Malware - Fighting Malicious Code 111
AMuse writes "After taking a course at SANS from Ed Skoudis (and later hacking with him at the DefCon "Capture the Flag" contest in Las Vegas), I decided it was time to buy a copy of his latest book and see if he writes as well as he teaches. "Malware: Fighting Malicious code" is his most recent computer security book and was definitely a worthy purchase. Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter so that a less experienced security professional can follow along and learn. Additionally, he is very careful to show both Windows and UNIX/Linux examples of the topics, making the book accessible to a far wider crowd than some platform centric books I've read." Read on for the rest of AMuse's review.
| Malware: Fighting Malicious Code | |
| author | Ed Skoudis |
| pages | 636 |
| publisher | Prentice Hall |
| rating | 9 |
| reviewer | Matt Linton |
| ISBN | 0131014056 |
| summary | A detailed look at malicious computer code, how to examine and defend against it. |
One of the finest points of the book is that it's structured with the simplest (and most common) cyber-attacks in the initial chapters, and later in the book builds upon those concepts clearly. With each new chapter he delves deeper into the computer attack world and the increasing complexity of attacks and how to recognize, detect and counter them. Every description of an attack is paired with useful graphics and examples of code dumps or program output. As a bonus, the programs he recommends as tools in his book are the very ones he uses in his demonstrations.
Viruses, Worms and Mobile Code:
The first few chapters start out relatively light for an experienced security person. They cover viruses, worms and mobile code (the nifty high level languages like ActiveX, JavaScript and VB which are so easy to abuse). Though the information is on a light level for the pro, a novice would find these chapters packed with useful information and examples of each of many types of nasty code. After each example, the book shows how to recognize an infection, then how to prevent them in the first place.
Trojans and Backdoors
Once he's gotten the reader's feet feet wet, Skoudis begins to wade in deeper with discussion and analysis of Trojans and Backdoors. Even a pro will likely read something here that they didn't know before. As a quick example, he covers "port knocking" with spoofed hosts and sniffers as a means of evading detection of your backdoor by pesky net admins. Although these chapters include many high level concepts, Skoudis clearly demonstrates them via real world examples and references to code that you can obtain yourself and try out (On a well isolated network, of course!)
User and Kernel mode Rootkits
After a healthy dose of trojans and backdoors, the book moves on to discuss in very great detail the current status of User and Kernel mode rootkits. In my opinion, these two chapters were the most detailed and thorough in the book. All told, about 160 pages of the book are dedicated to the Windows and UNIX/Linux kernels, how they operate and of course how they can be completely taken over and replaced by an attacker. If there's any book that can leave SysAdmins awake at night in paranoid fits, this is the book and these are the chapters.
The truly nasty stuff
In the final chapters, he leaves the world of attacks that are already in the wild and discusses attacks that are yet to come. These topics include polymorphic code that alters itself with each infection to evade IDS and Antivirus signatures, tightly packaged combo attacks, potential BIOS rootkits and even microcode attacks where the CPU itself is infected with an attackers' code, hiding rootkits as soon as the power switch is flipped on.
Tying it all together
The book then ends with two very helpful chapters which detail how to establish a test lab for yourself and analyze malicious code on your own. As a bonus, there's also a chapter on real world scenarios that you can investigate yourself to see what you've learned.
Conclusion
All told, I would recommend this book for any serious security professional or SysAdmin/NetAdmin. It's also a very good read for Novice geeks but, although Skoudis does an excellent job of explaining the basics, the later chapters may be a bit too complex for someone without at least a bit of time as a power user.
You can purchase Malware: Fighting Malicious Code from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page
plenty of dodgy code in the Linux kernel! (Score:3, Interesting)
2494
bash$
Re:plenty of dodgy code in the Linux kernel! (Score:2, Insightful)
Most likely those are feature requests. It's not a good idea to take FIXME's out of context.
Re:plenty of dodgy code in the Linux kernel! (Score:4, Insightful)
14 months later, when an exploit for lpd was found and out in the wild, OpenBSD was immune. Did they KNOW that it was exploitable? No. They simply fixed something that was wrong.
Now regarding the "for newbies" comment
Though the topic itself is not for novices, Skoudis does a splendid job of reviewing the basics with each chapter
Is there any really good reason that all books must be friendly to newbies? One of the things I really dislike about current technical press is that every book I get on something, I have to deal with 30% or more that covers stuff I know.
