
REVIEW: "Malicious Mobile Code", Roger A. Grimes

Rob, grandpa of Ryan, Trevor, Devon & Ha
Message 1 of 1, Oct 29, 2001
      BKMLMBCD.RVW 20010814

      "Malicious Mobile Code", Roger A. Grimes, 2001, 1-56592-682-X,
      U$39.95/C$59.95
      %A Roger A. Grimes roger@...
      %C 103 Morris Street, Suite A, Sebastopol, CA 95472
      %D 2001
      %G 1-56592-682-X
      %I O'Reilly & Associates, Inc.
      %O U$39.95/C$59.95 800-998-9938 fax: 707-829-0104 nuts@...
      %P 522 p.
      %T "Malicious Mobile Code: Virus Protection for Windows"

      I have to admit to a very definite bias. My co-authors and I have
      just finished a book that attempts to provide up to date virus
      protection information to sysadmins. As I understand it, ours will be
      printed about three weeks after this one.

      I also have a problem with the title. Grimes appears to be trying to
      carve himself out a niche by promoting a term that nobody else is
      currently using. And the subtitle should more properly be, "Risk
      Mitigation for Microsoft Software." However, if you are using
      Windows, there is a good deal of information in this book that, with
      some diligence and additional work on your part, can help improve
      your security.

      Grimes starts off the book by listing some fallacies that we have
      always believed. "You can't get a virus by simply reading an email."
      (OK, Microsoft has amply demonstrated that they've added virus
      capabilities to their mail software.) "Malicious code can't harm
      hardware." (Well, quibbles about terminology aside, it usually
      can't.) "A virus can't hide from a booted write-protected diskette."
      (Ummm, I'm not sure that sentence even *means* anything.)

      Melissa and the Love Bug were serious nuisances, and even worse, but
      is it really accurate to say that they shut down tens of thousands of
      networks?

      This book is intended for intermediate and advanced users and system
      administrators, and addresses only the Microsoft Windows operating
      systems. While I would agree that Windows is the system most in need
      of virus protection and help, this focus does limit the audience.
      Grimes also tries to avoid the virus/worm/replicating trojan argument
      with the use of the term malicious mobile code, and states that the
      book does not deal with attacks and security holes, but the coverage
      of trojans, RATs (Remote Access/Administration Trojans/Tools), and
      browser attacks seems to contradict that position. (In fact, the more
      detailed description of "malicious mobile code," and the MMC acronym
      that Grimes creates, seems to be amply covered under the more commonly
      used term malware.)

      Chapter one provides a very brief outline of some malware related
      concepts. Most of the chapter concentrates on the virus writing
      community, although only in a superficial way. Grimes obviously feels
      sympathetic towards virus writers, and presents their own stories
      without criticism or analysis. Some details of the MS-DOS operating
      system, as well as basic virus technologies, are given in chapter two.
      The programming particulars, and a bit of virus source code, are
      likely to be of more help to budding virus writers than to the
      defending sysadmins. There are copious errors in the information
      listed about specific viruses. Sometimes the material is careless,
      such as the assertion that Michelangelo formats hard drives (the
      original version overwrites sections of the disk, and only the disk
      booted from on the trigger date). In other places the wording is
      slipshod, such as the implication that a seldom seen screen artifact
      of the Jerusalem virus is somehow responsible for file deletion.
      (Oddly, while Grimes does not appear to have done serious research he
      has obviously read my stuff at some point: one of the examples is
      taken almost word for word from my writings. Other passages
      originating in my work are recognizable, although not quite as
      blatant.) The recovery advice is also suspect: he reiterates the
      rather dangerous suggestions to format the disk or use FDISK /MBR.

      Some very useful information about Windows, particularly the 9x, NT,
      and higher versions, is presented in chapter three. The material does
      not often deal with malware as such, and, in a number of cases,
      details are either too particular or not specific enough. A few
      "native" Windows viruses are described in chapter four, along with
      some useful general security and recovery tips. Unfortunately, the
      virus detection and recovery tips are derivative, vague, and not
      always comprehensive. Chapter five has explanations of the VBA
      (Visual Basic for Applications) macro system in Microsoft Office
      applications, and lists some common macro viruses.

