Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Books Media Security Privacy Operating Systems Software Windows Worms Book Reviews

Malware: Fighting Malicious Code 95

Posted by timothy from the give-thanks-for-more-opinions dept.
Adam Jenkins writes "I have had a fair bit of experience with malware, from removing DOS viruses to removing rootkits on Windows servers. Currently I am working in desktop support at a university -- exactly where many of the anti-malware battles occur." With that background, he provides a review of the reprinted Malware: Fighting Malicious Code, writing "As with many things computer-related, this book might age quickly, but it has lots of sound theory that will stay relevant for a long time, even if it doesn't discuss the latest worm by name. I haven't read the author's earlier book (Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses) but he is well known as both the author of that and also for the SANS lectures he runs." Read on for the rest of Jenkins' review, or revisit Matt Linton's review.
Malware: Fighting Malicious Code
author Ed Skoudis with Lenny Zeltser
pages 647 (paperback)
publisher Prentice Hall PTR
rating 9
reviewer Adam Jenkins
ISBN 0131014056
summary very comprehensive guide to malware

The blurb on the back cover states that the book is "intended for system administrators, network personnel, security personnel, savvy home computer users, and anyone else interested in keeping their systems safe from attackers." It may seem a minor point, but that is a very broad range of people! However, the book is comprehensive enough to merit the claim. For example, the chapter on "malicious mobile code" (or "active content") includes tips on how to configure Internet Explorer's security settings (great for savvy home users), while the information presented on using group policies, Internet Explorer 6 Administration Kit and incorporating changes into Ghost SOE images would be more appropriate for system administrators. One can argue that system/network administrators already know all this, but let's face it; there are many who don't, or who need prompting. The book is particularly strong in explaining theory, like how different types of malware work, and it reminds me of a lot of university text books in layout. Each chapter has a Conclusions section, a summary and a list of references -- great for retention of knowledge, or to help if you are studying for an exam on the chapter. There is a reasonable amount of redundant information in the book; particularly in the "defence" section of each chapter, where file integrity checkers, bootable CDs with static binaries and the like are discussed.

"Malware" is a deliberately broad term, but it suits this book, which covers not just viruses, Trojan horses and worms, but also rootkits and BIOS microcode. The scope extends a bit beyond just fighting malicious code, Skoudis goes so far as analyzing how it works, how it has developed (from other malware) and speculated on the future of malicious code.

Malware is very readable, while still being technically accurate. It does not cover everything, but Skoudis has lots of great analogies, and quotes that range from such diverse sources as Stephen Hawking, Lord of the Rings, The Matrix, Wargames, Milli Vanilli and Styx. The book is written in a conversational and at times humourous style, and I am assuming a lot of the content has been presented in Skoudis's lectures.

Despite the practical approach of the book, the content is not exactly what you might expect. Skoudis's introduction says the book will focus on practicality: "we'll discuss time-tested, real-world actions you can take to secure your systems from attack." Why then in 700 pages is there barely a mention of how to configure a firewall? I think because there are so many applications covered, and because there is so much emphasis on all the fun and cute tools (like the sysinternals ones, and netcat) that some of the less exotic and useful ones suffer in omission.

The Introduction also says the book is operating-system agnostic. Both Windows and Linux are covered, true, but that's not a very broad slice: Solaris, HPUX, BSD, Tru64 and OS X barely get a mention. Even if the book is mostly aimed at home users, there are many using OS X, and in fact many using Mac OS, Windows 98 and even non-Intel platforms.

The illustrations are limited to diagrams, tables and screenshots, and while they are nothing fancy, most are quite clear and helpful.

There is no accompanying CD with the book, but there are so many tools covered in the text, chances are that many of would be quite out-of-date by now anyhow, so you are better off downloading them yourself. Skoudis has a web-site at counterhack.net/, and co-author Lenny Zeltser has one at zeltser.com/. The web sites are not limited to discussing this book, but are more about what Ed and Lenny have written lately, and the "Crack the Hacker Challenges" on Ed's site look fun. There's a list of references at the end of each chapter, and many sources refered to in the text (especially in the last 2 chapters), though I am surprised antivirus company web sites like f-secure, Sophos and CA weren't included; I have found the analyses there at least equal in accuracy and depth to those of McAfee, Trend and Symantec.