Let's presume that the reader knows "coding". (if you actually know C or C++ or java, you can reasonably read other algol based languages.). From that we can cover PRINCIPLES of bad coding and what to look for.
I tire of each book being written for kindergardeners (metaphorically). Welcome to CS504 - writing optimizing compilers. We're going to be writing a language and developing a compiler for it for several chip platforms. But first, lets go over what a loop is. Can anyone tell me? Then we'll move to variables.
Re:plenty of dodgy code in the Linux kernel! (Score:1)
Oo, oooooo! I know! It's how you tie your shoes, right? Loop, swoop and pull.
this is called "coming to terms" (Score:1)
Re:plenty of dodgy code in the Linux kernel! (Score:2)
I have to deal with 30% or more that covers stuff I know.
When reading the book for a second time, you have to deal with 80% or more that covers stuff you knew...
Imagine a book with 100% new content. You wouldn't even be able to read it, less alone understand it. As far as you're concerned, it could be written in a foreign language unknown to you, it wouldn't make any difference at all.
Every book must rely on common knowledge between author and readers, or else no communication would be possible.
No
A must own.... (Score:1, Funny)
Hate to ask... (Score:5, Insightful)
Re:Hate to ask... (Score:3, Insightful)
You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.
Wonder of wo
Re:Hate to ask... (Score:3, Insightful)
Re:Hate to ask... (Score:3, Funny)
No, the motion is denied. Qualified MS user is an oxymoron. If such a beast existed, it would be quickly hunted down as, at the behest of John Ashcroft, with dogs and helecopters. It would be thrown into a triply secure holding cell, as an example of terrorism (for the threat to the Internet that a qualified MS user would constitute) and as an example of pornography (having a countenance so hideously alien that most adults could not stomach it, and those that c
Re:Hate to ask...; What about legal remedies? (Score:5, Insightful)
In addition, what about legal remedies? It appears that many people legally "agree" to the installation of various forms of malware by mindlessly clicking through on licensing agreements. While consumer education is one possible solution, changing the law of contract might provide another solution. Obviously, these solutions are not mutually exclusive.
Many contracts are, by either statute or common law, void as a matter of public policy. This is one possible solution.
Other contracts (e.g., in the areas of consumer credit, mortgages, etc.) have required language or other provisions.
In other areas (e.g., limitations of liability, waiver of implied warranties, and again consumer credit, mortgages, etc.) there are requirements reqarding the use of clear and understandable language, prominent disclosures and even the size of the type face.
To my knowledge, none of the above possible remedies have been enacted re: click through agreements.
Re:Hate to ask...; What about legal remedies? (Score:1)
Re:Hate to ask... (Score:5, Insightful)
Re:Hate to ask... (Score:5, Interesting)
The solution is an OS that doesn't just load everything that comes along. It's the digital equivalent of walking around Times Square jabbing used hypodermics into your arm.
This isn't just a Windows thing either...Linux gives you complete freedom to fuck yourself by loading unsigned code. Of course, if you're using Linux you can run the checksums and make sure its the official code.
What it boils down to is that we need some basic validation method, which vets code that should/shouldn't be loaded, and people who don't know what they're doing shouldn't be allowed to override it.
Re:Hate to ask... (Score:4, Insightful)
Microsoft calls that Trusted Computing
Re:Hate to ask... (Score:2, Insightful)
The solution is an OS that doesn't just load everything that comes along. It's the digital equivalent of walking around Times Square jabbing used hypodermics into your arm.
Re:Hate to ask... (Score:1)
I should add that although that looks
Re:Hate to ask... (Score:2, Interesting)
You can create rules based on path, filename, hash, or certificate.
You can create either a blacklist of unrunnable binaries or a whitelist of runnable binaries.
You can choose to include all binaries or just executables (not libraries).
You can also add new file types based on extension.
You can enforce it across all users or just non-admins.
You can put your certificates in the domain
Hate to answer... (Score:3, Insightful)
Re:Hate to answer... (Score:3, Insightful)
I almost never cater to the user, but instead cater to the data model. Users always tell me how easy my programs are to use. How does this happen? Instead of trying to guess how my users think, I made my s
I beg to differ (Score:3, Funny)
Re:Hate to ask... (Score:1)
Skoudis is a great instructor, and repeatedly used the metaphore of the Castle, the Walls, the Moat, the Villagers, and the Barbarians to describe the depth of an attack down to the kernel.
