Boot Sector Rootkits

[satyr]

hi,

I wanted to look more into rootkits, specially kernel mode rootkits which affect the boot sector.

Please suggest resources for me to understand and learn so that I am able to analyse these malwares.

I want to dig deep into rootkits and understand how to analyze them.

Any help appreciated.

[ajohnson]

I haven't done much in this area, but http://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319/ref=sr_1_2?ie=UTF8&qid=1329145052&sr=8-2 was a decent introductory read. It's from 2005 and is probably dated now, but Syngress has a couple of others that seem like they would be of interest to you: http://www.amazon.com/Managed-Code-Rootkits-Hooking-Environments/dp/1597495743/ref=sr_1_3?ie=UTF8&qid=1329145052&sr=8-3

http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860/ref=sr_1_12?ie=UTF8&qid=1329145052&sr=8-12

rootkit.com used to be a good resource as well, but it's not loading at the moment for me. I'm not sure if that's still around or not.

[lorddicranius]

Wasn't rootkit.com Haugland's site that was involved with the whole Anonymous/HBGary Federal ordeal?  Was it ever brought back up after that breach?

[ajohnson]

Wasn't rootkit.com Haugland's site that was involved with the whole Anonymous/HBGary Federal ordeal?  Was it ever brought back up after that breach?

Yea, that's correct. He's also the co-author of the first book I recommended.

I never participated there, so aside from hearing about that ordeal, I really don't know if it was ever brought back up. It very well may not have been.

[Eleven]

Here is a nice analysis of the TDL4 rootkit.  http://resources.infosecinstitute.com/tdss4-part-1/

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System Second edition will be out March 7.