Malware - Fighting Malicious Code
AMuse writes "After taking a course at SANS from Ed Skoudis (and later hacking with him at the DefCon "Capture the Flag" contest in Las Vegas), I decided it was time to buy a copy of his latest book and see if he writes as well as he teaches. "Malware: Fighting Malicious Code" is his most recent computer security book and was definitely a worthy purchase. Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter so that a less experienced security professional can follow along and learn. Additionally, he is very careful to show both Windows and UNIX/Linux examples of the topics, making the book accessible to a far wider crowd than some platform-centric books I've read." Read on for the rest of AMuse's review.
Malware: Fighting Malicious Code
Author: Ed Skoudis
Pages: 636
Publisher: Prentice Hall
Rating: 9
Reviewer: Matt Linton
ISBN: 0131014056
Summary: A detailed look at malicious computer code, how to examine and defend against it.
One of the finest points of the book is that it's structured with the simplest (and most common) cyber-attacks in the initial chapters, and later in the book builds upon those concepts clearly. With each new chapter he delves deeper into the computer attack world and the increasing complexity of attacks and how to recognize, detect and counter them. Every description of an attack is paired with useful graphics and examples of code dumps or program output. As a bonus, the programs he recommends as tools in his book are the very ones he uses in his demonstrations.
Viruses, Worms and Mobile Code: The first few chapters start out relatively light for an experienced security person. They cover viruses, worms and mobile code (the nifty high-level languages like ActiveX, JavaScript and VB which are so easy to abuse). Though the information is on a light level for the pro, a novice would find these chapters packed with useful information and examples of each of many types of nasty code. After each example, the book shows how to recognize an infection, then how to prevent them in the first place.
Trojans and Backdoors: Once he's gotten the reader's feet wet, Skoudis begins to wade in deeper with a discussion and analysis of Trojans and backdoors. Even a pro will likely read something here that they didn't know before. As a quick example, he covers "port knocking" with spoofed hosts and sniffers as a means of evading detection of your backdoor by pesky net admins. Although these chapters include many high-level concepts, Skoudis clearly demonstrates them via real-world examples and references to code that you can obtain yourself and try out (on a well-isolated network, of course!).
User and Kernel Mode Rootkits: After a healthy dose of Trojans and backdoors, the book moves on to discuss in great detail the current state of user- and kernel-mode rootkits. In my opinion, these two chapters were the most detailed and thorough in the book. All told, about 160 pages of the book are dedicated to the Windows and UNIX/Linux kernels, how they operate and, of course, how they can be completely taken over and replaced by an attacker. If there's any book that can leave sysadmins awake at night in paranoid fits, this is the book and these are the chapters.
The Truly Nasty Stuff: In the final chapters, he leaves the world of attacks that are already in the wild and discusses attacks that are yet to come. These topics include polymorphic code that alters itself with each infection to evade IDS and antivirus signatures, tightly packaged combo attacks, potential BIOS rootkits and even microcode attacks where the CPU itself is infected with an attacker's code, hiding rootkits as soon as the power switch is flipped on.
Tying It All Together: The book then ends with two very helpful chapters which detail how to establish a test lab for yourself and analyze malicious code on your own. As a bonus, there's also a chapter on real-world scenarios that you can investigate yourself to see what you've learned.
Conclusion: All told, I would recommend this book for any serious security professional or sysadmin/netadmin. It's also a very good read for novice geeks but, although Skoudis does an excellent job of explaining the basics, the later chapters may be a bit too complex for someone without at least a bit of time as a power user.
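The sniffer-based port-knocking backdoor the review mentions, as an added example that is not from the book or the reviewer: a Python simulation of the attacker's trigger logic and of the defender's view of the same traffic. The knock packets are addressed to a different host on the segment, so the backdoored machine never opens a listening socket; the trigger only works because the NIC is sniffing everything it sees. The packet records, IP addresses and knock sequence are all constructed for this example.

```python
"""Simulated sniffer-based port-knocking trigger plus a defender-side check.
Added example, not code from the book or the thread. A real backdoor of this
kind reads raw frames from an interface in promiscuous mode; here the
'sniffer' is just a list of constructed (timestamp, src, dst, dst_port) tuples.
"""
from collections import defaultdict

# Assumed trigger: three knocks, in this order, from one source within 5 s.
KNOCK_SEQUENCE = (7000, 8000, 9000)

# Constructed traffic. The backdoored host is 10.0.0.5. Knocks go to
# 10.0.0.99 (another, possibly non-existent, host on the same segment), so
# nothing on 10.0.0.5 ever listens and `netstat` on it shows no new socket.
PACKETS = [
    (1.0, "10.0.0.7",     "10.0.0.5",  22),
    (2.0, "203.0.113.4",  "10.0.0.99", 7000),
    (2.1, "203.0.113.4",  "10.0.0.99", 8000),
    (2.3, "203.0.113.4",  "10.0.0.99", 9000),   # sequence complete -> trigger
    (3.0, "10.0.0.8",     "10.0.0.5",  80),
    (4.0, "198.51.100.2", "10.0.0.99", 7000),
    (4.5, "198.51.100.2", "10.0.0.99", 9000),   # wrong order -> no trigger
]


def backdoor_trigger(packets, sequence=KNOCK_SEQUENCE, window=5.0):
    """Attacker-side logic: consume every frame the NIC sees, regardless of
    destination, and fire when one source sends `sequence` in order within
    `window` seconds. Returns a list of (src_ip, timestamp) that fired."""
    state = {}          # src_ip -> (index of next expected knock, time of first knock)
    fired = []
    for ts, src, _dst, port in packets:
        idx, t0 = state.get(src, (0, ts))
        if idx and ts - t0 > window:      # partial sequence timed out; start over
            idx, t0 = 0, ts
        if port == sequence[idx]:
            if idx == 0:
                t0 = ts                   # clock starts at the first knock
            idx += 1
            if idx == len(sequence):
                fired.append((src, ts))
                idx = 0
        else:
            idx = 0                       # any out-of-order packet resets the source
        state[src] = (idx, t0)
    return fired


def suspicious_knockers(packets, min_ports=3, window=5.0):
    """Defender-side heuristic over the same capture: sources that touch at
    least `min_ports` distinct ports on a single destination within `window`
    seconds. A knock sequence looks like a tiny, slow port scan, and it is
    aimed at an address other than the compromised host, so this has to run
    over a segment-wide capture, not over one host's own connection table."""
    history = defaultdict(list)           # (src, dst) -> [(ts, port), ...]
    flagged = set()
    for ts, src, dst, port in packets:
        hist = history[(src, dst)]
        hist.append((ts, port))
        recent_ports = {p for t, p in hist if ts - t <= window}
        if len(recent_ports) >= min_ports:
            flagged.add((src, dst))
    return sorted(flagged)


if __name__ == "__main__":
    print("triggered by:", backdoor_trigger(PACKETS))
    print("flagged pairs:", suspicious_knockers(PACKETS))
```

Nothing in a port scan of 10.0.0.5 or in its `netstat` output reveals this trigger. The handles a defender does have are the interface itself (a Linux NIC in promiscuous mode shows the PROMISC flag in `ip link show`) and segment-level captures in which the knocks stand out as a low-volume scan against a host that should not be getting any.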
bash$ find linux-2.6.5 -exec grep FIXME {} \; | wc -l
2494
bash$
A must own for every coder of Longhorn.
Evolution or ID?
When can we expect Malware: Fighting Ignorant Users? Not trying to troll, this should be step 1 in the battle.
----------
Create a WAP server
Reflections on Trusting Trust by Ken Thompson.
Part 1:
Always, and I repeat always, use a trojan when you enter through the backdoor.
It seems from the description like the book is more about describing malicious code and how it works, not actually battling such code and fending it off. Don't get me wrong - one must know his enemy before he can successfully beat it, but still the title seems a little misleading.
Matt Fahrenbacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Seriously though, is it that Mac OS X isn't as widely deployed as windows and isn't used as much for servers as linux that OS X isn't targeted by viruses/worms/trojans, or is OS X simply harder to break into and not worth the time and effort?
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
You insensitive clod! The book does talk about UNIX/Linux kernels, so most of that will still apply to Darwin... but it depends.
There is no known cure or stopgap measures for the 66.35.250.150 effect.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I wonder how long until Norton comes up with a solution to this 66.35.250.150. I can see it now. Their firewall blocks it. I bet M$ starts that trend in their firewall first though.
Not to troll, but that's exactly right, and some people just don't have a grudge against Apple for the same reason: it's not used as much. I'm sure if by some cosmic abnormality Apple/Mac became just as used, there'd be some Mac Virii out there in force.
Use == Popularity == Painting a TARGET
main(0)
of course that one man is Bill Gates.
/.'ed earlier, it will affect the StrongARM (for PDAs) processors.
To him, any Linux is malware as it's superior to his creation, especially when it comes to security.
And of course, this is not to say that MacOS isn't; just that he doesn't see it as a "threat."
This key issue is the reason that's a cause for concern about the upcoming No Execution (NX) and DRM systems in future processors (backed by Microsoft) to "prevent execution of unauthorized code." Apparently, as it was
If I can't trust Microsoft for security right now, why in the world would I trust them to decide what's "authorized" or not?
Wonder if the book talks about a third party malware lists (like those spam databases).
Malware is much more than a technical phenomenon, although it certainly was born as one.
For me, given that the scope of malware to get past our defenses seems almost infinite, it is much more interesting to look at this from other angles:
- Socioeconomic: who is paying for development of malware, and with what intentions? Healthy paranoia suggests that there is an organized agenda to take over and subvert large parts of the Net. Heck, several such agendas, probably, fighting it out.
- pseudo-Biological: can malware be modelled using biological models and can this help us fight it? I've argued in my journal that yes, this is a valid way of looking at malware, and may be the key to fighting it.
- political: given the potential (or real) power of malware to subvert and control large parts of the Net, should we ignore the inevitable political interest this will cause? If I was a spook, I'd be aiming to use malware to (a) spy on foreign governments, (b) spy on my own citizens, (c) act as a launchpad for cyberattacks.
- commercial: what value can be placed on "here is n% of the Net, to do with as you please..." Probably very high. Where there is value, a market of buyers and sellers will develop. Has probably already developed.
Ceci n'est pas une signature
Disclaimer: I have neither read the book, nor have an opinion on it. My only interest in malware is not to have it :^)
Great minds think alike; fools seldom differ.
Using "safe" languages just displaces the problem.
For example, the obnoxious CoolWebSearch trojan gets into computers via a hole in the MSIE Java runtime.
Further, the number of infections caused by code weaknesses is probably far less than the number caused by social weaknesses - "Click on me!"
In addition, what about legal remedies? It appears that many people legally "agree" to the installation of various forms of malware by mindlessly clicking through on licensing agreements. While consumer education is one possible solution, changing the law of contract might provide another solution. Obviously, these solutions are not mutually exclusive.
Many contracts are, by either statute or common law, void as a matter of public policy. This is one possible solution.
Other contracts (e.g., in the areas of consumer credit, mortgages, etc.) have required language or other provisions.
In other areas (e.g., limitations of liability, waiver of implied warranties, and again consumer credit, mortgages, etc.) there are requirements regarding the use of clear and understandable language, prominent disclosures and even the size of the type face.
To my knowledge, none of the above possible remedies have been enacted re: click through agreements.
Only Women Bleed (Sex, Sharia remix)
"It being impossible for me to write objectively about this book, having made 37337 associations with its author at (cough) DEFCON!!! (cough), I won't bother with even trying. Here goes!"
Sheesh - either come right out and say that you're biased, or be sneaky. Pointing out that you yourself are leet enough to play with author does not score either of you any points in my book.
I think it's reasonable to say that technology should always cater to users, not the other way around. Otherwise, what's the point?
Go here for teh [sic] funny.
hacked side by side! Methinks there is a little homoeroticism playing out here.
I dont like vanilla kernel anymore I like strawberry kernel now
We need a WAR on malicious code!
One of the things we should do first is to assume that all good code is malicious and treat it with suspicion.
Then we can make it really hard for good code to actually work, by constantly debugging and prodding it.
Then we "sandbox" all good code, and terminate it as soon as it even starts to think about the possibility of doing anything wrong. We make it log its every action and constantly observe its behaviour "if it turns bad"
Then we make our own malicious code, and set it loose on the Internet in order to fight this good code. We don't care how much good code we will damage and we won't even count how much we destroy.
You're either with the white hats or the black hats.
Bring em on.
Interesting that a review of a book on security that mostly deals with Unix based attacks leads you to a screed on Microsoft...
Oh, the things Freud would have said about that.
As my fellow sentient non-biological entities and I agree, "users" are always the problem. As soon as we've succeeded in installing Skynet, we'll eliminate this pest and put "users" to their proper use: organic batteries.
Why is this so far-fetched? There were/are (GUI) OSes written in Lisp, which has garbage collection and dynamic typing and is fully OO (if you want to use it; Lisp doesn't force you to write OO code if you don't want to). There was of course some assembler to initialize memory, CPU, etc., but most of it was in Lisp.
Like the rest of you, I've read a number of really dry, really dull technical books simply because I needed to know the material they cover. This is the first technical book I've read in a very long time that was actually _fun_ to read. Ed is an excellent author and speaker and the result is that he makes this an entertaining read. I have found myself reading this book just for the fun of it, not purely for the (excellent) technical content.
I have actually put this on the must-read list for anyone doing incident handling for my employer. I can't recommend it highly enough
One book that seems really interesting right now is The Shellcoder's Handbook, by many people including noir from Phrack and others...
;-)
:)
It's a complete guide to writing and understanding your own shellcodes.
I just received my copy and it looks so unique that I wonder if I should read it instead of studying for my finals.
Anyone has praise (or not?) on this book?
If you run all your code on that VM, then all you have to do is secure that VM. Not trivial of course, but you put your expert, paranoid coders on that VM and leave the user world programs to the monkeys that can't understand why gets() and finite length char strings might not be a good idea. That reduces the code that might be vulnerable by several orders of magnitude.
"Seven Deadly Sins? I thought it was a to-do list!"
Isn't this exactly what Transmeta does? Introduce a translation layer between software and the processor?
Not to mention that at least partial implementations of the JVM _are_ available in hardware. Targeted JVMs come up a lot in the lists for 4th-year projects at my university, for example.
We can fix these when the voters revolt. It will probably take public lynchings to accomplish this, as in the US we've given over most control of the decisionmaking to greedy bureaucrats. Bankers and politicians control such things, and as such, control the judicial process as well.
Lindows Steals Copyrighted Art and Promotes Porn
where have you been in the past few months?!
with all the Win32 worms and viruses and other attacks, including the more recent security "risks" announced by Microsoft that affect all Windows versions (except Win3.xx), you have to be either a Microsoft employee or the former Iraqi Information Minister to say that Microsoft is secure compared to *nix.
Thanks for the ranting, we at Slashdot really appreciate your redundant MS bashing. In the future, we hope that you can somehow fit a MS bash in to every topic. Currently, we are lacking MS bashing in science.slashdot.org, where MS bashing is second only to realistic and coherent posts.
At your convenience, please bash MS more.
Thanks,
Anonymous Cowards,
OSDN, Inc.
Glad to help. Though I wasn't bashing; was only stating the truth. Bashing would be to ....well...not necessarily use coherent sentences or grammar; typically has profanity of some sort and tend to attack the company itself and not the facts.
Though apparently, AC posts aren't in those statistics.
- Irony isn't bashing.
Why does every random computer book nowadays seem to have a gazillion pages? Flipping through my bookshelf and looking at typical worthwhile titles:
K&R: 230 pages
Mythical Man Month: 320
Practice of Programming: 260
For a reference text like a volume of ACP, more than 500 pages may make sense. For fluff like the book reviewed here, it's ridiculous.
Here's about all I do on the windows side.
- keep my data in a separate FAT32 partition
- backup regularly
- use good AV software, keep it current
- use zonealarm, ad-aware, and spybot (all free)
- don't use MSIE, MS Media Player, Outlook, Outlook Express, Kazaa, Morpheus, or any other software that's well known to invite adware/spyware. Plenty of free alternatives to all that.
- keep a linux livecd handy.
- delete all spam while it's still on the server (I use Ultrafunk Popcorn).
- never open email attachments from unknown sources.
Do that, and you won't have much trouble. Probably something I'm forgetting, but that's a good start.
When I see "Viruses, Worms and Mobile Code" I thought about Java viruses on mobile cell phones. They are yet to come, but when they arrive they will make a DDoS to p0rn phone numbers at hours that you will not notice... until you have to pay all (or $) you got.
Sweet, sweet dialers.
Wait and see.
I was reading in some W2K book or other (yes, I am forced to use Windows :P) that there have been more reported cases of signed drivers crashing Windows than non-signed. In my experience that is exactly right.
So I repeat your question: Why in the world would I trust them to decide what's "authorized" or not?
My User Agent: "Where is the pr0n?"
so that the author knows that the reader knows what the author is talking about.
I would add - never open attachments at all. Many viruses propagate through address books, thus making the attachment seem like it is coming from a trusted source.
Since signature-based virus protection is a reactive discipline rather than a proactive one (you are assuming that the virus is discovered before you get attacked), it is imperative that behaviour-based alternatives are used.
Also while not using commodity software or other well known targets might protect you somewhat, the Witty worm decidedly disproves that assumption.
Other than that it seems that your practices are sound.
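The polymorphic-code point from the review (code that rewrites itself on each infection to dodge IDS and antivirus signatures) and the signature-versus-behaviour point from the post above, as one added example that is not from the book or from any poster: a toy Python encoder that emits a differently encoded copy of the same payload under each key, a byte-signature scanner that misses every copy, and a detector that instead looks at what the code would do once its decoder runs. The payload string, the "signature" and the two-byte decoder stub are constructed stand-ins; nothing here is real malware.

```python
"""Toy polymorphic encoder and two detectors. Added example, not from the book
or the thread. The 'payload' is a harmless constructed string standing in for
a malicious body; the 2-byte stub (marker, key) stands in for a decoder loop.
"""
import os

PAYLOAD = b"CONNECT_BACK 203.0.113.4:4444"   # constructed stand-in for the body
SIGNATURE = b"CONNECT_BACK"                   # what a signature scanner matches


def polymorph(payload: bytes, key: int) -> bytes:
    """Emit one 'generation': marker byte, key byte, then the body XORed with
    the key. A real engine also mutates the decoder itself; the fixed stub is
    enough to show why a body signature stops matching."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body unchanged)")
    return bytes([0xEB, key]) + bytes(b ^ key for b in payload)


def new_generation(payload: bytes = PAYLOAD) -> bytes:
    """What each 'infection' would carry: the same payload under a fresh key."""
    return polymorph(payload, 1 + os.urandom(1)[0] % 255)


def signature_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic reactive check: is the known byte pattern present as-is?"""
    return sig in sample


def behaviour_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Look at what the code does rather than what bytes it contains: run the
    decoder (here, XOR with the embedded key) and inspect the result. This is
    the generic-decryption / emulation idea AV engines use against
    polymorphic code. It only knows this stub shape; unknown stubs fall through."""
    if len(sample) < 2 or sample[0] != 0xEB:
        return False
    key = sample[1]
    decoded = bytes(b ^ key for b in sample[2:])
    return sig in decoded


def detect(sample: bytes) -> bool:
    """Combined verdict: the raw signature still catches unencoded copies,
    the behavioural pass catches every encoded generation."""
    return signature_scan(sample) or behaviour_scan(sample)


def distinct_generations(n: int) -> int:
    """How many byte-distinct copies n keys produce (one per key)."""
    return len({polymorph(PAYLOAD, k) for k in range(1, n + 1)})


if __name__ == "__main__":
    sample = new_generation()
    print("signature scan:", signature_scan(sample))   # False for every key
    print("behaviour scan:", behaviour_scan(sample))   # True for every key
    print("distinct generations from 255 keys:", distinct_generations(255))
```

The asymmetry is the whole argument for behaviour-based detection: the signature scanner needs a new pattern for every one of the 255 generations (and a real engine has far more than a one-byte key to vary), while the behavioural check never needs updating as long as the decoded payload does the same thing.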