
The Art of Computer Virus Research and Defense



Paperback, by Peter Szor


WAS £40.49   SAVE £6.07

£34.42

ISBN: 9780321304544
Publication Date: 17 Feb 2005
Language: English
Publisher: Pearson Education (US)
Imprint: Addison-Wesley Educational Publishers Inc
Pages: 744 pages
Format: Paperback

Description

Peter Szor takes you behind the scenes of anti-virus research, showing how viruses are analyzed, how they spread, and, most importantly, how to effectively defend against them. This book offers an encyclopedic treatment of the computer virus, including: a history of computer viruses, virus behavior, classification, protection strategies, anti-virus and worm-blocking techniques, and how to conduct an accurate threat analysis. The Art of Computer Virus Research and Defense entertains readers with its look at anti-virus research, but more importantly it truly arms them in the fight against computer viruses. As one of the lead researchers behind Norton AntiVirus, the most popular antivirus program in the industry, Peter Szor studies viruses every day. By showing how viruses really work, this book will help security professionals and students protect against them, recognize them, and analyze and limit the damage they can do.

Contents

About the Author
Preface
Acknowledgments

I. STRATEGIES OF THE ATTACKER

1. Introduction to the Games of Nature
   Early Models of Self-Replicating Structures; John von Neumann: Theory of Self-Reproducing Automata; Fredkin: Reproducing Structures; Conway: Game of Life; Core War: The Fighting Programs; Genesis of Computer Viruses; Automated Replicating Code: The Theory and Definition of Computer Viruses; References

2. The Fascination of Malicious Code Analysis
   Common Patterns of Virus Research; Antivirus Defense Development; Terminology of Malicious Programs; Viruses; Worms; Logic Bombs; Trojan Horses; Germs; Exploits; Downloaders; Dialers; Droppers; Injectors; Auto-Rooters; Kits (Virus Generators); Spammer Programs; Flooders; Keyloggers; Rootkits; Other Categories; Joke Programs; Hoaxes: Chain Letters; Other Pests: Adware and Spyware; Computer Malware Naming Scheme (one subsection per separator of the naming convention: "://", "/", ".", "[]", ":", "#", "@m or @mm", "!"); Annotated List of Officially Recognized Platform Names; References

3. Malicious Code Environments
   Computer Architecture Dependency; CPU Dependency; Operating System Dependency; Operating System Version Dependency; File System Dependency; Cluster Viruses; NTFS Stream Viruses; NTFS Compression Viruses; ISO Image Infection; File Format Dependency; COM Viruses on DOS; EXE Viruses on DOS; NE (New Executable) Viruses on 16-bit Windows and OS/2; LX Viruses on OS/2; PE (Portable Executable) Viruses on 32-bit Windows; ELF (Executable and Linking Format) Viruses on UNIX; Device Driver Viruses; Object Code and LIB Viruses; Interpreted Environment Dependency; Macro Viruses in Microsoft Products; REXX Viruses on IBM Systems; DCL (DEC Command Language) Viruses on DEC/VMS; Shell Scripts on UNIX (csh, ksh, and bash); VBScript (Visual Basic Script) Viruses on Windows Systems; BATCH Viruses; Instant Messaging Viruses in mIRC, PIRCH scripts; SuperLogo Viruses; JScript Viruses; Perl Viruses; WebTV Worms in JellyScript Embedded in HTML Mail; Python Viruses; VIM Viruses; EMACS Viruses; TCL Viruses; PHP Viruses; MapInfo Viruses; ABAP Viruses on SAP; Help File Viruses on Windows: When You Press F1...; JScript Threats in Adobe PDF; AppleScript Dependency; ANSI Dependency; Macromedia Flash ActionScript Threats; HyperTalk Script Threats; AutoLisp Script Viruses; Registry Dependency; PIF and LNK Dependency; Lotus Word Pro Macro Viruses; AmiPro Document Viruses; Corel Script Viruses; Lotus 1-2-3 Macro Dependency; Windows Installation Script Dependency; AUTORUN.INF and Windows INI File Dependency; HTML (Hypertext Markup Language) Dependency; Vulnerability Dependency; Date and Time Dependency; JIT Dependency: Microsoft .NET Viruses; Archive Format Dependency; File Format Dependency Based on Extension; Network Protocol Dependency; Source Code Dependency; Source Code Trojans; Resource Dependency on Mac and Palm Platforms; Host Size Dependency; Debugger Dependency; Intended Threats that Rely on a Debugger; Compiler and Linker Dependency; Device Translator Layer Dependency; Embedded Object Insertion Dependency; Self-Contained Environment Dependency; Multipartite Viruses; Conclusion; References