As far as bootable CDs for forensics and network security tasks, I'm surprised Trinux and Knoppix STD didn't score a mention, though normal Knoppix and FIRE are mentioned.

The chapter on malicious mobile code covers Java and ActiveX fairly evenly, but I think more emphasis on current threats is the way to go. (Particularly as there is so much FUD surrounding adware and how to remove it.)

One very general flaw with the book is that it tends to focus on the fancier stuff not just in its selection and description of security tooks, but in the actual malware discussed. The information on Code Red II and Bugbear.B is a noticeable exception to this, but many of the other viruses that are discussed -- like Kallisti, Tristate, PHP.Pirus, and Win2k.Stream -- are anything but common.

All that said, I haven't seen any other books that provide such great explanations of rootkits, malicious mobile code or adware, but also hint at things to come like Flash/Warhol worms and microcode malware. This book fills a void in that it covers current malware (with some historical perspective) with enough analogies, scenarios and "detective work" to hold the reader's interest. Hopefully readers will be inspired by the enthusiasm that Skoudis and Zeltser obviously have for fighting malware, and will use this book as a stepping stone to learn more and beat the malware that seems all too prevalent on today's Internet.

You can purchase Malware: Fighting Malicious Code from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Malware: Fighting Malicious Code More

Malware: Fighting Malicious Code

Comments Filter:

  • Tru64? (Score:5, Funny)

    by MyIS ( 834233 ) on Thursday November 25, 2004 @04:25PM (#10920337) Homepage
    Solaris, HPUX, BSD, Tru64 and OS X barely get a mention ... because I can barely keep the damn worms off my Tru64 box...

  • All you need is common sense. (Score:5, Insightful)

    by ichigo ( 832988 ) on Thursday November 25, 2004 @04:28PM (#10920346)
    Seriously all you need is to use your brain and think. The problem is many users tend to install stuff without a second thought it's like inviting a stranger to your house.
    • you also need something non-microsoft.
      Something which doesnt let things install by themselves, and as Administrator a-la-exploit ( and theres plenty already, and probably more to come, before you "get sp2" fanboys start shouting )
    • Sadly, a whole lot of computer users don't even know how to install a program. So whenever the computer asks something, yes is chosen because it typically means the computer wants to do something and the user thinks the computer wants to do something for a good reason. e.g. Would you like to save changes to stuff.doc?

      So when the computer brings up an IE dialog box that says, "Choose yes to block pop ups", these users say yes.

      Should these users know better? I think so. Do they ever learn? I think eventually. In the meanwhile, the IT guy or the local computer shop has to deal with it. It's a sad fact, but spyware is probably the number one money maker for comptuer shops.
      • if they learned immediately, there'd be no job for the IT guy. :D
      • The IE "advanced options" is, to the average use, cryptic in the extreme. A simpler Options interface such as found in Opera and Firefox--though still beyond many users--is a huge step in the right direction. Options should address the lowest common denominator: "Do you want to allow the Internet to download software onto your computer without permission?" And like that.

        Note the word "Internet" rather than "websites." Like I said: lowest common denominator.
      • Should these users know better? I think so.
        I think not. From a certain view point it looks easy, educate the users. But most of those users that should be educated (according to many people) most are just not able to understand the basics that could make their systems more safe. Like not everybody is able to go to the university if you give them the books and sufficient time.
      • I work at a small computer shop, and spyware/adware is the #1 reason we get customers in. Most of the time people fell for the popups saying "Your computer is infected with spyware - do you want to remove it?" *click* Within an hour there are 5 different versions of coolweb installed.
    • What you need is something secure by default! Or at least something that doesn't walk around with its trousers round its ankles and a big sign saying "Get it here!"
      I can't remember the number of times I've been dragged out to a friends house because their computer has gone pear-shaped due to malware (on windows systems admittedly as the only other OS I know about is Solaris and you don't see many of those on home PCs!).
      Then installing Firefox, ZoneAlarm, Ad-Aware, Stinger, an anti-virus and a reg-clean

