"Malicious Mobile Code", Roger A. Grimes, 2001, 1-56592-682-X,
%A Roger A. Grimes roger@...
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%I O'Reilly & Associates, Inc.
%O U$39.95/C$59.95 800-998-9938 fax: 707-829-0104 nuts@...
%P 522 p.
%T "Malicious Mobile Code: Virus Protection for Windows"
I have to admit to a very definite bias. My co-authors and I have
just finished a book that attempts to provide up to date virus
protection information to sysadmins. As I understand it, ours will be
printed about three weeks after this one.
I also have a problem with the title. Grimes appears to be trying to
carve himself out a niche by promoting a term that nobody else is
currently using. And the subtitle should more properly be, "Risk
Mitigation for Microsoft Software." However, if you are using
Windows, there is a good deal of information is this book that, with
some diligience and additional work on your part, can help improve
Grimes starts off the book by listing some fallacies that we have
always believed. "You can't get a virus by simply reading an email."
(OK, Microsoft has amply demonstrated that they've added virus
capabilities to their mail software.) "Malicious code can't harm
hardware." (Well, quibbles about terminology aside, it usually
can't.) "A virus can't hide from a booted write-protected diskette."
(Ummm, I'm not sure that sentence even *means* anything.)
Melissa and the Love Bug were serious nuisances, and even worse, but
is it really accurate to say that they shut down tens of thousands of
This book is intended for intermediate and advanced users and system
administrators, and addresses only the Microsoft Windows operating
systems. While I would agree that Windows is the system most in need
of virus protection and help, this focus does limit the audience.
Grimes also tries to avoid the virus/worm/replicating trojan argument
with the use of the term malicious mobile code, and states that the
book does not deal with attacks and security holes, but the coverage
of trojans, RATs (Remote Access/Administration Trojans/Tools), and
browser attacks seems to contradict that position. (In fact, the more
detailed description of "malicious mobile code," and the MMC acronym
that Grimes creates, seems to be amply covered under the more commonly
used term malware.)
Chapter one provides a very brief outline of some malware related
concepts. Most of the chapter concentrates on the virus writing
community, although only in a superficial way. Grimes obviously feels
sympathetic towards virus writers, and presents their own stories
without criticism or analysis. Some details of the MS-DOS operating
system, as well as basic virus technologies, are given in chapter two.
The programming particulars, and a bit of virus source code, are
likely to be of more help to budding virus writers than to the
defending sysadmins. There are copious errors in the information
listed about specific viruses. Sometimes the material is careless,
such as the assertion that Michelangelo formats hard drives (the
original version overwrites sections of the disk, and only the disk
booted from on the trigger date). In other places the wording is
slipshod, such as the implication that a seldom seen screen artifact
of the Jerusalem virus is somehow responsible for file deletion.
(Oddly, while Grimes does not appear to have done serious research he
has obviously read my stuff at some point: one of the examples is
taken almost word for word from my writings. Other passages
originating in my work are recognizable, although not quite as
blatant.) The recovery advice is also suspect: he reiterates the
rather dangerous suggestions to format the disk or use FDISK /MBR.
Some very useful information about Windows, particularly the 9x, NT,
and higher versions, is presented in chapter three. The material does
not often deal with malware as such, and, in a number of cases,
details are either too particular or not specific enough. A few
"native" Windows viruses are described in chapter four, along with
some useful general security and recovery tips. Unfortunately, the
virus detection and recovery tips are derivative, vague, and not
always comprehensive. Chapter five has explanations of the VBA
(Visual Basic for Applications) macro system in Microsoft Office
applications, and lists some common macro viruses.
Chapter six lumps trojans, worms, backdoors, and DDoS (Distributed
Denial of Service) packages together in a somewhat confusing manner.
One useful inclusion in the material is a list of RAT utilized port
numbers. The invention of real-time conferencing, or instant
messaging, appears to be credited to AOL, in chapter seven, although
various forms existed long before AOL's existence. All forms of chat
or messaging seem to be lumped together in the chapter, although it
concentrates on the technology and examples from IRC (Internet Relay
Chapter eight contains a reasonable overview of Web browser
technologies, although Grimes makes the usual mistakes, such as
confusing Secure HyperText Transfer Protocol (S-HTTP) with the https
protocol specifier actually used by Secure Sockets Layer (SSL). A
number of old program bugs and exploits are described in chapter nine.
Most relate to browsers, although some depend on HTML enabled mail
clients. The preventive measures listed, however, deal strictly with
the settings on recent versions of Microsoft's Internet Explorer, and
do not mention other browsers at all. Since Java applet bugs and
exploits have been confined to implementation errors, it is difficult
to understand why chapter ten was included in the book. Again, some
older exploits are described, and there is a bit of confusion in the
text between the applet sandbox model and the full Java security
model. Chapter eleven examines the possibility of the malicious
misuses of the ActiveX system, but first it spends a lot of time and
space presenting the one security aspect of ActiveX: digital
signatures. By doing so, Grimes is giving Microsoft way more than the
benefit of the doubt. The text does, eventually, get around to
pointing out some of the flaws in the Authenticode system, but the
structure of the chapter works to downplay the dangers.
In chapter twelve, the Microsoft chauvinism that has been evident in
prior sections ramps up to full throttle. Grimes states that it isn't
just Outlook that can be exploited for email viruses, any mail client
could be so abused. (He later has to tacitly admit that almost no
other email client has been so utilized, and none to the same extent.)
There is even a paean of praise to Windows Script Host, the
application that made the Love Bug possible. The material on virus
hoaxes, in chapter thirteen, is a bit of a mix, but does have a good
list of signs to watch for. Defence consists mainly of a generic
security planning process and a reasonable, though brief, outline of
the types of antiviral software, in chapter fourteen. Chapter fifteen
finishes off with the usual look to the future.
Overall, the content is wide-ranging, but not complete. There is
coverage of a broader range of topics than was the case with other
recent books, such as Dunham (cf. BKBVRTPR.RVW) and Schmauder (cf.
BKVRSPRF.RVW). However, depth of research and understanding of the
problem is not in evidence. The material is very questionable in view
of the number of errors Grimes makes in his retailing of details of
While some support and background content is included, the book is
written in a very field independent style: at the end of the chapter
you are simply supposed to do what Grimes tells you to, and believe
what he says.
There is virus code in the book. Not extensively, perhaps, but it is
there. Grimes justifies its presence by saying that it is not code
for an entire virus, and that he has made changes to disable it in any
case. Unfortunately, it is real code, for some important sections of
viruses, and the missing and changed bits aren't all that hard to
spot. While it would not allow wannabe vxers to compile a complete
virus right off the page, it would help any semi-competent code dweeb
write a more functional virus. And, all protestations
notwithstanding, it doesn't provide any help to the user or network
Aside from problems with the content, Grimes' organization and writing
is careless and difficult to understand. The chapters address
individual topics, and have a standard structure, but the structure is
only a template. Within each topic the flow of sections and even
paragraphs does not always course logically. The illustrations and
figures are not very informative.
This is not a good book on viruses or malware. The breadth of
coverage and detailed content on macro and email virus technology does
save it from being really awful: up to the summer of 2001 no other
book has dealt with those topics in sufficient depth. And the
MS-centrism does have one very positive advantage. If you absolutely
must use Microsoft software and applications, the prevention sections
of the various chapters do contain a lot of detail that will be useful
in reducing the risk that you face.
copyright Robert M. Slade, 2001 BKMLMBCD.RVW 20010814
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.