- ISBN: 9780131014053 | 0131014056
- Cover: Paperback
- Copyright: 11/7/2003
- Real-world tools needed to prevent, detect, and handle malicious code attacks.
- Computer infection by viruses, worms, Trojan horses, and similar programs, collectively known as malware, is a growing and costly problem for businesses.
- Discover how attackers install malware and how you can see through their schemes to keep systems safe.
- Bonus: a malware code analysis laboratory.
Ed Skoudis is a computer security consultant with International Network Services. Lenny Zeltser is an information security consultant and an instructor at the SANS Institute, where he teaches courses in malware reverse-engineering.
Section | Page |
--- | --- |
Foreword | p. xv |
Acknowledgments | p. xxi |
Introduction | p. 1 |
Defining the Problem | p. 2 |
Why Is Malicious Code So Prevalent? | p. 4 |
Mixing Data and Executable Instructions: A Scary Combo | p. 5 |
Malicious Users | p. 9 |
Increasingly Homogeneous Computing Environments | p. 10 |
Unprecedented Connectivity | p. 11 |
Ever Larger Clueless User Base | p. 12 |
The World Just Isn't a Friendly Place | p. 12 |
Types of Malicious Code | p. 13 |
Malicious Code History | p. 15 |
Why This Book? | p. 19 |
What To Expect | p. 21 |
References | p. 24 |
Viruses | p. 25 |
The Early History of Computer Viruses | p. 28 |
Infection Mechanisms and Targets | p. 31 |
Infecting Executable Files | p. 32 |
Companion Infection Techniques | p. 33 |
Infecting Boot Sectors | p. 37 |
Infecting Document Files | p. 40 |
Other Virus Targets | p. 46 |
Virus Propagation Mechanisms | p. 48 |
Removable Storage | p. 49 |
E-Mail and Downloads | p. 50 |
Shared Directories | p. 51 |
Defending against Viruses | p. 51 |
Antivirus Software | p. 52 |
Configuration Hardening | p. 58 |
User Education | p. 63 |
Malware Self-Preservation Techniques | p. 64 |
Stealthing | p. 64 |
Polymorphism and Metamorphism | p. 64 |
Antivirus Deactivation | p. 65 |
Thwarting Malware Self-Preservation Techniques | p. 67 |
Conclusions | p. 67 |
Summary | p. 68 |
References | p. 69 |
Worms | p. 71 |
Why Worms? | p. 73 |
Taking over Vast Numbers of Systems | p. 73 |
Making Traceback More Difficult | p. 74 |
Amplifying Damage | p. 75 |
A Brief History of Worms | p. 76 |
Worm Components | p. 79 |
The Worm Warhead | p. 80 |
Propagation Engine | p. 82 |
Target Selection Algorithm | p. 84 |
Scanning Engine | p. 86 |
Payload | p. 87 |
Bringing the Parts Together: Nimda Case Study | p. 88 |
Impediments to Worm Spread | p. 91 |
Diversity of Target Environment | p. 91 |
Crashing Victims Limits Spread | p. 93 |
Overexuberant Spread Could Congest Networks | p. 93 |
Don't Step on Yourself! | p. 94 |
Don't Get Stepped on By Someone Else | p. 94 |
The Coming Super Worms | p. 95 |
Multiplatform Worms | p. 96 |
Multiexploit Worms | p. 96 |
Zero-Day Exploit Worms | p. 97 |
Fast-Spreading Worms | p. 97 |
Polymorphic Worms | p. 99 |
Metamorphic Worms | p. 101 |
Truly Nasty Worms | p. 102 |
Bigger Isn't Always Better: The Un-Super Worm | p. 102 |
Worm Defenses | p. 104 |
Ethical Worms? | p. 105 |
Antivirus: A Good Idea, but Only with Other Defenses | p. 108 |
Deploy Vendor Patches and Harden Publicly Accessible Systems | p. 109 |
Block Arbitrary Outbound Connections | p. 109 |