  • Nice Review (Score:5, Interesting)

    by gazz ( 101967 ) <gaz AT schmoo DOT me DOT uk> on Thursday November 25, 2004 @04:41PM (#10920401) Homepage
    Well reviewed, my good man/woman/thing...
    It's good to see a seemingly well thought out book on the topic of detection and removal of "malware".
    The majority of tech calls I get from family and friends involve something malicious or just downright irritating landing on someone's computer (strangely, usually a Win32 box...well, not that strange, considering...), which I end up having to track down and de-couple...which can sometimes be a rather lengthy process, especially where the offending piece has been based on some of the older, smarter virii which spread themselves all over the place just to make sure it takes you a clean floppy or about 4 reboots to remove (re-deleting each re-replaced thing each time). *remember to breath, gazz*

    I've longed for a return to the days when I used to only find a blown PSU.....like, 1996....

    Good to see chapters on general system "hardening" as well as some more in-depth stuff.

    Saying all that, it can be great fun cleaning out a "scr00d" system.

  • There's a reason... (Score:3, Funny)

    by eeg3 ( 785382 ) on Thursday November 25, 2004 @04:59PM (#10920461) Homepage
    Both Windows and Linux are covered, true, but that's not a very broad slice: Solaris, HPUX, BSD, Tru64 and OS X barely get a mention.

    There's no point in wasting time developing worms for Solaris, HPUX, Tru64, etc. The work to reward ratio is too low. Not to say writing a worm, etc. is rewarding, but that's like developing anthrax that only kills people with webbed feet.
    • One of these days, when the Polar Ice caps melt, it'll be us versus them... I have *MY* Webbie killing Anthrax... You all mock me, but I SWEAR I'll have the last laugh!!!
  • I know kung fu.

  • I used to tech support (Score:5, Interesting)

    by Psychofreak ( 17440 ) on Thursday November 25, 2004 @05:07PM (#10920513) Journal
    When I was a university student, the school had a site liscence for Norton Antivirus. As a student you could install it free of charge, and it would LiveUpdate as well to stay current. In fact LiveUpdate was just out and a new good thing. The key was that having a defense against a "majority" of malware as seen by most was not enough. Users still required education on what was causing their problems. Most users did not want the time to learn about security on their machine. This meant that people were hacking other boxes on campus, people were setting up malicious websites on their own machines, people were setting up malicious websites using university resources. (my favorite was a java script "Click here for a good time" and it would try to format the harddrive!!)

    The university then started a newsletter that all tech support staff, department heads and administrative staff were supposed to subscribe to. This newsletter would detail technology happenings on campus, planned outages, maintence, a short security blurb, calls open/closed/pending, a blurb about not opening attachments unless you know the source, and much else.

    There were always some warnings about attachments and security on the internet.

    Several one-shot free classes were set up for all people at the university. Show up, learn about WHY you don't surf porn. Learn why all these things that were "bad" are considered such.

    After about 2 years of this the major problems with viruses and infected attachments started noticabling dropping off to the point of very few calls were about a virus type issue..only a few a week instead of a few a day. Then I graduated.

    I understand that most tech staff cannot schedule resources like a university can, but having a tech newsletter for an organization is good, as well as having tech instruction to the low level usere who don't see anything other than a magic box of fun!

    Having books like this is an obvious good thing, and I may consider going and getting a copy even though I am not doing tech support anymore.

    Phil
  • I've read usually don't offer anything other than: a list of tools and a small description of the man page + common tips like set up a firewall, patch your system, get an AV, be on the lookout.

    It's not common finding books that really cover a particular subject in depth.

  • Worms aren't the half of it.... (Score:3, Interesting)

    by Smiffa2001 ( 823436 ) on Thursday November 25, 2004 @05:23PM (#10920591)
    Nice review, might try to pick that up if it's stocked here in Blighty.

    As everybody else has a clean-out-a-friends-system tale, heres mine:
    The aforementioned friend/work colleague asked me to pop round and have a look at his WinXP system. It had been 'running slowly' and he 'couldn't get the internet to work'. Armed with the usual clutch of CD's in case of "bad things"(tm) I took a look. Nothing worked. Control Panel and the Device Manager being the most obivous. I check the services and discover that nearly all of the services had been disabled. After putting things as they should be, I interrogated said friend and found out that he'd followed some instructions from 'another guy' to make his system run quicker.

    Sometimes I wonder if you should have a test to operate/own a PC...
    • Sometimes I wonder if you should have a test to operate/own a PC...

