Slashdot Mirror
Malware: Fighting Malicious Code
The blurb on the back cover states that the book is "intended for system administrators, network personnel, security personnel, savvy home computer users, and anyone else interested in keeping their systems safe from attackers." It may seem a minor point, but that is a very broad range of people! However, the book is comprehensive enough to merit the claim. For example, the chapter on "malicious mobile code" (or "active content") includes tips on how to configure Internet Explorer's security settings (great for savvy home users), while the information presented on using group policies, Internet Explorer 6 Administration Kit and incorporating changes into Ghost SOE images would be more appropriate for system administrators. One can argue that system/network administrators already know all this, but let's face it; there are many who don't, or who need prompting. The book is particularly strong in explaining theory, like how different types of malware work, and it reminds me of a lot of university text books in layout. Each chapter has a Conclusions section, a summary and a list of references -- great for retention of knowledge, or to help if you are studying for an exam on the chapter. There is a reasonable amount of redundant information in the book; particularly in the "defence" section of each chapter, where file integrity checkers, bootable CDs with static binaries and the like are discussed.
"Malware" is a deliberately broad term, but it suits this book, which covers not just viruses, Trojan horses and worms, but also rootkits and BIOS microcode. The scope extends a bit beyond just fighting malicious code, Skoudis goes so far as analyzing how it works, how it has developed (from other malware) and speculated on the future of malicious code.
Malware is very readable, while still being technically accurate. It does not cover everything, but Skoudis has lots of great analogies, and quotes that range from such diverse sources as Stephen Hawking, Lord of the Rings, The Matrix, Wargames, Milli Vanilli and Styx. The book is written in a conversational and at times humourous style, and I am assuming a lot of the content has been presented in Skoudis's lectures.
Despite the practical approach of the book, the content is not exactly what you might expect. Skoudis's introduction says the book will focus on practicality: "we'll discuss time-tested, real-world actions you can take to secure your systems from attack." Why then in 700 pages is there barely a mention of how to configure a firewall? I think because there are so many applications covered, and because there is so much emphasis on all the fun and cute tools (like the sysinternals ones, and netcat) that some of the less exotic and useful ones suffer in omission.
The Introduction also says the book is operating-system agnostic. Both Windows and Linux are covered, true, but that's not a very broad slice: Solaris, HPUX, BSD, Tru64 and OS X barely get a mention. Even if the book is mostly aimed at home users, there are many using OS X, and in fact many using Mac OS, Windows 98 and even non-Intel platforms.
The illustrations are limited to diagrams, tables and screenshots, and while they are nothing fancy, most are quite clear and helpful.
There is no accompanying CD with the book, but there are so many tools covered in the text, chances are that many of would be quite out-of-date by now anyhow, so you are better off downloading them yourself. Skoudis has a web-site at counterhack.net/, and co-author Lenny Zeltser has one at zeltser.com/. The web sites are not limited to discussing this book, but are more about what Ed and Lenny have written lately, and the "Crack the Hacker Challenges" on Ed's site look fun. There's a list of references at the end of each chapter, and many sources refered to in the text (especially in the last 2 chapters), though I am surprised antivirus company web sites like f-secure, Sophos and CA weren't included; I have found the analyses there at least equal in accuracy and depth to those of McAfee, Trend and Symantec.
As far as bootable CDs for forensics and network security tasks, I'm surprised Trinux and Knoppix STD didn't score a mention, though normal Knoppix and FIRE are mentioned.
The chapter on malicious mobile code covers Java and ActiveX fairly evenly, but I think more emphasis on current threats is the way to go. (Particularly as there is so much FUD surrounding adware and how to remove it.)
One very general flaw with the book is that it tends to focus on the fancier stuff not just in its selection and description of security tooks, but in the actual malware discussed. The information on Code Red II and Bugbear.B is a noticeable exception to this, but many of the other viruses that are discussed -- like Kallisti, Tristate, PHP.Pirus, and Win2k.Stream -- are anything but common.
All that said, I haven't seen any other books that provide such great explanations of rootkits, malicious mobile code or adware, but also hint at things to come like Flash/Warhol worms and microcode malware. This book fills a void in that it covers current malware (with some historical perspective) with enough analogies, scenarios and "detective work" to hold the reader's interest. Hopefully readers will be inspired by the enthusiasm that Skoudis and Zeltser obviously have for fighting malware, and will use this book as a stepping stone to learn more and beat the malware that seems all too prevalent on today's Internet.
You can purchase Malware: Fighting Malicious Code from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
Well reviewed, my good man/woman/thing...
It's good to see a seemingly well thought out book on the topic of detection and removal of "malware".
