Secure Beginner's Guide / Malware, Rootkits & Botnets: A Beginner's Guide / Christopher C. Elisan / 206-6 / Front Matter

"Malware, Rootkits & Botnets is a great inspiration for a world under the great pressure of cyber attack. This is a guideline for all information technology persons to have the understanding of today's threat landscape."
—Oscar Chang, Chief Development Officer, Trend Micro, Inc.

"As stated in the Art of War by Sun Tzu, if you know your enemies and know yourself, you can win all battles. Christopher Elisan's book systematically demystifies the thought process of both of the malware writers and the anti-malware solution providers. Christopher is generous in sharing his security knowledge and experience in this book. He took a hands-on approach in explaining the industry lingo, common practices, the layered approach to malware analysis, and some of the tools and techniques used by both the 'good guys' and the 'bad guys.' Reading this book is how you get to know your enemies and yourself really well. I would characterize this book as compulsory reading material for all the security professionals responsible for securing hosts, applications, or networks from known and unknown security threats."
—Chee Tan, Director of Business Development, Avira Inc.

"Security is often hard to simplify without sacrificing key points that are critical to the protection of data and systems. Christopher is able to take one of the most complex topics in security and simplify it without sacrifice. This book is a must-read for beginner and advanced users alike."
—Richard Kohn, Sr. Services Product Manager, Symantec

"A fascinating, deep-dive into the work performed by anti-malware vendors and the daunting challenges they face in the never ending cat-and-mouse game with malware authors. Truly great insight into how pervasive and truly frightening today's malware landscape has become."
—David Monaco, Director of Information Security, Radialpoint Inc.

"Computers are our day-to-day tools in this information driven world. Be it smartphones, tablets, or laptops, more and more of our lives depend on the safe use of these life enhancing devices. How are we making sure we protect our information? Christopher explains in easy to understand language one of the most exciting fields of IT: the Anti-Virus world. Read this book to understand how to prepare for that fight. Anyone who wants to take responsibility for their own security must read this book."
—Vasco Duarte, Agile Coach, Avira Operations GmbH

"This is one of the best books on malware today. It explains malware techniques in detail from both sides, attacker and defender, with rich sets of real-world cases. If you are a beginner, this book helps you build a solid knowledge foundation; if you are already a professional, it convinces you that what you have implemented is not good enough and you still have tough challenges ahead; if you are a CIO/IT security manager, it presents you with a clearer picture of why fighting with malware is not easy and why you may have to allocate more budget for it."
—Lixin Lu, CTO, validEDGE

"Malware, Rootkits & Botnets is a great primer on malware and what you can do to protect yourself and your organization from it. If you've been mystified by or apprehensive about learning all of the lingo, rest assured that this book will clearly explain the basics in a way that will empower you to understand the big picture—from the sides of both the bad guys and the good guys. And once you do, you'll be prepared to evaluate your security posture, recognize possible malware threats, and take action!"
—Roger Harrison, Senior Director of WebPulse R&D, Blue Coat Systems

"If you are joining (or want to learn about) the computer security industry, Malware, Rootkits & Botnets: A Beginner's Guide is a must-read to quick start your way into learning all the jargon, concepts, and technologies that comprise the Threat Landscape. It accurately explains the history of malware and the work that goes on inside anti-malware labs in creating solutions against computer threats as they evolved."
—Jong Purisima, Antivirus Lab Manager, GFI-VIPRE

"Malware, Rootkits & Botnets: A Beginner's Guide offers an excellent introduction to the art and science of threat intelligence and malicious code analysis. Chris Elisan offers a real world, pragmatic approach that takes the reader (regardless of his or her experience level) through detailed methodology and examples that are sure to enhance the comprehension and expertise of the reader. As threat campaigns become more prevalent and sophisticated—threatening an ever increasing number of organizations globally—the ability to understand the threat landscape fluently will become nonnegotiable."
—Will Gragido, Sr. Manager, RSA Threat Watch and author of Cyber Crime and Espionage: An Analysis of Subversive Multi-Vector Threats

"Fresh and insightful book outlining all the key elements of Malware analysis process today. A must have."
—Mario Vuksan, CEO, ReversingLabs

Malware, Rootkits & Botnets
A Beginner's Guide

Christopher C. Elisan

New York  Chicago  San Francisco  Lisbon  London  Madrid  Mexico City  Milan  New Delhi  San Juan  Seoul  Singapore  Sydney  Toronto

Copyright © 2013 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-179205-9
MHID: 0-07-179205-8

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-179206-6, MHID: 0-07-179206-6.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at

Dedicated to my loving wife, Kara, whose support and understanding enabled me to skip my regular honey-do list and write this book; to my two wonderful sons, Sebastian and Noah, who inspire me to be a better person each and every day; and lastly to my parents, Ernesto and Evangeline, and brothers, Butch and Adrian, without whom I would not have been the person I am today.