4. Classification of Infection Strategies
   Boot Viruses; Master Boot Record (MBR) Infection Techniques; DOS BOOT Record (DBR) Infection Techniques; Boot Viruses That Work While Windows 95 Is Active; Possible Boot Image Attacks in Network Environments; File Infection Techniques; Overwriting Viruses; Random Overwriting Viruses; Appending Viruses; Prepending Viruses; Classic Parasitic Viruses; Cavity Viruses; Fractionated Cavity Viruses; Compressing Viruses; Amoeba Infection Technique; Embedded Decryptor Technique; Embedded Decryptor and Virus Body Technique; Obfuscated Tricky Jump Technique; Entry-Point Obscuring (EPO) Viruses; Possible Future Infection Techniques: Code Builders; An In-Depth Look at Win32 Viruses; The Win32 API and Platforms That Support It; Infection Techniques on 32-Bit Windows; Win32 and Win64 Viruses: Designed for Microsoft Windows?; Conclusion; References

5. Classification of In-Memory Strategies
   Direct-Action Viruses; Memory-Resident Viruses; Interrupt Handling and Hooking; Hook Routines on INT 13h (Boot Viruses); Hook Routines on INT 21h (File Viruses); Common Memory Installation Techniques Under DOS; Stealth Viruses; Disk Cache and System Buffer Infection; Temporary Memory-Resident Viruses; Swapping Viruses; Viruses in Processes (in User Mode); Viruses in Kernel Mode (Windows 9x/Me); Viruses in Kernel Mode (Windows NT/2000/XP); In-Memory Injectors over Networks; References

6. Basic Self-Protection Strategies
   Tunneling Viruses; Memory Scanning for Original Handler; Tracing with Debug Interfaces; Code Emulation-Based Tunneling; Accessing the Disk Using Port I/O; Using Undocumented Functions; Armored Viruses; Antidisassembly; Encrypted Data; Code Confusion to Avoid Analysis; Opcode Mixing-Based Code Confusion; Using Checksum; Compressed, Obfuscated Code; Antidebugging; Antiheuristics; Antiemulation Techniques; Antigoat Viruses; Aggressive Retroviruses; References

7. Advanced Code Evolution Techniques and Computer Virus Generator Kits
   Introduction; Evolution of Code; Encrypted Viruses; Oligomorphic Viruses; Polymorphic Viruses; The 1260 Virus; The Dark Avenger Mutation Engine (MtE); 32-Bit Polymorphic Viruses; Metamorphic Viruses; What Is a Metamorphic Virus?; Simple Metamorphic Viruses; More Complex Metamorphic Viruses and Permutation Techniques; Mutating Other Applications: The Ultimate Virus Generator?; Advanced Metamorphic Viruses: Zmist; {W32, Linux}/Simile: A Metamorphic Engine Across Systems; The Dark Future: MSIL Metamorphic Viruses; Virus Construction Kits; VCS (Virus Construction Set); GenVir; VCL (Virus Creation Laboratory); PS-MPC (Phalcon-Skism Mass-Produced Code Generator); NGVCK (Next Generation Virus Creation Kit); Other Kits and Mutators; How to Test a Virus Construction Tool?; References

