Hacking Exposed Malware & Rootkits: Security Secrets and Solutions, Second Edition
1st Edition
Published on 16. December 2016
400 pages
978-0-07-182575-7 (ISBN)
Description
Arm yourself for the escalating war against malware and rootkits Thwart debilitating cyber-attacks and dramatically improve your organization s security posture using the proven defense strategies in this thoroughly updated guide. Hacking Exposed Malware and Rootkits: Security Secrets & Solutions, Second Edition fully explains the hacker s latest methods alongside ready-to-deploy countermeasures. Discover how to block pop-up and phishing exploits, terminate embedded code, and identify and eliminate rootkits. You will get up-to-date coverage of intrusion detection, firewall, honeynet, antivirus, and anti-rootkit technology. Learn how malware infects, survives, and propagates across an enterprise See how hackers develop malicious code and target vulnerable systems Detect, neutralize, and remove user-mode and kernel-mode rootkits Use hypervisors and honeypots to uncover and kill virtual rootkits Defend against keylogging, redirect, click fraud, and identity theft Block spear phishing, client-side, and embedded-code exploits Effectively deploy the latest antivirus, pop-up blocker, and firewall software Identify and stop malicious processes using IPS solutions
More details
Other editions
Additional editions
Christopher Elisan | Michael Davis | Sean Bodmer
Hacking Exposed Malware & Rootkits: Security Secrets and Solutions, Second Edition
Security Secrets and Solutions, Second Edition
Book
01/2017
2nd Edition
McGraw-Hill Professional
€66.70
Shipment within 15-20 days
Content
- Cover
- Title Page
- Copyright Page
- Dedication
- Contents
- Foreword
- Acknowledgments
- Introduction
- Part I Malware
- CASE STUDY: Please Review This Before Our Quarterly Meeting
- 1 Malware Propagation
- Malware Is Still King
- The Spread of Malware
- Why They Want Your Workstation
- Intent Is Hard to Detect
- It's a Business
- Significant Malware Propagation Techniques
- Social Engineering
- File Execution
- Modern Malware Propagation Techniques
- StormWorm
- Metamorphism
- Obfuscation
- Dynamic Domain Name Services
- Fast Flux
- Malware Propagation Injection Vectors
- Malicious Websites
- Phishing
- Peer-to-Peer (P2P)
- Worms
- Summary
- 2 Malware Functionality
- What Malware Does Once It's Installed
- Pop-ups
- Search Engine Redirection
- Data Theft
- Click Fraud
- Identity Theft
- Keylogging
- Malware Behaviors
- Identifying Installed Malware
- Typical Install Locations
- Installing on Local Drives
- Modifying Timestamps
- Affecting Processes
- Disabling Services
- Modifying the Windows Registry
- Summary
- Part II Rootkits
- CASE STUDY: The Invisible Rootkit That Steals Your Bank Account Data
- Disk Access
- Firewall Bypassing
- Backdoor Communication
- Intent
- Presence and Significance
- 3 User-Mode Rootkits
- Rootkits
- Timeline
- Major Features of Rootkits
- Types of Rootkits
- User-Mode Rootkits
- What Are User-Mode Rootkits?
- Background Technologies
- Injection Techniques
- Hooking Techniques
- User-Mode Rootkit Examples
- Summary
- 4 Kernel-Mode Rootkits
- Ground Level: x86 Architecture Basics
- Instruction Set Architectures and the Operating System
- Protection Rings
- Bridging the Rings
- Kernel Mode: The Digital Wild West
- The Target: Windows Kernel Components
- The Win32 Subsystem
- What Are These APIs Anyway?
- The Concierge: NTDLL.DLL
- Functionality by Committee: The Windows Executive (NTOSKRNL.EXE)
- The Windows Kernel (NTOSKRNL.EXE)
- Device Drivers
- The Windows Hardware Abstraction Layer (HAL)
- Kernel Driver Concepts
- Kernel-Mode Driver Architecture
- Gross Anatomy: A Skeleton Driver
- WDF, KMDF, and UMDF
- Kernel-Mode Rootkits
- What Are Kernel-Mode Rootkits?