Establish Incident Response Capabilities | p. 110 |
Don't Play with Worms, Even Ethical Ones, Unless... | p. 111 |
Conclusions | p. 112 |
Summary | p. 114 |
References | p. 115 |
Malicious Mobile Code | p. 117 |
Browser Scripts | p. 120 |
Resource Exhaustion | p. 121 |
Browser Hijacking | p. 123 |
Stealing Cookies via Browser Vulnerabilities | p. 126 |
Cross-Site Scripting Attacks | p. 132 |
ActiveX Controls | p. 143 |
Using ActiveX Controls | p. 144 |
Malicious ActiveX Controls | p. 146 |
Exploiting Nonmalicious ActiveX Controls | p. 151 |
Defending against ActiveX Threats: Internet Explorer Settings | p. 153 |
Java Applets | p. 157 |
Using Java Applets | p. 158 |
Java Applet Security Model | p. 159 |
Malicious Java Applets | p. 163 |
Mobile Code in E-Mail Clients | p. 165 |
Elevated Access Privileges via E-Mail | p. 166 |
Defending against Elevated E-Mail Access | p. 167 |
Web Bugs and Privacy Concerns | p. 169 |
Defending against Web Bugs | p. 170 |
Distributed Applications and Mobile Code | p. 172 |
Additional Defenses against Malicious Mobile Code | p. 174 |
Antivirus Software | p. 175 |
Behavior-Monitoring Software | p. 176 |
Antispyware Tools | p. 178 |
Conclusions | p. 181 |
Summary | p. 182 |
References | p. 184 |
Backdoors | p. 187 |
Different Kinds of Backdoor Access | p. 189 |
Installing Backdoors | p. 190 |
Starting Backdoors Automatically | p. 191 |
Setting Up Windows Backdoors to Start | p. 192 |
Defenses: Detecting Windows Backdoor Starting Techniques | p. 198 |
Starting UNIX Backdoors | p. 201 |
Defenses: Detecting UNIX Backdoor Starting Techniques | p. 206 |
All-Purpose Network Connection Gadget: Netcat | p. 206 |
Netcat Meets Standard In and Standard Out | p. 207 |
Netcat Backdoor Shell Listener | p. 210 |
Limitation of Simple Netcat Backdoor Shell Listener | p. 213 |
Shoveling a Shell with Netcat Backdoor Client | p. 214 |
Netcat + Crypto = Cryptcat | p. 215 |
Other Backdoor Shell Listeners | p. 216 |
Defenses against Backdoor Shell Listeners | p. 217 |
GUIs Across the Network, Starring Virtual Network Computing | p. 224 |
Let's Focus on VNC | p. 227 |
VNC Network Characteristics and Server Modes | p. 229 |
Shoveling a GUI with VNC | p. 230 |
Remote Installation of Windows VNC | p. 231 |
Remote GUI Defenses | p. 233 |
Backdoors without Ports | p. 234 |
ICMP Backdoors | p. 234 |
Nonpromiscuous Sniffing Backdoors | p. 236 |
Promiscuous Sniffing Backdoors | p. 239 |
Defenses against Backdoors without Ports | p. 243 |
Conclusions | p. 247 |
Summary | p. 248 |
References | p. 249 |
Trojan Horses | p. 251 |
What's in a Name? | p. 252 |
Playing with Windows Suffixes | p. 253 |
Mimicking Other File Names | p. 257 |
The Dangers of Dot "." in Your Path | p. 262 |
Trojan Name Game Defenses | p. 265 |
Wrap Stars | p. 267 |
Wrapper Features | p. 268 |
Wrapper Defenses | p. 270 |
Trojaning Software Distribution Sites | p. 270 |
Trojaning Software Distribution the Old-Fashioned Way | p. 271 |
Popular New Trend: Going after Web Sites | p. 271 |
The Tcpdump and Libpcap Trojan Horse Backdoor | p. 273 |
Defenses against Trojan Software Distribution | p. 276 |
Poisoning the Source | p. 278 |
Code Complexity Makes Attack Easier | p. 279 |
Test? What Test? | p. 281 |
The Move Toward International Development | p. 283 |
Defenses against Poisoning the Source | p. 284 |
