get closer and closer to the hardware for gaining control earlier, ideally first. In these chapters, the reader learns about the first bootkit as well as modern, more contemporary bootkits, how to analyze them statically using reverse engineering tools or even dynamically via emulation and virtualization, about case studies of bootkits, and about the difference between legacy boot modes (e.g. master boot record or volume boot record) and UEFI secure boot. This part is rounded off with descriptions of master boot record ransomware and UEFI vulnerabilities.

In Part III, the authors describe defense and forensic techniques for dealing with rootkits and bootkits in three chapters. The first chapter here covers the UEFI secure boot process, explaining verified and measured boot processes. The second chapter in here is all about analyzing hidden filesystems that these rootkits/bootkits create. The last chapter in this part covers BIOS/UEFI forensics, and raises our paranoia as we progress the point of reading out firmware chips for doing forensics on that code. In the end, we realize that modifying firmware is a way to be "on first."

The book uses a mix of text, command line examples, code snippets, and screenshots to keep the reader interested at multiple levels. While there is no classical bibliography, the book does have web links throughout for more background information.

Alex Matrosov, Eugene Rodionov, and Sergey Bratus are experts in their field that have delivered a solid hands-on technical book. While enthralled with the stories from the trenches, I got flashbacks of my days of analyzing rootkits on SunOS and Solaris workstations about 20 years ago. It was a fun book to read.

Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org