Slashdot Mirror


Malware: Fighting Malicious Code

Adam Jenkins writes "I have had a fair bit of experience with malware, from removing DOS viruses to removing rootkits on Windows servers. Currently I am working in desktop support at a university -- exactly where many of the anti-malware battles occur." With that background, he provides a review of the reprinted Malware: Fighting Malicious Code, writing "As with many things computer-related, this book might age quickly, but it has lots of sound theory that will stay relevant for a long time, even if it doesn't discuss the latest worm by name. I haven't read the author's earlier book (Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses) but he is well known as both the author of that and also for the SANS lectures he runs." Read on for the rest of Jenkins' review, or revisit Matt Linton's review.

Malware: Fighting Malicious Code
author: Ed Skoudis with Lenny Zeltser
pages: 647 (paperback)
publisher: Prentice Hall PTR
rating: 9
reviewer: Adam Jenkins
ISBN: 0131014056
summary: very comprehensive guide to malware

The blurb on the back cover states that the book is "intended for system administrators, network personnel, security personnel, savvy home computer users, and anyone else interested in keeping their systems safe from attackers." It may seem a minor point, but that is a very broad range of people! However, the book is comprehensive enough to merit the claim. For example, the chapter on "malicious mobile code" (or "active content") includes tips on how to configure Internet Explorer's security settings (great for savvy home users), while the information presented on using group policies, Internet Explorer 6 Administration Kit and incorporating changes into Ghost SOE images would be more appropriate for system administrators. One can argue that system/network administrators already know all this, but let's face it: there are many who don't, or who need prompting. The book is particularly strong in explaining theory, like how different types of malware work, and it reminds me of a lot of university textbooks in layout. Each chapter has a Conclusions section, a summary and a list of references -- great for retention of knowledge, or to help if you are studying for an exam on the chapter. There is a reasonable amount of redundant information in the book, particularly in the "defence" section of each chapter, where file integrity checkers, bootable CDs with static binaries and the like are discussed.
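The file integrity checkers the review mentions all rest on the same baseline-and-compare idea: hash every file you care about while the system is known-good, store the hashes somewhere the attacker cannot reach, and later re-hash and diff. The Python below is an added illustration of that principle, not code from the book or its authors. The directory layout, file contents and the "tampering" it performs are constructed for the demo. The caveat that goes with it is the reason the book pairs these checkers with bootable CDs of static binaries: a kernel-level rootkit can lie to any checker run on the live system, so the re-hash only tells the truth when done from a clean boot with trusted tools.

```python
"""Baseline-and-compare file integrity check (Tripwire-style), as an added
illustration of the defence the review mentions. Not code from the book or
its authors. All paths and file contents below are constructed.

Caveat: os.walk() and open() are only as honest as the kernel serving them.
Run the re-check from trusted media (a bootable CD with static binaries),
otherwise a kernel rootkit can feed this script the original bytes."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped on purpose: hashing a link's target would let a
    swapped target hide behind an unchanged link path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots: changed content, files that appeared, files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, tamper with it the way a
    user-mode rootkit install would (trojaned binary, dropped payload, wiped
    log), then diff against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {
            "bin/ls": b"original ls binary",
            "bin/ps": b"original ps binary",
            "var/log/auth.log": b"Accepted password for alice\n",
        }.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        baseline = build_baseline(root)  # in practice: store this offline, read-only

        # Simulated tampering: replace ps, drop a payload, erase a log.
        (root / "bin" / "ps").write_bytes(b"trojaned ps that hides processes")
        (root / "bin" / "backdoor").write_bytes(b"dropped payload")
        (root / "var" / "log" / "auth.log").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script reports bin/ps as modified, bin/backdoor as added and var/log/auth.log as removed. The useful design point is where the baseline lives: on the same disk it is just another file for the intruder to regenerate, which is why the tools the book discusses want it on read-only or offline media.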

"Malware" is a deliberately broad term, but it suits this book, which covers not just viruses, Trojan horses and worms, but also rootkits and BIOS microcode. The scope extends a bit beyond just fighting malicious code: Skoudis goes so far as to analyze how it works, how it has developed (from other malware) and to speculate on the future of malicious code.

Malware is very readable, while still being technically accurate. It does not cover everything, but Skoudis has lots of great analogies, and quotes that range from such diverse sources as Stephen Hawking, Lord of the Rings, The Matrix, Wargames, Milli Vanilli and Styx. The book is written in a conversational and at times humorous style, and I am assuming a lot of the content has been presented in Skoudis's lectures.

Despite the practical approach of the book, the content is not exactly what you might expect. Skoudis's introduction says the book will focus on practicality: "we'll discuss time-tested, real-world actions you can take to secure your systems from attack." Why then in 700 pages is there barely a mention of how to configure a firewall? I think because there are so many applications covered, and because there is so much emphasis on all the fun and cute tools (like the sysinternals ones, and netcat) that some of the less exotic and useful ones suffer in omission.

The Introduction also says the book is operating-system agnostic. Both Windows and Linux are covered, true, but that's not a very broad slice: Solaris, HPUX, BSD, Tru64 and OS X barely get a mention. Even if the book is mostly aimed at home users, there are many using OS X, and in fact many using Mac OS, Windows 98 and even non-Intel platforms.

The illustrations are limited to diagrams, tables and screenshots, and while they are nothing fancy, most are quite clear and helpful.

There is no accompanying CD with the book, but there are so many tools covered in the text, chances are that many of them would be quite out-of-date by now anyhow, so you are better off downloading them yourself. Skoudis has a web site at counterhack.net/, and co-author Lenny Zeltser has one at zeltser.com/. The web sites are not limited to discussing this book, but are more about what Ed and Lenny have written lately, and the "Crack the Hacker Challenges" on Ed's site look fun. There's a list of references at the end of each chapter, and many sources referred to in the text (especially in the last two chapters), though I am surprised antivirus company web sites like F-Secure, Sophos and CA weren't included; I have found the analyses there at least equal in accuracy and depth to those of McAfee, Trend and Symantec.

As far as bootable CDs for forensics and network security tasks go, I'm surprised Trinux and Knoppix STD didn't score a mention, though normal Knoppix and FIRE are mentioned.

The chapter on malicious mobile code covers Java and ActiveX fairly evenly, but I think more emphasis on current threats is the way to go. (Particularly as there is so much FUD surrounding adware and how to remove it.)

One very general flaw with the book is that it tends to focus on the fancier stuff not just in its selection and description of security tools, but in the actual malware discussed. The information on Code Red II and Bugbear.B is a noticeable exception to this, but many of the other viruses that are discussed -- like Kallisti, Tristate, PHP.Pirus, and Win2k.Stream -- are anything but common.

All that said, I haven't seen any other books that provide such great explanations of rootkits, malicious mobile code or adware, but also hint at things to come like Flash/Warhol worms and microcode malware. This book fills a void in that it covers current malware (with some historical perspective) with enough analogies, scenarios and "detective work" to hold the reader's interest. Hopefully readers will be inspired by the enthusiasm that Skoudis and Zeltser obviously have for fighting malware, and will use this book as a stepping stone to learn more and beat the malware that seems all too prevalent on today's Internet.

You can purchase Malware: Fighting Malicious Code from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

9 of 95 comments

  1. All you need is common sense. by ichigo · · Score: 5, Insightful

    Seriously, all you need is to use your brain and think. The problem is many users tend to install stuff without a second thought; it's like inviting a stranger into your house.

    1. Re:All you need is common sense. by SlimFastForYou · · Score: 4, Insightful

      Sadly, a whole lot of computer users don't even know how to install a program. So whenever the computer asks something, yes is chosen because it typically means the computer wants to do something and the user thinks the computer wants to do something for a good reason. e.g. Would you like to save changes to stuff.doc?

      So when the computer brings up an IE dialog box that says, "Choose yes to block pop ups", these users say yes.

      Should these users know better? I think so. Do they ever learn? I think eventually. In the meanwhile, the IT guy or the local computer shop has to deal with it. It's a sad fact, but spyware is probably the number one money maker for computer shops.

  2. Re:Malware is a Windows problem by TheGavster · · Score: 4, Insightful

    Gentoo isn't exactly easy to get installed the first time. Particularly if you've been a Windows user for life, watching pages of compiler messages fly by isn't exactly an inviting experience.

    --
    "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
  3. Re:Malware is a Windows problem by goofyheadedpunk · · Score: 5, Insightful

    Well aren't you the least helpful help desk guy ever? Do you think that if the so called "lusers" can't keep viri and spyware off of their Windows boxen they could possibly hope to install Gentoo?

    "Hmm... I didn't know anything about my magical beige box before, but now with Gentoo I suddenly know exactly what a partition scheme and compiling are, and I haven't even popped the disk into the music slot on my computer yet!"

    Being a jerk helps nothing.

    --

    What if the entire Universe were a chrooted environment with everything symlinked from the host?
  4. Re:Malware is a Windows problem by rafikki · · Score: 2, Insightful

    "the less spyware problems our department will have" Until it becomes worth the time of the spyware makers to find some way to exploit Linux.

  5. MOD PARENT UP. by Anonymous Coward · · Score: 1, Insightful

    Gentoo is a lot of things, but perhaps not best for a first distro. You are correct. I mean, /usr, /home, /wtf? are strange when you see them for the first time (/wtf especially). But in all seriousness, there is something that Gentoo did for me that no other distro (at that point) had done for me: really taught me about Linux and how/where things are (RedHat and other drop-n-go distros didn't force me to up to that point). Gentoo really, really made me learn.

  6. Re:Malware is a Windows problem by linguae · · Score: 5, Insightful

    If a student or member of faculty comes in with malware problems for the first time, I fix it for them and I give them a Gentoo Linux install CD to go away with.

    Gentoo? For general, non-geek, Windows users? Maybe something easier, such as Mandrake or Ubuntu, but if they cannot keep malware off their computers, there is probably no way they're able to install Gentoo, let alone any other Linux distribution. Rather, you should give them a suite of the following:

    • AdAware
    • Spybot Search and Destroy
    • Hijack This
    • a decent firewall
    • a decent anti-virus application
    • Firefox
    • A pamphlet about computer security

    There. That should solve nearly all of their malware problems without having to move to another OS.

    Linux is an OS immune to these kinds of problems.

    *nix may be immune to Windows worms, viruses, and other scum, but it surely isn't immune from clueless lusers. Now, I'm not an MS apologist; I am a FreeBSD user. However, if *nix gets a clueless user base and starts doing stupid things (such as running as root), then all they have to do to get their computers hosed is for someone to download "Free Britney Spears screensavers for Linux," which turns out to be nothing more than a script that has "rm -r /*" in it. *nix may be more secure than Windows, but it isn't "foolproof," either.

  7. ...and a more intuitive configuration UI by TFGeditor · · Score: 3, Insightful

    The IE "advanced options" is, to the average user, cryptic in the extreme. A simpler Options interface such as found in Opera and Firefox--though still beyond many users--is a huge step in the right direction. Options should address the lowest common denominator: "Do you want to allow the Internet to download software onto your computer without permission?" And like that.

    Note the word "Internet" rather than "websites." Like I said: lowest common denominator.

    --
    Ignorance is curable, stupid is forever.
  8. Malware Prevention Is Simple by rinkjustice · · Score: 2, Insightful

    I don't need a 700 page book to prevent malicious code. I would guess 80%+ of all malware could be avoided by following these four words:

    Stop visiting porn sites

    It's true, the majority of people who have malware-infected PCs are those who frequent porn sites. Even more malware can be avoided by using common sense and not rushing software installations. Custom installs and skimming the EULAs can spare a lot of headaches (and CPU cycles).

    I'm not knocking the book. It sounds like a hardcore read for geeks, but malware wouldn't be such a huge problem today if morality and common sense weren't in such short supply.