8. Classification According to Payload
   No-Payload; Accidentally Destructive Payload; Nondestructive Payload; Somewhat Destructive Payload; Highly Destructive Payload; Viruses That Overwrite Data; Data Diddlers; Viruses That Encrypt Data: The "Good," the Bad, and the Ugly; Hardware Destroyers; DoS (Denial of Service) Attacks; Data Stealers: Making Money with Viruses; Phishing Attacks; Backdoor Features; Conclusion; References

9. Strategies of Computer Worms
   Introduction; The Generic Structure of Computer Worms; Target Locator; Infection Propagator; Remote Control and Update Interface; Life-Cycle Manager; Payload; Self-Tracking; Target Locator; E-Mail Address Harvesting; Network Share Enumeration Attacks; Network Scanning and Target Fingerprinting; Infection Propagators; Attacking Backdoor-Compromised Systems; Peer-to-Peer Network Attacks; Instant Messaging Attacks; E-Mail Worm Attacks and Deception Techniques; E-Mail Attachment Inserters; SMTP Proxy-Based Attacks; SMTP Attacks; SMTP Propagation on Steroids Using MX Queries; NNTP (Network News Transfer Protocol) Attacks; Common Worm Code Transfer and Execution Techniques; Executable Code-Based Attacks; Links to Web Sites or Web Proxies; HTML-Based Mail; Remote Login-Based Attacks; Code Injection Attacks; Shell Code-Based Attacks; Update Strategies of Computer Worms; Authenticated Updates on the Web or Newsgroups; Backdoor-Based Updates; Remote Control via Signaling; Peer-to-Peer Network Control; Intentional and Accidental Interactions; Cooperation; Competition; The Future: A Simple Worm Communication Protocol?; Wireless Mobile Worms; References

10. Exploits, Vulnerabilities, and Buffer Overflow Attacks
   Introduction; Definition of Blended Attack; The Threat; Background; Types of Vulnerabilities; Buffer Overflows; First-Generation Attacks; Second-Generation Attacks; Third-Generation Attacks; Current and Previous Threats; The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode); Linux/ADM, 1998 ("Copycatting" the Morris Worm); The CodeRed Outbreak, 2001 (The Code Injection Attack); Linux/Slapper Worm, 2002 (A Heap Overflow Example); W32/Slammer Worm, January 2003 (The Mini Worm); Blaster Worm, August 2003 (Shellcode-Based Attack on Win32); Generic Buffer Overflow Usage in Computer Viruses; Description of W32/Badtrans.B@mm; Exploits in W32/Nimda.A@mm; Description of W32/Bolzano; Description of VBS/Bubbleboy; Description of W32/Blebla; Summary; References

II. STRATEGIES OF THE DEFENDER

11. Antivirus Defense Techniques
   First-Generation Scanners; String Scanning; Wildcards; Mismatches; Generic Detection; Hashing; Bookmarks; Top-and-Tail Scanning; Entry-Point and Fixed-Point Scanning; Hyperfast Disk Access; Second-Generation Scanners; Smart Scanning; Skeleton Detection; Nearly Exact Identification; Exact Identification; Algorithmic Scanning Methods; Filtering; Static Decryptor Detection; The X-RAY Method; Code Emulation; Encrypted and Polymorphic Virus Detection Using Emulation; Dynamic Decryptor Detection; Metamorphic Virus Detection Examples; Geometric Detection; Disassembling Techniques; Using Emulators for Tracing; Heuristic Analysis of 32-Bit Windows Viruses; Code Execution Starts in the Last Section; Suspicious Section Characteristics; Virtual Size Is Incorrect in PE Header; Possible "Gap" Between Sections; Suspicious Code Redirection; Suspicious Code Section Name; Possible Header Infection; Suspicious Imports from KERNEL32.DLL by Ordinal; Import Address Table Is Patched; Multiple PE Headers; Multiple Windows Headers and Suspicious KERNEL32.DLL Imports; Suspicious Relocations; Kernel Look-Up; Kernel Inconsistency; Loading a Section into the VMM Address Space; Incorrect Size of Code in Header; Examples of Suspicious Flag Combinations; Heuristic Analysis Using Neural Networks; Regular and Generic Disinfection Methods; Standard Disinfection; Generic Decryptors; How Does a Generic Disinfector Work?; How Can the Disinfector Be Sure That the File Is Infected?; Where Is the Original End of the Host File?; How Many Virus Types Can We Handle This Way?; Examples of Heuristics for Generic Repair; Generic Disinfection Examples; Inoculation; Access Control Systems; Integrity Checking; False Positives; Clean Initial State; Speed; Special Objects; Necessity of Changed Objects; Possible Solutions; Behavior Blocking; Sand-Boxing; Conclusion; References

