Malware and other threats are reported on and written about so ubiquitously that we tend to gloss over them. We have heard the advice 1,000 times - keep your system updated, don't click on unknown links, keep backups, etc. So another book on malware and other threats can be met with a yawn.
Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats from No Starch Press is different. First of all, the authors have outstanding credentials. For example, Alex Matrosov is a leading offensive security researcher at NVIDIA. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at the Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers and is a frequent speaker at security conferences, including REcon, ZeroNights, Black Hat, DEFCON, and others. Alex received an award from Hex-Rays for his open source plug-in HexRaysCodeXplorer, supported since 2013 by the team at REhint. Wow.
The book gives an evolutionary/historical look at rootkits and bootkits, including the newer classes of malware that target the BIOS and chipset firmware, which current Windows defensive software can't reach. It covers the boot process for 32-bit and 64-bit Windows. So you will learn how Windows boots, including 32-bit, 64-bit, and UEFI mode, and where vulnerabilities can be found, as well as the details of boot process security mechanisms like Secure Boot, including an overview of Virtual Secure Mode (VSM) and Device Guard.
The first part covers rootkits, and the authors look at "classic" OS-level rootkits such as TDL3 and Festi. These case studies show how attackers view the operating system internals and compose their implants using the structure of the OS. You will read about reverse engineering and forensic techniques for analyzing real malware.
Part 2 focuses on bootkits, and the authors dive into the Windows boot process and what has changed over time. This includes the Master Boot Record, partition tables, the bootmgr module, and so on. It is very complete and includes coverage of newer virtualization approaches and ransomware.
Part 3 deals with the forensics of bootkits, rootkits, and other BIOS threats. https://nostarch.com/rootkits will get you updates and more resources, like a link to the authors' website for source code and more.
I did not read the book cover to cover and, unless you are a security professional, I expect you won't either. But I jumped around and learned more about things I thought I already knew well (like the legacy boot process) and lived through (remember the Brain virus on 360K floppies?).
It's a great resource to have and I am sure I will be visiting it more in the future for specific answers and techniques because the bad guys just do not stop. Recommended.
Great Lakes Geek Rating: 4 out of 5 pocket protectors.
Reviewed by Entreprenerd Dan Hanson, the Great Lakes Geek
What are you reading? Let us know at firstname.lastname@example.org