- Challenges Faced by Kernel-Mode Rootkits
- Methods and Techniques
- Kernel-Mode Rootkit Samples
- Klog by Clandestiny
- AFX by Aphex
- FU and FUTo by Jamie Butler, Peter Silberman, and C.H.A.O.S
- Shadow Walker by Sherri Sparks and Jamie Butler
- He4Hook by He4 Team
- Sebek by The Honeynet Project
- Summary
- Summary of Countermeasures
- 5 Virtual Rootkits
- Overview of Virtual Machine Technology
- Types of Virtual Machines
- The Hypervisor
- Virtualization Strategies
- Virtual Memory Management
- Virtual Machine Isolation
- Virtual Machine Rootkit Techniques
- Rootkits in the Matrix: How Did We Get Here?!
- What Is a Virtual Rootkit?
- Types of Virtual Rootkits
- Detecting the Virtual Environment
- Escaping the Virtual Environment
- Hijacking the Hypervisor
- Virtual Rootkit Samples
- Summary
- 6 The Future of Rootkits
- Increases in Complexity and Stealth
- Custom Rootkits
- Digitally Signed Rootkits
- Summary
- Part III Prevention Technologies
- CASE STUDY: A Wolf in Sheep's Clothing
- Scareware
- Fakeware
- Look of Authenticity
- Countermeasures
- 7 Antivirus
- Now and Then: The Evolution of Antivirus Technology
- The Virus Landscape
- Definition of a Virus
- Classification
- Simple Viruses
- Complex Viruses
- Antivirus-Core Features and Techniques
- Manual or "On-Demand" Scanning
- Real-Time or "On-Access" Scanning
- Signature-Based Detection
- Anomaly/Heuristic-Based Detection
- A Critical Look at the Role of Antivirus Technology
- Where Antivirus Excels
- Top Performers in the Antivirus Industry
- Challenges for Antivirus
- The Future of the Antivirus Industry
- Summary and Countermeasures
- 8 Host Protection Systems
- Personal Firewall Capabilities
- Personal Firewall Limitations
- Pop-Up Blockers
- Chrome
- Firefox
- Microsoft Edge
- Safari
- Example Generic Pop-Up Blocker Code
- Summary
- 9 Host-Based Intrusion Prevention
- HIPS Architectures
- Growing Past Intrusion Detection
- Behavioral vs. Signature
- Behavioral Based
- Signature Based
- Anti-Detection Evasion Techniques
- How Do You Detect Intent?
- HIPS and the Future of Security
- Summary
- 10 Rootkit Detection
- The Rootkit Author's Paradox
- A Quick History
- Details on Detection Methods
- System Service Descriptor Table Hooking
- IRP Hooking
- Inline Hooking
- Interrupt Descriptor Table Hooks
- Direct Kernel Object Manipulation
- IAT Hooking
- Legacy DOS or Direct Disk Access Hooking
- Windows Anti-Rootkit Features
- Software-Based Rootkit Detection
- Live Detection vs. Offline Detection
- System Virginity Verifier
- IceSword and DarkSpy
- RootkitRevealer
- F-Secure's BlackLight Technology
- Rootkit Unhooker
- GMER
- Helios and Helios Lite
- McAfee Rootkit Detective and RootkitRemover
- TDSSKiller
- Bitdefender Rootkit Remover
- Trend Micro Rootkit Buster
- Malwarebytes Anti-Rootkit
- Avast aswMBR
- Commercial Rootkit Detection Tools
- Offline Detection Using Memory Analysis: The Evolution ofMemory Forensics
- Virtual Rootkit Detection
- Hardware-Based Rootkit Detection
- Summary
- 11 General Security Practices
- End-User Education
- Security Awareness Training Programs
- Defense-in-Depth
- System Hardening
- Automatic Updates
- Virtualization
- Baked-In Security (from the Beginning)
- Summary
- Appendix System Integrity Analysis: Building Your Own Rootkit Detector
- What Is System Integrity Analysis?
- The Two Ps of Integrity Analysis
- Pointer Validation: Detecting SSDT Hooks
- Patch/Detour Detection in the SSDT
- The Two Ps for Detecting IRP Hooks
- The Two Ps for Detecting IAT Hooks
- Our Third Technique: Detecting DKOM
- Sample Rootkit Detection Utility
- Index