12. Memory Scanning and Disinfection
   Introduction; The Windows NT Virtual Memory System; Virtual Address Spaces; Memory Scanning in User Mode; The Secrets of NtQuerySystemInformation(); Common Processes and Special System Rights; Viruses in the Win32 Subsystem; Win32 Viruses That Allocate Private Pages; Native Windows NT Service Viruses; Win32 Viruses That Use a Hidden Window Procedure; Win32 Viruses That Are Part of the Executed Image Itself; Memory Scanning and Paging; Enumerating Processes and Scanning File Images; Memory Disinfection; Terminating a Particular Process That Contains Virus Code; Detecting and Terminating Virus Threads; Patching the Virus Code in the Active Pages; How to Disinfect Loaded DLLs and Running Applications; Memory Scanning in Kernel Mode; Scanning the User Address Space of Processes; Determining NT Service API Entry Points; Important NT Functions for Kernel-Mode Memory Scanning; Process Context; Scanning the Upper 2GB of Address Space; How Can You Deactivate a Filter Driver Virus?; Dealing with Read-Only Kernel Memory; Kernel-Mode Memory Scanning on 64-Bit Platforms; Possible Attacks Against Memory Scanning; Conclusion and Future Work; References

13. Worm-Blocking Techniques and Host-Based Intrusion Prevention
   Introduction; Script Blocking and SMTP Worm Blocking; New Attacks to Block: CodeRed, Slammer; Techniques to Block Buffer Overflow Attacks; Code Reviews; Compiler-Level Solutions; Operating System-Level Solutions and Run-Time Extensions; Subsystem Extensions: Libsafe; Kernel Mode Extensions; Program Shepherding; Worm-Blocking Techniques; Injected Code Detection; Send Blocking: An Example of Blocking Self-Sending Code; Exception Handler Validation; Other Return-to-LIBC Attack Mitigation Techniques; "GOT" and "IAT" Page Attributes; High Number of Connections and Connection Errors; Possible Future Worm Attacks; A Possible Increase of Retroworms; "Slow" Worms Below the Radar; Polymorphic and Metamorphic Worms; Large-Scale Damage; Automated Exploit Discovery: Learning from the Environment; Conclusion; References

14. Network-Level Defense Strategies
   Introduction; Using Router Access Lists; Firewall Protection; Network-Intrusion Detection Systems; Honeypot Systems; Counterattacks; Early Warning Systems; Worm Behavior Patterns on the Network; Capturing the Blaster Worm; Capturing the Linux/Slapper Worm; Capturing the W32/Sasser.D Worm; Capturing the Ping Requests of the W32/Welchia Worm; Detecting W32/Slammer and Related Exploits; Conclusion; References

15. Malicious Code Analysis Techniques
   Your Personal Virus Analysis Laboratory; How to Get the Software?; Information, Information, Information; Architecture Guides; Knowledge Base; Dedicated Virus Analysis on VMWARE; The Process of Computer Virus Analysis; Preparation; Unpacking; Disassembling and Decryption; Dynamic Analysis Techniques; Maintaining a Malicious Code Collection; Automated Analysis: The Digital Immune System; References

16. Conclusion
   Further Reading; Information on Security and Early Warnings; Security Updates; Computer Worm Outbreak Statistics; Computer Virus Research Papers; Contact Information for Antivirus Vendors; Antivirus Testers and Related Sites

Index
