| |
| |
| Foreword | |
| |
| |
| Acknowledgments | |
| |
| |
| |
| Introduction | |
| |
| |
| Defining the Problem | |
| |
| |
| Why Is Malicious Code So Prevalent? | |
| |
| |
| Mixing Data and Executable Instructions: A Scary Combo | |
| |
| |
| Malicious Users | |
| |
| |
| Increasingly Homogeneous Computing Environments | |
| |
| |
| Unprecedented Connectivity | |
| |
| |
| Ever Larger Clueless User Base | |
| |
| |
| The World Just Isn't a Friendly Place | |
| |
| |
| Types of Malicious Code | |
| |
| |
| Malicious Code History | |
| |
| |
| Why This Book? | |
| |
| |
| What To Expect | |
| |
| |
| References | |
| |
| |
| |
| Viruses | |
| |
| |
| The Early History of Computer Viruses | |
| |
| |
| Infection Mechanisms and Targets | |
| |
| |
| Infecting Executable Files | |
| |
| |
| Companion Infection Techniques | |
| |
| |
| Infecting Boot Sectors | |
| |
| |
| Infecting Document Files | |
| |
| |
| Other Virus Targets | |
| |
| |
| Virus Propagation Mechanisms | |
| |
| |
| Removable Storage | |
| |
| |
| E-Mail and Downloads | |
| |
| |
| Shared Directories | |
| |
| |
| Defending against Viruses | |
| |
| |
| Antivirus Software | |
| |
| |
| Configuration Hardening | |
| |
| |
| User Education | |
| |
| |
| Malware Self-Preservation Techniques | |
| |
| |
| Stealthing | |
| |
| |
| Polymorphism and Metamorphism | |
| |
| |
| Antivirus Deactivation | |
| |
| |
| Thwarting Malware Self-Preservation Techniques | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Worms | |
| |
| |
| Why Worms? | |
| |
| |
| Taking over Vast Numbers of Systems | |
| |
| |
| Making Traceback More Difficult | |
| |
| |
| Amplifying Damage | |
| |
| |
| A Brief History of Worms | |
| |
| |
| Worm Components | |
| |
| |
| The Worm Warhead | |
| |
| |
| Propagation Engine | |
| |
| |
| Target Selection Algorithm | |
| |
| |
| Scanning Engine | |
| |
| |
| Payload | |
| |
| |
| Bringing the Parts Together: Nimda Case Study | |
| |
| |
| Impediments to Worm Spread | |
| |
| |
| Diversity of Target Environment | |
| |
| |
| Crashing Victims Limits Spread | |
| |
| |
| Overexuberant Spread Could Congest Networks | |
| |
| |
| Don't Step on Yourself! | |
| |
| |
| Don't Get Stepped on By Someone Else | |
| |
| |
| The Coming Super Worms | |
| |
| |
| Multiplatform Worms | |
| |
| |
| Multiexploit Worms | |
| |
| |
| Zero-Day Exploit Worms | |
| |
| |
| Fast-Spreading Worms | |
| |
| |
| Polymorphic Worms | |
| |
| |
| Metamorphic Worms | |
| |
| |
| Truly Nasty Worms | |
| |
| |
| Bigger Isn't Always Better: The Un-Super Worm | |
| |
| |
| Worm Defenses | |
| |
| |
| Ethical Worms? | |
| |
| |
| Antivirus: A Good Idea, but Only with Other Defenses | |
| |
| |
| Deploy Vendor Patches and Harden Publicly Accessible Systems | |
| |
| |
| Block Arbitrary Outbound Connections | |
| |
| |
| Establish Incident Response Capabilities | |
| |
| |
| Don't Play with Worms, Even Ethical Ones, Unless... | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Malicious Mobile Code | |
| |
| |
| Browser Scripts | |
| |
| |
| Resource Exhaustion | |
| |
| |
| Browser Hijacking | |
| |
| |
| Stealing Cookies via Browser Vulnerabilities | |
| |
| |
| Cross-Site Scripting Attacks | |
| |
| |
