Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Footnotes

Chapter 1

1. http://static1.esetstatic.com/us/resources/white-papers/TDL3-Analysis.pdf

2. Rodrigo Rubira Branco, Gabriel Negreira Barbosa, and Pedro Drimel Neto, “Scientific but Not Academic Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies” (paper presented at the Black Hat USA 2012 conference, July 21–26, Las Vegas, Nevada), https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf.

3. https://blogs.technet.microsoft.com/markrussinovich/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far/

Chapter 2

1. Brian Krebs, “Financial Mogul Linked to DDoS Attacks,” Krebs on Security blog, June 23, 2011, http://krebsonsecurity.com/2011/06/financial-mogul-linked-to-ddos-attacks/.

2. Eugene Rodionov and Aleksandr Matrosov, “King of Spam: Festi Botnet Analysis,” May 2012, http://www.welivesecurity.com/wp-content/media_files/king-of-spam-festi-botnet-analysis.pdf.

Chapter 4

1. David Harley, Robert Slade, and Urs E. Gattikerd, Viruses Revealed (New York: McGraw-Hill/Osborne, 2001).

Chapter 6

1. See Moxie Marlinspike, “Internet Explorer SSL Vulnerability,” https://moxie.org/ie-ssl-chain.txt.

Chapter 10

1. For more detail on the PPI scheme used for bootkits of this type, see Andrey Rassokhin and Dmitry Oleksyuk, “TDSS Botnet: Full Disclosure,” https://web.archive.org/web/20160316225836/ http://nobunkum.ru/analytics/en-tdss-botnet/.

Chapter 11

1. Debug registers dr4 and dr5 are reserved when debug extensions are enabled (when the DE flag in control register cr4 is set) and attempts to reference the dr4 and dr5 registers cause invalid-opcode exceptions (#UD). When debug extensions are not enabled (when the DE flag is clear), these registers are aliased to debug registers dr6 and dr7.

2. https://www.welivesecurity.com/media_files/white-papers/CARO_2011.pdf; https://www.welivesecurity.com/wp-content/media_files/Carberp-Evolution-and-BlackHole-public.pdf

Chapter 12

1. Eugene Rodionov and Aleksandr Matrosov, “Mind the Gapz,” Spring 2013, http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf.

Chapter 16

1. ESET Research, “LOJAX: First UEFI Rootkit Found in the Wild, Courtesy of the Sednit Group” (whitepaper), September 27, 2018, https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf.

2. You can find a detailed technical explanation of the S3–to–working-state resumption implementation in Jiewen Yao and Vincent J. Zimmer, “A Tour Beyond BIOS Implementing S3 Resume with EDKII” (Intel whitepaper), October 2014, https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Implementing_S3_resume_with_EDKII.pdf.

3. More information can be found in the aforementioned paper “A Tour Beyond BIOS: Implementing S3 Resume with EDKII” (https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Implementing_S3_resume_with_EDKII.pdf).

4. https://invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf

5. https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Create new playlist

Sign In

Sign Up