
ISBN: 0131014056

ISBN13: 9780131014053

Malware: Fighting Malicious Code


Book Overview

Malicious code is a set of instructions that runs on your computer and makes your system do something that you do not want it to do. For example, it can delete sensitive configuration files from your hard drive, rendering your computer completely inoperable; infect your computer and use it as a jumping-off point to spread to all of your buddies' computers; and steal files from your machine. Malicious code in the hands of a crafty attacker is indeed...

Customer Reviews

5 ratings

Best available

This book provides the best review of malicious software that is presently available. If you need a comprehensive reference then this is the book for you. The author is a well-known and respected security analyst and this book provides solid information at a level suitable for the system administrator. Unlike so many books of this type, it is not a camouflaged endorsement of some vendor's products or a simplistic and alarmist text. Topics covered include:

- viruses, with a brief history and description of the various types and their mechanisms;
- worms, again with a brief history and description of the various types and their mechanisms;
- mobile code, including browser scripts, ActiveX controls, Java applets and mobile code as it occurs in email clients and distributed applications. Given the increasing amount of mobile code, this is particularly valuable;
- backdoors, particularly Netcat and VNC but covering some others as well;
- trojans including wrappers, source poisoning and browser co-option;
- rootkits for Unix and Windows;
- kernel-mode rootkits for Linux and Windows;
- possible modes, including BIOS and microcode attacks.

"Encyclopedic" is the only description I can give, but be warned that it's not for the general reader, or for newbies.

Another tour de force from one of the community's best

I reviewed Ed's "Counter Hack" in Nov 2001, giving it five stars as the perfect introduction for newcomers to the security field. 2 1/2 years later I'm happy to say "Malware" delivers the same quality, clarity, and insight that made "Counter Hack" a winner. My only regret is not having read and reviewed "Malware" sooner!

One of the impressive aspects of this book is the degree to which it is "future-proofed." Ed looks at current threats like worms, viruses, trojans, and user- and kernel-mode rootkits, like any author might. He then takes malicious software to the next level, from the kernel to BIOS and finally to CPU microcode. These BIOS- and microcode-level attacks are still largely theoretical (aside from BIOS-destroying code), at least as far as the public knows. When the world sees these threats emerge, "Malware" will be waiting to explain their capabilities.

Ed writes exceptionally well, bringing coverage of Linux and Windows kernel internals to the masses. I enjoyed learning about the trojaned Tcpdump distribution, anti-forensics, DLL injection, and API hooking. Lenny Zeltser's chapters on malware analysis were helpful as well, and I recommend attending his reverse engineering classes. The book also shines with respect to skillful use of tables and diagrams to explain key points. The only technical inaccuracy I found was the proposition that UNIX filesystems maintain a c_time as "creation time" (p. 319 and elsewhere). c_time is "change of inode time," like changing permissions on a file. Windows' NTFS "c_time" is indeed "creation time," however. I also found myself skipping many of the author's analogies, like the king, knights, castle, etc. story in the BIOS/microcode discussion. Ed's writing is clear enough that anyone with some technical experience should be able to understand his points without falling back on analogies.

I highly recommend "Malware" to anyone who wants to understand the capabilities of our digital enemies.
Many other security books are vulnerability-focused, spending time explaining ways to subvert, breach, or abuse poorly designed or deployed applications. "Malware" is threat-oriented, showing the capabilities of intruders and their code. This knowledge will change the way you think about security and the trustworthiness of your systems -- especially those exposed to the harsh reality of the Internet.

Parts of this book should be a must read for EVERYONE!

Working with a computer that doesn't want to behave on its own is frustrating enough. Between buggy code and the blue screen of death, many of us have wanted to throw our computers against the wall. Unfortunately, not only do we need to deal with these wonderful, little problems, but we also need to deal with programs that are intentionally trying to inflict problems on or through our computers.

These programs, collectively called "malware", include many different categories; however, we know them best as the "virus", "Trojan horse", "rootkits", "backdoors", and a lot of others. These malware tools (based on "mal", the Latin word for "bad" or "evil") are the bane not only of system administrators but also of the average home user who just doesn't know any better.

"Malware: Fighting Malicious Code" by Ed Skoudis is meant to educate the reader not only of the dangers of malware but also of ways to combat malware.

"To defeat your enemy, you first must know him." - Sun Tzu

This phrase is the core philosophy of this book. This 647-page fighter's manual is the computer-age version of Tzu's "The Art of War", except in this case the war is between you and the low-life morons who create the programs that facilitated the need for Skoudis to write this book.