Co-opting a Browser: Setiri | p. 286 |
Setiri Components | p. 286 |
Setiri Communication | p. 287 |
Setiri Defenses | p. 290 |
Hiding Data in Executables: Stego and Polymorphism | p. 293 |
Hydan and Executable Steganography | p. 294 |
Hydan in Action | p. 296 |
Hydan Defenses | p. 298 |
Conclusions | p. 299 |
Summary | p. 300 |
References | p. 301 |
User-Mode RootKits | p. 303 |
UNIX User-mode RootKits | p. 306 |
LRK Family | p. 309 |
The Universal RootKit (URK) | p. 322 |
File System Manipulation with RunEFS and the Defiler's Toolkit | p. 326 |
A Brief Overview of the ext2 File System | p. 327 |
UNIX RootKit Defenses | p. 335 |
Windows User-Mode RootKits | p. 344 |
Manipulating Windows Logon with FakeGINA | p. 347 |
WFP: How It Works and Attacks against It | p. 351 |
DLL Injection, API Hooking, and the AFX Windows RootKit | p. 359 |
User-Mode RootKit Defenses on Windows | p. 370 |
User-Mode RootKit Response on Windows | p. 373 |
Conclusions | p. 373 |
Summary | p. 374 |
References | p. 377 |
Kernel-Mode RootKits | p. 379 |
What Is the Kernel? | p. 379 |
Kernel Manipulation Impact | p. 383 |
The Linux Kernel | p. 387 |
Adventures in the Linux Kernel | p. 388 |
Methods for Manipulating the Linux Kernel | p. 397 |
Defending the Linux Kernel | p. 420 |
The Windows Kernel | p. 429 |
Adventures in the Windows Kernel | p. 429 |
Methods for Manipulating the Windows Kernel | p. 444 |
Defending the Windows Kernel | p. 454 |
Conclusions | p. 458 |
Summary | p. 458 |
References | p. 462 |
Going Deeper | p. 465 |
Setting the Stage: Different Layers of Malware | p. 466 |
Going Deeper: The Possibility of BIOS and Malware Microcode | p. 471 |
The Possibility of BIOS Malware | p. 471 |
Microcode Malware | p. 484 |
Combo Malware | p. 502 |
Lion: Linux Worm/RootKit Combo | p. 504 |
Bugbear: Windows Worm/Virus/Backdoor Combo | p. 508 |
But That's Not All (Unfortunately) | p. 513 |
Combo Malware Defenses | p. 513 |
Conclusions | p. 514 |
Summary | p. 514 |
References | p. 517 |
Scenarios | p. 519 |
A Fly in the Ointment | p. 520 |
Invasion of the Kernel Snatchers | p. 529 |
Silence of the Worms | p. 541 |
Conclusions | p. 553 |
Summary | p. 554 |
Malware Analysis | p. 557 |
Building a Malware Analysis Laboratory | p. 557 |
Caveats: Using Nonproduction Systems and Staying off of the Internet | p. 558 |
Overall Lab Architecture | p. 558 |
Virtualizing Everything | p. 561 |
Malware Analysis Process | p. 564 |
Analysis of Malware and Legitimate Software | p. 566 |
Preparation and Verification | p. 567 |
Loading the Specimen and Getting Ready for Analysis | p. 574 |
Static Analysis | p. 576 |
Dynamic Analysis | p. 594 |
Foiling Malware Analysis with Burneye | p. 615 |
Conclusion | p. 619 |
Summary | p. 620 |
References | p. 622 |
Conclusion | p. 625 |
Useful Web Sites for Keeping Up | p. 625 |
Packet Storm Security | p. 626 |
Security Focus | p. 627 |
Global Information Assurance Certification | p. 627 |
Phrack Electronic Magazine | p. 628 |
The Honeynet Project | p. 629 |
Mega Security | p. 630 |
Infosec Writers | p. 630 |
Counterhack | p. 631 |
Parting Thoughts | p. 631 |
Parting Thoughts: Pessimist's Version | p. 632 |
Parting Thoughts: Optimist's Version | p. 634 |
Index | p. 637 |
Table of Contents provided by Ingram. All Rights Reserved.