The Rootkit Arsenal
Nicola Hahn writes "One of the first things I noticed while flipping through this hefty book is the sheer number of topics covered. Perhaps this is a necessity. As the author puts it, rootkits lie "at the intersection of several related disciplines: computer security, forensics, reverse-engineering, system internals, and device drivers." Upon closer inspection, it becomes clear that great pains have been taken to cover each subject in sufficient depth and to present ideas in a manner that's both articulate and well organized. This accounts for the book's girth; it weighs in at roughly 900 pages." Keep reading for the rest of Nicola's review.
The Rootkit Arsenal
author: Reverend Bill Blunden
pages: 916
publisher: Wordware Publishing
rating: 5 Shuriken
reviewer: Nicola Hahn
ISBN: 1598220616
summary: A solid treatment of rootkits and anti-forensics
This book is comprehensive enough to appeal to both novices and journeymen. To set the stage, the Rootkit Arsenal begins with a review of foundation material: the IA-32 execution environment, memory management, kernel-mode subtleties, call hooking, detour patching, and so forth. Yet, while the author devotes a significant amount of effort to explaining prerequisites and customary rootkit techniques, there's an abundance of more sophisticated content to engage more experienced members of the audience. For example, his explanation of how to use the WSK API and the most recent incarnation of the NDIS library (version 6.0) to construct covert channels over DNS is worth a read. I also appreciated his meticulous discussion of how to properly install Call Gates and handle the foibles of multi-processor systems.
One of the book's strong points is that there's coverage of issues which traditionally haven't appeared in books on this subject. For instance, there are several sections devoted to the Windows startup process and how it relates to the operation of bootkits. Part 3 of the book, which consists of four chapters, focuses on anti-forensics, with an emphasis on defeating file system analysis and the examination of an unknown executable. To this end, Reverend Bill ventures off into the tactics used to implement binary armoring, FISTing, obfuscation, code morphing, file scrubbing, and data contraception.
Not content to merely explain the basic mechanics of a particular scheme, Reverend Bill often illustrates how he derived his results and encourages the reader to verify what they've seen with a kernel debugger. This is a recurring theme throughout the book. Rather than just teach the reader a collection of tricks, the author demonstrates how the reader can identify new ones independently. After all, specific holes come and go, but the art of finding new ones will always have utility. This more than justifies the lengthy discussion of kernel debugging earlier on in the book.
All told, the book is reasonably self-contained. The source code examples are clean, instructive, and have been included in the book's appendix. As Reverend Blunden notes, the "Rootkit Arsenal" isn't about a specific rootkit that someone wrote (though such books exist). It's really about the rootkit that the reader will construct, such that the focus is on the nature of the tactics rather than a proof-of-concept rootkit. In this spirit, examples are long enough to illuminate potential sticking points but not so long that the reader feels like they're wading through mud in search of diamonds.
The author also exhibits good form in terms of giving credit where it's due. In the book's preface he specifically acknowledges a number of researchers who have made lasting contributions to the collective repository of knowledge (Mark Ludwig, Greg Hoglund, the grugq, Sven Schreiber, Joanna Rutkowska, Richard Bejtlich, etc.). While the author admits that many of the book's ideas can be unearthed by skulking about obscure regions of the internet, the real service that this book provides is to consolidate all of this disparate information together into one place, offering working implementations of each concept, and doing so in a remarkably lucid manner.
Yet, is this a responsible thing to do? Is it wise to show aspiring Black Hats how to manipulate forensic evidence so that they can implicate innocent people? Will publicizing the finer points of system modification make life easier for aspiring bad guys? Is he basically handing the reader a loaded gun and teaching them the nuances of a kill shot?
To a degree, Reverend Blunden sidesteps this issue as irrelevant. In the end he claims that he's just a broker of information, and that he doesn't care who uses the information or how they use it. If you asked me, this is a bit of a cop out (he sounds a little like an arms dealer). Furthermore, he accuses other authors (the ones who fall back on the traditional argument that they're bolstering security by encouraging vendors to improve their products) of churching up their books in "ethical window dressing." In the eyes of Reverend Bill, this book is what it is... without apology: another source of useful data.
If I had one complaint about the Rootkit Arsenal, it's that the author sticks primarily to software-based rootkit technology. For instance, he eschews BIOS-based tools. At one point the author states:
"In my opinion, a firmware-based rootkit is essentially a one-shot deal that should only be used in the event of a high-value target where the potential return would justify the R&D required to build it. Also, because of the instance-specific nature of this technique, I'd be hard pressed to offer a single recipe that would be useful to the majority of the reading audience. Though a firmware-related discussion may add a bit of novelty and mystique, in the greater scheme of things it makes much more sense to focus on methods which are transferable from one motherboard to the next."
Last but not least, the author's tendency towards the political arena, which defined a couple of his previous books, rears its head again in The Rootkit Arsenal's final chapter. Here, the good Reverend suggests that if it's possible to control a sprawling operating system like Windows with a relatively small rootkit binary, then perhaps the metaphor carries over into the body politic of the United States. Could a small segment of the population be quietly influencing the trajectory that society takes? Dave Emory and Noam Chomsky look out!