      Chapter six lumps trojans, worms, backdoors, and DDoS (Distributed
      Denial of Service) packages together in a somewhat confusing manner.
      One useful inclusion in the material is a list of RAT utilized port
      numbers. The invention of real-time conferencing, or instant
      messaging, appears to be credited to AOL, in chapter seven, although
      various forms existed long before AOL's existence. All forms of chat
      or messaging seem to be lumped together in the chapter, although it
      concentrates on the technology and examples from IRC (Internet Relay
      Chat).

      Chapter eight contains a reasonable overview of Web browser
      technologies, although Grimes makes the usual mistakes, such as
      confusing Secure HyperText Transfer Protocol (S-HTTP) with the https
      protocol specifier actually used by Secure Sockets Layer (SSL). A
      number of old program bugs and exploits are described in chapter nine.
      Most relate to browsers, although some depend on HTML enabled mail
      clients. The preventive measures listed, however, deal strictly with
      the settings on recent versions of Microsoft's Internet Explorer, and
      do not mention other browsers at all. Since Java applet bugs and
      exploits have been confined to implementation errors, it is difficult
      to understand why chapter ten was included in the book. Again, some
      older exploits are described, and there is a bit of confusion in the
      text between the applet sandbox model and the full Java security
      model. Chapter eleven examines the possibility of the malicious
      misuses of the ActiveX system, but first it spends a lot of time and
      space presenting the one security aspect of ActiveX: digital
      signatures. By doing so, Grimes is giving Microsoft way more than the
      benefit of the doubt. The text does, eventually, get around to
      pointing out some of the flaws in the Authenticode system, but the
      structure of the chapter works to downplay the dangers.

      In chapter twelve, the Microsoft chauvinism that has been evident in
      prior sections ramps up to full throttle. Grimes states that it isn't
      just Outlook that can be exploited for email viruses, any mail client
      could be so abused. (He later has to tacitly admit that almost no
      other email client has been so utilized, and none to the same extent.)
      There is even a paean of praise to Windows Script Host, the
      application that made the Love Bug possible. The material on virus
      hoaxes, in chapter thirteen, is a bit of a mix, but does have a good
      list of signs to watch for. Defence consists mainly of a generic
      security planning process and a reasonable, though brief, outline of
      the types of antiviral software, in chapter fourteen. Chapter fifteen
      finishes off with the usual look to the future.

      Overall, the content is wide-ranging, but not complete. There is
      coverage of a broader range of topics than was the case with other
      recent books, such as Dunham (cf. BKBVRTPR.RVW) and Schmauder (cf.
      BKVRSPRF.RVW). However, depth of research and understanding of the
      problem is not in evidence. The material is very questionable in view
      of the number of errors Grimes makes in his retailing of details of
      specific viruses.

      While some support and background content is included, the book is
      written in a very field independent style: at the end of the chapter
      you are simply supposed to do what Grimes tells you to, and believe
      what he says.

      There is virus code in the book. Not extensively, perhaps, but it is
      there. Grimes justifies its presence by saying that it is not code
      for an entire virus, and that he has made changes to disable it in any
      case. Unfortunately, it is real code, for some important sections of
      viruses, and the missing and changed bits aren't all that hard to
      spot. While it would not allow wannabe vxers to compile a complete
      virus right off the page, it would help any semi-competent code dweeb
      write a more functional virus. And, all protestations
      notwithstanding, it doesn't provide any help to the user or network
      manager.

      Aside from problems with the content, Grimes' organization and writing
      are careless and difficult to understand. The chapters address
      individual topics, and have a standard structure, but the structure is
      only a template. Within each topic the flow of sections and even
      paragraphs does not always course logically. The illustrations and
      figures are not very informative.

      This is not a good book on viruses or malware. The breadth of
      coverage and detailed content on macro and email virus technology does
      save it from being really awful: up to the summer of 2001 no other
      book has dealt with those topics in sufficient depth. And the
      MS-centrism does have one very positive advantage. If you absolutely
      must use Microsoft software and applications, the prevention sections
      of the various chapters do contain a lot of detail that will be useful
      in reducing the risk that you face.

      copyright Robert M. Slade, 2001 BKMLMBCD.RVW 20010814


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade