Slashdot Mirror
Malware - Fighting Malicious Code
AMuse writes "After taking a course at SANS from Ed Skoudis (and later hacking with him at the DefCon "Capture the Flag" contest in Las Vegas), I decided it was time to buy a copy of his latest book and see if he writes as well as he teaches. "Malware: Fighting Malicious code" is his most recent computer security book and was definitely a worthy purchase. Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter so that a less experienced security professional can follow along and learn. Additionally, he is very careful to show both Windows and UNIX/Linux examples of the topics, making the book accessible to a far wider crowd than some platform centric books I've read." Read on for the rest of AMuse's review.
Malware: Fighting Malicious Code
author
Ed Skoudis
pages
636
publisher
Prentice Hall
rating
9
reviewer
Matt Linton
ISBN
0131014056
summary
A detailed look at malicious computer code, how to examine and defend against it.
One of the finest points of the book is that it's structured with the simplest (and most common) cyber-attacks in the initial chapters, and later in the book builds upon those concepts clearly. With each new chapter he delves deeper into the computer attack world and the increasing complexity of attacks and how to recognize, detect and counter them. Every description of an attack is paired with useful graphics and examples of code dumps or program output. As a bonus, the programs he recommends as tools in his book are the very ones he uses in his demonstrations.
Viruses, Worms and Mobile Code: The first few chapters start out relatively light for an experienced security person. They cover viruses, worms and mobile code (the nifty high level languages like ActiveX, JavaScript and VB which are so easy to abuse). Though the information is on a light level for the pro, a novice would find these chapters packed with useful information and examples of each of many types of nasty code. After each example, the book shows how to recognize an infection, then how to prevent them in the first place.
Trojans and Backdoors Once he's gotten the reader's feet feet wet, Skoudis begins to wade in deeper with discussion and analysis of Trojans and Backdoors. Even a pro will likely read something here that they didn't know before. As a quick example, he covers "port knocking" with spoofed hosts and sniffers as a means of evading detection of your backdoor by pesky net admins. Although these chapters include many high level concepts, Skoudis clearly demonstrates them via real world examples and references to code that you can obtain yourself and try out (On a well isolated network, of course!)
User and Kernel mode Rootkits After a healthy dose of trojans and backdoors, the book moves on to discuss in very great detail the current status of User and Kernel mode rootkits. In my opinion, these two chapters were the most detailed and thorough in the book. All told, about 160 pages of the book are dedicated to the Windows and UNIX/Linux kernels, how they operate and of course how they can be completely taken over and replaced by an attacker. If there's any book that can leave SysAdmins awake at night in paranoid fits, this is the book and these are the chapters.
The truly nasty stuff In the final chapters, he leaves the world of attacks that are already in the wild and discusses attacks that are yet to come. These topics include polymorphic code that alters itself with each infection to evade IDS and Antivirus signatures, tightly packaged combo attacks, potential BIOS rootkits and even microcode attacks where the CPU itself is infected with an attackers' code, hiding rootkits as soon as the power switch is flipped on.
Tying it all together The book then ends with two very helpful chapters which detail how to establish a test lab for yourself and analyze malicious code on your own. As a bonus, there's also a chapter on real world scenarios that you can investigate yourself to see what you've learned.
Conclusion All told, I would recommend this book for any serious security professional or SysAdmin/NetAdmin. It's also a very good read for Novice geeks but, although Skoudis does an excellent job of explaining the basics, the later chapters may be a bit too complex for someone without at least a bit of time as a power user.
You can purchase Malware: Fighting Malicious Code from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page
Reflections on Trusting Trust by Ken Thompson.
"Seriously though, is it that Mac OS X isn't as widely deployed as windows and isn't used as much for servers as linux that OS X isn't targeted by viruses/worms/trojans, or is OS X simply harder to break into and not worth the time and effort?"
/.). Although the Unix examples apply to OS X as Unix is really BSD-Unix. They may not point out mac but the same rules apply.
OS X (based and intertwined with FreeBSD) tops the list of most secure operating systems (along with the other BSDs as already reported on
Evolution or ID?
It's certainly true that "as long as we use those tools, we're going to have those problems", but I'd go a step further and include computers and networks in your list of tools that have inherent issues.
Java is not as risk-prone as C, but that does not mean it's a security panacea. It has its own set of problems. You can say we shouldn't write code in unsafe languages, but then we wouldn't have any left.
And, to put it simply, Java applications don't run as fast as C applications. While most of the time that's not important, sometimes it is.
You can't tell people to stop using unsafe tools. That's equivalent to telling people to encase their computers in concrete and drop them in the ocean to secure them against malware. Instead, tell people where the risks lie and how to mitigate those risks. Then people will naturally gravitate toward safer tools and practices, because we are all lazy and that way we will have less work to do building adequately secure applications.
Disclaimer: I have neither read the book, nor have an opinion on it. My only interest in malware is not to have it :^)
Great minds think alike; fools seldom differ.
There is some area of research about proof carrying code, which is used to type check the bytecode before it is executed. I'm not aware if it is used in practice at all, since the research is still quite primitive. If you're naively doing checksum, then a clever hacker can generate valid checksum as well. If you're doing signed applet approach, then you revert the problem to whether you want to accept code from trusted entity, instead of whether you want to trust the code based on if its semantics are malicious.
I once had a signature.
One book that seems really interesting right now is the shellcoder's handbook by many people including noir from phrack and others...
;-)
:)
It's a complete guide to writing and understanding your own shellcodes.
I just received my copy and it looks so unique that i wonder if i should read it instead of studying for my finals
Anyone has praise (or not?) on this book?