BKMLMBCD.RVW   20010814

"Malicious Mobile Code", Roger A. Grimes, 2001, 1-56592-682-X, U$39.95/C$59.95
%A   Roger A. Grimes roger@rogeragrimes.com
%C   103 Morris Street, Suite A, Sebastopol, CA 95472
%D   2001
%G   1-56592-682-X
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$59.95 800-998-9938 fax: 707-829-0104 nuts@ora.com
%P   522 p.
%T   "Malicious Mobile Code: Virus Protection for Windows"

I have to admit to a very definite bias. My co-authors and I have just finished a book that attempts to provide up-to-date virus protection information to sysadmins. As I understand it, ours will be printed about three weeks after this one.

I also have a problem with the title. Grimes appears to be trying to carve out a niche for himself by promoting a term that nobody else is currently using. And the subtitle should more properly be "Risk Mitigation for Microsoft Software." However, if you are using Windows, there is a good deal of information in this book that, with some diligence and additional work on your part, can help improve your security.

Grimes starts off the book by listing some fallacies that we have always believed. "You can't get a virus by simply reading an email." (OK, Microsoft has amply demonstrated that it has added virus capabilities to its mail software.) "Malicious code can't harm hardware." (Well, quibbles about terminology aside, it usually can't.) "A virus can't hide from a booted write-protected diskette." (Ummm, I'm not sure that sentence even *means* anything.) Melissa and the Love Bug were serious nuisances, and even worse, but is it really accurate to say that they shut down tens of thousands of networks?

This book is intended for intermediate and advanced users and system administrators, and addresses only the Microsoft Windows operating systems. While I would agree that Windows is the system most in need of virus protection and help, this focus does limit the audience.
Grimes also tries to avoid the virus/worm/replicating-trojan argument by using the term "malicious mobile code," and states that the book does not deal with attacks and security holes, but the coverage of trojans, RATs (Remote Access/Administration Trojans/Tools), and browser attacks seems to contradict that position. (In fact, the more detailed description of "malicious mobile code," and the MMC acronym that Grimes creates, seem to be amply covered by the more commonly used term malware.)

Chapter one provides a very brief outline of some malware-related concepts. Most of the chapter concentrates on the virus-writing community, although only in a superficial way. Grimes obviously feels sympathetic towards virus writers, and presents their own stories without criticism or analysis.

Some details of the MS-DOS operating system, as well as basic virus technologies, are given in chapter two. The programming particulars, and a bit of virus source code, are likely to be of more help to budding virus writers than to defending sysadmins. There are copious errors in the information listed about specific viruses. Sometimes the material is careless, such as the assertion that Michelangelo formats hard drives (the original version overwrites sections of the disk, and only on the disk that was booted from on the trigger date). In other places the wording is slipshod, such as the implication that a seldom-seen screen artifact of the Jerusalem virus is somehow responsible for file deletion. (Oddly, while Grimes does not appear to have done serious research, he has obviously read my stuff at some point: one of the examples is taken almost word for word from my writings. Other passages originating in my work are recognizable, although not quite as blatant.) The recovery advice is also suspect: he reiterates the rather dangerous suggestions to format the disk or use FDISK /MBR. (FDISK /MBR rewrites only the master boot code, not the partition table; against a boot-sector virus that has moved or encrypted the partition table, it can leave the partitions inaccessible rather than cleaning the disk.)
Some very useful information about Windows, particularly the 9x, NT, and later versions, is presented in chapter three. The material does not often deal with malware as such, and, in a number of cases, details are either too narrowly particular or not specific enough. A few "native" Windows viruses are described in chapter four, along with some useful general security and recovery tips. Unfortunately, the virus detection and recovery tips are derivative, vague, and not always comprehensive. Chapter five has explanations of the VBA (Visual Basic for Applications) macro system in Microsoft Office applications, and lists some common macro viruses. Chapter six lumps trojans, worms, backdoors, and DDoS (Distributed Denial of Service) packages together in a somewhat confusing manner. One useful inclusion in the material is a list of port numbers used by RATs.