I asked outright about email viruses, when the barbarians arrive at the gate, hand their swords to the villagers, and then the villagers promptly stab themselves.
Oh yeah, and I bought the book while at the
Windows and Linux examples, yes (Score:4, Insightful)
----------
Create a WAP server [chiralsoftware.net]
Re:Windows and Linux examples, yes (Score:5, Interesting)
How can you interface an interperted language with hardware, and how do you avoid using an unsafe language to program the very VM that the interperted language would be running on top of?
Re:Windows and Linux examples, yes (Score:1)
Re:Windows and Linux examples, yes (Score:4, Insightful)
The argument of the grand-parent is not really a good one either. The fact that you cannot hack a Java application with buffer overflow (unless it's the JVM that does it) does not means that you cannot hack into a Java system. Badly coded Java code can be the target of malware (and there has been security issues with WebSpehere and Weblogic). If a security sensitive class is not final, anyone can inherit it and bypass some of it's code. Java offer many features that can help one build a secure application that is very resistant to malware, but you have to use those feature and be aware that beside buffer overflow, malware can use other technique to launch a succefull attack.
Re:Windows and Linux examples, yes (Score:2)
Yes, OS code should be well coded and pr
Re:Windows and Linux examples, yes (Score:3, Insightful)
Lisp (Re:Windows and Linux examples, yes) (Score:1, Insightful)
Transmeta (Score:3, Insightful)
Not to mention that at least partial implementations of the JVM _are_ available in hardware. Targetted JVMs come up a lot in the lists for 4th year projects at my unversity [carleton.ca], for example.
Re:Windows and Linux examples, yes (Score:2)
Re:Windows and Linux examples, yes (Score:2)
You must never call Java an interpreted language. Java is compiled into bytecodes! These bytecodes are not interpreted by an interpreter, but rather executed by a virtual machine. Altogether different!
Re:Windows and Linux examples, yes (Score:3, Interesting)
What are you incinuating, that operating systems should be written in Java?
Re:Windows and Linux examples, yes (Score:3, Funny)
"I tried writing an operating system completely in Java back in 1998."
"Oh? How'd that work out?"
"I don't know. It's still booting."
Re:Windows and Linux examples, yes (Score:2, Insightful)
Are you suggesting that malware in java isnt possible or just isn't common?
Re:Windows and Linux examples, yes (Score:1)
Of course the setup's not so crazy when you consider things like IBM big iron and independent virtualised OSes where you can hierarchically nest systems. Something like a C64 emulator inside bochs inside Linux on a heavy IBM mofo, for
Re:Windows and Linux examples, yes (Score:5, Informative)
It's certainly true that "as long as we use those tools, we're going to have those problems", but I'd go a step further and include computers and networks in your list of tools that have inherent issues.
Java is not as risk-prone as C, but that does not mean it's a security panacea. It has its own set of problems. You can say we shouldn't write code in unsafe languages, but then we wouldn't have any left.
And, to put it simply, Java applications don't run as fast as C applications. While most of the time that's not important, sometimes it is.
You can't tell people to stop using unsafe tools. That's equivalent to telling people to encase their computers in concrete and drop them in the ocean to secure them against malware. Instead, tell people where the risks lie and how to mitigate those risks. Then people will naturally gravitate toward safer tools and practices, because we are all lazy and that way we will have less work to do building adequately secure applications.
Java malware (Score:5, Insightful)
For example, the obnoxious CoolWebSearch trojan gets into computers via a hole in the MSIE Java runtime.
Further, the number of infections caused by code weaknesses is probably far less than the number caused by social weaknesses - "Click on me!"
Re:Java malware (Score:5, Funny)
Where's the link dude? You are telling me to click and the urge is overpowering me and yet you don't provide anything to click on. What kind of sadistic torture is that?
Makes it a lot better though (Score:2)
Re:Windows and Linux examples, yes (Score:5, Insightful)
You might feel safe in thinking that Java's sandbox protects from this kind of thing, but don't be too sure...what is a JVM written in? Those very unsafe languages you talk about.
The fact is, at some point, *somebody's* gotta manipulate the memory directly; somebody's gotta keep track of what's been alloc'ed and what's been free'd, and whether that's at an application level, or at the OS level, you're going to find the very languages that you deem as unsafe.
