Foreword

Acknowledgments

Introduction
  Defining the Problem
  Why Is Malicious Code So Prevalent?
  Mixing Data and Executable Instructions: A Scary Combo
  Malicious Users
  Increasingly Homogeneous Computing Environments
  Unprecedented Connectivity
  Ever Larger Clueless User Base
  The World Just Isn't a Friendly Place
  Types of Malicious Code
  Malicious Code History
  Why This Book?
  What To Expect
  References

Viruses
  The Early History of Computer Viruses
  Infection Mechanisms and Targets
  Infecting Executable Files
  Companion Infection Techniques
  Infecting Boot Sectors
  Infecting Document Files
  Other Virus Targets
  Virus Propagation Mechanisms
  Removable Storage
  E-Mail and Downloads
  Shared Directories
  Defending against Viruses
  Antivirus Software
  Configuration Hardening
  User Education
  Malware Self-Preservation Techniques
  Stealthing
  Polymorphism and Metamorphism
  Antivirus Deactivation
  Thwarting Malware Self-Preservation Techniques
  Conclusions
  Summary
  References

Worms
  Why Worms?
  Taking over Vast Numbers of Systems
  Making Traceback More Difficult
  Amplifying Damage
  A Brief History of Worms
  Worm Components
  The Worm Warhead
  Propagation Engine
  Target Selection Algorithm
  Scanning Engine
  Payload
  Bringing the Parts Together: Nimda Case Study
  Impediments to Worm Spread
  Diversity of Target Environment
  Crashing Victims Limits Spread
  Overexuberant Spread Could Congest Networks
  Don't Step on Yourself!
  Don't Get Stepped on By Someone Else
  The Coming Super Worms
  Multiplatform Worms
  Multiexploit Worms
  Zero-Day Exploit Worms
  Fast-Spreading Worms
  Polymorphic Worms
  Metamorphic Worms
  Truly Nasty Worms
  Bigger Isn't Always Better: The Un-Super Worm
  Worm Defenses
  Ethical Worms?
  Antivirus: A Good Idea, but Only with Other Defenses
  Deploy Vendor Patches and Harden Publicly Accessible Systems
  Block Arbitrary Outbound Connections
  Establish Incident Response Capabilities
  Don't Play with Worms, Even Ethical Ones, Unless...
  Conclusions
  Summary
  References

Malicious Mobile Code
  Browser Scripts
  Resource Exhaustion
  Browser Hijacking
  Stealing Cookies via Browser Vulnerabilities
  Cross-Site Scripting Attacks
  ActiveX Controls
  Using ActiveX Controls
  Malicious ActiveX Controls
  Exploiting Nonmalicious ActiveX Controls
  Defending against ActiveX Threats: Internet Explorer Settings
  Java Applets
  Using Java Applets
  Java Applet Security Model
  Malicious Java Applets
  Mobile Code in E-Mail Clients
  Elevated Access Privileges via E-Mail
  Defending against Elevated E-Mail Access
  Web Bugs and Privacy Concerns
  Defending against Web Bugs
  Distributed Applications and Mobile Code
  Additional Defenses against Malicious Mobile Code
  Antivirus Software
  Behavior-Monitoring Software
  Antispyware Tools
  Conclusions
  Summary
  References

Backdoors
  Different Kinds of Backdoor Access
  Installing Backdoors
  Starting Backdoors Automatically
  Setting Up Windows Backdoors to Start
  Defenses: Detecting Windows Backdoor Starting Techniques
  Starting UNIX Backdoors
  Defenses: Detecting UNIX Backdoor Starting Techniques
  All-Purpose Network Connection Gadget: Netcat
  Netcat Meets Standard In and Standard Out
  Netcat Backdoor Shell Listener
  Limitation of Simple Netcat Backdoor Shell Listener
  Shoveling a Shell with Netcat Backdoor Client
  Netcat + Crypto = Cryptcat
  Other Backdoor Shell Listeners
  Defenses against Backdoor Shell Listeners
  GUIs Across the Network, Starring Virtual Network Computing
  Let's Focus on VNC
  VNC Network Characteristics and Server Modes
  Shoveling a GUI with VNC
  Remote Installation of Windows VNC
  Remote GUI Defenses
  Backdoors without Ports
  ICMP Backdoors
  Nonpromiscuous Sniffing Backdoors
  Promiscuous Sniffing Backdoors
  Defenses against Backdoors without Ports
  Conclusions
  Summary
  References