The invention of real-time conferencing, or instant messaging, appears to be credited to AOL in chapter seven, although various forms existed long before AOL did. All forms of chat or messaging seem to be lumped together in the chapter, although it concentrates on the technology and examples of IRC (Internet Relay Chat). Chapter eight contains a reasonable overview of Web browser technologies, although Grimes makes the usual mistakes, such as confusing Secure HyperText Transfer Protocol (S-HTTP) with the https protocol specifier actually used by Secure Sockets Layer (SSL). (The two are unrelated: S-HTTP was a separate, message-level scheme that saw little deployment, whereas https is simply HTTP carried over an SSL connection.)

A number of old program bugs and exploits are described in chapter nine. Most relate to browsers, although some depend on HTML-enabled mail clients. The preventive measures listed, however, deal strictly with the settings in recent versions of Microsoft's Internet Explorer, and do not mention other browsers at all. Since Java applet bugs and exploits have been confined to implementation errors, it is difficult to understand why chapter ten was included in the book.
Again, some older exploits are described, and there is a bit of confusion in the text between the applet sandbox model and the full Java security model. Chapter eleven examines the possibility of malicious misuse of the ActiveX system, but first it spends a lot of time and space presenting the one security aspect of ActiveX: digital signatures. By doing so, Grimes is giving Microsoft way more than the benefit of the doubt: an Authenticode signature identifies the publisher of a control, but places no limit on what the control can do once it has been accepted and runs with the user's full privileges. The text does, eventually, get around to pointing out some of the flaws in the Authenticode system, but the structure of the chapter works to downplay the dangers.

In chapter twelve, the Microsoft chauvinism that has been evident in prior sections ramps up to full throttle. Grimes states that it isn't just Outlook that can be exploited for email viruses: any mail client could be so abused. (He later has to tacitly admit that almost no other email client has been so utilized, and none to the same extent.) There is even a paean of praise to Windows Script Host, the application that made the Love Bug possible.

The material on virus hoaxes, in chapter thirteen, is a bit of a mix, but does have a good list of signs to watch for. Defence, in chapter fourteen, consists mainly of a generic security planning process and a reasonable, though brief, outline of the types of antiviral software. Chapter fifteen finishes off with the usual look to the future.

Overall, the content is wide-ranging, but not complete. There is coverage of a broader range of topics than was the case with other recent books, such as Dunham (cf. BKBVRTPR.RVW) and Schmauder (cf. BKVRSPRF.RVW). However, depth of research and understanding of the problem are not in evidence. The material is very questionable in view of the number of errors Grimes makes in his recounting of the details of specific viruses.
While some support and background content is included, the book is written in a very field-independent style: at the end of the chapter you are simply supposed to do what Grimes tells you to, and believe what he says.

There is virus code in the book. Not extensively, perhaps, but it is there. Grimes justifies its presence by saying that it is not code for an entire virus, and that he has made changes to disable it in any case. Unfortunately, it is real code for some important sections of viruses, and the missing and changed bits aren't all that hard to spot. While it would not allow wannabe vxers to compile a complete virus right off the page, it would help any semi-competent code dweeb write a more functional virus. And, all protestations notwithstanding, it doesn't provide any help to the user or network manager.

Aside from problems with the content, Grimes' organization and writing are careless and difficult to understand. The chapters address individual topics, and have a standard structure, but the structure is only a template. Within each topic the flow of sections, and even paragraphs, does not always proceed logically. The illustrations and figures are not very informative.

This is not a good book on viruses or malware. The breadth of coverage and the detailed content on macro and email virus technology do save it from being really awful: up to the summer of 2001 no other book has dealt with those topics in sufficient depth. And the MS-centrism does have one very positive advantage. If you absolutely must use Microsoft software and applications, the prevention sections of the various chapters do contain a lot of detail that will be useful in reducing the risk that you face.

copyright Robert M. Slade, 2001   BKMLMBCD.RVW   20010814