Slashdot Mirror


Malware - Fighting Malicious Code

AMuse writes "After taking a course at SANS from Ed Skoudis (and later hacking with him at the DefCon "Capture the Flag" contest in Las Vegas), I decided it was time to buy a copy of his latest book and see if he writes as well as he teaches. "Malware: Fighting Malicious Code" is his most recent computer security book and was definitely a worthy purchase. Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter so that a less experienced security professional can follow along and learn. Additionally, he is very careful to show both Windows and UNIX/Linux examples of the topics, making the book accessible to a far wider crowd than some platform-centric books I've read."

Title: Malware: Fighting Malicious Code
Author: Ed Skoudis
Pages: 636
Publisher: Prentice Hall
Rating: 9
Reviewer: Matt Linton
ISBN: 0131014056
Summary: A detailed look at malicious computer code, how to examine and defend against it.

One of the finest points of the book is that it's structured with the simplest (and most common) cyber-attacks in the initial chapters, and later in the book builds upon those concepts clearly. With each new chapter he delves deeper into the computer attack world and the increasing complexity of attacks and how to recognize, detect and counter them. Every description of an attack is paired with useful graphics and examples of code dumps or program output. As a bonus, the programs he recommends as tools in his book are the very ones he uses in his demonstrations.

Viruses, Worms and Mobile Code

The first few chapters start out relatively light for an experienced security person. They cover viruses, worms and mobile code (the nifty high level languages like ActiveX, JavaScript and VB which are so easy to abuse). Though the information is on a light level for the pro, a novice would find these chapters packed with useful information and examples of each of many types of nasty code. After each example, the book shows how to recognize an infection, then how to prevent it in the first place.

Trojans and Backdoors

Once he's gotten the reader's feet wet, Skoudis begins to wade in deeper with discussion and analysis of Trojans and Backdoors. Even a pro will likely read something here that they didn't know before. As a quick example, he covers "port knocking" with spoofed hosts and sniffers as a means of evading detection of your backdoor by pesky net admins. Although these chapters include many high level concepts, Skoudis clearly demonstrates them via real world examples and references to code that you can obtain yourself and try out (on a well-isolated network, of course!).

User and Kernel Mode Rootkits

After a healthy dose of trojans and backdoors, the book moves on to discuss in very great detail the current status of User and Kernel mode rootkits. In my opinion, these two chapters were the most detailed and thorough in the book. All told, about 160 pages of the book are dedicated to the Windows and UNIX/Linux kernels, how they operate and of course how they can be completely taken over and replaced by an attacker. If there's any book that can leave SysAdmins awake at night in paranoid fits, this is the book and these are the chapters.

The truly nasty stuff

In the final chapters, he leaves the world of attacks that are already in the wild and discusses attacks that are yet to come. These topics include polymorphic code that alters itself with each infection to evade IDS and Antivirus signatures, tightly packaged combo attacks, potential BIOS rootkits and even microcode attacks where the CPU itself is infected with an attacker's code, hiding rootkits as soon as the power switch is flipped on.

Tying it all together

The book then ends with two very helpful chapters which detail how to establish a test lab for yourself and analyze malicious code on your own. As a bonus, there's also a chapter on real world scenarios that you can investigate yourself to see what you've learned.

Conclusion

All told, I would recommend this book for any serious security professional or SysAdmin/NetAdmin. It's also a very good read for novice geeks but, although Skoudis does an excellent job of explaining the basics, the later chapters may be a bit too complex for someone without at least a bit of time as a power user.

  1. Hate to ask... by Anonymous Coward · · Score: 5, Insightful

    When can we expect Malware: Fighting Ignorant Users? Not trying to troll, this should be step 1 in the battle.

    1. Re:Hate to ask... by javatips · · Score: 4, Insightful

      Maybe "Malware: Educating Ignorant Users" would be better.

    2. Re:Hate to ask... by SatanicPuppy · · Score: 4, Interesting

      No point in trying to educate them. A lot of this stuff is so esoteric that even relatively experienced and competent users get taken in, and new stuff comes up all the time. Is it sensible to make someone who really has no need for in depth computer knowledge sit down and cram new viruses and security vulnerabilities 2 hours a day?

      The solution is an OS that doesn't just load everything that comes along. It's the digital equivalent of walking around Times Square jabbing used hypodermics into your arm.

      This isn't just a Windows thing either...Linux gives you complete freedom to fuck yourself by loading unsigned code. Of course, if you're using Linux you can run the checksums and make sure it's the official code.