Abstract away and bytecode your way to a false sense of security, and you've done nothing but put up another curtain to lull you into a false sense of security. The fact is, this kind of thing is *always* going to be with us, whether intentional [susx.ac.uk] or by accident (Microsoft's whole KB).
Think of it this way: cars are too dangerous for people to use because there's no way to stop them from running into the ditch. So we're going to develop a system by which everyone's car runs on rails, with all the latest safety systems to make sure everything is safe and secure and drive the way we think they should drive. Now you don't have to trust your own abilities, just us. And we know what's right, right?
Re:Windows and Linux examples, yes (Score:2)
And all you have to do is look at the crash statistics for Amtrack to realize that in fact, it i
Re:Windows and Linux examples, yes (Score:1)
Java, among other high level languages (lisp/ scheme [mit.edu], Objective CAML [inria.fr], Standard ML [smlnj.org], Haskell [haskell.org], etc), are memory safe because they hide the issue of memory management under the carpet by using a garbage collector. Since the language itself does not have the expressive power to deal with memory directly (some has strong type checking that guarantees even stronger memory safety properties), they're considered "safe." However, a clever hacker might handcraft in bytecode, thus bypassing the type system entirely. The
Re:Windows and Linux examples, yes (Score:1)
Java does this. The bytecode verifier is invoked on classes as they are loaded. Some JVMs offer the option to disable bytecode verification for code loaded from the bootclasspath and/or the local disk, but by default, bytecode verification is on.
Re:Windows and Linux examples, yes (Score:2, Informative)
There is some area of research about proof carrying code, which is used to type check the bytecode before it is executed. I'm not aware if it is used in practice at all, since the research is still quite primitive. If you're naively doing checksum, then a clever hacker can generate valid checksum as well. If you're doing signed applet approach, then you revert the problem to whether you want to accept code from trusted entity, instead of whether you want to trust the code based on if its semantics are malic
Re:Windows and Linux examples, yes (Score:1)
Thank you for pointing out my unqualified use of the term, "high level."
I don't think the fact that there exists a machine that executes a language more or less directly means the language is low level. If you want to, you could have designed a Java machine as well. There actually existed such a project, JavaOS on a Java Machine.
I would like to define a high-level language as a language that is capable of expressing closely what you mean to program. If you adopt this definition, then Lisp certainly is a
Re:Windows and Linux examples, yes (Score:2)
Are you stupid? Malware is about programs which are legitimately installed but do things the user didn't know they would do or want them to do. Malware works fine in Java or C# or Python of D or Eiffel or Pascal or BASIC or C or C++ or Objective-C or Assembler or K or PERL or anything.
You're thinking of viruses, worms, and security holes, which are another issue.
A nice example of a trojan (Score:5, Informative)
Trojans and backdoors (Score:5, Funny)
Always, and I repeat always, use a trojan when you enter through the backdoor.
Fighting? (Score:5, Interesting)
Matt Fahrenbacher
Re:Fighting? (Score:1)
As a mac user... (Score:3, Interesting)
Seriously though, is it that Mac OS X isn't as widely deployed as windows and isn't used as much for servers as linux that OS X isn't targeted by viruses/worms/trojans, or is OS X simply harder to break into and not worth the time and effort?
OS X has a BSD kernel... (Score:1)
Matt Fahrenbacher
Re:As a mac user... (Score:1)
Re:As a mac user... (Score:5, Informative)
OS X (based and intertwined with FreeBSD) tops the list of most secure operating systems (along with the other BSDs as already reported on
Use... (Score:5, Interesting)
Not to troll, but that's exactly right, and some people just don't have a grudge against Apple for the same reason: it's not used as much. I'm sure if by some cosmic abnormality Apple/Mac became just as used, there'd be some Mac Virii out there in force.
Use == Popularity == Painting a TARGET
Re:Use... (Score:2)
As far as worms go, I hear PowerPC is pretty difficult to code shellcode attacks into stack smashing attacks. More info anyone?
MS likes to say that the ubiquity of thei
Re:As a mac user... (Score:2)
pah. call that persecution.
try finding a plan9 [bell-labs.com] exploit.
and this one [phrack.org] doesn't count. It's a hoax.
Here we go (Score:5, Funny)
There is no known cure or stopgap measures for the 66.35.250.150 [slashdot.org] effect.
Norton Solution (Score:3, Funny)
Re:Norton Solution (Score:2)
Re:Here we go (Score:3, Offtopic)
now watch me being modded off-topic.
