The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
by Reverend Bill Blunden
Wordware Press 2009.
ISBN 978-1-59822-061-2. Amazon.com USD 32.97
Reviewed by Richard Austin May 24, 2010
Be warned, this is a dangerous book. When an author can couple deep knowledge and understanding with the ability to clearly present difficult material through the written word, actions may ensue. When that potential is used to explore one of the most feared denizens of the malware menagerie, the rootkit, the result at the very least is dangerous. Blunden does not shy away from the danger but meets the objections head-on in terms that will be familiar to those of us who support (at least in some form) the philosophy of full-disclosure: the bad people already know this stuff. He sums this viewpoint up with an especially apt quote on page 3, "The best safecrackers in the business never steal a penny. They work for UL" (Underwriters Laboratory). If we are to successfully defend our infrastructures, we must understand the weapons that will be used against us.
Blunden divides his presentation into four parts: fundamentals, system modification, anti-forensics and a lengthy appendix of hands-on projects that apply the material.
Part 1 (Fundamentals) opens with a chapter on "Setting the Stage" which describes his own first encounter with a rootkit and then moves on to define rootkits in terms of the services they provide: concealment, command and control (C2) and surveillance. This focus on function rather than form is a deep insight that runs through the rest of the book.
Chapter two (Into the Catacombs: IA-32) presents an excellent introduction to the widely used computer architecture, IA32, by skillfully presenting the required information but no more. The discussion is immediately applied through constructing a terminate-and-stay-resident (TSR) keylogger.
Chapter 3 (Windows System Architecture) delves into how Microsoft Windows (Vista) works with the IA-32 architecture. Chapter 4 (Rootkit Basics) begins to apply the understanding of hardware and software architecture to the problem of building a rootkit. The chapter provides extensive material on the use of debuggers which play an important role in both exploring the system and testing a rootkit. Particular attention should be paid to section 4.3 (A Rootkit Skeleton) as it abstracts out the common themes of a rootkit that are too often concealed under implementation details.
Part II (System Modification) presents the common techniques used by rootkits in "altering the contents of memory at runtime" (p.240) which are so important in providing stealth for the running rootkit while it carries out its mission. The discussion illustrates the "dance" of attack and defense by showing how the countermeasures for one technique (such as call table hooks) are foiled by another.
Chapter 5 (Hooking Call Tables) describes how a rootkit can insert itself into a system by altering the dispatch tables used to interface with system routines, enabling execution of an adversary's code either before or instead of the system code.
Chapter 6 (Patching System Routines) examines techniques for modifying the code running on the system (either by patching it on disk (binary patching) or when it is loaded into memory (run-time patching)).
Chapter 7 (Altering Kernel Objects) delves into how system (kernel) objects can be modified to effect concealment (for example, to hide a process or a driver) or to grant additional privileges.
Chapter 8 (Deploying Filter Drivers) covers the nefarious uses that can be made of the "filter driver" capability built into Windows. Filter drivers are intended to allow creation of "stacks" of drivers with well-defined functionality that can be transparently inserted without affecting the layer above or below. For example, one way to implement full-disk encryption is to insert an encryption driver into the disk driver stack that transparently encrypts/decrypts information as it flows through the stack. Nefarious applications include inserting a keylogger into the keyboard stack or a sniffer into the network stack.
Part III (Anti-forensics) deals with how a rootkit can maintain its concealment in the face of the techniques normally used to ferret it out, for example, during the investigation of a data breach.
Chapter 9 (Defeating Live Response) deals with how the rootkit can defeat "live response" forensic techniques (i.e., those conducted while the affected system is still running).
Chapter 10 (Defeating File System Analysis) covers how rootkits can evade analysis conducted on disk images (traditional computer forensics) and includes material on foiling static and dynamic analysis of code (e.g., when a suspicious executable is exported from the disk image and executed under control of a debugger).
Chapter 11 (Defeating Network Analysis) covers the important subject of how rootkits hide while they carry out their function. Whether its purpose is to siphon off credit card numbers, access credentials or participate in a botnet, the rootkit will at some point have to communicate with the outside world in order to fulfill its purpose. This communication poses a threat to its concealment.
Chapter 12 (Countermeasure Summary) pulls the various forensic techniques together in an overall summary with the aid of several excellent diagrams.
Part IV (End Material) contains two short chapters ("The Tao of Rootkits" and "Closing Thoughts") followed by extensive listings of the hands-on projects developed throughout the book.
To repeat myself, this is a dangerous book. Unfortunately the knowledge it contains is already widely available to those that would use it to compromise the systems we're charged to protect. Blunden's achievement is the consolidation of the material into an excellent presentation on how rootkits work, how they hide and how their "cloaking devices" can be penetrated. The book will be very hard sledding for a managerially-focused security professional, but it is definitely one they should give to their technical colleagues with a strong "read-and-understand!" admonition.