Malware: Fighting Malicious Code

Malicious code is a set of instructions that runs on your computer and makes your system do something that you do not want it to do. For example, it can delete sensitive configuration files from your hard drive, rendering your computer completely inoperable; infect your computer and use it as a jumping-off point to spread to all of your buddies' computers; and steal files from your machine. Malicious code in the hands of a crafty attacker is indeed powerful. It's becoming even more of a problem because many of the very same factors fueling the evolution of the computer industry are making our systems even more vulnerable to malicious code. Specifically, malicious code writers benefit from the trends toward mixing static data and executable instructions, increasingly homogenous computing environments, unprecedented connectivity, an ever-larger clueless user base, and an unfriendly world.

Skoudis addressed malicious code in just one chapter of his previous book. Here, a dozen chapters focus on one of the most interesting and rapidly developing areas of computer attacks. Chapter 11, "Defender's Toolbox," rolls together the defensive strategies described in the book. As a bonus, Skoudis gives recipes for creating your own malicious code analysis laboratory using cheap hardware and software.
Contents

Introduction | 1
Defining the Problem | 2
Why Is Malicious Code So Prevalent? | 4
Types of Malicious Code | 13
Malicious Code History | 15
Why This Book? | 19
What To Expect | 21
References | 24
Viruses | 25
The Early History of Computer Viruses | 28
Infection Mechanisms and Targets | 31
Virus Propagation Mechanisms | 48
Defending against Viruses | 51
Malware Self-Preservation Techniques | 64
Conclusions | 67
Summary | 68
References | 69
Worms | 71
Why Worms? | 73
A Brief History of Worms | 76
Worm Components | 79
Impediments to Worm Spread | 91
The Coming Superworms | 95
The Un-Super Worm | 102
Worm Defenses | 104
Conclusions | 112
Summary | 114
References | 115
Malicious Mobile Code | 117
Browser Scripts | 120
ActiveX Controls | 143
Java Applets | 157
Mobile Code in E-Mail Clients | 165
Distributed Applications and Mobile Code | 172
Additional Defenses against Malicious Mobile Code | 174
Conclusions | 181
Summary | 182
References | 184
Backdoors | 187
Different Kinds of Backdoor Access | 189
Installing Backdoors | 190
Starting Backdoors Automatically | 191
Netcat | 206
GUIs Across the Network Starring Virtual Network Computing | 224
Backdoors without Ports | 234
Conclusions | 247
Summary | 248
References | 249
Trojan Horses | 251
What's in a Name? | 252
Wrap Stars | 267
Trojaning Software Distribution Sites | 270
Poisoning the Source | 278
Setiri | 286
Stego and Polymorphism | 293
Conclusions | 299
Summary | 300
User-Mode RootKits | 303
UNIX User-Mode RootKits | 306
Windows User-Mode RootKits | 344
Conclusions | 373
Summary | 374
References | 377
Kernel-Mode RootKits | 379
Kernel Manipulation Impact | 383
The Linux Kernel | 387
The Windows Kernel | 429
Summary | 458
References | 462
Going Deeper | 465
Different Layers of Malware | 466
The Possibility of BIOS and Malware Microcode | 471
Combo Malware | 502
Summary | 514
References | 517
Scenarios | 519
A Fly in the Ointment | 520
Invasion of the Kernel Snatchers | 529
Silence of the Worms | 541
Conclusions | 553
Summary | 554
Malware Analysis | 557
Malware Analysis Process | 564
Conclusion | 619
Summary | 620
References | 622
Conclusion | 625
Parting Thoughts | 631