I found this book to be far more fascinating than I thought it would be. After all, how exciting can a book about virii and Trojan horses really be? "Malware" is written with a surprising amount of detailed, historical facts, real-world examples, and light-hearted humor that help to keep your attention. The author also takes extra steps to differentiate between the various types of malware. After all, how many people do you know who continually (and incorrectly) use "virus", "Trojan horse", and "worm" interchangeably? How many of you are guilty of it yourselves?

"Malware" covers a lot more than you would probably expect such a book to cover. Not only does it cover the more commonly-known malware, such as virii, Trojan horses, and worms, but it also covers topics like ActiveX Controls, Java applets, JavaScript, backdoors, and many others. It also contains a great deal of information on root kits, both user and kernel modes. Sections of the book even go deeper into the possibilities of malware attacks against the system BIOS and microcode.

Those who expect this book to deal primarily with Windows will likely be surprised by the amount of detail that is given to UNIX (primarily Solaris) and Linux as well as Windows. In fact, each of these has its own chapters with respect to rootkits and kernel attacks. These chapters can be very dry, but there is a great deal of information in these chapters that any serious system administrator who is interested in security (as we all should be) should read.

The author goes into respectable detail regarding how the various types of malware attack and propagate, not only from a basic functional point of view but also from a detailed step-by-step method to explain exactly what eac

best of its kind

I've read a few books on viruses, worms, and malware. This is the best by far. Prior to reading this text I considered myself pretty well versed in the subject area of all but a couple of chapters. I was pleasantly surprised to uncover a ton of new knowledge, tools, and tricks in each chapter. Now that I've finished reading this book, my only regret is that the experience is over.

The 12 chapters of this book include the following major topics: Viruses, Worms, Malicious Mobile Code, Backdoors, Trojan Horses, User Mode RootKits, Kernel-Mode RootKits, Going Deeper, Scenarios, and Malware Analysis. At first glance this all seems like pretty standard fare. However, Skoudis really digs into each subject. He includes in-depth analysis of many live and current malware specimens. I even learned a lot of not so well documented things about Unix and Windows from this book.

Ed is able to explain complex technical material in a way that's easy to digest and enjoyable to the reader. While it's written more for a techie, this book can also be read and appreciated by a novice. The chapters on Malicious Mobile Code and RootKits were particularly enlightening. The chapter entitled "Going Deeper" explores possibilities for malware at the BIOS and CPU microcode levels in addition to combo-malware. The chapter on "Malware Analysis" is a nice introduction to reverse engineering and analyzing malware. I attended a SANS track instructed by the author recently. I told him how much I enjoyed reading "Counter Hack" a couple of years back. He said that "Counter Hack" was like an InfoSec 101/102 course and "Malware" is like InfoSec 103/104. I agree that this is a great follow-up to "Counter Hack". This is not a rerun or revision of the first book. Nor is it the same exact material he teaches with SANS (which is also very good stuff). Malware is a new and fresh book that will sit on the top shelf of my InfoSec bookcase with the other books that I refer to frequently.
This book easily earns my highest rating and recommendation.

Levels the Playing Field

Utterly fascinating. It comprehensively surveys the field of malware. It clearly explains viruses, worms and Trojans. Plus, given the universal prevalence of browsers on computers these days, careful attention is given to infiltrations via buggy browsers.

The authors write in an easy to follow style, aimed at the programmer. Though if you are not such, but know the rudiments of computers as a user, you can follow most of the discussion.

If you have ever wondered at the brief explanations of viruses or worms that appear in the general media, or even in the technical magazines, then this is an instructive book. For example, you have probably heard of "buffer overflows". But due to the constraints of space or audience type, the explanations left you unsatisfied. Turn instead here.

Some of you may look askance upon this book. After all, haven't the authors just written a HowTo for new malware wretches? Strictly, perhaps so. But before you berate the authors, consider this. The top malware writers probably devote the bulk of their formidable intellectual creativity to malware. But if you want to guard against it, and you are a programmer or sysadmin, typically this is not your only responsibility. Without a book like this, it is much harder to come up to speed. You then face a very unlevel playing field. The only strange thing about this book is that there should be more like it, at its level of detail. If you survey the field of computer books, it can seem like there are multiple books on most topics, no matter how obscure. But on THIS topic, which is of broad, pervasive import to most users, there exists little.

Until now.