The majority of tech calls I get from family and friends involve something malicious or just downright irritating landing on someone's computer (strangely, usually a Win32 box...well, not that strange, considering...), which I end up having to track down and de-couple...which can sometimes be a rather lengthy process, especially where the offending piece has been based on some of the older, smarter virii which spread themselves all over the place just to make sure it takes you a clean floppy or about 4 reboots to remove (re-deleting each re-replaced thing each time). *remember to breath, gazz*
I've longed for a return to the days when I used to only find a blown PSU.....like, 1996....
Good to see chapters on general system "hardening" as well as some more in-depth stuff.
Saying all that, it can be great fun cleaning out a "scr00d" system.
it's the taking apart that counts
if they learned immediately, there'd be no job for the IT guy. :D
it's the taking apart that counts
When I was a university student, the school had a site liscence for Norton Antivirus. As a student you could install it free of charge, and it would LiveUpdate as well to stay current. In fact LiveUpdate was just out and a new good thing. The key was that having a defense against a "majority" of malware as seen by most was not enough. Users still required education on what was causing their problems. Most users did not want the time to learn about security on their machine. This meant that people were hacking other boxes on campus, people were setting up malicious websites on their own machines, people were setting up malicious websites using university resources. (my favorite was a java script "Click here for a good time" and it would try to format the harddrive!!)
The university then started a newsletter that all tech support staff, department heads and administrative staff were supposed to subscribe to. This newsletter would detail technology happenings on campus, planned outages, maintence, a short security blurb, calls open/closed/pending, a blurb about not opening attachments unless you know the source, and much else.
There were always some warnings about attachments and security on the internet.
Several one-shot free classes were set up for all people at the university. Show up, learn about WHY you don't surf porn. Learn why all these things that were "bad" are considered such.
After about 2 years of this the major problems with viruses and infected attachments started noticabling dropping off to the point of very few calls were about a virus type issue..only a few a week instead of a few a day. Then I graduated.
I understand that most tech staff cannot schedule resources like a university can, but having a tech newsletter for an organization is good, as well as having tech instruction to the low level usere who don't see anything other than a magic box of fun!
Having books like this is an obvious good thing, and I may consider going and getting a copy even though I am not doing tech support anymore.
Phil
Laugh, it's good for you!
What you need is something secure by default! Or at least something that doesn't walk around with its trousers round its ankles and a big sign saying "Get it here!"
I can't remember the number of times I've been dragged out to a friends house because their computer has gone pear-shaped due to malware (on windows systems admittedly as the only other OS I know about is Solaris and you don't see many of those on home PCs!).
Then installing Firefox, ZoneAlarm, Ad-Aware, Stinger, an anti-virus and a reg-cleaner because my friends habit of clicking on everything within arms reach whilst having no firewall or AV. Frankly I blame the combination of clueless users and non-secure apps. It's up there with leaving petrol, matches and a pyromanic in a room for getting the worst.
Nice review, might try to pick that up if it's stocked here in Blighty.
As everybody else has a clean-out-a-friends-system tale, heres mine:
The aforementioned friend/work colleague asked me to pop round and have a look at his WinXP system. It had been 'running slowly' and he 'couldn't get the internet to work'. Armed with the usual clutch of CD's in case of "bad things"(tm) I took a look. Nothing worked. Control Panel and the Device Manager being the most obivous. I check the services and discover that nearly all of the services had been disabled. After putting things as they should be, I interrogated said friend and found out that he'd followed some instructions from 'another guy' to make his system run quicker.
Sometimes I wonder if you should have a test to operate/own a PC...
My article above was not flamebait, not a troll. I honestly don't believe that IE is an unsafe tool when you run it with appropriate security settings. Here's a promise. Reply to this message and give me a web-page which you claim will automatically install malware. I'll visit the page and make screenshots/movie out of it. I'll make a webpage with the results. If the slashdot groupthink is correct, then my computer will be infested with malware and I'll have to reinstall it from scratch and it will serve me right. If I am correct, then my computer will remain fine. (When people post links to apparently dangerous sites, I ALWAYS follow them, and have not yet had anything bad happen to me.)
Perl Programmer for hire
What is the "Redhat" and "Suse" of which you speak?
I used to use a linux distribution called RedHat Linux, but sadly it is no more. I was going to switch to Suse but it longer is with us either except as an unsupported box of disks.
So far as I can tell, the only supported Linux distributions out there for consumer-level users are Mandrake, the silly Lindows things, and community-supported ones like Gentoo, Debian, and Slack. Fedora and Suse are now cruel jokes so that mega corps (RH and Novell, respectively) can sell desktops that are crippled and more expensive than WinXP.
I installed Gentoo on a Vmware guest (host running RH9.0) and I was impressed, and I did learn a bit, but after RH4.0, it's all been downhill.
---
That's like saying "If there were no accidents there'd be no job for the Ambulance driver."
Linux is not Windows