BKDDSAIW.RVW   20031128

"Defense and Detection Strategies Against Internet Worms", Jose Nazario, 2004, 1-58053-537-2, U$85.00/C$131.95
%A   Jose Nazario jose@crimelabs.net
%C   685 Canton St., Norwood, MA 02062
%D   2004
%G   1-58053-537-2
%I   Artech House/Horizon
%O   U$85.00/C$131.95 800-225-9977 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1580535372/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1580535372/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580535372/robsladesin03-20
%P   287 p.
%T   "Defense and Detection Strategies Against Internet Worms"

The preface states that the book is intended for security professionals, security researchers, and academics in the field of computer science. It is obvious that the author has attempted to write the material in a scholastic tone, but the necessary rigour and structure of thought are missing. Chapter one, an introduction of sorts, provides random information of questionable utility, such as the table listing the discovery of vulnerabilities against the time that elapsed before those loopholes first appeared in active worms: no particular pattern seems to be indicated.

Part one is supposed to be a background and taxonomy. Chapter two provides us with a definition. Nazario has obviously taken the Cohenesque definition of viruses (as attaching to files) and then assumed that a worm is any self-replicating program that does *not* so bind. The definition therefore appears to include almost all current viruses, and yet the author also attempts to ascribe certain characteristics to worms, such as the control and construction of a network, and communication with other worm nodes. His later examples of worms, however, include a number that have none of these aspects. He lists a number of components of worms, and yet the communications, command, and intelligence elements are not inherently part of much modern malware, usually existing simply as specialized payloads.
A simplistic growth pattern (and the fact that worms can generate network traffic) is presented in chapter three, but the actual traffic patterns examined do not fully correspond to the projected graph. The history and taxonomy given in chapter four has numerous errors: even the fictional representative, the tapeworm from Brunner's "The Shockwave Rider," is introduced erroneously, since it didn't shut down the network in the book, but rather opened it. Workstations affected by the infamous Xerox PARC worm could be restarted, and a vaccine was neither needed nor produced. The Morris Worm was an enormous nuisance, but it hardly "crashed the Internet." (And Loveletter did the rounds in 2000, not 2001.) There is a quick précis of a number of lesser-known worms, and this may be helpful as a reference, but the analysis is very limited. The construction of a worm is described in chapter five, but the outline is often at odds with that given in chapter two.

Part two reviews worm trends. Chapter six reworks some of the material from chapter five into a facile listing of infection patterns (and presents an artificial "Shockwave Rider" pattern that does not seem to have any correspondence to reality). "Targets of attack," in chapter seven, simply enumerates network-connected devices. Nazario does attempt to bring in abstract concepts related to network topologies, but these have little practical bearing on worms in reality. The possible futures for worms, as expressed in chapter eight, deal mostly with existing and already used technologies. There is some effort made to model effects, but these are not fully analyzed.

Part three turns to detection. Chapter nine looks at traffic analysis, but only in terms of network-based intrusion detection, with rudimentary appraisal. Honeypots and "dark networks" (ranges of unused IP addresses) are said to be ways to detect and trap worms, but the explanation and dissection of the topic in chapter ten is very narrow.
Signature-based detection, in chapter eleven, revisits network-based intrusion detection, and adds a brief mention of file scanning.

Part four looks at defences. Chapter twelve's review of host-based defence deals primarily with system hardening, antivirus scanners, and the concept of throttling. Nazario seems very loath, in his discussion of firewalls in chapter thirteen, to admit that this is simply another type of signature. The use of scanning within application-level proxies is examined in chapter fourteen, although there seems to be some confusion with circuit-level proxies at points. Chapter fifteen, entitled "Attacking the Worm Network," outlines a number of active measures: except for the idea of "sticky" tarpits (after the LaBrea program model), all of them require extensive specific knowledge of individual worms. Chapter sixteen concludes the book.

Nazario's work does address the often neglected topic of worms, and he does break away from the mass of virus books that are locked into the traditional "file and boot infectors" model. His examples are drawn from more recent events, and he does attempt to analyze network effects and complications, rather than simply looking at systems in isolation. While he is to be commended for all this, his definition is too broad to provide for serious new modelling of the problem, and his analysis fails to provide a basis for future work. Still, for those who need a more complete picture of the malware threat, this work should be considered. It does provide new information, and does attempt to address the difference between worms, viruses, and other forms of malware. In this regard, it is a significant improvement over such lackluster spacefillers as Skoudis' "Malware" (cf. BKMLWFMC.RVW), the "E-mail Virus Protection Handbook" (cf. BKEMLVRS.RVW), Dunham's "Bigelow's Virus Troubleshooting Pocket Reference" (cf. BKBVRTPR.RVW), Schmauder's "Virus Proof" (cf. BKVRSPRF.RVW), and even Grimes' somewhat better "Malicious Mobile Code" (cf. BKMLMBCD.RVW).

copyright Robert M. Slade, 2003