      From your description it appears that the test was practical-based and your friend failed. The result being he effectively revoked his own privileges as a user - usable speed, 'net connection etc.

      Sounds like the test worked just fine. Would that this self-policing outcome be the default for all ignorant people using computers and the clueless simply disconnect themselves from the Internet.

  • I found this book interesting and useful... (Score:3, Informative)

    by OneInEveryCrowd ( 62120 ) on Thursday November 25, 2004 @07:34PM (#10921088)
    ...even for non-professional home user types like me. This was also the only computer book I read straight through in a decade or so. Usually I just read the chapter or two that applies to me and then put the thing down.

    The reviewer mentioned the lack of detailed instructions for firewalling. I don't see that as a drawback at all, there are plenty of books that cover that subject in detail.

    The part I liked the most was malware analysis section. If you're the type of home user who wants to know exactly what a spyware app like Gator (or whatever they renamed it) does, this is exactly the info you need.
  • I have not read this book but I have taken Ed's SANS Track 4, Hacker Exploits, while it was in Minneapolis. He is an amazing guy. I got more information in that five days than I think I ever have in any other five day period in my life. It was pretty much an eight hour day of Ed talking (very fast) in the front of the class. The information presented kept the whole thing really interesting. If my book budget was a little bigger I would buy the book with hopes of more of the same.

    One thing the review d

  • Virus Source Code (Score:3, Informative)

    by totallygeek ( 263191 ) <sellis@totallygeek.com> on Thursday November 25, 2004 @10:12PM (#10921803) Homepage
    For anyone interested, check out the Virus Source Code Database [totallygeek.com]. For historic reasons, it is worth taking a look at, whether you are into Assembly, Pascal, C, or others on Unix, DOS, Windows, Mac, etc.

  • why no firewall? that should be obvious. (Score:4, Informative)

    by gblues ( 90260 ) on Friday November 26, 2004 @12:22AM (#10922292)
    Why then in 700 pages is there barely a mention of how to configure a firewall?

    Probably because a firewall has fuckall to do with with malware? Malware is an Application layer issue, and while Network/Transport layer security may help mitigate damage, it's not going to keep Clicky McFucktwit from opening GOODTIMES.EXE attached to his e-mail.

    Nathan

    • Malware is an Application layer issue, and while Network/Transport layer security may help mitigate damage, it's not going to keep Clicky McFucktwit from opening GOODTIMES.EXE attached to his e-mail.

      I am amazed that you would choose my family name as some sort of pseudonym for stupidity. I mean, nobody in my family would ever, in their right minds, even use EMAIL let alone click on some file called "GOODTIMES.EXE" We all know that it's "goodtimes.EXE" - next time get the case right, you pompous, self-serv
  • I don't need a 700 page book to prevent malicious code. I would guess 80%+ of all malware could be avoided by following these four words:

    Stop visiting porn sites

    It's true, the majority of people who have malware infected pc's are those who frequent porn sites. Even more malware can be avoided by using common sence and not rushing software installations. Custom installs and skimming the EULA's can spare alot of headaches (and cpu cycles).

    I'm not knocking the book. It sounds like a hardcore read for geeks, but Malware wouldn't be such a huge problem today if morality and common sence weren't in such short supply.

    • Stop visiting porn sites

      What would happen to the internet?

    • Stop visitng porn sites

      it's not quite so cut an dry. search for ANYTHING of 'questionable' nature (cracks, walkthroughs, mp3s, etc) on the web and you are likely to encounter a site that has a pop up that takes you to a pron site that when you close the window it opens three more; repeat; exponential growth. one of those sites is likely to have malware sneak in while you are busy clicking x's. granted, stop visiting porn sites intentionally would cut a lot out, but avoid porn on the interenet is no easy
  • I used to administer 4 computer labs of 25 systems each at a major university. This involved untrusted users having unsupervised anonymous physical access.

    Here's what I had set up:
    1. Set the machines to power themselves off in the afternoons and on in the morning.
    2. Set up a reasonable security policy; enough to prevent the lesser script kiddies from installing anything.
    3. Here's the key: Ghost the labs on a regular basis. Since it uses multicast, if you've got a box of floppies and a couple of monkeys to

Slashdot Top Deals

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Close