Readers interested in getting a closer look at the book's organization and table of contents can visit the author's web site.
You can purchase The Rootkit Arsenal from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This story on how to create malware comes immediately following a story on Slashdot about the increase in Malware.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
As the author puts it, rootkits lie "at the intersection of several related disciplines: computer security, forensics, reverse-engineering, system internals, and device drivers."
Subdivide all you want - computer science is a single discipline.
> is this a responsible thing to do?
Of course it is. How can we implement security if we don't understand the ways we can be attacked?
I really would prefer that Slashdot not help promote a book that is intended to help educate would-be malware coders. While I realize the information would still be out there without this review, Slashdot is undoubtedly contributing sales to the author by raising the profile of this book.
Seth
$5 / month hosted VPS on linux = awesome!
Binary armour and FISTing? That second term certainly clarifies the need for the first.
What accounts for CmdrTaco's girth?
Too many tacos?
Rootkits?? I just use miracle grow.
Let me rephrase that:
Computers should ship with an "alternative" boot environment that cannot be permanently changed, only toggled to and from the main boot environment.
The job of the alternative boot environment is to allow cleanup tools to delete threats.
An example of how this could be done in Vista:
Boot computer using a back-up, read-only firmware to a Vista CD that had a stripped-down network stack or stripped-down USB-drivers. Having stripped-down software removes some points of vulnerability. From the clean BIOS+Vista boot, load and authenticate security modules. These can be loaded from a web site or external media. The authentication is key: If it's not authenticated it's rejected. The authenticated security modules would then clean up the system as best they could, and would run a heuristic analysis on the non-booted environment to look for remaining suspicious behavior, such as the loading of unsigned device drivers or a BIOS that contains non-authenticated patches.
Why Vista? It's not the best technical solution but in a year or two it will be the most familiar bootable CD out there.
As a side bonus, a similar "clean boot environment" can be used for web-access kiosks. However, these would need a richer network stack, a web browser and plugins, and would need to be re-created almost daily to keep up with security threats. An immutable BIOS with a CD that loads, authenticates, and runs a "boot image" over the network, with a daily reboot to grab the freshest image, might be the way to go here.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This book is about how to destroy the environment!
1) Write 900 page book
2) Publicize book
3) ???
4) Destroy the environment, er, I mean, PROFIT!
Too bad curling up with a Kindle isn't my idea of fun.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Forensics is such an incredibly time-consuming process, most businesses have no time for it. Reimage the machine and get back to work. It's a shame.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I would really like to hear from someone who has experience in that domain comment on or review these books. We always have these nobodies that we can't really do a search on, but if you had someone that worked at the NSA and said "yep, this is a great book about cryptology" or someone at the FBI saying "yep, this book is the one that is effective in helping someone create the perfect background search" etc.
For once, just....for once. :(
Please stick to standard topic images.
(Yes, I will be blocking these images if possible... sure would be nice if it were an option though.)
Rootkit: The New Scientology. Our Kool-Aid isn't just tasty, it's ubicwi, ubitiquis, ubitquit... it's everywhere.
"a quasi-satirical religion"
I've yet to see a religion that isn't quasi-satirical, at the very least.
Apparently from your judgmental comment, you believe in an Imaginary Friend that is always serious then?
Boring.
From the book review above: "It's really about the rootkit that the reader will construct, such that the focus is on the nature of the tactics rather than a proof-of-concept rootkit."
This isn't about security. It's not written from the perspective of, "Attackers will use these techniques, you need to defend in this manner." This is a "Here is how you do some lame shit" guide. I'm not advocating security through obscurity. I'm saying, the guy who wrote this book is trying to make money by equipping retards with information to fuck up people's computers. I would have hoped Slashdot would promote books intended to help protect people's computers.
Seth
$5 / month hosted VPS on linux = awesome!
If the BIOS is immutable or at least guaranteed-clean-replaceable, "I detected and removed the hard drive" and replacing the infected component gives you a usable machine.
Not sure, but for some reason the Knoppix stuff couldn't deal with SATA chipsets. That might be why they haven't released anything in a while. But that INSERT disc used to be my fave, too.
Seth
$5 / month hosted VPS on linux = awesome!
I trust there are chapters dedicated to Sony & EMI, purveyors of fine stealthy rootkits.
I just returned from a week-long Information Security convention for my government agency. It was eye opening how vulnerable supposedly "secure" systems are, especially after the Gartner and NIST speakers finished their presentations. It seems that locking up your computer in a lead-lined box and burying it in a hole 12 feet deep is about what you need to do, lol. They also talked about RFID and how very vulnerable, for example, the new passports -- which have much of your private info on them -- with the encrypted RFID chips in them are. Also how there are contests to see who can pick up RFID and wifi signals from the farthest away. I believe he said they got up to 100ft for RFIDs and 3 miles for those 300ft radius wifi routers.