Malware

Fighting Malicious Code

Ed Skoudis

Publisher: Prentice Hall, 2004, 647 pages

ISBN: 0-13-101405-6

Keywords: IT Security

Last modified: April 13, 2021, 6:16 p.m.

Keep your systems from being controlled by the bad guys.

Ignoring the threat of malware is one of the most reckless things you can do in today's increasingly hostile computing environment. Malware is malicious code planted on your computer, and it can give the attacker a truly alarming degree of control over your system, network, and data — all without your knowledge! Written for computer pros and savvy home users by computer security expert Edward Skoudis, Malware: Fighting Malicious Code covers everything you need to know about malware, and how to defeat it!

This book devotes a full chapter to each type of malware — viruses, worms, malicious code delivered through Web browsers and e-mail clients, backdoors, Trojan horses, user-level RootKits, and kernel-level manipulation. You'll learn about the characteristics and methods of attack, evolutionary trends, and how to defend against each type of attack. Real-world examples of malware attacks help you translate thought into action, and a special defender's toolbox chapter shows how to build your own inexpensive code analysis lab to investigate new malware specimens on your own. Throughout, Skoudis' clear, engaging style makes the material approachable and enjoyable to learn. This book includes:

  • Solutions and examples that cover both UNIX® and Windows®
  • Practical, time-tested, real-world actions you can take to secure your systems
  • Instructions for building your own inexpensive malware code analysis lab so you can get familiar with attack and defensive tools harmlessly!

Malware: Fighting Malicious Code is intended for system administrators, network personnel, security personnel, savvy home computer users, and anyone else interested in keeping their systems safe from attackers.

