Windows Rootkits (and Bootkits) Guide v2


Hello folks and have a good day. If you follow my blog, you might know that my two previous blog posts discussed kernel-mode (km) malware - rootkits and bootkits - focusing on the Ring 0 tricks they employ and the timeline of their appearance. I'm excited to share version two of my research paper "Windows Rootkits Guide", now titled "Windows Rootkits and Bootkits Guide", which includes even more information than the first version. The biggest addition is a deep dive into bootkit families and the techniques they use (TTPs), alongside more details about rootkit techniques.

https://artemonsecurity.com/rootkits_bootkits_v2.pdf

The document is intended to be a comprehensive guide to Windows km malware, with some exceptions and remarks as noted in it. Just like the first version, this guide includes direct references to the research from which the information was taken. It has the structure of a reference book, which allows you to easily navigate from a specific malware family to its rootkit TTPs (Windows kernel tricks).

The new document covers information about:

- More than 70 rootkit techniques and km tricks
- More than 90 rootkit and bootkit families
- Almost 300 web links to malware research

The following techniques are included:
- Intercepting system services, with 6 sub-techniques
- Direct Kernel Object Manipulation (DKOM), with 15 sub-techniques
- Inline patching of kernel-mode code, with 9 sub-techniques
- Intercepting driver object major functions, with 10 sub-techniques
- Intercepting IDT/ISR
- Setting itself up as a filter driver, with 4 sub-techniques
- Using Windows kernel callbacks
- Using and hiding NTFS Alternate Data Streams (ADS)
- Keylogger
- Windows IP Filtering
- Disabling Windows kernel callbacks
- The subject of bootkit infection, with 4 sub-techniques
- Defeating Driver Signature Enforcement (DSE), with 6 sub-techniques
- 14 other uncategorized sub-techniques, including disabling/bypassing PatchGuard

The following web resources made this document possible:
- Malpedia | https://malpedia.caad.fkie.fraunhofer.de
- MITRE ATT&CK® | https://attack.mitre.org/
- KernelModeInfo forum | https://www.kernelmode.info/forum/
- rootkit_com site mirror | https://github.com/claudiouzelac/rootkit.com/tree/master/
- Virus Bulletin | https://www.virusbulletin.com/virusbulletin/

Also, the following studies are dedicated to the same purpose, i.e. summarizing information about Ring 0 malware:

- An In-Depth Look at Windows Kernel Threats by Trend | https://documents.trendmicro.com/assets/white_papers/wp-an-in-depth-look-at-windows-kernel-threats.pdf
- «Nice Boots!» - A Large-Scale Analysis of Bootkits and New Ways to Stop Them | https://publications.sba-research.org/publications/bootcamp_dimva_2015.pdf
- Bootkit's development overview and trend | http://www.vxjump.net/files/seccon/bktrend.pdf
- Bootkits: Past, Present & Future | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf
- Positive Technologies | Bootkits: evolution and detection methods

The research details the following malware families.