| ActiveX Controls | |
| |
| |
| Using ActiveX Controls | |
| |
| |
| Malicious ActiveX Controls | |
| |
| |
| Exploiting Nonmalicious ActiveX Controls | |
| |
| |
| Defending against ActiveX Threats: Internet Explorer Settings | |
| |
| |
| Java Applets | |
| |
| |
| Using Java Applets | |
| |
| |
| Java Applet Security Model | |
| |
| |
| Malicious Java Applets | |
| |
| |
| Mobile Code in E-Mail Clients | |
| |
| |
| Elevated Access Privileges via E-Mail | |
| |
| |
| Defending against Elevated E-Mail Access | |
| |
| |
| Web Bugs and Privacy Concerns | |
| |
| |
| Defending against Web Bugs | |
| |
| |
| Distributed Applications and Mobile Code | |
| |
| |
| Additional Defenses against Malicious Mobile Code | |
| |
| |
| Antivirus Software | |
| |
| |
| Behavior-Monitoring Software | |
| |
| |
| Antispyware Tools | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Backdoors | |
| |
| |
| Different Kinds of Backdoor Access | |
| |
| |
| Installing Backdoors | |
| |
| |
| Starting Backdoors Automatically | |
| |
| |
| Setting Up Windows Backdoors to Start | |
| |
| |
| Defenses: Detecting Windows Backdoor Starting Techniques | |
| |
| |
| Starting UNIX Backdoors | |
| |
| |
| Defenses: Detecting UNIX Backdoor Starting Techniques | |
| |
| |
| All-Purpose Network Connection Gadget: Netcat | |
| |
| |
| Netcat Meets Standard In and Standard Out | |
| |
| |
| Netcat Backdoor Shell Listener | |
| |
| |
| Limitation of Simple Netcat Backdoor Shell Listener | |
| |
| |
| Shoveling a Shell with Netcat Backdoor Client | |
| |
| |
| Netcat + Crypto = Cryptcat | |
| |
| |
| Other Backdoor Shell Listeners | |
| |
| |
| Defenses against Backdoor Shell Listeners | |
| |
| |
| GUIs Across the Network, Starring Virtual Network Computing | |
| |
| |
| Let's Focus on VNC | |
| |
| |
| VNC Network Characteristics and Server Modes | |
| |
| |
| Shoveling a GUI with VNC | |
| |
| |
| Remote Installation of Windows VNC | |
| |
| |
| Remote GUI Defenses | |
| |
| |
| Backdoors without Ports | |
| |
| |
| ICMP Backdoors | |
| |
| |
| Nonpromiscuous Sniffing Backdoors | |
| |
| |
| Promiscuous Sniffing Backdoors | |
| |
| |
| Defenses against Backdoors without Ports | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Trojan Horses | |
| |
| |
| What's in a Name? | |
| |
| |
| Playing with Windows Suffixes | |
| |
| |
| Mimicking Other File Names | |
| |
| |
| The Dangers of Dot "." in Your Path | |
| |
| |
| Trojan Name Game Defenses | |
| |
| |
| Wrap Stars | |
| |
| |
| Wrapper Features | |
| |
| |
| Wrapper Defenses | |
| |
| |
| Trojaning Software Distribution Sites | |
| |
| |
| Trojaning Software Distribution the Old-Fashioned Way | |
| |
| |
| Popular New Trend: Going after Web Sites | |
| |
| |
| The Tcpdump and Libpcap Trojan Horse Backdoor | |
| |
| |
| Defenses against Trojan Software Distribution | |
| |
| |
| Poisoning the Source | |
| |
| |
| Code Complexity Makes Attack Easier | |
| |
| |
| Test? What Test? | |
| |
| |
| The Move Toward International Development | |
| |
| |
| Defenses against Poisoning the Source | |
| |
| |
| Co-opting a Browser: Setiri | |
| |
| |
| Setiri Components | |
| |
| |
| Setiri Communication | |
| |
| |
| Setiri Defenses | |
| |
| |