  1. Introduction
    • Defining the Problem
    • Why Is Malicious Code So Prevalent?
      • Mixing Data and Executable Instructions: A Scary Combo
      • Malicious Users
      • Increasingly Homogeneous Computing Environment
      • Unprecedented Connectivity
      • Ever Larger Clueless User Base
      • The World Just Isn't a Friendly Place
    • Types of Malicious Code
    • Malicious Code History
    • Why This Book?
    • What To Expect
    • References
  2. Viruses
    • The Early History of Computer Viruses
    • Infection Mechanisms and Targets
      • Infecting Executable Files
      • Companion Infection Techniques
      • Infecting Boot Sectors
      • Infecting Document Files
      • Other Virus Targets
    • Virus Propagation Mechanisms
      • Removable Storage
      • E-Mail and Downloads
      • Shared Directories
    • Defending against Viruses
      • Antivirus Software
      • Configuration Hardening
      • User Education
    • Malware Self-Preservation Techniques
      • Stealthing
      • Polymorphism and Metamorphism
      • Antivirus Deactivation
      • Thwarting Malware Self-Preservation Techniques
    • Conclusions
    • Summary
    • References
  3. Worms
    • Why Worms?
      • Taking over Vast Numbers of Systems
      • Making Traceback More Difficult
      • Amplifying Damage
    • A Brief History of Worms
    • Worm Components
      • The Worm Warhead
      • Propagation Engine
      • Target Selection Algorithm
      • Scanning Engine
      • Payload
      • Bringing the Parts Together: Nimda Case Study
    • Impediments to Worm Spread
      • Diversity of Target Environment
      • Crashing Victims Limits Spread
      • Overexuberant Spread Could Congest Networks
      • Don't Step On Yourself!
      • Don't Get Stepped on By Someone Else
    • The Coming Superworms
      • Multiplatform Worms
      • Multiexploit Worms
      • Zero-Day Exploit Worms
      • Fast-Spreading Worms
      • Polymorphic Worms
      • Metamorphic Worms
      • Truly Nasty Worms
    • Bigger Isn't Always Better: The Un-Superworm
    • Worm Defenses
      • Ethical Worms?
      • Antivirus: A Good Idea, but Only with Other Defenses
      • Deploy Vendor Patches and Harden Publicly Accessible Systems
      • Block Arbitrary Outbound Connections
      • Establish Incident Response Capabilities
      • Don't Play with Worms, Even Ethical Ones, Unless…
    • Conclusions
    • Summary
    • References
  4. Malicious Mobile Code
    • Browser Scripts
      • Resource Exhaustion
      • Browser Hijacking
      • Stealing Cookies via Browser Vulnerabilities
      • Cross-Site Scripting Attacks
    • ActiveX Controls
      • Using ActiveX Controls
      • Malicious ActiveX Controls
      • Exploiting Non-Malicious ActiveX Controls
      • Defending against ActiveX Threats: Internet Explorer Settings
    • Java Applets
      • Using Java Applets
      • Java Applet Security Model
      • Malicious Java Applets
    • Mobile Code in E-Mail Clients
      • Elevated Access Privileges via E-Mail
      • Defending against Elevated E-Mail Access
      • Web Bugs and Privacy Concerns
      • Defending against Web Bugs
    • Distributed Applications and Mobile Code
    • Additional Defenses against Malicious Mobile Code
      • Antivirus Software
      • Behavior-Monitoring Software
      • Antispyware Tools
    • Conclusions
    • Summary
    • References
  5. Backdoors
    • Different Kinds of Backdoor Access
    • Installing Backdoors
    • Starting Backdoors Automatically
      • Setting Up Windows Backdoors to Start
      • Defenses: Detecting Windows Backdoor Starting Techniques
      • Starting UNIX Backdoors
      • Defenses: Detecting UNIX Backdoor Starting Techniques
    • All-Purpose Network Connection Gadget: Netcat
      • Netcat Meets Standard In and Standard Out
      • Netcat Backdoor Shell Listener
      • Limitations of Simple Netcat Backdoor Shell Listener
      • Shoveling a Shell with Netcat Backdoor Client
      • Netcat + Crypto = Cryptcat
      • Other Backdoor Shell Listeners
      • Defenses against Backdoor Shell Listeners
    • GUIs Across the Network, Starring Virtual Network Computing
      • Let's Focus on VNC
      • VNC Network Characteristics and Server Modes
      • Shoveling a GUI on VNC
      • Remote Installation of Windows VNC
      • Remote GUI Defenses
    • Backdoors without Ports
      • ICMP Backdoors
      • Nonpromiscuous Sniffing Backdoors
      • Promiscuous Sniffing Backdoors
      • Defenses against Backdoors without Ports
    • Conclusions
    • Summary
    • References
  6. Trojan Horses
    • What's in a Name?
      • Playing with Windows Suffixes
      • Mimicking Other File Names
      • The Dangers of Dot "." in Your Path
      • Trojan Names Game Defenses
    • Wrap Stars
      • Wrapper Features
      • Wrapper Defenses
    • Trojaning Software Distribution Sites
      • Trojaning Software Distribution the Old-Fashioned Way
      • Popular New Trend: Going after Web Sites
      • The Tcpdump and Libpcap Trojan Horse Backdoor
      • Defenses against Trojan Software Distribution
    • Poisoning the Source
      • Code Complexity Makes Attack Easier
      • Test? What Test?
      • The Move Toward International Development
      • Defenses against Poisoning the Source
    • Co-opting a Browser: Setiri
      • Setiri Components
      • Setiri Communication
      • Setiri Defenses
    • Hiding Data in Executables: Stego and Polymorphism
      • Hydan and Executable Steganography
      • Hydan in Action
      • Hydan Defenses
    • Conclusions
    • Summary
    • References
  7. User-Mode RootKits
    • UNIX User-Mode RootKits
      • LRK Family
      • The Universal RootKit (URK)
      • File System Manipulation with RunEFS and the Defiler's Toolkit
      • A Brief Overview of the ext2 File System
      • UNIX RootKit Defenses
    • Windows User-Mode RootKits
      • Manipulating Windows Logon with FakeGINA
      • WFP: How It Works and Attacks against It
      • DLL Injection, API Hooking, and the AFX Windows RootKit
      • User-Mode RootKit Defenses on Windows
      • User-Mode RootKit Responses on Windows
    • Conclusions
    • Summary
    • References
  8. Kernel-Mode RootKits
    • What Is the Kernel?
    • Kernel Manipulation Impact
    • The Linux Kernel
      • Adventures in the Linux Kernel
      • Methods for Manipulating the Linux Kernel
      • Defending the Linux Kernel
    • The Windows Kernel
      • Adventures in the Windows Kernel
      • Methods for Manipulating the Windows Kernel
      • Defending the Windows Kernel
    • Conclusions
    • Summary
    • References
  9. Going Deeper
    • Setting the Stage: Different Layers of Malware
    • Going Deeper: The Possibility of BIOS and Malware Microcode
      • The Possibility of BIOS Malware
      • Microcode Malware
    • Combo Malware
      • Lion: Linux Worm/RootKit Combo
      • Bugbear: Windows Worm/Virus/Backdoor Combo
      • But That's Not All (Unfortunately)
      • Combo Malware Defenses
    • Conclusions
    • Summary
    • References
  10. Scenarios
    • Scenario 1: A Fly in the Ointment
    • Scenario 2: Invasion of the Kernel Snatchers
    • Scenario 3: Silence of the Worms
    • Conclusions
    • Summary
  11. Malware Analysis
    • Building a Malware Analysis Laboratory
      • Caveats: Using Nonproduction Systems and Staying off of the Internet
      • Overall Lab Architecture
      • Virtualizing Everything
    • Malware Analysis Process
      • Analysis of Malware and Legitimate Software
      • Preparation and Verification
      • Loading the Specimen and Getting Ready for Analysis
      • Static Analysis
      • Dynamic Analysis
      • Foiling Malware Analysis with Burneye
    • Conclusion
    • Summary
    • References
  12. Conclusion
    • Useful Web Sites for Keeping Up
      • Packet Storm Security
      • Security Focus
      • Global Information Assurance Certification
      • Phrack Electronic Magazine
      • The Honeynet Project
      • Mega Security
      • Infosec Writers
      • Counterhack
    • Parting Thoughts
      • Parting Thoughts: Pessimist's Version
      • Parting Thoughts: Optimist's Version