Slashdot Mirror


Malware: Fighting Malicious Code

Adam Jenkins writes "I have had a fair bit of experience with malware, from removing DOS viruses to removing rootkits on Windows servers. Currently I am working in desktop support at a university -- exactly where many of the anti-malware battles occur." With that background, he provides a review of the reprinted Malware: Fighting Malicious Code, writing "As with many things computer-related, this book might age quickly, but it has lots of sound theory that will stay relevant for a long time, even if it doesn't discuss the latest worm by name. I haven't read the author's earlier book (Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses) but he is well known as both the author of that and also for the SANS lectures he runs." Read on for the rest of Jenkins' review, or revisit Matt Linton's review.

Malware: Fighting Malicious Code
author: Ed Skoudis with Lenny Zeltser
pages: 647 (paperback)
publisher: Prentice Hall PTR
rating: 9
reviewer: Adam Jenkins
ISBN: 0131014056
summary: very comprehensive guide to malware

The blurb on the back cover states that the book is "intended for system administrators, network personnel, security personnel, savvy home computer users, and anyone else interested in keeping their systems safe from attackers." It may seem a minor point, but that is a very broad range of people! However, the book is comprehensive enough to merit the claim. For example, the chapter on "malicious mobile code" (or "active content") includes tips on how to configure Internet Explorer's security settings (great for savvy home users), while the information presented on using group policies, the Internet Explorer 6 Administration Kit and incorporating changes into Ghost SOE images would be more appropriate for system administrators. One can argue that system/network administrators already know all this, but let's face it: there are many who don't, or who need prompting. The book is particularly strong in explaining theory, like how different types of malware work, and its layout reminds me of a lot of university text books. Each chapter has a Conclusions section, a summary and a list of references -- great for retention of knowledge, or to help if you are studying for an exam on the chapter. There is a reasonable amount of redundant information in the book, particularly in the "defence" section of each chapter, where file integrity checkers, bootable CDs with static binaries and the like are discussed.

"Malware" is a deliberately broad term, but it suits this book, which covers not just viruses, Trojan horses and worms, but also rootkits and BIOS microcode. The scope extends a bit beyond just fighting malicious code: Skoudis goes so far as to analyze how it works and how it has developed (from other malware), and to speculate on the future of malicious code.

Malware is very readable, while still being technically accurate. It does not cover everything, but Skoudis has lots of great analogies, and quotes from sources as diverse as Stephen Hawking, Lord of the Rings, The Matrix, Wargames, Milli Vanilli and Styx. The book is written in a conversational and at times humourous style, and I am assuming a lot of the content has been presented in Skoudis's lectures.

Despite the practical approach of the book, the content is not exactly what you might expect. Skoudis's introduction says the book will focus on practicality: "we'll discuss time-tested, real-world actions you can take to secure your systems from attack." Why then, in 700 pages, is there barely a mention of how to configure a firewall? I think it is because there are so many applications covered, and because there is so much emphasis on all the fun and cute tools (like the Sysinternals ones, and netcat), that some of the less exotic but useful ones suffer by omission.

The Introduction also says the book is operating-system agnostic. Both Windows and Linux are covered, true, but that's not a very broad slice: Solaris, HPUX, BSD, Tru64 and OS X barely get a mention. Even if the book is mostly aimed at home users, there are many using OS X, and in fact many using Mac OS, Windows 98 and even non-Intel platforms.

The illustrations are limited to diagrams, tables and screenshots, and while they are nothing fancy, most are quite clear and helpful.

There is no accompanying CD with the book, but there are so many tools covered in the text, and chances are that many of them would be quite out-of-date by now anyhow, so you are better off downloading them yourself. Skoudis has a web site at counterhack.net/, and co-author Lenny Zeltser has one at zeltser.com/. The web sites are not limited to discussing this book, but are more about what Ed and Lenny have written lately, and the "Crack the Hacker Challenges" on Ed's site look fun. There's a list of references at the end of each chapter, and many sources are referred to in the text (especially in the last 2 chapters), though I am surprised antivirus company web sites like F-Secure, Sophos and CA weren't included; I have found the analyses there at least equal in accuracy and depth to those of McAfee, Trend and Symantec.

As far as bootable CDs for forensics and network security tasks, I'm surprised Trinux and Knoppix STD didn't score a mention, though normal Knoppix and FIRE are mentioned.

The chapter on malicious mobile code covers Java and ActiveX fairly evenly, but I think more emphasis on current threats is the way to go. (Particularly as there is so much FUD surrounding adware and how to remove it.)

One very general flaw with the book is that it tends to focus on the fancier stuff, not just in its selection and description of security tools, but in the actual malware discussed. The information on Code Red II and Bugbear.B is a noticeable exception to this, but many of the other viruses that are discussed -- like Kallisti, Tristate, PHP.Pirus, and Win2k.Stream -- are anything but common.

All that said, I haven't seen any other books that provide such great explanations of rootkits, malicious mobile code or adware, but also hint at things to come like Flash/Warhol worms and microcode malware. This book fills a void in that it covers current malware (with some historical perspective) with enough analogies, scenarios and "detective work" to hold the reader's interest. Hopefully readers will be inspired by the enthusiasm that Skoudis and Zeltser obviously have for fighting malware, and will use this book as a stepping stone to learn more and beat the malware that seems all too prevalent on today's Internet.

You can purchase Malware: Fighting Malicious Code from bn.com.

95 comments

  1. Tru64? by MyIS · · Score: 5, Funny

    Solaris, HPUX, BSD, Tru64 and OS X barely get a mention ... because I can barely keep the damn worms off my Tru64 box...

    --
    http://zero-to-enterprise.blogspot.com/
    1. Re:Tru64? by Dr+Caleb · · Score: 1
      I wondered why hurd wasn't mentioned then . . .

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
  2. All you need is common sense. by ichigo · · Score: 5, Insightful

    Seriously, all you need is to use your brain and think. The problem is many users tend to install stuff without a second thought; it's like inviting a stranger to your house.

    1. Re:All you need is common sense. by Phil246 · · Score: 1

      you also need something non-microsoft.
      Something which doesn't let things install by themselves, and as Administrator a-la-exploit (and there's plenty already, and probably more to come, before you "get sp2" fanboys start shouting)

    2. Re:All you need is common sense. by SlimFastForYou · · Score: 4, Insightful

      Sadly, a whole lot of computer users don't even know how to install a program. So whenever the computer asks something, yes is chosen because it typically means the computer wants to do something and the user thinks the computer wants to do something for a good reason. e.g. Would you like to save changes to stuff.doc?

      So when the computer brings up an IE dialog box that says, "Choose yes to block pop ups", these users say yes.

      Should these users know better? I think so. Do they ever learn? I think eventually. In the meanwhile, the IT guy or the local computer shop has to deal with it. It's a sad fact, but spyware is probably the number one money maker for computer shops.

    3. Re:All you need is common sense. by gazz · · Score: 2, Interesting

      if they learned immediately, there'd be no job for the IT guy. :D

      --
      it's the taking apart that counts
    4. Re:All you need is common sense. by bloodredsun · · Score: 2, Interesting

      What you need is something secure by default! Or at least something that doesn't walk around with its trousers round its ankles and a big sign saying "Get it here!"
      I can't remember the number of times I've been dragged out to a friend's house because their computer has gone pear-shaped due to malware (on Windows systems admittedly, as the only other OS I know about is Solaris and you don't see many of those on home PCs!).
      Then installing Firefox, ZoneAlarm, Ad-Aware, Stinger, an anti-virus and a reg-cleaner because of my friend's habit of clicking on everything within arm's reach whilst having no firewall or AV. Frankly I blame the combination of clueless users and non-secure apps. It's up there with leaving petrol, matches and a pyromaniac in a room for getting the worst.

    5. Re:All you need is common sense. by John+Bokma · · Score: 2, Interesting
      Should these users know better? I think so.
      I think not. From a certain view point it looks easy: educate the users. But most of those users that should be educated (according to many people) are just not able to understand the basics that could make their systems more safe. Like not everybody is able to go to the university if you give them the books and sufficient time.
    6. Re:All you need is common sense. by Taladar · · Score: 2, Interesting

      That's like saying "If there were no accidents there'd be no job for the Ambulance driver."

    7. Re:All you need is common sense. by salvorHardin · · Score: 1

      That's like saying "If there were no accidents there'd be no job for the Ambulance driver."

      Or the lawyer, chasing close behind it

    8. Re:All you need is common sense. by ansleybean · · Score: 2, Informative

      I work at a small computer shop, and spyware/adware is the #1 reason we get customers in. Most of the time people fell for the popups saying "Your computer is infected with spyware - do you want to remove it?" *click* Within an hour there are 5 different versions of coolweb installed.

  3. Re:I've never had IE malware by koh · · Score: 0, Flamebait

    I've been using IE since Win95 (with the Proxomitron and with security/privacy set to high). And I've *NEVER* had a single nontrivial web page load properly. When people talk about modern, interesting web pages, I visit them to see what it's like, and nothing happens. All the complaints about IE security? I reckon they can be solved by the user not wanting to browse the web. And that common sense is to keep using IE, not to install Firefox.

    --
    Karma cannot be described by words alone.
  4. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    What a cop out.

    You might as well just give them a DOS disk and tell them they don't need the internet anyway.

  5. Re:Malware is a Windows problem by TheGavster · · Score: 4, Insightful

    Gentoo isn't exactly easy to get installed the first time. Particularly if you've been a Windows user for life, watching pages of compiler messages fly by isn't exactly an inviting experience.

    --
    "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
  6. Re:Malware is a Windows problem by goofyheadedpunk · · Score: 5, Insightful

    Well aren't you the least helpful help desk guy ever? Do you think that if the so called "lusers" can't keep viri and spyware off of their Windows boxen they could possibly hope to install Gentoo?

    "Hmm... I didn't know anything about my magical beige box before, but now with Gentoo I suddenly know exactly what a partition scheme and compiling are, and I haven't even popped the disk into the music slot on my computer yet!"

    Being a jerk helps nothing.

    --

    What if the entire Universe were a chrooted environment with everything symlinked from the host?
  7. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    That's why Gentoo is so good. When you're installing Gentoo you are *forced* to learn, and you can learn much more quickly than with RedHat or SuSE, where you're not forced to learn the low-level details of the system.

  8. Nice Review by gazz · · Score: 5, Interesting

    Well reviewed, my good man/woman/thing...
    It's good to see a seemingly well thought out book on the topic of detection and removal of "malware".
    The majority of tech calls I get from family and friends involve something malicious or just downright irritating landing on someone's computer (strangely, usually a Win32 box...well, not that strange, considering...), which I end up having to track down and de-couple...which can sometimes be a rather lengthy process, especially where the offending piece has been based on some of the older, smarter virii which spread themselves all over the place just to make sure it takes you a clean floppy or about 4 reboots to remove (re-deleting each re-replaced thing each time). *remember to breath, gazz*

    I've longed for a return to the days when I used to only find a blown PSU.....like, 1996....

    Good to see chapters on general system "hardening" as well as some more in-depth stuff.

    Saying all that, it can be great fun cleaning out a "scr00d" system.

    --
    it's the taking apart that counts
    1. Re:Nice Review by gazz · · Score: 1

      umm,
      s/(breath)/$1e/;

      --
      it's the taking apart that counts
    2. Re:Nice Review by TCM · · Score: 1

      s/breath/&e/ is cheaper

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    3. Re:Nice Review by gazz · · Score: 1

      Do you mean:

      s/breath/$&e/

      ?

      --
      it's the taking apart that counts
    4. Re:Nice Review by akgoatley · · Score: 1

      Alternatively, he could do s/breath/\1e/;

      --
      (-(friend^2))^(1/2)
      Incoming mod-bombing for having a different viewpoint, 2 o'clock! Heads up!
    5. Re:Nice Review by TCM · · Score: 1

      No.

      $ echo breath | sed 's/breath/&e/'
      breathe

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    6. Re:Nice Review by gazz · · Score: 1

      ahh, I guess I should have specified my Perl addiction....

      --
      it's the taking apart that counts
  9. mod parent troll by sinner0423 · · Score: 1

    university helpdesk does not equate to passing out linux and telling the end users to piss off.

    parent is a troll, don't even bother.

  10. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    I think my boss would approve. Time is money, and these lusers just waste my time when I could be sysadmining my Linux boxen.
    Overall, the more people we get on Linux desktops, the less spyware problems our department will have. The learning curve is nothing in comparison, and I'd say that education is quite appropriate for a University; we're not some dumb MCSE shop.

  11. Re:Malware is a Windows problem by rafikki · · Score: 2, Insightful

    "the less spyware problems our department will have" Until it becomes worth the time of the spyware makers to find some way to exploit Linux.

  12. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    Lusers installing Gentoo eh?

    Uninformed people running Linux *just because it's safer* make up the bulk of compromised web servers out there.

    Sheesh. That attitude won't help them learn either!

  13. Re:I've never had IE malware by DarkMantle · · Score: 1

    I reckon they can be solved by the user not wanting to browse the web

    yeah, that's about the only way to keep IE safe from malware. But hell, just download Kazaa, and make sure you get XXX-Porno.jpg.exe and look at the pretty picture.

    --
    DarkMantle I been bored, so I started a blog.
  14. Re:I've never had IE malware by Scoria · · Score: 1, Redundant

    I understand that the parent is likely to be a troll, but Internet Explorer can be compromised, regardless of your security preferences. An external host can easily override them. However, you may be partially correct. Traffic filtration, despite the inherent computational overhead, is often intrinsic to a secure deployment. For instance, an administrator can often mitigate self-propagating worms by simply quarantining executables at the mail server.

    Of course, this negates one obvious threat: the LAN. If a client were to invoke a malicious application that had been imported from his or her personal computer, it could potentially infect any accessible network shares.

    If you're interested in maintaining relatively absolute security, then you should probably filter any incoming electronic mail or Web data. You may also want to install scanning software locally. And, if you're an absolute BOFH, perhaps you should even remove any locally accessible media drives. Finally, ensure that your network permissions are correct, and remember that all of your precautions could be rendered irrelevant by an application or exploit that has not yet been documented.

    --
    Do you like German cars?
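    The mail-server quarantine that Scoria's comment describes, shown as an added example that is not part of the original thread or of the book under review: a small Python scanner that parses a message and flags attachments that are executables, whether by final extension, by a disguising double extension (the `XXX-Porno.jpg.exe` style of name mentioned elsewhere in the thread), or by the MZ header of a Windows executable hidden under an innocent-looking name. The sample message, its attachment names and the `EXECUTABLE_EXTENSIONS` set are constructed here and assumed, not taken from the page.

```python
"""Quarantine check for executable mail attachments (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click. A representative subset chosen for
# this example, not an exhaustive list; a real deployment keeps its own.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta",
}

# Every DOS/Windows executable starts with the two-byte "MZ" stub header, so
# the content can be recognised even when the file name says ".jpg".
PE_MAGIC = b"MZ"


def executable_reasons(filename, payload):
    """Return the reasons an attachment should be quarantined (empty if none).

    Three checks: the final extension, a double extension that disguises the
    file as something harmless, and the MZ magic bytes regardless of name.
    """
    reasons = []
    parts = (filename or "").lower().split(".")
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) > 2:
            reasons.append(f"double extension disguises it as .{parts[-2]}")
    if payload[:2] == PE_MAGIC:
        reasons.append("PE header (MZ) in content")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment.

    Returns a list of (filename, reasons) tuples; any attachment with a
    non-empty reasons list would be held back instead of delivered.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename(), executable_reasons(part.get_filename(), payload)))
    return results


def quarantined_filenames(raw_bytes):
    """Names of the attachments scan_message would quarantine."""
    return [name for name, reasons in scan_message(raw_bytes) if reasons]


def build_sample_message():
    """Constructed test data: a harmless note, a double-extension executable,
    and a PE stub renamed to look like a picture (the MZ bytes are fake)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "holiday pictures"
    msg.set_content("see attached")
    msg.add_attachment(b"just a note", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="image", subtype="jpeg",
                       filename="XXX-Porno.jpg.exe")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="image", subtype="jpeg",
                       filename="beach.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        verdict = "QUARANTINE" if reasons else "deliver"
        print(f"{verdict:10} {name}: {', '.join(reasons) or 'ok'}")
```

    Run stand-alone it prints one verdict per attachment; only notes.txt is delivered. The content check matters more than the name check: the declared image/jpeg type and the .jpg name of the third attachment are both attacker-controlled, and only the MZ bytes give it away.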
  15. Re:I've never had IE malware by flibuste · · Score: 1
    I've *NEVER* had a single nontrivial web page load properly

    Do you mean you never used your computer since Win95? That makes sense then

    Because otherwise, considering that 90% of browsers are IE, this would mean 90% of the world CANNOT see most web pages. So 90% of internet users actually *fake* viewing web pages, ordering stuff, playing games, getting worms, etc.

    Sounds weird doesn't it?

  16. There's a reason... by eeg3 · · Score: 3, Funny

    Both Windows and Linux are covered, true, but that's not a very broad slice: Solaris, HPUX, BSD, Tru64 and OS X barely get a mention.

    There's no point in wasting time developing worms for Solaris, HPUX, Tru64, etc. The work to reward ratio is too low. Not to say writing a worm, etc. is rewarding, but that's like developing anthrax that only kills people with webbed feet.

    1. Re:There's a reason... by FrYGuY101 · · Score: 2, Funny

      One of these days, when the Polar Ice caps melt, it'll be us versus them... I have *MY* Webbie killing Anthrax... You all mock me, but I SWEAR I'll have the last laugh!!!

      --
      "If we let things terrify us, life will not be worth living."

      - Seneca
  17. Re:I've never had IE malware by koh · · Score: 1

    Wow, wow. Have to reply here.

    In case you didn't notice it, my post was a would-be humourous duplication of my parent post, my point being that using Proxomitron/Privoxy and surfing with IE security set to high prevents many pages from loading properly and is not well-suited for the casual user.

    That humourous duplication obviously went belly-up. No offense, I'll try again next year :)

    --
    Karma cannot be described by words alone.
  18. Fighting Malicious Code? by Timesprout · · Score: 0

    I know kung fu.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:Fighting Malicious Code? by Spy+der+Mann · · Score: 1

      In case you guys didn't notice, this is a Matrix reference.

    2. Re:Fighting Malicious Code? by AndroidCat · · Score: 1

      That was that cat movie right?

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:Fighting Malicious Code? by hunterx11 · · Score: 3, Funny

      No, you don't.

      --
      English is easier said than done.
    4. Re:Fighting Malicious Code? by Anonymous Coward · · Score: 0

      In case you guys didn't notice? Where the hell do you think you are?

    5. Re:Fighting Malicious Code? by diquark · · Score: 1

      Show me!

  19. MOD PARENT UP. by Anonymous Coward · · Score: 1, Insightful

    Gentoo is a lot of things, but perhaps not best for a first distro. You are correct. I mean, /usr, /home, /wtf? are strange when you see them for the first time (/wtf especially). But in all seriousness, there is something that Gentoo did for me that no other distro (at that point) had done for me: really taught me about Linux and how/where things are (RedHat and other drop-n-go distros didn't force me to up to that point). Gentoo really, really made me learn.

    1. Re:MOD PARENT UP. by Anonymous Coward · · Score: 0

      I would say LFS does it even more, especially since you're doing it manually by hand, and if you actually read the manual and not just copy and paste the code.

  20. I used to tech support by Psychofreak · · Score: 5, Interesting

    When I was a university student, the school had a site license for Norton Antivirus. As a student you could install it free of charge, and it would LiveUpdate as well to stay current. In fact LiveUpdate was just out and a new good thing. The key was that having a defense against a "majority" of malware as seen by most was not enough. Users still required education on what was causing their problems. Most users did not want the time to learn about security on their machine. This meant that people were hacking other boxes on campus, people were setting up malicious websites on their own machines, people were setting up malicious websites using university resources. (My favorite was a JavaScript "Click here for a good time" that would try to format the hard drive!!)

    The university then started a newsletter that all tech support staff, department heads and administrative staff were supposed to subscribe to. This newsletter would detail technology happenings on campus, planned outages, maintenance, a short security blurb, calls open/closed/pending, a blurb about not opening attachments unless you know the source, and much else.

    There were always some warnings about attachments and security on the internet.

    Several one-shot free classes were set up for all people at the university. Show up, learn about WHY you don't surf porn. Learn why all these things that were "bad" are considered such.

    After about 2 years of this the major problems with viruses and infected attachments started noticeably dropping off, to the point where very few calls were about a virus type issue..only a few a week instead of a few a day. Then I graduated.

    I understand that most tech staff cannot schedule resources like a university can, but having a tech newsletter for an organization is good, as well as having tech instruction for the low level users who don't see anything other than a magic box of fun!

    Having books like this is an obvious good thing, and I may consider going and getting a copy even though I am not doing tech support anymore.

    Phil

    --
    Laugh, it's good for you!
  21. Re:Malware is a Windows problem by linguae · · Score: 5, Insightful
    If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with.

    Gentoo? For general, non-geek, Windows users? Maybe something easier, such as Mandrake or Ubuntu, but if they cannot keep malware off their computers, there is probably no way they're able to install Gentoo, let alone any other Linux distribution. Rather, you should give them a suite of the following:

    • AdAware
    • Spybot Search and Destroy
    • Hijack This
    • a decent firewall
    • a decent anti-virus application
    • Firefox
    • A pamphlet about computer security

    There. That should solve nearly all of their malware problems without having to move to another OS.

    Linux is an OS immune to these kinds of problems.

    *nix may be immune to Windows worms, viruses, and other scum, but it surely isn't immune from clueless lusers. Now, I'm not a MS apologist; I am a FreeBSD user. However, if *nix gets a clueless user base and starts doing stupid things (such as running as root), then all they have to do to get their computers hosed is for someone to download "Free Britney Spears screensavers for Linux," which turns out to be nothing more than a script that has "rm -r /*" in it. *nix may be more secure than Windows, but it isn't "foolproof," either.

  22. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0
    You might as well just give them a dos disk and tell them they dont need the internet anyway.

    Obviously, you have never truly surfed the net until you have surfed it in pure DOS. :) Ever heard of Lynx or Arachne?

  23. Re:Malware is a Windows problem by goofyheadedpunk · · Score: 1

    Please don't blab the standard Gentoo fan boy lines at me. I'm a Slackware user currently rolling my own system from scratch. I know low level like it's an annoying cut on the end of my finger.

    And you know what? Surprisingly, most people don't want to be forced to learn how their computer works. Most people are quite contented to have a magical beige box that periodically brings forth web pages and music.

    My Dad couldn't care less that /dev/dsp is now deprecated, and that the 2.6.9n kernels have an interesting typo in a config file somewhere such that the udevs don't work properly, screwing up both man and less. He just wants his computer to work. I want my computer to do as I say; there's a difference there that most people don't seem to get.

    Most computer users couldn't give a rat's ass.

    But you say that because you're forced to deal with low level details in Gentoo you learn fast, huh? That's not always true. Gentoo abstracts too. I personally know quite a few fan boys that can talk all about how much faster their computer is now that everything has been funrolled, but still couldn't tell me what the hell the difference between kernel and user space are.

    Gentoo might be so good for you, but for the vast majority of people it's going to be no good. Just because something fits you doesn't mean it fits someone else.

    --

    What if the entire Universe were a chrooted environment with everything symlinked from the host?
  24. Most security related books by dfiguero · · Score: 1

    I've read usually don't offer anything other than: a list of tools and a small description of the man page + common tips like set up a firewall, patch your system, get an AV, be on the lookout.

    It's not common finding books that really cover a particular subject in depth.

    --
    My penguin ate my sig
  25. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    Except it is not good to force everyone to learn the low-level details of the system. Anyone who thinks 1983-era computing was the heyday is an utter idiot.

  26. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    > I think my boss would approve

    You think? Too chickenshit to tell him?

  27. Worms aren't the half of it.... by Smiffa2001 · · Score: 3, Interesting

    Nice review, might try to pick that up if it's stocked here in Blighty.

    As everybody else has a clean-out-a-friend's-system tale, here's mine:
    The aforementioned friend/work colleague asked me to pop round and have a look at his WinXP system. It had been 'running slowly' and he 'couldn't get the internet to work'. Armed with the usual clutch of CDs in case of "bad things"(tm) I took a look. Nothing worked, Control Panel and the Device Manager being the most obvious. I checked the services and discovered that nearly all of the services had been disabled. After putting things as they should be, I interrogated said friend and found out that he'd followed some instructions from 'another guy' to make his system run quicker.

    Sometimes I wonder if you should have a test to operate/own a PC...

    1. Re:Worms aren't the half of it.... by alib001 · · Score: 1
      Sometimes I wonder if you should have a test to operate/own a PC...

      From your description it appears that the test was practical-based and your friend failed. The result being he effectively revoked his own privileges as a user - usable speed, 'net connection etc.

      Sounds like the test worked just fine. Would that this self-policing outcome be the default for all ignorant people using computers and the clueless simply disconnect themselves from the Internet.

    2. Re:Worms aren't the half of it.... by Smiffa2001 · · Score: 1

      What can I say, I wish I'd have thought of his 'problem' in that way...

  28. Re:I've never had IE malware by ljw1004 · · Score: 2, Interesting

    My article above was not flamebait, not a troll. I honestly don't believe that IE is an unsafe tool when you run it with appropriate security settings. Here's a promise. Reply to this message and give me a web-page which you claim will automatically install malware. I'll visit the page and make screenshots/movie out of it. I'll make a webpage with the results. If the slashdot groupthink is correct, then my computer will be infested with malware and I'll have to reinstall it from scratch and it will serve me right. If I am correct, then my computer will remain fine. (When people post links to apparently dangerous sites, I ALWAYS follow them, and have not yet had anything bad happen to me.)

  29. Re:ugh, reviewer's credentials are pathetic by Anonymous Coward · · Score: 0
    I almost threw up on the spot.

    You should see a doctor about that.

  30. Re:Malware is a Windows problem by mdrjr · · Score: 1

    This can be summed up in two points: - Read before taking any action - Don't trust in miracles.

  31. Re:I've never had IE malware by arevos · · Score: 1

    I've had similar experiences. When the parent post is modded down to -1, to the casual reader, you go from sounding clever to sounding seriously moronic :)

  32. Re:I've never had IE malware by Psychofreak · · Score: 1

    Could you please post screenshots of your configuration BEFORE you go onto your epic quest? If you are willing to play guinea pig and DO get fragged, we would like to know what the settings were before the experiment.

    You know...

    Scientific Method

    Repeatability of results.

    Also please include what your internet provider is, and if you have any proxy setting, personal firewalls, home network router....EVERYTHING.
    I don't care to repeat the experiment, I am learning Slackware now, but I may find this info helpful for other people I know.
    Thanks for bravely volunteering yourself, your pride and your hardware.

    Phil

    --
    Laugh, it's good for you!
  33. WE LOVE CAROLYN MEINEL by Anonymous Coward · · Score: 0

    She knows everything about computers!

    Seriously!

  34. Re:I've never had IE malware by ljw1004 · · Score: 0

    OK, I've put my settings up on this page:
    http://www.wischik.com/lu/malware/

    If there are any other settings I should mention, please reply to this message.

  35. I found this book interesting and useful... by OneInEveryCrowd · · Score: 2, Informative

    ...even for non-professional home user types like me. This was also the only computer book I read straight through in a decade or so. Usually I just read the chapter or two that applies to me and then put the thing down.

    The reviewer mentioned the lack of detailed instructions for firewalling. I don't see that as a drawback at all, there are plenty of books that cover that subject in detail.

    The part I liked the most was the malware analysis section. If you're the type of home user who wants to know exactly what a spyware app like Gator (or whatever they renamed it) does, this is exactly the info you need.

  36. Wrong term by Guppy06 · · Score: 0, Troll

    "removing rootkits on Windows servers"

    I believe they're called "Service Packs."

  37. Re:I've never had IE malware by scubacuda · · Score: 1
    What happens when you go here with IE?

  38. ...and a more intuitive configuration UI by TFGeditor · · Score: 3, Insightful

    The IE "advanced options" is, to the average user, cryptic in the extreme. A simpler Options interface such as found in Opera and Firefox--though still beyond many users--is a huge step in the right direction. Options should address the lowest common denominator: "Do you want to allow the Internet to download software onto your computer without permission?" And like that.

    Note the word "Internet" rather than "websites." Like I said: lowest common denominator.

    --
    Ignorance is curable, stupid is forever.
    1. Re:...and a more intuitive configuration UI by Anonymous Coward · · Score: 0

      "Note the word "Internet" rather than "websites." Like I said: lowest common denominator." Hence why people switch to AOL if they "want a better Internet." The misuse of that word in those commercials drives me nuts. ;)

  39. Re:I've never had IE malware by mrbcs · · Score: 1
    k, that was cool. Which wonderful exploit is this?

    The girl looks fine in Netscape though.

    --
    I'm not anti-social, I'm anti-idiot.
  40. SANS Track by rainbird · · Score: 1

    I have not read this book but I have taken Ed's SANS Track 4, Hacker Exploits, while it was in Minneapolis. He is an amazing guy. I got more information in that five days than I think I ever have in any other five day period in my life. It was pretty much an eight hour day of Ed talking (very fast) in the front of the class. The information presented kept the whole thing really interesting. If my book budget was a little bigger I would buy the book with hopes of more of the same.

    One thing the review didn't mention, how many times can he reference the Matrix in 647 pages?

  41. Re:I've never had IE malware by Anonymous Coward · · Score: 0
    Just make sure to use the tag to reply to relevant info, that way you don't get boned.
  42. Re:and have not yet had anything bad happen to me by Anonymous Coward · · Score: 0

    Cocksuredness is a bad sign for someone who chases baddies on the net.

    Maybe you have something and you just don't know it.

  43. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    Well...

    I for one find Mac OS X to be very secure when surfing the internet. Sure, I use Firefox, but even when I was using Safari, if I downloaded something I had specifically clicked on the link to get it to download, and it obviously let me know I was downloading something by default.

    I noticed after the most recent security updates a while back it would also prompt me with a message if any executable program was running for the first time.

    Which of course made me do a few more clicks but I felt better knowing that it's going to let me know something rather than a pop up in the background.

    Secondly things in OS X can be gotten rid of fairly easy. There is no registry or massive amounts of dlls to hunt down to delete.

    If there were anything bad it would tend to be easy to remove with the main file from the startup folder.

    Lastly, by default OS X isn't going to let anything copy something into system directories or over write system files without some major intervention.

    I have done it, but it required some hand crafting on the command line.

  44. Re:Malware is a Windows problem by Anonymous Coward · · Score: 0

    <AJ> Was empty when I there at half eight, so came back. I'm trolling slashdot now.
    <Aviator> for what value of trolling?
    <AJ> http://books.slashdot.org/comments.pl?sid=130752&cid=10920348&pid=10920348&threshold=-1&mode=nested&commentsort=0&op=Change

  45. Virus Source Code by totallygeek · · Score: 2, Informative
    For anyone interested, check out the Virus Source Code Database. For historic reasons, it is worth taking a look at, whether you are into Assembly, Pascal, C, or others on Unix, DOS, Windows, Mac, etc.

  46. Re:Malware is a Windows problem by deaddeng · · Score: 2, Interesting

    What is the "Redhat" and "Suse" of which you speak?

    I used to use a linux distribution called RedHat Linux, but sadly it is no more. I was going to switch to Suse, but it no longer is with us either, except as an unsupported box of disks.

    So far as I can tell, the only supported Linux distributions out there for consumer-level users are Mandrake, the silly Lindows things, and community-supported ones like Gentoo, Debian, and Slack. Fedora and Suse are now cruel jokes so that mega corps (RH and Novell, respectively) can sell desktops that are crippled and more expensive than WinXP.

    I installed Gentoo on a Vmware guest (host running RH9.0) and I was impressed, and I did learn a bit, but after RH4.0, it's all been downhill.

    --
    --- .085 as cool; proving that a little knowledge is dangerous
  47. Re:I've never had IE malware by scubacuda · · Score: 1
    Not sure, but there's a whole discussion about it here.

  48. why no firewall? that should be obvious. by gblues · · Score: 3, Informative
    Why then in 700 pages is there barely a mention of how to configure a firewall?

    Probably because a firewall has fuckall to do with with malware? Malware is an Application layer issue, and while Network/Transport layer security may help mitigate damage, it's not going to keep Clicky McFucktwit from opening GOODTIMES.EXE attached to his e-mail.

    Nathan

    1. Re:why no firewall? that should be obvious. by mcrbids · · Score: 1

      Malware is an Application layer issue, and while Network/Transport layer security may help mitigate damage, it's not going to keep Clicky McFucktwit from opening GOODTIMES.EXE attached to his e-mail.

      I am amazed that you would choose my family name as some sort of pseudonym for stupidity. I mean, nobody in my family would ever, in their right minds, even use EMAIL let alone click on some file called "GOODTIMES.EXE" We all know that it's "goodtimes.EXE" - next time get the case right, you pompous, self-serving bastard. Our family served in three world wars, and both of the US revolutionary wars.

      Where the hell were your ancestors? Or maybe they could be called "Incestors"?

      I'll bet your last name is something like "McTardMeister", you prick.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
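The point gblues makes above is that a packet filter permits the SMTP/POP/IMAP session and never sees the attachment; only something that parses the message itself can. As an added illustration (not code from the thread or from the book), here is an application-layer check of that kind in Python: it parses a constructed RFC 5322 message and flags attachments that are executables by name (case-insensitive, so GOODTIMES.EXE, goodtimes.EXE and invoice.pdf.exe all count) or by content (a PE "MZ" or ELF header under an innocent-looking filename). The sample message, its addresses and the stub executable bytes are all constructed for the example.

```python
"""Application-layer attachment check: what a firewall cannot do.

Added example; not part of the Slashdot thread or the book.
The message, addresses and stub executable bytes below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute when double-clicked (assumed list, trim to taste).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi", "dll", "hta"}
# Leading bytes that identify an executable regardless of its filename.
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}


def risky_extensions(filename):
    """Executable extensions anywhere after the first dot, case-insensitive,
    so double-extension tricks such as invoice.pdf.exe are also caught."""
    return [p for p in filename.lower().split(".")[1:] if p in EXECUTABLE_EXTS]


def executable_by_magic(data):
    """Identify an executable from its leading bytes, ignoring the name."""
    for sig, desc in MAGIC.items():
        if data.startswith(sig):
            return desc
    return None


def scan_message(raw):
    """Return [(filename, [reasons])] for every attachment that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        exts = risky_extensions(name)
        if exts:
            reasons.append("extension " + "/".join(exts))
        kind = executable_by_magic(data)
        if kind:
            reasons.append("content is " + kind)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed test message: one honest image, one obvious .EXE, one
    executable hiding behind a .jpg name, and one double-extension trick."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "clicky@example.invalid"
    msg["Subject"] = "good times!"
    msg.set_content("open the attachment, it's hilarious")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS/PE stub header only, not a real binary
    msg.add_attachment(b"\xff\xd8\xff\xe0JFIF", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="GOODTIMES.EXE")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    msg.add_attachment(b"%PDF-1.4 nope", maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(f"BLOCK {name}: {', '.join(reasons)}")
```

Run stand-alone it reports GOODTIMES.EXE, holiday.jpg and invoice.pdf.exe and passes photo.jpg. The firewall in front of the mail server sees one permitted TCP connection on port 25 for all four; the extension and magic-byte checks only exist because something parsed the MIME body, which is the layer the firewall never looks at.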
  49. Malware Prevention Is Simple by rinkjustice · · Score: 2, Insightful

    I don't need a 700 page book to prevent malicious code. I would guess 80%+ of all malware could be avoided by following these four words:

    Stop visiting porn sites

    It's true, the majority of people who have malware infected PCs are those who frequent porn sites. Even more malware can be avoided by using common sense and not rushing software installations. Custom installs and skimming the EULAs can spare a lot of headaches (and cpu cycles).

    I'm not knocking the book. It sounds like a hardcore read for geeks, but malware wouldn't be such a huge problem today if morality and common sense weren't in such short supply.

    1. Re:Malware Prevention Is Simple by a24061 · · Score: 2, Funny
      Stop visiting porn sites

      What would happen to the internet?

    2. Re:Malware Prevention Is Simple by kjamez · · Score: 1

      Stop visiting porn sites

      It's not quite so cut and dried. Search for ANYTHING of 'questionable' nature (cracks, walkthroughs, mp3s, etc) on the web and you are likely to encounter a site that has a pop up that takes you to a porn site that, when you close the window, opens three more; repeat; exponential growth. One of those sites is likely to have malware sneak in while you are busy clicking x's. Granted, not visiting porn sites intentionally would cut a lot out, but avoiding porn on the internet is no easy task.

      --
      you can't have everything, where would you put it?
    3. Re:Malware Prevention Is Simple by Anonymous Coward · · Score: 0

      How about: Stop visiting MSN.COM and WEBSHOTS.COM and DAILYHOROSCOPE.COM and BARGAINBUDDY.COM.

      Hmmm... those don't have any porn.... and users tend to visit them frequently...

      I guess you're on to something with that porn thing, keep it up!

  50. Re:Malware is a Windows problem by LardBrattish · · Score: 1

    Let's break this down and address both of your points:-

    Gentoo isn't exactly easy to get installed the first time.

    But it's a damn sight easier than it has any right to be. The instruction guide is exemplary. I wouldn't be pushing a Windows (L)user at Gentoo. Let them play with Mandrake, SUSE or something similarly automated & quick to install.

    Particularly if you've been a Windows user for life, watching pages of compiler messages fly by isn't exactly an inviting experience.

    I installed Gentoo on my backup PC - and in all honesty that's the way to go, I wouldn't want my main computer out of action for as long as it takes to compile a GUI Gentoo ;). Anyway, on a #2 PC installation was as simple as start process, switch over the KVM to the main box, play a game or read Slashdot or the next bit of the install guide, then check back every 15 minutes or so to see how it's doing. The long stages were timed to start overnight or while I was at work. Press go, go to work... Come home, check results.

    For a reasonably savvy user (I'm a Windows programmer) Gentoo is a little fluffy bunny. I learned more about Linux by installing Gentoo than I had in 6+ months of dabbling with Redhat over a 5 year period - theoretically I'm in favour of Linux, however every time I played with it I'd hit a brick wall doing something or another, then give up until the next set of Linux CDs appeared in the newsagents. I'm also 10x more confident around the command line as a result of setting everything up myself. Every mistake I made setting up Gentoo was a direct result of not reading the instructions fully. The user community is exceptionally friendly & helpful. For a subset of potential Linux switchers Gentoo is the best option by miles; I'm in that subset & I'm delighted with it.

    --
    What are you listening to? (http://megamanic.blogetery.com/)
  51. Re:Malware is a Windows problem by MysteriousPreacher · · Score: 1

    LOL.

    Reminds me of a sysadmin at a place where I used to work.

    Me: My CD drive is broken.
    admin: Why do you need a CD drive?

    Me: My space bar doesn't work.
    admin: Why do you need a spacebar?

    And so on....

    --
    -- Using the preview button since 2005
  52. Americans and their sex "problem" by Anonymous Coward · · Score: 0

    Porn sites have NOTHING to do with malware.

    Searching for "hacked" "free" porn-site access MAY result in a malware infection; but that has nothing to do with the content (porn), but with the site owner.

    I can setup a site containing bible-excerpts which loads an army of malware onto your PC.

    Would you then say : "Stop reading the bible !" ?

    Because something is not accepted as "moral", it does not lead to malware/death/hell/an AOL installation simply because of that.

  53. Re:Malware is a Windows problem by pturing · · Score: 1

    I love me some arachne
    on a good connection, arachne on a 386 is actually not bad

  54. Re:Malware is a Windows problem by lachlan76 · · Score: 1

    I agree, except I'm 15, and had just been rejected, had a fairly serious neck injury, and a lot of painkillers.

    Gotta have something to keep it all coming during the holidays, so I figured, why not continue making my life hell? For the next week, I compiled it, having to repeat often, because the power kept going out.

    The documentation made it easy though, and after recompiling the kernel a few times, to get my config perfect, I had it running.

    But yes, it taught me a huge amount about Linux....6 months with RH8 doesn't teach you as much as you learn by compiling the base Gentoo install (w/ X, Gnome, KDE, OO.org, AbiWord, etc. etc).

    Up until that point, I was primarily a Windows user (with Cygwin of course). I still wouldn't recommend it to people new to Linux (although.....portage...so hard to resist...), but Knoppix/Mandrake/others are meant for that spot.

    Doesn't mean I don't love Gentoo though.

  55. How I handled malware in a challenging environment by pturing · · Score: 2, Informative

    I used to administer 4 computer labs of 25 systems each at a major university. This involved untrusted users having unsupervised anonymous physical access.

    Here's what I had set up:
    1. Set the machines to power themselves off in the afternoons and on in the morning.
    2. Set up a reasonable security policy; enough to prevent the lesser script kiddies from installing anything.
    3. Here's the key: Ghost the labs on a regular basis. Since it uses multicast, if you've got a box of floppies and a couple of monkeys to help you put the disks in, it doesn't take much longer to ghost a whole lab than it does to do 1 machine.

  56. Re:Malware is a Windows problem - Today by nurb432 · · Score: 1

    Any OS that has 90% market share will get its share..

    Sure, *nix may be a bit more secure by nature, but it won't stop users from hosing up their home directory by clicking 'yes'...

    --
    ---- Booth was a patriot ----
  57. Re:Malware is a Windows problem by TheGavster · · Score: 1

    This is someone's only computer. They need it right now to be usable for what they do. They are not a computer scientist; they could care less how it works, simply that it does. Much as you use your car, but don't really want to get involved with selecting your valve timings and fuel mixtures.

    --
    "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
  58. Re:I've never had IE malware by paretooptimum · · Score: 1

    That sure seems like a lot of work - changing numerous IE settings in numerous places - and installing a third party program (proxomitron) that from recollection is no longer supported by its author, then loading a large un-tested configuration file to this program.

    Why not just use Firefox????

    Is there something I'm missing here?

  59. Re:Malware is a Windows problem by pcmanjon · · Score: 1

    "They are not a computer scientist; they could care less how it works, simply that it does."

    But it doesn't with spyware on it. They dont care how to remove spyware or how it works, simply that it doesn't work on their system.

    GENTOO FOR THEM!