| Hiding Data in Executables: Stego and Polymorphism | |
| |
| |
| Hydan and Executable Steganography | |
| |
| |
| Hydan in Action | |
| |
| |
| Hydan Defenses | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| User-Mode RootKits | |
| |
| |
| UNIX User-mode RootKits | |
| |
| |
| LRK Family | |
| |
| |
| The Universal RootKit (URK) | |
| |
| |
| File System Manipulation with RunEFS and the Defiler's Toolkit | |
| |
| |
| A Brief Overview of the ext2 File System | |
| |
| |
| UNIX RootKit Defenses | |
| |
| |
| Windows User-Mode RootKits | |
| |
| |
| Manipulating Windows Logon with FakeGINA | |
| |
| |
| WFP: How It Works and Attacks against It | |
| |
| |
| DLL Injection, API Hooking, and the AFX Windows RootKit | |
| |
| |
| User-Mode RootKit Defenses on Windows | |
| |
| |
| User-Mode RootKit Response on Windows | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Kernel-Mode RootKits | |
| |
| |
| What Is the Kernel? | |
| |
| |
| Kernel Manipulation Impact | |
| |
| |
| The Linux Kernel | |
| |
| |
| Adventures in the Linux Kernel | |
| |
| |
| Methods for Manipulating the Linux Kernel | |
| |
| |
| Defending the Linux Kernel | |
| |
| |
| The Windows Kernel | |
| |
| |
| Adventures in the Windows Kernel | |
| |
| |
| Methods for Manipulating the Windows Kernel | |
| |
| |
| Defending the Windows Kernel | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Going Deeper | |
| |
| |
| Setting the Stage: Different Layers of Malware | |
| |
| |
| Going Deeper: The Possibility of BIOS and Malware Microcode | |
| |
| |
| The Possibility of BIOS Malware | |
| |
| |
| Microcode Malware | |
| |
| |
| Combo Malware | |
| |
| |
| Lion: Linux Worm/RootKit Combo | |
| |
| |
| Bugbear: Windows Worm/Virus/Backdoor Combo | |
| |
| |
| But That's Not All (Unfortunately) | |
| |
| |
| Combo Malware Defenses | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Scenarios | |
| |
| |
| |
| A Fly in the Ointment | |
| |
| |
| |
| Invasion of the Kernel Snatchers | |
| |
| |
| |
| Silence of the Worms | |
| |
| |
| Conclusions | |
| |
| |
| Summary | |
| |
| |
| |
| Malware Analysis | |
| |
| |
| Building a Malware Analysis Laboratory | |
| |
| |
| Caveats: Using Nonproduction Systems and Staying off of the Internet | |
| |
| |
| Overall Lab Architecture | |
| |
| |
| Virtualizing Everything | |
| |
| |
| Malware Analysis Process | |
| |
| |
| Analysis of Malware and Legitimate Software | |
| |
| |
| Preparation and Verification | |
| |
| |
| Loading the Specimen and Getting Ready for Analysis | |
| |
| |
| Static Analysis | |
| |
| |
| Dynamic Analysis | |
| |
| |
| Foiling Malware Analysis with Burneye | |
| |
| |
| Conclusion | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Conclusion | |
| |
| |
| Useful Web Sites for Keeping Up | |
| |
| |
| Packet Storm Security | |
| |
| |
| Security Focus | |
| |
| |
| Global Information Assurance Certification | |
| |
| |
| Phrack Electronic Magazine | |
| |
| |
| The Honeynet Project | |
| |
| |
| Mega Security | |
| |
| |
| Infosec Writers | |
| |
| |
| Counterhack | |
| |
| |
| Parting Thoughts | |
| |
| |
| Parting Thoughts: Pessimist's Version | |
| |
| |
| Parting Thoughts: Optimist's Version | |
| |
| |
| Index | |