Trojan Horses
  What's in a Name?
  Playing with Windows Suffixes
  Mimicking Other File Names
  The Dangers of Dot "." in Your Path
  Trojan Name Game Defenses
  Wrap Stars
  Wrapper Features
  Wrapper Defenses
  Trojaning Software Distribution Sites
  Trojaning Software Distribution the Old-Fashioned Way
  Popular New Trend: Going after Web Sites
  The Tcpdump and Libpcap Trojan Horse Backdoor
  Defenses against Trojan Software Distribution
  Poisoning the Source
  Code Complexity Makes Attack Easier
  Test? What Test?
  The Move Toward International Development
  Defenses against Poisoning the Source
  Co-opting a Browser: Setiri
  Setiri Components
  Setiri Communication
  Setiri Defenses
  Hiding Data in Executables: Stego and Polymorphism
  Hydan and Executable Steganography
  Hydan in Action
  Hydan Defenses
  Conclusions
  Summary
  References

User-Mode RootKits
  UNIX User-mode RootKits
  LRK Family
  The Universal RootKit (URK)
  File System Manipulation with RunEFS and the Defiler's Toolkit
  A Brief Overview of the ext2 File System
  UNIX RootKit Defenses
  Windows User-Mode RootKits
  Manipulating Windows Logon with FakeGINA
  WFP: How It Works and Attacks against It
  DLL Injection, API Hooking, and the AFX Windows RootKit
  User-Mode RootKit Defenses on Windows
  User-Mode RootKit Response on Windows
  Conclusions
  Summary
  References

Kernel-Mode RootKits
  What Is the Kernel?
  Kernel Manipulation Impact
  The Linux Kernel
  Adventures in the Linux Kernel
  Methods for Manipulating the Linux Kernel
  Defending the Linux Kernel
  The Windows Kernel
  Adventures in the Windows Kernel
  Methods for Manipulating the Windows Kernel
  Defending the Windows Kernel
  Conclusions
  Summary
  References

Going Deeper
  Setting the Stage: Different Layers of Malware
  Going Deeper: The Possibility of BIOS and Malware Microcode
  The Possibility of BIOS Malware
  Microcode Malware
  Combo Malware
  Lion: Linux Worm/RootKit Combo
  Bugbear: Windows Worm/Virus/Backdoor Combo
  But That's Not All (Unfortunately)
  Combo Malware Defenses
  Conclusions
  Summary
  References

Scenarios
  A Fly in the Ointment
  Invasion of the Kernel Snatchers
  Silence of the Worms
  Conclusions
  Summary

Malware Analysis
  Building a Malware Analysis Laboratory
  Caveats: Using Nonproduction Systems and Staying off of the Internet
  Overall Lab Architecture
  Virtualizing Everything
  Malware Analysis Process
  Analysis of Malware and Legitimate Software
  Preparation and Verification
  Loading the Specimen and Getting Ready for Analysis
  Static Analysis
  Dynamic Analysis
  Foiling Malware Analysis with Burneye
  Conclusion
  Summary
  References

Conclusion
  Useful Web Sites for Keeping Up
  Packet Storm Security
  Security Focus
  Global Information Assurance Certification
  Phrack Electronic Magazine
  The Honeynet Project
  Mega Security
  Infosec Writers
  Counterhack
  Parting Thoughts
  Parting Thoughts: Pessimist's Version
  Parting Thoughts: Optimist's Version

Index