Book Review: Virus Research & Defense

Written by Administrator

Wednesday, 16 April 2008

I recently finished reading The Art of Computer Virus Research and Defense and believe me that was no small task. It's easily one of the more technical books you will read. That's a tribute to the author, Peter Szor, who in my opinion is one of the founding fathers of malware analysis. His knowledge on this subject is immense. To get the most out of the book though, you would be advised to have at least a basic understanding of C++ code, IA32 Assembly, and Windows APIs. It would be even better if you had some debugging and malware profiling experience. The book's aim is to provide a thorough understanding of viruses by type, infection strategy and payload strategy, while explaining antivirus techniques and mitigation options.

Before I delve into the content too much, I would like to touch on some of the shortfalls of the book. First off, it's not written in a traditional manner that could be easily used as a reference. It very much reads like a wiki or personal notes, which it is in effect, however that doesn't make for easy reading. I also felt the first 3 chapters took up way too much space, which could have been used for more productive topics. I particularly hated Chapter 3, where every virus type and dependency is simply listed out in no cohesive manner. My only other complaint would be that the discussion of older, non-relevant viruses should have been limited to a concept only, with more focus on a deeper understanding of more current threats. I would like to have seen several in-depth case studies in the appendix (CodeRed, Sasser, Blaster, Bagle, Slammer, etc). I also wish it came in hard cover, because my paperback binding is already in shambles from frequent page turning and rereading.

On to the good stuff. Chapter 4's discussion of Win32 viruses and coverage of the PE format was great. It helped me understand things quite a bit better, and had lots of code and memory visuals to look at. It's probably the best section in the first half of the book. His coverage of in-memory strategies was also excellent and shows how malware can be read from memory after being injected in a process thread. I always wondered how heavily encrypted viruses were broken and now I know. They simply step through the code with a debugger until it's decrypted in memory and then they dump it. That leads to another great section on malware defense techniques. Sophisticated malware will actually put timers into the code so that it will know if someone is running it through a debugger line by line. The book also touches on poly- and metamorphic shellcode and the type of heuristics that can be used to detect them.

There is also a dedicated chapter to worms that is okay, and a really great chapter on exploits, vulnerabilities, and buffer overflows that is filled with all kinds of knowledge. The book also made me aware of a type of buffer overflow I hadn't known before: the "return-to-LIBC attack", where the stack is overflowed merely to pass malicious options to legitimate API calls. It is really hard to detect because there is no stack or heap execution. The second half of the book, Chapters 11-15, was just awesome. There were many strategies listed for dealing with worms via network controls. I particularly enjoyed Chapter 15, where he covered malicious code analysis using a defined methodology and mostly freely available tools. I also liked his advice on creating a sandbox with honeyd and a DNS server to virtualize network interaction. There is also much more coverage of heuristic functions, which can aid in profiling malware, as well as a great section on memory scanning and disinfection. It exposed me to a lot of the built-in API commands that you can use to identify and remove viruses from memory. There are almost too many great things to mention in the second half of the book, as mine is heavily highlighted, so you will definitely need to read it for yourself. I think this book, even being 3 years old now, still fills a niche in the market that no other book does. If you deal with malware on a weekly basis, I would recommend adding it to your library.

Last Updated (Thursday, 17 April 2008)

Another nail in the coffin for MD5

Written by Administrator

Monday, 03 December 2007

While collisions in MD5 hashes are nothing new, this most recent study by de Weger, Stevens, Lenstra (Article Link) adds even more concern to the trustworthiness of an MD5 hash. If you can't trust a signed executable, what can you trust? I think nothing. Their technique however requires much premeditation. It's not as if you can create a collision on an existing executable. To be effective in a malicious way, it would require that you create two executables up front with the same hash. This is done by appending 832 bytes of useless data to the existing executables. As you can imagine, this would make it very easy for a criminal to create two versions of software, one with a backdoor, that have the exact same MD5 hash. Of course, it would be easy for them to get the good one signed and then create a download site with the malicious one. While this is somewhat sophisticated, I could definitely see this being utilized by the hack-for-money crews. It doesn't take much to get your software posted on some shareware download site. Also, I could see elite crews even trying to get drivers signed in this method. So what are we supposed to do about it? The authors of the paper suggest that SHA-1 is much more resistant to collisions and is a better alternative. Despite that, I think a search for a better hashing and signing algorithm should get underway if it already hasn't. I don't think the threat is imminent by any means, but we will need something stronger in place within the next 2-3 years.

Last Updated (Tuesday, 04 December 2007)

Written by Administrator

Friday, 21 September 2007

I had the pleasure of reading Protect Your Windows Network From Perimeter To Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage, having been written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as it's a very good primer to security in a Windows environment. It's the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with.

Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes you will see some mild MS bias throughout, but they do a good job of reminding you in the text as well. I mean really, who recommends ISA server over a FW appliance like Netscreen, Checkpoint, or ASA, other than a MS employee or a Redmond Kool-aid drinker. Also, while this book contains great nuggets of information, for someone that's been in the security industry awhile, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way, just broadens the target audience some.

Last Updated (Wednesday, 16 April 2008)