Slashdot Mirror


Malware - Fighting Malicious Code

AMuse writes "After taking a course at SANS from Ed Skoudis (and later hacking with him at the DefCon "Capture the Flag" contest in Las Vegas), I decided it was time to buy a copy of his latest book and see if he writes as well as he teaches. "Malware: Fighting Malicious Code" is his most recent computer security book and was definitely a worthy purchase. Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter so that a less experienced security professional can follow along and learn. Additionally, he is very careful to show both Windows and UNIX/Linux examples of the topics, making the book accessible to a far wider crowd than some platform-centric books I've read." Read on for the rest of AMuse's review.

Title: Malware: Fighting Malicious Code
Author: Ed Skoudis
Pages: 636
Publisher: Prentice Hall
Rating: 9
Reviewer: Matt Linton
ISBN: 0131014056
Summary: A detailed look at malicious computer code, how to examine and defend against it.

One of the finest points of the book is that it's structured with the simplest (and most common) cyber-attacks in the initial chapters, and later in the book builds upon those concepts clearly. With each new chapter he delves deeper into the computer attack world and the increasing complexity of attacks and how to recognize, detect and counter them. Every description of an attack is paired with useful graphics and examples of code dumps or program output. As a bonus, the programs he recommends as tools in his book are the very ones he uses in his demonstrations.

Viruses, Worms and Mobile Code: The first few chapters start out relatively light for an experienced security person. They cover viruses, worms and mobile code (the nifty high level languages like ActiveX, JavaScript and VB which are so easy to abuse). Though the information is on a light level for the pro, a novice would find these chapters packed with useful information and examples of each of many types of nasty code. After each example, the book shows how to recognize an infection, then how to prevent them in the first place.

Trojans and Backdoors: Once he's gotten the reader's feet wet, Skoudis begins to wade in deeper with a discussion and analysis of Trojans and backdoors. Even a pro will likely read something here that they didn't know before. As a quick example, he covers "port knocking" with spoofed hosts and sniffers as a means of evading detection of your backdoor by pesky net admins. Although these chapters include many high-level concepts, Skoudis clearly demonstrates them via real-world examples and references to code that you can obtain yourself and try out (on a well-isolated network, of course!).

User and Kernel Mode Rootkits: After a healthy dose of trojans and backdoors, the book moves on to discuss in very great detail the current status of user and kernel mode rootkits. In my opinion, these two chapters were the most detailed and thorough in the book. All told, about 160 pages of the book are dedicated to the Windows and UNIX/Linux kernels, how they operate and of course how they can be completely taken over and replaced by an attacker. If there's any book that can leave SysAdmins awake at night in paranoid fits, this is the book and these are the chapters.

The Truly Nasty Stuff: In the final chapters, he leaves the world of attacks that are already in the wild and discusses attacks that are yet to come. These topics include polymorphic code that alters itself with each infection to evade IDS and antivirus signatures, tightly packaged combo attacks, potential BIOS rootkits and even microcode attacks where the CPU itself is infected with an attacker's code, hiding rootkits as soon as the power switch is flipped on.

Tying It All Together: The book then ends with two very helpful chapters which detail how to establish a test lab for yourself and analyze malicious code on your own. As a bonus, there's also a chapter on real-world scenarios that you can investigate yourself to see what you've learned.

Conclusion: All told, I would recommend this book for any serious security professional or SysAdmin/NetAdmin. It's also a very good read for novice geeks but, although Skoudis does an excellent job of explaining the basics, the later chapters may be a bit too complex for someone without at least a bit of time as a power user.

You can purchase Malware: Fighting Malicious Code from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


  1. Hate to ask... by Anonymous Coward · · Score: 5, Insightful

    When can we expect Malware: Fighting Ignorant Users? Not trying to troll, this should be step 1 in the battle.

    1. Re:Hate to ask... by boisepunk · · Score: 3, Insightful

      They get the shit kicked out of them every time they go online. They take their junky Gateways back to PC shops to 'wipe and reinstall' every six months. They lose files because 'I know I didn't download that file to my hard drive - I downloaded it to my desktop instead' and then they can't find it.

      You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.

      Wonder of wonders the world (the Internet) is as it is. And wonder of wonders is that it's taken the sophisticated malware engineers so long to get sophisticated.

      There's a slaughter going on, and although MS are responsible with their crappy stuff, the users are also responsible - for using it. And I hope we've heard the last of that classic line 'it only affects Windows users', because it should be evident to even the most brain-dead MS fanatic at this point that the entire Internet is affected.

      It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.

      --
      main(0)

    2. Re:Hate to ask... by Anonymous Coward · · Score: 3, Insightful

      "It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond." ... Shouldn't that be "non-qualified" MS users? Don't bash the whole gang. I'm pretty sure there are some very qualified and useful MS users (me being one of them).

    3. Re:Hate to ask... by javatips · · Score: 4, Insightful

      Maybe "Malware: Educating Ignorant Users" would be better.

    4. Re:Hate to ask... by javatips · · Score: 3, Insightful

      What it boils down to is that we need some basic validation method, which vets code that should/shouldn't be loaded, and people who don't know what they're doing shouldn't be allowed to override it.

      Microsoft calls that Trusted Computing ;-)

    5. Re:Hate to ask... by HD+Webdev · · Score: 2, Insightful

      No point in trying to educate them. A lot of this stuff is so esoteric that even relatively experienced and competent users get taken in, and new stuff comes up all the time. Is it sensible to make someone who really has no need for in-depth computer knowledge sit down and cram new viruses and security vulnerabilities 2 hours a day?

      The solution is an OS that doesn't just load everything that comes along. It's the digital equivalent of walking around Times Square jabbing used hypodermics into your arm.

      Boxes coming out of Wal-Mart make it around 30-60 days before they end up here with mostly 'my internet connection is slow' problems.

      The real problem is a) They got hacked soon after figuring out how to connect to the internet and b) They get helpful toolbars/cursors/whatever that track everything and half the time end up hosting their internet connection.

      If the malware doesn't do it, the hacked box ends up spewing emails right away.

      So, they end up here, $60-$100 (depending on how long they let the problem go and if they kept their disks) to fix.

      Format, restore, ZoneAlarm Basic firewall (not anti-virus yet!), Spybot immunize registry, connect to network, update Windows, install Avast! anti-virus, make Mozilla the default browser, and have Avast! build a database of files on the system and what they are supposed to look like. I also keep an image of the finished setup so that the people who shut off their anti-virus/firewall can pay again here to get fixed and I don't have to go through all of the work again.

      Too many times I see people trying to do it in a different order for Windoze, and it just doesn't work well. Most add the antivirus first and don't realize that by the time they get the firewall in, the box is already rooted.

      So, how can a user figure it out if Microsoft & most computer shops can't?

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.

  2. Windows and Linux examples, yes by ChiralSoftware · · Score: 4, Insightful

    Of course there is malware for Windows and Linux because both are written in unsafe languages which manipulate memory directly and often cast objects to (void *) and use containers (pointers to regions of memory) which don't know their own size. I know I've posted on this before here on /., but as long as we use those tools, we're going to have those problems. It's interesting that he doesn't have any examples of Java malware, for instance.

    ----------
    Create a WAP server

    1. Re:Windows and Linux examples, yes by Anonymous Coward · · Score: 2, Insightful

      These unsafe aspects are exactly what make the languages so flexible... Using them incorrectly is where the flaws come into the picture.

      Are you suggesting that malware in Java isn't possible or just isn't common?

    2. Re:Windows and Linux examples, yes by wandazulu · · Score: 5, Insightful

      You sound hungry, so I'll step up.

      You might feel safe in thinking that Java's sandbox protects from this kind of thing, but don't be too sure...what is a JVM written in? Those very unsafe languages you talk about.

      The fact is, at some point, *somebody's* gotta manipulate the memory directly; somebody's gotta keep track of what's been alloc'ed and what's been free'd, and whether that's at an application level, or at the OS level, you're going to find the very languages that you deem as unsafe.

      Abstract away and bytecode your way to a false sense of security, and you've done nothing but put up another curtain to lull you into a false sense of security. The fact is, this kind of thing is *always* going to be with us, whether intentional or by accident (Microsoft's whole KB).

      Think of it this way: cars are too dangerous for people to use because there's no way to stop them from running into the ditch. So we're going to develop a system by which everyone's car runs on rails, with all the latest safety systems to make sure everything is safe and secure and drive the way we think they should drive. Now you don't have to trust your own abilities, just us. And we know what's right, right?

    3. Re:Windows and Linux examples, yes by javatips · · Score: 3, Insightful

      It's kind of funny that you say that one should not program an OS in an interpreted language like Java. On the other hand, while the Linux kernel may be written in C, the initialization sequence of Linux (booting the OS to a usable state) is more or less a big script that is being interpreted (and there is even no JIT compilation involved).

      The argument of the grandparent is not really a good one either. The fact that you cannot hack a Java application with a buffer overflow (unless it's the JVM that does it) does not mean that you cannot hack into a Java system. Badly coded Java code can be the target of malware (and there have been security issues with WebSphere and WebLogic). If a security-sensitive class is not final, anyone can inherit it and bypass some of its code. Java offers many features that can help one build a secure application that is very resistant to malware, but you have to use those features and be aware that besides buffer overflows, malware can use other techniques to launch a successful attack.
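
An added example (my own code, not from the book or from the comment above) illustrating the non-final class point: a security check placed in an overridable method of a non-final class can be neutralised by a subclass, while the final class with a private guard cannot. The class names (Vault, BypassVault, HardenedVault) and the "alice"/"mallory" users are hypothetical.

```java
// Added example (not from the book or the comment above). Shows why a
// security-sensitive Java class should be final with a private guard method:
// the non-final Vault below can be subclassed so that its check is bypassed.
// All names (Vault, BypassVault, HardenedVault) are hypothetical.

public final class FinalClassDemo {

    // Vulnerable variant: the class can be extended and the guard overridden.
    static class Vault {
        private static final String OWNER = "alice";

        protected boolean isAuthorized(String user) {
            return OWNER.equals(user);
        }

        public String readSecret(String user) {
            if (!isAuthorized(user)) {
                throw new SecurityException("denied: " + user);
            }
            return "top-secret";
        }
    }

    // Untrusted code (a plugin, a class loaded from elsewhere, ...) that
    // subclasses Vault: readSecret still calls isAuthorized, but this override
    // always answers yes, so the inherited check no longer protects anything.
    static class BypassVault extends Vault {
        @Override
        protected boolean isAuthorized(String user) {
            return true;
        }
    }

    // Hardened variant: final class, private guard. Neither can be overridden,
    // and "class X extends HardenedVault" is rejected by the compiler.
    static final class HardenedVault {
        private static final String OWNER = "alice";

        private boolean isAuthorized(String user) {
            return OWNER.equals(user);
        }

        public String readSecret(String user) {
            if (!isAuthorized(user)) {
                throw new SecurityException("denied: " + user);
            }
            return "top-secret";
        }
    }

    public static void main(String[] args) {
        // The subclass returns the secret to a user the original check rejects.
        System.out.println("BypassVault: " + new BypassVault().readSecret("mallory"));
        // The hardened class refuses the same request with a SecurityException.
        try {
            new HardenedVault().readSecret("mallory");
        } catch (SecurityException e) {
            System.out.println("HardenedVault: " + e.getMessage());
        }
    }
}
```

Save as FinalClassDemo.java and run with `javac FinalClassDemo.java && java FinalClassDemo`; the same lesson applies to making guard methods final (or private) even when the class itself must stay extensible.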

    4. Re:Windows and Linux examples, yes by sleepingsquirrel · · Score: 2, Insightful

      Maybe not Java, but someone should start an OS project with something like OCaml. You get most of the speed of something like C, with far fewer bugs. Oh, and there's no reason you can't compile your Java.

  3. one man's malware is another man's uber linux.... by MoFoQ · · Score: 2, Insightful

    of course that one man is Bill Gates.

    To him, any Linux is malware as it's superior to his creation, especially when it comes to security.
    And of course, this is not to say that MacOS isn't; just that he doesn't see it as a "threat."

    This key issue is the reason that's a cause for concern about the upcoming No Execution (NX) and DRM systems in future processors (backed by Microsoft) to "prevent execution of unauthorized code." Apparently, as it was /.'ed earlier, it will affect the StrongARM (for PDAs) processors.

    If I can't trust Microsoft for security right now, why in the world would I trust them to decide what's "authorized" or not?

    Wonder if the book talks about third-party malware lists (like those spam databases).

  4. Java malware by heironymouscoward · · Score: 4, Insightful

    Using "safe" languages just displaces the problem.

    For example, the obnoxious CoolWebSearch trojan gets into computers via a hole in the MSIE Java runtime.

    Further, the number of infections caused by code weaknesses is probably far less than the number caused by social weaknesses - "Click on me!"

    --
    Ceci n'est pas une signature

  5. Re:Hate to ask...; What about legal remedies? by David+Hume · · Score: 4, Insightful

    "When can we expect Malware: Fighting Ignorant Users? Not trying to troll, this should be step 1 in the battle."

    In addition, what about legal remedies? It appears that many people legally "agree" to the installation of various forms of malware by mindlessly clicking through on licensing agreements. While consumer education is one possible solution, changing the law of contract might provide another solution. Obviously, these solutions are not mutually exclusive.

    Many contracts are, by either statute or common law, void as a matter of public policy. This is one possible solution.

    Other contracts (e.g., in the areas of consumer credit, mortgages, etc.) have required language or other provisions.

    In other areas (e.g., limitations of liability, waiver of implied warranties, and again consumer credit, mortgages, etc.) there are requirements regarding the use of clear and understandable language, prominent disclosures and even the size of the typeface.

    To my knowledge, none of the above possible remedies have been enacted re: click through agreements.

  6. Hate to answer... by Iscariot_ · · Score: 2, Insightful

    I think it's reasonable to say that technology should always cater to users, not the other way around. Otherwise, what's the point?

    1. Re:Hate to answer... by johnnyb · · Score: 2, Insightful

      I disagree. Computers are difficult to change and difficult to get to perform contextually like humans are. On the other hand, humans are easily adaptable. You'll wind up with the best results by doing a little of both, but really "catering to the users" doesn't mean much, as it depends on the user.

      I almost never cater to the user, but instead cater to the data model. Users always tell me how easy my programs are to use. How does this happen? Instead of trying to guess how my users think, I made my software really predictable. Therefore, with just a little nudge, users are able to figure everything out easily, because the software doesn't have any surprises. The users have to change their way of thinking a little, but that's easy for them to do.

  7. Re:plenty of dodgy code in the Linux kernel! by Anonymous Coward · · Score: 2, Insightful

    Dodgy code doesn't mean security vulnerabilities.

    Most likely those are feature requests. It's not a good idea to take FIXME's out of context.

  8. Lisp (Re:Windows and Linux examples, yes) by Anonymous Coward · · Score: 1, Insightful

    Why is this so far-fetched? There were/are (GUI) OSes written in Lisp, which has garbage collection, dynamic typing, and is fully OO (if you want to use it; Lisp doesn't force you to write OO code if you don't want to). There was of course some assembler to initialize memory, CPU, etc. but most of it was in Lisp.

  9. Another recommendation for the book by Occams+Razor · · Score: 5, Insightful

    Like the rest of you, I've read a number of really dry, really dull technical books simply because I needed to know the material they cover. This is the first technical book I've read in a very long time that was actually _fun_ to read. Ed is an excellent author and speaker and the result is that he makes this an entertaining read. I have found myself reading this book just for the fun of it, not purely for the (excellent) technical content.
    I have actually put this on the must-read list for anyone doing incident handling for my employer. I can't recommend it highly enough.

  10. Transmeta by IncohereD · · Score: 2, Insightful

    Isn't this exactly what Transmeta does? Introduce a translation layer between software and the processor?

    Not to mention that at least partial implementations of the JVM _are_ available in hardware. Targeted JVMs come up a lot in the lists for 4th year projects at my university, for example.

  11. Re:plenty of dodgy code in the Linux kernel! by MrChuck · · Score: 3, Insightful

    I dunno. I recall when some rework of lpd in OpenBSD removed a bunch of "dodgy code". It was fixed because it was wrong (unbounded copies and that sort of thing).

    14 months later, when an exploit for lpd was found and out in the wild, OpenBSD was immune. Did they KNOW that it was exploitable? No. They simply fixed something that was wrong.

    Now regarding the "for newbies" comment:
    "Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter"
    Is there any really good reason that all books must be friendly to newbies? One of the things I really dislike about current technical press is that every book I get on something, I have to deal with 30% or more that covers stuff I know.

    Let's presume that the reader knows "coding". (If you actually know C, C++ or Java, you can reasonably read other Algol-based languages.) From that we can cover PRINCIPLES of bad coding and what to look for.

    I tire of each book being written for kindergartners (metaphorically). Welcome to CS504 - writing optimizing compilers. We're going to be writing a language and developing a compiler for it for several chip platforms. But first, let's go over what a loop is. Can anyone tell me? Then we'll move to variables.

  12. Does it really take a whole book? by walterbyrd · · Score: 2, Insightful

    Here's about all I do on the windows side.

    - keep my data in a separate fat32 partition
    - backup regularly
    - use good AV software, keep it current
    - use zonealarm, ad-aware, and spybot (all free)
    - don't use msie, ms-mediaplayer, outlook, outlook-express, kazaa, Morpheus, or any other software that's well known to invite adware/spyware. Plenty of free alternatives to all that.
    - keep a linux livecd handy.
    - delete all spam while it's still on the server (I use ultrafunk popcorn).
    - never open email attachments from unknown sources.

    Do that, and you won't have much trouble. Probably something I'm forgetting, but that's a good start.