      What it boils down to is that we need some basic validation method, which vets code that should/shouldn't be loaded, and people who don't know what they're doing shouldn't be allowed to override it.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Windows and Linux examples, yes by ChiralSoftware · · Score: 4, Insightful
    Of course there is malware for Windows and Linux because both are written in unsafe languages which manipulate memory directly and often cast objects to (void *) and use containers (pointers to regions of memory) which don't know their own size. I know I've posted on this before here on /., but as long as we use those tools, we're going to have those problems. It's interesting that he doesn't have any examples of Java malware, for instance.

    ----------
    Create a WAP server

    1. Re:Windows and Linux examples, yes by icypyr0 · · Score: 5, Interesting

      Please, go and program a better OS, in Java. I don't mean to flame, but honestly, do you suggest that we should start writing OSes in interpreted languages like Java? That is quite simply ridiculous.

      How can you interface an interpreted language with hardware, and how do you avoid using an unsafe language to program the very VM that the interpreted language would be running on top of?

    2. Re:Windows and Linux examples, yes by Proaxiom · · Score: 5, Informative
      Every great athlete blames the equipment, right?

      It's certainly true that "as long as we use those tools, we're going to have those problems", but I'd go a step further and include computers and networks in your list of tools that have inherent issues.

      Java is not as risk-prone as C, but that does not mean it's a security panacea. It has its own set of problems. You can say we shouldn't write code in unsafe languages, but then we wouldn't have any left.

      And, to put it simply, Java applications don't run as fast as C applications. While most of the time that's not important, sometimes it is.

      You can't tell people to stop using unsafe tools. That's equivalent to telling people to encase their computers in concrete and drop them in the ocean to secure them against malware. Instead, tell people where the risks lie and how to mitigate those risks. Then people will naturally gravitate toward safer tools and practices, because we are all lazy and that way we will have less work to do building adequately secure applications.

    3. Re:Windows and Linux examples, yes by wandazulu · · Score: 5, Insightful

      You sound hungry, so I'll step up.

      You might feel safe in thinking that Java's sandbox protects from this kind of thing, but don't be too sure...what is a JVM written in? Those very unsafe languages you talk about.

      The fact is, at some point, *somebody's* gotta manipulate the memory directly; somebody's gotta keep track of what's been alloc'ed and what's been free'd, and whether that's at an application level, or at the OS level, you're going to find the very languages that you deem as unsafe.

      Abstract away and bytecode your way to a false sense of security, and you've done nothing but put up another curtain to lull you into a false sense of security. The fact is, this kind of thing is *always* going to be with us, whether intentional or by accident (Microsoft's whole KB).

      Think of it this way: cars are too dangerous for people to use because there's no way to stop them from running into the ditch. So we're going to develop a system by which everyone's car runs on rails, with all the latest safety systems to make sure everything is safe and secure and drive the way we think they should drive. Now you don't have to trust your own abilities, just us. And we know what's right, right?

  3. A nice example of a trojan by gandalf013 · · Score: 5, Informative
  4. Trojans and backdoors by Anonymous Coward · · Score: 5, Funny

    Part 1:

    Always, and I repeat always, use a trojan when you enter through the backdoor.

  5. Fighting? by Ghoser777 · · Score: 5, Interesting

    It seems from the description like the book is more about describing malicious code and how it works, not actually battling such code and fending it off. Don't get me wrong - one must know his enemy before he can successfully beat it, but still the title seems a little misleading.

    Matt Fahrenbacher

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
  6. Here we go by dj245 · · Score: 5, Funny
    They forgot Social Engineering project 66.35.250.150. A community web-based system designed to DDoS certain websites within moments of being posted to the main page of said website. Highly infectious. This project has a reputation of taking down innocent websites within moments of being posted to its main page, and then having the audacity to joke about it on the forums. Outsiders are warned to stay away from 66.35.250.150 and users of 66.35.250.150 as they are ill-tempered and socially awkward.

    There is no known cure or stopgap measures for the 66.35.250.150 effect.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  7. Re:As a mac user... by millahtime · · Score: 4, Informative

    "Seriously though, is it that Mac OS X isn't as widely deployed as windows and isn't used as much for servers as linux that OS X isn't targeted by viruses/worms/trojans, or is OS X simply harder to break into and not worth the time and effort?"

