The Rootkit Arsenal
Nicola Hahn writes "One of the first things I noticed while flipping through this hefty book is the sheer number of topics covered. Perhaps this is a necessity. As the author puts it, rootkits lie "at the intersection of several related disciplines: computer security, forensics, reverse-engineering, system internals, and device drivers." Upon closer inspection, it becomes clear that great pains have been taken to cover each subject in sufficient depth and to present ideas in a manner that's both articulate and well organized. This accounts for the book's girth; it weighs in at roughly 900 pages." Keep reading for the rest of Nicola's review.
This book is comprehensive enough to appeal to both novices and journeymen. To set the stage, the Rootkit Arsenal begins with a review of foundation material: the IA-32 execution environment, memory management, kernel-mode subtleties, call hooking, detour patching, and so forth. Yet, while the author devotes a significant amount of effort to explaining prerequisites and customary rootkit techniques, there's an abundance of more sophisticated content to engage more experienced members of the audience. For example, his explanation of how to use the WSK API and the most recent incarnation of the NDIS library (version 6.0) to construct covert channels over DNS is worth a read. I also appreciated his meticulous discussion of how to properly install Call Gates and handle the foibles of multi-processor systems.

The Rootkit Arsenal
author | Reverend Bill Blunden
pages | 916
publisher | Wordware Publishing
rating | 5 Shuriken
reviewer | Nicola Hahn
ISBN | 1598220616
summary | A solid treatment of rootkits and anti-forensics
One of the book's strong points is that there's coverage of issues which traditionally haven't appeared in books on this subject. For instance, there are several sections devoted to the Windows startup process and how it relates to the operation of bootkits. Part 3 of the book, which consists of four chapters, focuses on anti-forensics, with an emphasis on defeating file system analysis and the examination of an unknown executable. To this end, Reverend Bill ventures off into the tactics used to implement binary armoring, FISTing, obfuscation, code morphing, file scrubbing, and data contraception.
Not content to merely explain the basic mechanics of a particular scheme, Reverend Bill often illustrates how he derived his results and encourages the reader to verify what they've seen with a kernel debugger. This is a recurring theme throughout the book. Rather than just teach the reader a collection of tricks, the author demonstrates how the reader can identify new ones independently. After all, specific holes come and go, but the art of finding new ones will always have utility. This more than justifies the lengthy discussion of kernel debugging earlier on in the book.
All told, the book is reasonably self-contained. The source code examples are clean, instructive, and have been included in the book's appendix. As Reverend Blunden notes, the "Rootkit Arsenal" isn't about a specific rootkit that someone wrote (though such books exist). It's really about the rootkit that the reader will construct, such that the focus is on the nature of the tactics rather than a proof-of-concept rootkit. In this spirit, examples are long enough to illuminate potential sticking points but not so long that the reader feels like they're wading through mud in search of diamonds.
The author also exhibits good form in terms of giving credit where it's due. In the book's preface he specifically acknowledges a number of researchers who have made lasting contributions to the collective repository of knowledge (Mark Ludwig, Greg Hoglund, the grugq, Sven Schreiber, Joanna Rutkowska, Richard Bejtlich, etc.). While the author admits that many of the book's ideas can be unearthed by skulking about obscure regions of the internet, the real service that this book provides is to consolidate all of this disparate information together into one place, offering working implementations of each concept, and doing so in a remarkably lucid manner.
Yet, is this a responsible thing to do? Is it wise to show aspiring Black Hats how to manipulate forensic evidence so that they can implicate innocent people? Will publicizing the finer points of system modification make life easier for aspiring bad guys? Is he basically handing the reader a loaded gun and teaching them the nuances of a kill shot?
To a degree, Reverend Blunden sidesteps this issue as irrelevant. In the end he claims that he's just a broker of information, and that he doesn't care who uses the information or how they use it. If you ask me, this is a bit of a cop out (he sounds a little like an arms dealer). Furthermore, he accuses other authors (the ones who fall back on the traditional argument that they're bolstering security by encouraging vendors to improve their products) of churching up their books in "ethical window dressing." In the eyes of Reverend Bill, this book is what it is ...without apology: another source of useful data.
If I had one complaint about the Rootkit Arsenal, it's that the author sticks primarily to software-based rootkit technology. For instance, he eschews BIOS-based tools. At one point the author states:
"In my opinion, a firmware-based rootkit is essentially a one-shot deal that should only be used in the event of a high-value target where the potential return would justify the R&D required to build it. Also, because of the instance-specific nature of this technique, I'd be hard pressed to offer a single recipe that would be useful to the majority of the reading audience. Though a firmware-related discussion may add a bit of novelty and mystique, in the greater scheme of things it makes much more sense to focus on methods which are transferable from one motherboard to the next."
Last but not least, the author's tendency towards the political arena, which defined a couple of his previous books, rears its head again in The Rootkit Arsenal's final chapter. Here, the good Reverend suggests that if it's possible to control a sprawling operating system like Windows with a relatively small rootkit binary, then perhaps the metaphor carries over into the body politic of the United States. Could a small segment of the population be quietly influencing the trajectory that society takes? Dave Emory and Noam Chomsky look out!
Readers interested in getting a closer look at the book's organization and table of contents can visit the author's web site.
Is this a responsible thing to do? (Score:5, Insightful)
> is this a responsible thing to do?
Of course it is. How can we implement security if we don't understand the ways we can be attacked?
not pleased with this review (Score:1, Insightful)
I really would prefer that Slashdot not help promote a book that is intended to help educate would-be malware coders. While I realize the information would still be out there without this review, Slashdot is undoubtedly contributing sales to the author by raising the profile of this book.
Seth
Re:Is this a responsible thing to do? (Score:2, Insightful)
Also this information *IS* already out there. All it does is remove a bit of leg work needed. If you are savvy enough to make a rootkit, digging for it would not exactly be out of reach...
time (Score:5, Insightful)
Forensics is such an incredibly time-consuming process, most businesses have no time for it. Reimage the machine and get back to work. It's a shame.
Re:not pleased with this review (Score:5, Insightful)
I understand that in today's society there are enough people who have ignored their responsibilities and obligations as well as the laws of the land and common decency towards others that you immediately think to the worst that can happen.
However, the premise of innocent until proven guilty has a deeper meaning towards society in that they will obey the laws of the society and that when faced with the question, they will act responsibly, ethically, and legally. In other words, it's not just a principle that allows criminals to get out of trouble. It's a deeper ideal that speaks to society and how we want to be in general. It's a reflection of values provided by society that people will not act on their own in an unlawful way if they know of the law and have legal options. Based on that simple principle, we need the freedom to educate people who will act in favor of us and in ways detrimental to those who would harm us. If I say "this is how people get killed", it could be enough for someone to know how to kill someone. However, at the same time, it is enough so that others can make changes that stop people from getting killed in that way.
This book, even though it has the potential of training/educating future malware coders, also has the same if not more potential to train the people who will make the malware ineffective and/or obsolete. Most of the people who would read it would likely have the potential of doing good rather than bad, even if the bad they did was because they thought they were doing good.
When looking at the good in people, or the potential for good, I see nothing wrong with this book nor do I see anything wrong with a review on it. I would hope you can consider this optimistic outlook and wait until you are proven wrong on the concept before taking the negative attitude toward it. Sometimes it's hard to do, especially when we are bombarded by negative news about the failings of people all the time, but I know that they are a minority of society because we simply wouldn't have enough time to hear about the negatives of everyone if that was the case.
Re:not pleased with this review (Score:3, Insightful)
I think your explanation of "presumption of innocence" is very good, even inspiring. And the reviewer seems to be on the same page with it.
If the reviewer's characterization of the book is accurate however, the book's author does not share this enlightened value. He's not saying "this is how people get killed, and I implicitly presume that you'll use this information innocently". He's saying "this is how people get killed, and whether you use it to protect or murder people is fine with me." That is an overtly amoral stance, and it is reasonable for people to criticize it. The value of the book may far outweigh this defect, but that's a judgment call.
I don't think the parent post deserved to be modded a troll.
Re:time (Score:4, Insightful)
Security engineer: "Our network logs show there is some sort of rootkit or bot on labAD01, boss."
Boss geekymachoman: "Find out how it got on there and what it did."
Security engineer: "OK, should take about three days to do a full forensic analysis."
Boss geekymachoman: "What? We can't delay all the other projects by three days! I hired you to do a job! Do it instantly or I will sack you! And I want a pony."
Yeah... it sure would be great working with you, buddy!
Re:not pleased with this review (Score:4, Insightful)
Hey, fuck you. This shit is fascinating, but I don't care to go trawling through the dark underbelly of the internet to get to it. People who actually plan to write rootkits can already get this information. Curious onlookers can't get it easily, until now.
I've never synthesized a drug in my life, and don't plan to. But PiHKAL [erowid.org] is still one of my favorite books. What's so bad about that?
Re:time (Score:1, Insightful)
Point number 2: REALLY? I get moving production onto another server if you have clean backups. But saying you're going to clean up a hacked system is unprofessional madness for anything but the lowest common denominator of virus--and even then, you're basically flipping a coin and hoping that it wasn't just used as a vector for something bigger and nastier--hiding in the obvious. You ever heard of t0rn--a rootkit that had another rootkit hidden in it... not that anyone knew for a few years.
Many of the hacks I've seen studied and reversed have taken a minimum of 30-40 hours for people to reverse, and often up into the hundreds. There's contests devoted to it. Unless you're talking driveby downloads you're way off mark.
So, you'll block what the rootkit does, and allow the core of the business...? You mean like you should have in the firewall to start with? What if it communicates through outbound ICMP, DNS, or even on port 80/443? I've seen all but ICMP in the wild, and I've got the software to tunnel through ICMP on my drives... And that's not getting into the *really* stealthy stuff.
How do you block out a threat you haven't even identified yet, where the attack had absolute access to the hardware, may have broken out of the VM, or blue pilled the operating system? You don't actually think your antivirus will catch every rootkit out there do you? You're going to have to shut it off anyway to scan--there's already ones that will hijack the system calls the A/V makes.
And I bet whatever A/V you run will recognize the exploit too... What're you going to do, send the entire disk to Symantec and tell them it got hacked somehow? There's documented cases of rootkits in freaking printers--these people have experience hiding their code.
Don't tell me you're going to clean that problem up in three days. You're going to get rid of everything you know about and find on it in three days, and pray that your boss never finds out.
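The comment above asks how you block a channel you have not identified yet when it rides outbound DNS, and the review itself singles out the book's chapter on building covert channels over DNS with WSK and NDIS 6.0. As an added example (not from the book, the review, or any commenter in this thread), here is a small heuristic detector for DNS tunnelling run over constructed query-log lines. It assumes a BIND-style log format ("query: <name> IN <type>"), treats the last two labels of a name as the zone (a real deployment would use a public-suffix list), and flags a zone only when at least two of three signals agree: long labels, high-entropy labels, and a high share of TXT/NULL queries. The thresholds are illustrative, not tuned against real traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines (not from any real capture), in an assumed
# BIND-style query-log format: "<ts> client <ip>#<port>: query: <name> IN <type>".
# Two benign zones plus one zone carrying hex-encoded payload in long TXT/NULL labels.
SAMPLE_LOG = """\
2024-01-01T10:00:01 client 10.0.0.5#51234: query: www.example.com IN A
2024-01-01T10:00:02 client 10.0.0.5#51235: query: mail.example.com IN MX
2024-01-01T10:00:03 client 10.0.0.7#40001: query: 4a6f686e20446f65.data.evil-tunnel.test IN TXT
2024-01-01T10:00:04 client 10.0.0.7#40002: query: 7a9c1e2b3d4f5a6b7c8d9e0f1a2b3c4d.data.evil-tunnel.test IN TXT
2024-01-01T10:00:05 client 10.0.0.7#40003: query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0.data.evil-tunnel.test IN TXT
2024-01-01T10:00:06 client 10.0.0.7#40004: query: 0102030405060708090a0b0c0d0e0f10.data.evil-tunnel.test IN TXT
2024-01-01T10:00:07 client 10.0.0.5#51236: query: cdn.example.com IN A
2024-01-01T10:00:08 client 10.0.0.9#40005: query: a1b2c3d4e5f60718293a4b5c6d7e8f90.data.evil-tunnel.test IN NULL
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)")
# Record types that carry arbitrary payload and are rare in normal client traffic.
RARE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex/base32 payload scores far above real words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_queries(log_text: str):
    """Return (name, qtype) pairs from lines matching the assumed log format."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("name").rstrip(".").lower(), m.group("qtype")))
    return out


def split_zone(name: str):
    """Assumption: the zone is the last two labels; everything before is the subdomain."""
    labels = name.split(".")
    if len(labels) < 3:
        return name, []
    return ".".join(labels[-2:]), labels[:-2]


def zone_stats(queries):
    """Aggregate per-zone features over the subdomain part of each query."""
    per_zone = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "rare": 0, "total": 0})
    for name, qtype in queries:
        zone, sub = split_zone(name)
        if not sub:
            continue  # bare zone queries carry no tunnelled data
        st = per_zone[zone]
        longest = max(sub, key=len)
        st["subs"].add(".".join(sub))
        st["lens"].append(len(longest))
        st["ents"].append(shannon_entropy(longest))
        st["rare"] += qtype in RARE_QTYPES
        st["total"] += 1
    return {
        zone: {
            "queries": st["total"],
            "unique_subdomains": len(st["subs"]),
            "mean_label_len": sum(st["lens"]) / len(st["lens"]),
            "mean_entropy": sum(st["ents"]) / len(st["ents"]),
            "rare_qtype_fraction": st["rare"] / st["total"],
        }
        for zone, st in per_zone.items()
    }


def flag_tunnel_zones(log_text, min_unique=3, label_len=20, entropy=3.2, rare_fraction=0.5):
    """Flag zones with enough distinct subdomains where at least two signals agree."""
    flagged = {}
    for zone, s in zone_stats(parse_queries(log_text)).items():
        if s["unique_subdomains"] < min_unique:
            continue
        signals = (
            s["mean_label_len"] >= label_len,
            s["mean_entropy"] >= entropy,
            s["rare_qtype_fraction"] >= rare_fraction,
        )
        if sum(signals) >= 2:
            flagged[zone] = s
    return flagged


if __name__ == "__main__":
    for zone, s in flag_tunnel_zones(SAMPLE_LOG).items():
        print(f"{zone}: {s['queries']} queries, mean label {s['mean_label_len']:.1f} chars, "
              f"entropy {s['mean_entropy']:.2f} bits, rare-type share {s['rare_qtype_fraction']:.2f}")
```

Requiring two agreeing signals is what keeps CDNs and content-hash hostnames (many unique, fairly long subdomains, but ordinary A/AAAA lookups) out of the flagged set; a tunnel that uses A records with short labels to stay under these thresholds trades bandwidth for stealth, which is exactly the kind of channel the commenter is warning about.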
Re:time (Score:4, Insightful)
It is horribly obvious you have never even attempted a forensic analysis of an infected machine. Stop embarrassing yourself. Reimaging is NOT a forensic analysis. Reimaging does not take three days. Analysis takes three days AT MINIMUM for something like a rootkit.
I am a security engineer in a large, international software company with multiple datacenters. You are a punk kid talking out his rear. You're not fooling anyone.