Malware: Fighting Malicious Code
by Zaklina Supica - Monday, 26 July 2004.
Authors: Ed Skoudis and Lenny Zeltser
Pages: 432
Publisher: Prentice Hall PTR
ISBN: 0131014056


Every computer user, whether a system administrator or a home user, needs to defend their computer from all sorts of attacks. This book brings basic knowledge about types of malicious code with definitions and practical advice. To get to know your enemy from the opposite side of Internet is the first step for a good and solid defense.

About the authors

Ed Skoudis is a computer security consultant with International Network Services. Ed's expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He is an instructor with the SANS Institute, where he teaches popular courses on incident response and computer attack.

An interview with Ed Skoudis is available here

Lenny Zeltser is an information security consultant and an instructor at the SANS Institute, where he teaches courses in malware reverse-engineering. Lenny holds a number of professional certificates including CISSP and GSE and is currently pursuing an MBA degree at MIT.

Inside the book

Malicious code or malware is a term that we hear a lot almost every day. The book kicks off with an introduction to the term. Skoudis talks about malware code as a prevalent problem, describing malicious users and other reasons which make it possible for malware to spread. Here you encounter a simple but descriptive table presented with types of malicious code followed by malicious code history. Itís a very friendly introduction to the serious content that follows.

What follows is some basic knowledge about viruses. The author describes several infection mechanisms and techniques that a virus can take when infecting executable files, the boot sector, document and other virus targets. After the infection, virus propagation mechanisms are presented. Of course, the end of a virus story belongs to security mechanisms and some malware self-preservation techniques.

Viruses pose a constant threat so itís important to know as much as possible about them. After all, they are the foundation for worms which are the subject of the next chapter.

The third chapter is dedicated to worms, but it starts with a comparation of viruses and worms. That way one can get a better picture and find out the main differences. Skoudis starts with the definition and history of worms. If you arenít familiar with some of the worms that were, or still are notable, they are previewed in a table with their characteristics.

Each worm has components which present the building blocks implemented in it. Those are the worm warhead, the propagation engine, the target selection algorithm, the scanning engine and payload and each of them is described. Since there's no slowdown in the appearance of worm, Skoudis also talks about what we can see coming and presents ethical worms, with their pros and cons. In order to help you defend against worms here you'll find advices for defense mechanisms.

Every time you're browsing the Web or read HTML e-mail, you routinely encounter mobile code which can be malicious. The author presents browse scripts, ActiveX controls, Java applets, mobile code in e-mail clients, and mobile code in distributed applications. All of these techniques are described with simple examples. The most important security measures are summarized. This chapter is concentrated on the threat that comes in the form lightweight programs downloaded from a remote system and executed locally, and on suitable defense mechanisms.

The following illustrated threat is a backdoor program. After basic definition, different kinds of backdoor access are shown. The author writes about installing backdoors, starting them automatically in Windows and UNIX operating systems, and also detecting them.

Unlike a backdoor, the Trojan horse is a program that appears to have some useful purpose, but really masks some hidden malicious functionality. Skoudis starts by explaining the danger that file names and extensions bring. Itís very important to understand the tricks used to hide malicious code into harmless files or how attackers perform name-based attacks. Steganography, a technique of the hiding data is also described.

RootKits, discovered in chapter seven, are different from viruses and Trojan horses since they modify the operating system in order to gain access to someone not authorized to use it. Skoudis distinguishes two types of RootKits, user-mode and kernel-mode. First, he analyzes the user-mode RootKit for UNIX and Windows operating systems, including their use and defenses. One of the interesting parts of this chapter is the table that shows the development of the Linux RootKit Family.

Next the author writes about kernel-mode RootKits that get at the heart of the operating system. The main difference is that kernel-mode RootKits modify the operating system kernel. That way, the attacker can mask his presence more efficiently. First, Skoudis explains what kernel is and how it can be manipulated in general, and he touches both Windows and Linux. Here you also find some defense suggestions and its worth to pay attention.

What you see next is a display of six different levels of malware infiltration. A problem discussed here is the possibility for an attacker to alter the functioning of the BIOS and CPU themselves. The author deals with flashing BIOS, denial-of-service attacks, microcode, etc. This chapter simply describes the possibilities for an attacker that go beyond an end user or even some administrators' knowledge. But, itís very useful to know what one can expect.

What are presented next are three malware attack scenarios. These case studies include the theory presented in previous chapters. Each of the scenarios is based on common mistakes made by computer users, system administrators and security personnel. The covered scenarios are: surfing the Internet, ignored system administrator notice and buffer overflow vulnerability exploited by a worm on the Internet.

Skoudis also writes about building a malware analysis laboratory and offers some good advice about which hardware to use, and then presents a process and tools for putting malware to detailed analysis so one can determine its functionality and purpose.

At the end of the book Skoudis presents links to some useful web sites for keeping up with malware.

My 2 cents

Today's hostile computing environment doesn't allow the user to ignore the threat of malware. Each chapter of this book is devoted to one type of malware: viruses, worms, malicious code, backdoors, Trojan horses, User-lever RootKits, and kernel-level manipulation.

Anyone interested in keeping their system safe from attackers should read this book. Although it contains more beginner-level knowledge, it also has good practice examples and scenarios that can help system administrator and security personnel to develop a safe computer environment.

"Malware: Fighting Malicious Code" presents a good start for getting knowledge about malicious code. It's clearly written, easy to understand and informative.


Compromised cPanel "Account Suspended" pages redirect to exploit kit

The code redirects visitors to another URL where the Fiesta exploit kit is hosted, which then tries to detect and exploit several vulnerabilities in various software. If it succeeds, the visitors are saddled with a banking Trojan.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 27th