    OS X (based on and intertwined with FreeBSD) tops the list of most secure operating systems (along with the other BSDs as already reported on /.). The Unix examples do apply to OS X, though, as its Unix is really BSD Unix. They may not point out the Mac, but the same rules apply.

  8. Use... by boisepunk · · Score: 5, Interesting
    "...is it that Mac OS X isn't as widely deployed as windows and isn't used as much..."

    Not to troll, but that's exactly right, and some people just don't have a grudge against Apple for the same reason: it's not used as much. I'm sure if by some cosmic abnormality Apple/Mac became just as used, there'd be some Mac Virii out there in force.

    Use == Popularity == Painting a TARGET

    --
    main(0)
  9. What about the socioeconomic aspects? by heironymouscoward · · Score: 5, Interesting

    Malware is much more than a technical phenomenon, although it certainly was born as one.

    For me, given that the scope of malware to get past our defenses seems almost infinite, it is much more interesting to look at this from other angles:

    - Socioeconomic: who is paying for development of malware, and with what intentions? Healthy paranoia suggests that there is an organized agenda to take over and subvert large parts of the Net. Heck, several such agendas, probably, fighting it out.

    - pseudo-Biological: can malware be modelled using biological models and can this help us fight it? I've argued in my journal that yes, this is a valid way of looking at malware, and may be the key to fighting it.

    - political: given the potential (or real) power of malware to subvert and control large parts of the Net, should we ignore the inevitable political interest this will cause? If I was a spook, I'd be aiming to use malware to (a) spy on foreign governments, (b) spy on my own citizens, (c) act as a launchpad for cyberattacks.

    - commercial: what value can be placed on "here is n% of the Net, to do with as you please..." Probably very high. Where there is value, a market of buyers and sellers will develop. Has probably already developed.

    --
    Ceci n'est pas une signature
  10. A Different Viewpoint by Mikkeles · · Score: 4, Informative
    Another review, by Rob Slade, of this book is available here (amongst other places). He comes to a somewhat different conclusion:
    The text is much more verbose than it really needs to be, and sensational rather than precise. There is a lot of specific detail in some areas, particularly for those interested in UNIX system internals, but the material on malware itself tends to be careless, and the author is obviously much keener on attacking than defending. This work does not offer much help to those who want to fight malicious code.

    Disclaimer: I have neither read the book, nor have an opinion on it. My only interest in malware is not to have it :^)

    --
    Great minds think alike; fools seldom differ.
  11. Java malware by heironymouscoward · · Score: 4, Insightful

    Using "safe" languages just displaces the problem.

    For example, the obnoxious CoolWebSearch trojan gets into computers via a hole in the MSIE Java runtime.

    Further, the number of infections caused by code weaknesses is probably far less than the number caused by social weaknesses - "Click on me!"

    --
    Ceci n'est pas une signature
    1. Re:Java malware by sapped · · Score: 4, Funny

      Further, the number of infections caused by code weaknesses is probably far less than the number caused by social weaknesses - "Click on me!"

      Where's the link dude? You are telling me to click and the urge is overpowering me and yet you don't provide anything to click on. What kind of sadistic torture is that?

  12. Re:Hate to ask...; What about legal remedies? by David+Hume · · Score: 4, Insightful

    When can we expect Malware: Fighting Ignorant Users? Not trying to troll, this should be step 1 in the battle.

    In addition, what about legal remedies? It appears that many people legally "agree" to the installation of various forms of malware by mindlessly clicking through on licensing agreements. While consumer education is one possible solution, changing the law of contract might provide another solution. Obviously, these solutions are not mutually exclusive.

    Many contracts are, by either statute or common law, void as a matter of public policy. This is one possible solution.

    Other contracts (e.g., in the areas of consumer credit, mortgages, etc.) have required language or other provisions.

    In other areas (e.g., limitations of liability, waiver of implied warranties, and again consumer credit, mortgages, etc.) there are requirements regarding the use of clear and understandable language, prominent disclosures and even the size of the type face.

    To my knowledge, none of the above possible remedies have been enacted re: click through agreements.

  13. Another recommendation for the book by Occams+Razor · · Score: 5, Insightful

    Like the rest of you, I've read a number of really dry, really dull technical books simply because I needed to know the material they cover. This is the first technical book I've read in a very long time that was actually _fun_ to read. Ed is an excellent author and speaker and the result is that he makes this an entertaining read. I have found myself reading this book just for the fun of it, not purely for the (excellent) technical content.
    I have actually put this on the must-read list for anyone doing incident handling for my employer. I can't recommend it highly enough.