About the Author

Christopher Elisan is the media's go-to expert when it comes to cybercrime, providing expert opinion about malware, botnets, and advanced persistent threats for leading industry and mainstream publications, including USA Today, San Francisco Chronicle, SC Magazine, InformationWeek, Fox Business, and Dark Reading. He is also a frequent speaker at various security conferences across the United States, including HackerHalted, Toorcon, International Information Systems Security Consortium (ISC)², and B-Sides.

Elisan is a seasoned reverse engineer and malware researcher. He is currently the principal malware scientist at RSA NetWitness. Elisan has a long history of digital threat and malware expertise, reversing, research, and product development. He is an early pioneer of Trend Micro's TrendLabs. This is where he started his career as a computer virus researcher and from there held multiple technical and managerial positions. After leaving Trend Micro, Elisan held a manager-researcher role during his years with F-Secure, where he established and led F-Secure's Asia R&D and spearheaded multiple projects that include vulnerability discovery, web security, and mobile security. He then joined Damballa, Inc. as a senior threat analyst specializing in malware research.

Elisan graduated with a Bachelor of Science degree in Computer Engineering and holds the following industry certifications: Certified Ethical Hacker, Microsoft Certified Systems Engineer, Microsoft Certified System Administrator, Microsoft Certified Professional, and Certified Scrum Master.

About the Technical Editors

Julio Canto is a senior developer and security consultant at Hispasec Sistemas. He is the original designer and developer of the world-famous virustotal.com multiscanner service. Canto's main focus is on the improvement of the service core, and he also participates in other software development initiatives in Hispasec Sistemas. Canto also has performed consulting, auditing tasks, and online fraud incident handling, especially those related to malware and phishing. He also gives talks about VirusTotal and malware awareness at several locations and events such as FIRST (Forum of Incident Response and Security Teams).

Roberto Perdisci, a recipient of the 2012 National Science Foundation CAREER award, is an assistant professor in the Computer Science Department at the University of Georgia, Athens (UGA) and a faculty member of the UGA Institute for Artificial Intelligence. Before joining UGA, Dr. Perdisci was a postdoctoral fellow at the College of Computing of the Georgia Institute of Technology, working under the supervision of Prof. Wenke Lee. He also worked as principal scientist at Damballa, Inc., and prior to joining Damballa was a research scholar at the Georgia Tech Information Security Center and Ph.D. candidate at the University of Cagliari, Italy, with the Pattern Recognition and Applications Group.

Contents at a Glance

Part I  Establishing the Foundation
  1  Getting In Gear  3
  2  A Brief History of Malware  9
  3  Cloak of the Rootkit  39
  4  Rise of the Botnets  55

Part II  Welcome to the Jungle
  5  The Threat Ecosystem  85
  6  The Malware Factory  113
  7  Infection Vectors  155
  8  The Compromised System  185

Part III  The Enterprise Strikes Back
  9  Protecting the Organization  213
  10  Detecting the Threat  255
  11  Mitigating the Threat  273

Part IV  Final Thoughts
  12  The Never-ending Race  297
  A  The Bootup Process  307
  B  Useful Links  311
  Glossary  315
  Index  333

Contents

Acknowledgments  xv
Foreword  xvii
Introduction  xxi

Part I  Establishing the Foundation

1  Getting In Gear  3
  A Malware Encounter  4
  A Brief Overview of the Threat Landscape  5
  Threat to National Security  6
  Starting the Journey  7
  We've Covered  8
  References  8

2  A Brief History of Malware  9
  Computer Viruses  10
    Classification of Computer Viruses  11
    Early Challenges  16
  Malware  17
    Classification of Malware  18
    Evolution of Malware  29
  Riskware  33
    Classification of Riskware  33