Re:Here we go (Score:1)
-1, Insightfull to anyone who mentions metamoderation to me as a followup, because that's not what i'm talking about.
I hope this makes no sense.
one man's malware is another man's uber linux.... (Score:2, Insightful)
To him, any Linux is malware as it's superior to his creation, especially when it comes to security.
And of course, this is not to say that MacOS isn't; just that he doesn't see it as a "threat."
This key issue is the reason that's a cause for concern about the upcoming No Execution (NX) and DRM systems in future processors (backed by Microsoft) to "prevent execution of unauthorized code." Apparently, as it was
Re:one man's malware is another man's uber linux.. (Score:1, Interesting)
Oh the things Ffreud would have said about that.
Re:one man's malware is another man's uber linux.. (Score:2)
with all the win32 worms and viruses and other attacks including the more recent security "risks" annouced by Microsoft that affects all Windows (except Win3.xx), you have to be either an Microsoft employee or the former Iraqi Information Minister to say that Microsoft is secure compared to *nix.
Re:one man's malware is another man's uber linux.. (Score:2)
Though apparently, AC posts aren't in those statistics.
- Irony isn't bashing.
What about the socioeconomic aspects? (Score:5, Interesting)
For me, given that the scope of malware to get past our defenses seems almost infinite, it is much more interesting to look at this from other angles:
- Socioeconomic: who is paying for development of malware, and with what intentions? Healthy paranoia suggests that there is an organized agenda to take over and subvert large parts of the Net. Heck, several such agendas, probably, fighting it out.
- pseudo-Biological: can malware be modelled using biological models and can this help us fight it? I've argued in my journal that yes, this is a valid way of looking at malware, and may be the key to fighting it.
- political: given the potential (or real) power of malware to subvert and control large parts of the Net, should we ignore the inevitable political interest this will cause? If I was a spook, I'd be aiming to use malware to (a) spy on foreign governments, (b) spy on my own citizens, (c) act as a launchpad for cyberattacks.
- commercial: what value can be placed on "here is n% of the Net, to do with as you please..." Probably very high. Where there is value, a market of buyers and sellers will develop. Has probably already developed.
A Different Viewpoint (Score:5, Informative)
Disclaimer: I have neither read the book, nor have an opinion on it. My only interest in malware is not to have it :^)
Re:WAR on malicious code! (Score:2)
Another recommendation for the book (Score:5, Insightful)
I have actually put this on the must-read list for anyone doing incident handling for my employer. I can't recommend it highly enough
Shellcoder's handbook... (Score:4, Informative)
It's a complete guide to writing and understanding your own shellcodes.
I just received my copy and it looks so unique that i wonder if i should read it instead of studying for my finals
Anyone has praise (or not?) on this book?
600+ pages?! (Score:2, Interesting)
K&R: 230 pages
Mythical Man Month: 320
Practice of Programming: 260
For a reference text like a volume of ACP, more than 500 pages may make sense. For fluff like the book reviewed here, it's ridiculous.
Does it really take a whole book? (Score:3, Insightful)
- keep my data in a seperate fat32 partition
- backup regularly
- use good AV software, keep it current
- use zonealarm, ad-aware, and spybot (all free)
- don't use msie, ms-mediaplayer, outlook, outlook-express, kazaa, morpheous, or any other software that's well known to invite adware/spyware. Plenty of free alternatives to all that.
- keep a linux livecd handy.
- delete all spam before while it's still on the server (I use ultrafunk popcorn).
- never open email attachments from unknown sources.
Do that, and you won't have much trouble. Probabably something I'm forgeting, but that's a good start.
Re:Does it really take a whole book? (Score:1)
Every Day at Noon, whilst I am at work my home computer does this:
mount
tar -cf
umount
That drive "/scratch" is unmounted the rest of the day. All it does is hold my stuff. Go ahead, install malware. Unless it's psychic and knows to mount every stupid drive on my system, it won't get my data. It simply can't happen. Go ahead, nuke my OS. I don't CARE. That can be reinstalled in half an hour.
The only way that bad st
Reactive protection gives false sense of security (Score:1)
Since signature based virus protection is a reactive discipline rather than a proactive one (you are assuming that the virus is discovered before you get attacked), it is imperative that behaviour based alternatives are used.
Also while not using commodity software or other well known targets might protect you somewhat, the Witty worm decidedly dis
Re:Does it really take a whole book? (Score:1)