Malware - Fighting Malicious Code
AMuse writes "After taking a course at SANS from Ed Skoudis (and later hacking with him at the DefCon "Capture the Flag" contest in Las Vegas), I decided it was time to buy a copy of his latest book and see if he writes as well as he teaches. "Malware: Fighting Malicious Code" is his most recent computer security book and was definitely a worthy purchase. Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter so that a less experienced security professional can follow along and learn. Additionally, he is very careful to show both Windows and UNIX/Linux examples of the topics, making the book accessible to a far wider crowd than some platform-centric books I've read." Read on for the rest of AMuse's review.
Malware: Fighting Malicious Code
author: Ed Skoudis
pages: 636
publisher: Prentice Hall
rating: 9
reviewer: Matt Linton
ISBN: 0131014056
summary: A detailed look at malicious computer code, how to examine and defend against it.
One of the finest points of the book is that it's structured with the simplest (and most common) cyber-attacks in the initial chapters, and later in the book builds upon those concepts clearly. With each new chapter he delves deeper into the computer attack world and the increasing complexity of attacks and how to recognize, detect and counter them. Every description of an attack is paired with useful graphics and examples of code dumps or program output. As a bonus, the programs he recommends as tools in his book are the very ones he uses in his demonstrations.
Viruses, Worms and Mobile Code
The first few chapters start out relatively light for an experienced security person. They cover viruses, worms and mobile code (the nifty high level languages like ActiveX, JavaScript and VB which are so easy to abuse). Though the information is on a light level for the pro, a novice would find these chapters packed with useful information and examples of each of many types of nasty code. After each example, the book shows how to recognize an infection, then how to prevent them in the first place.
Trojans and Backdoors
Once he's gotten the reader's feet wet, Skoudis begins to wade in deeper with discussion and analysis of Trojans and Backdoors. Even a pro will likely read something here that they didn't know before. As a quick example, he covers "port knocking" with spoofed hosts and sniffers as a means of evading detection of your backdoor by pesky net admins. Although these chapters include many high level concepts, Skoudis clearly demonstrates them via real world examples and references to code that you can obtain yourself and try out (on a well isolated network, of course!).
User and Kernel mode Rootkits
After a healthy dose of trojans and backdoors, the book moves on to discuss in very great detail the current status of User and Kernel mode rootkits. In my opinion, these two chapters were the most detailed and thorough in the book. All told, about 160 pages of the book are dedicated to the Windows and UNIX/Linux kernels, how they operate and of course how they can be completely taken over and replaced by an attacker. If there's any book that can leave SysAdmins awake at night in paranoid fits, this is the book and these are the chapters.
The truly nasty stuff
In the final chapters, he leaves the world of attacks that are already in the wild and discusses attacks that are yet to come. These topics include polymorphic code that alters itself with each infection to evade IDS and Antivirus signatures, tightly packaged combo attacks, potential BIOS rootkits and even microcode attacks where the CPU itself is infected with an attacker's code, hiding rootkits as soon as the power switch is flipped on.
Tying it all together
The book then ends with two very helpful chapters which detail how to establish a test lab for yourself and analyze malicious code on your own. As a bonus, there's also a chapter on real world scenarios that you can investigate yourself to see what you've learned.
Conclusion
All told, I would recommend this book for any serious security professional or SysAdmin/NetAdmin. It's also a very good read for novice geeks but, although Skoudis does an excellent job of explaining the basics, the later chapters may be a bit too complex for someone without at least a bit of time as a power user.
You can purchase Malware: Fighting Malicious Code from bn.com.
bash$ find linux-2.6.5 -exec grep FIXME {} \; | wc -l
2494
bash$
It seems from the description like the book is more about describing malicious code and how it works, not actually battling such code and fending it off. Don't get me wrong - one must know his enemy before he can successfully beat it, but still the title seems a little misleading.
Matt Fahrenbacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Seriously though, is it that Mac OS X isn't as widely deployed as windows and isn't used as much for servers as linux that OS X isn't targeted by viruses/worms/trojans, or is OS X simply harder to break into and not worth the time and effort?
What is the airspeed of an unladen swallow?
African or European?
Please, go and program a better OS, in Java. I don't mean to flame, but honestly, do you suggest that we should start writing OSes in interpreted languages like Java? That is quite simply ridiculous.
How can you interface an interpreted language with hardware, and how do you avoid using an unsafe language to program the very VM that the interpreted language would be running on top of?
I know I've posted on this before here on /., but as long as we use those tools, we're going to have those problems. It's interesting that he doesn't have any examples of Java malware, for instance.
What are you insinuating, that operating systems should be written in Java?
Not to troll, but that's exactly right, and some people just don't have a grudge against Apple for the same reason: it's not used as much. I'm sure if by some cosmic abnormality Apple/Mac became just as used, there'd be some Mac Virii out there in force.
Use == Popularity == Painting a TARGET
main(0)
Malware is much more than a technical phenomenon, although it certainly was born as one.
For me, given that the scope of malware to get past our defenses seems almost infinite, it is much more interesting to look at this from other angles:
- Socioeconomic: who is paying for development of malware, and with what intentions? Healthy paranoia suggests that there is an organized agenda to take over and subvert large parts of the Net. Heck, several such agendas, probably, fighting it out.
- pseudo-Biological: can malware be modelled using biological models and can this help us fight it? I've argued in my journal that yes, this is a valid way of looking at malware, and may be the key to fighting it.
- political: given the potential (or real) power of malware to subvert and control large parts of the Net, should we ignore the inevitable political interest this will cause? If I was a spook, I'd be aiming to use malware to (a) spy on foreign governments, (b) spy on my own citizens, (c) act as a launchpad for cyberattacks.
- commercial: what value can be placed on "here is n% of the Net, to do with as you please..." Probably very high. Where there is value, a market of buyers and sellers will develop. Has probably already developed.
This is not a signature
Interesting that a review of a book on security that mostly deals with Unix based attacks leads you to a screed on Microsoft...
Oh, the things Freud would have said about that.
No point in trying to educate them. A lot of this stuff is so esoteric that even relatively experienced and competent users get taken in, and new stuff comes up all the time. Is it sensible to make someone who really has no need for in depth computer knowledge sit down and cram new viruses and security vulnerabilities 2 hours a day?
The solution is an OS that doesn't just load everything that comes along. It's the digital equivalent of walking around Times Square jabbing used hypodermics into your arm.
This isn't just a Windows thing either...Linux gives you complete freedom to fuck yourself by loading unsigned code. Of course, if you're using Linux you can run the checksums and make sure its the official code.
What it boils down to is that we need some basic validation method, which vets code that should/shouldn't be loaded, and people who don't know what they're doing shouldn't be allowed to override it.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Why does every random computer book nowadays seem to have a gazillion pages? Flipping through my bookshelf and looking at typical worthwhile titles:
K&R: 230 pages
Mythical Man Month: 320
Practice of Programming: 260
For a reference text like a volume of ACP, more than 500 pages may make sense. For fluff like the book reviewed here, it's ridiculous.
Actually, Windows 2000 and up have a special section of group policy specifically for that called Software Restriction Policies.
You can create rules based on path, filename, hash, or certificate.
You can create either a blacklist of unrunnable binaries or a whitelist of runnable binaries.
You can choose to include all binaries or just executables (not libraries).
You can also add new file types based on extension.
You can enforce it across all users or just non-admins.
You can put your certificates in the domain's active directory for easy administration.
For a local system, creating hashes is easy; just find a copy of the binary and it will add it to your policies.
To set it up find 'local security policy' (you may need to show it in explorer's properties) and select 'software restriction policies.' Right-click to create a local rule set. See help for more information.
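As an added example (not from the comment above or from Microsoft), the following PowerShell script audits the Software Restriction Policies configuration that the comment describes, so an administrator can confirm whether the machine is in allowlist or blocklist mode, whether administrators are exempt, whether DLLs are covered, and which path, hash and certificate rules are in force. It assumes SRP stores its settings under the `Safer\CodeIdentifiers` registry key with the value names shown in the comments (`DefaultLevel`, `PolicyScope`, `TransparentEnabled`, `ExecutableTypes`, per-level rule subkeys); those names are taken from the documented SRP registry layout but should be treated as assumptions and checked against your own build. The `Get-BinaryHash` helper is an independent SHA-256 baseline of a binary for comparison, not the hash format SRP itself records.

```powershell
# Audit the local Software Restriction Policies (SRP) configuration.
# Key and value names below are assumptions based on the documented SRP layout.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpSummary {
    if (-not (Test-Path $srpKey)) {
        # No SRP key means no policy has ever been configured on this machine.
        return [pscustomobject]@{ Configured = $false }
    }
    $cfg = Get-ItemProperty -Path $srpKey

    # DefaultLevel: 0 = Disallowed (allowlist: only rules permit execution),
    #               262144 (0x40000) = Unrestricted (blocklist: rules deny execution).
    $mode = switch ($cfg.DefaultLevel) {
        0       { 'Disallowed (allowlist mode)' }
        262144  { 'Unrestricted (blocklist mode)' }
        default { "Other ($($cfg.DefaultLevel))" }
    }

    [pscustomobject]@{
        Configured        = $true
        DefaultLevel      = $mode
        # PolicyScope: 0 = applies to all users, 1 = all users except local administrators
        AppliesToAdmins   = ($cfg.PolicyScope -eq 0)
        # TransparentEnabled: 1 = executables only, 2 = all software files including libraries
        IncludesLibraries = ($cfg.TransparentEnabled -eq 2)
        # Extensions SRP treats as executable (the list the comment says you can extend)
        ExecutableTypes   = ($cfg.ExecutableTypes -join ', ')
    }
}

# Rules live under per-level subkeys (e.g. ...\CodeIdentifiers\0\Paths or
# ...\CodeIdentifiers\262144\Hashes); each rule is its own GUID-named subkey.
function Get-SrpRules {
    Get-ChildItem -Path $srpKey -ErrorAction SilentlyContinue | ForEach-Object {
        $level = $_.PSChildName
        foreach ($kind in 'Paths', 'Hashes', 'Certificates', 'UrlZones') {
            $ruleKey = Join-Path $_.PSPath $kind
            if (Test-Path $ruleKey) {
                Get-ChildItem -Path $ruleKey | ForEach-Object {
                    $r = Get-ItemProperty -Path $_.PSPath
                    [pscustomobject]@{
                        # Level the rule assigns: 0 blocks, 262144 allows
                        Level       = if ($level -eq '0') { 'Disallowed' } else { 'Unrestricted' }
                        Kind        = $kind
                        # For path rules this is the path; for hash rules it is the stored digest bytes
                        ItemData    = $r.ItemData
                        Description = $r.Description
                    }
                }
            }
        }
    }
}

# Independent SHA-256 of a binary you intend to allow or block, for your own records.
function Get-BinaryHash([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

Get-SrpSummary | Format-List
Get-SrpRules   | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; a summary showing `Disallowed` with `AppliesToAdmins` true and `IncludesLibraries` true is the strictest configuration the comment describes, and the rule table tells you which paths, hashes and certificates that policy actually trusts.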