
AVIEN Malware Defense Guide for the Enterprise

By: David Harley

Elsevier Reference Monographs, 2011

ISBN: 9780080558660, 656 pages

Format: PDF

Copy protection: DRM

Windows PC, Mac OS X, Apple iPad, Android tablet PCs

Price: 48,95 EUR



Table of Contents

Front Cover (p. 1)
AVIEN Malware Defense Guide for the Enterprise (p. 4)
Copyright Page (p. 5)
Lead Author and Technical Editor (p. 6)
Foreword Author (p. 7)
Contributors (p. 8)
Contents (p. 16)
Foreword (p. 28)
Preface (p. 30)
Introduction (p. 34)

Chapter 1: Customer Power and AV Wannabes (p. 37)
Introduction (p. 38)
History of AVIEN and AVIEWS (p. 38)
Background: So Who Is Robert Vibert? (p. 38)
AV Vendor/Researcher Lists and Groups (p. 39)
VB 2000: A Star is Born (p. 40)
Cocktails For Two — and More (p. 41)
After the Hangover (p. 41)
One Day at a Time (p. 41)
Oh No, The Users Are Ganging Up On Us!!! (p. 42)
The Objectives of AVIEN and AVIEWS (p. 43)
AVIEN Membership Benefits (p. 43)
Alerts and Advisories (p. 43)
Peer Discussions (p. 44)
AVIEN Projects (p. 44)
Anti-virus Vendor Image (p. 45)
AVIEN & AVIEWS: Independents and Vendors in Anti-Malware Research (p. 45)
Favorite Myths (p. 48)
“Anti-virus Only Catches Known Viruses” (p. 49)
“Vendors Protect Their Own Revenue Stream, Not Their Customers” (p. 52)
“Vendors Only Know About and Detect Viruses” (p. 53)
“They Write All the Viruses” (p. 54)
“Anti-virus Should Be a Free Service: After All, There Are Free Services That Do a Better Job” (p. 54)
AV Wannabe (p. 55)
So You Want to Be a Bona Fide Computer Anti-Malware Researcher? (p. 55)
In the Beginning... (p. 56)
Anti-virus Company Analysts (p. 57)
Independent Researchers (p. 57)
Technical and Psychological Analysts (p. 57)
Corporate Anti-virus Specialist (p. 58)
What is a Researcher? (p. 58)
Researcher Skill-Set (p. 59)
What Makes a Researcher? (p. 59)
In The End (p. 60)
You Should Be Certified (p. 61)
(ISC)2 (p. 61)
SSCP (p. 63)
CISSP (p. 64)
CISSP Concentrations (p. 64)
SANS GIAC/GSM Certifications (p. 66)
Other Certifications and Qualifications (p. 69)
Vendor-Dependent Training (p. 70)
McAfee (p. 70)
Sophos (p. 71)
Symantec (p. 73)
Should There Be a Vendor-independent Malware Specialist Certification? (p. 74)
Levels of Certification and Associated Knowledge Bases (p. 75)
Certified Anti-Virus Administrator (CAVA) (p. 75)
Certified Anti-virus Specialist (CAVS) (p. 75)
Certified Enterprise Anti-virus Architect (CEAVA) (p. 76)
Updating the Certifications (p. 78)
Summary (p. 79)
Solutions Fast Track (p. 80)
Frequently Asked Questions (p. 83)

Chapter 2: Stalkers on Your Desktop (p. 87)
Introduction (p. 88)
Malware Nomenclature (p. 89)
21st Century Paranoid Man (p. 92)
In The Beginning (p. 92)
The Current Threatscape (p. 94)
The Rise of Troy (p. 95)
Rootkits (p. 96)
Kernel Mode and User Mode (p. 98)
Persistency and Non-Persistency (p. 98)
Rootkit Detection (p. 99)
Words Can Hurt You (p. 100)
Spam, Spam, Spam (p. 100)
Fraudian Slips (p. 102)
Advance Fee Fraud (419s) (p. 102)
Phishing Scams (p. 103)
Or Would You Rather Be a Mule? (p. 106)
Pump and Dump Scams (p. 110)
Hoaxes and Chain Letters (p. 112)
Why Do People Pass Hoaxes and Chain Letters On? (p. 113)
Summary (p. 114)
Solutions Fast Track (p. 114)
Frequently Asked Questions (p. 117)

Chapter 3: A Tangled Web (p. 121)
Introduction (p. 122)
Attacks on the Web (p. 122)
Hacking into Web Sites (p. 124)
Index Hijacking (p. 126)
DNS Poisoning (Pharming) (p. 131)
Malware and the Web: What, Where, and How to Scan (p. 136)
What to Scan (p. 136)
Where to Scan (p. 140)
How to Scan (p. 141)
Parsing and Emulating HTML (p. 143)
Browser Vulnerabilities (p. 146)
Testing HTTP-scanning Solutions (p. 148)
Tangled Legal Web (p. 149)
Summary (p. 151)
Solutions Fast Track (p. 151)
Frequently Asked Questions (p. 156)

Chapter 4: Big Bad Botnets (p. 159)
Introduction (p. 160)
Bot Taxonomy (p. 163)
How Botnets are Used (p. 171)
DoS and DDoS Attacks (p. 172)
SYNs and Sensibility (p. 173)
UDP Flooding (p. 174)
ICMP Attacks (p. 175)
DNS Reflector Attacks (p. 177)
Managing DoS and DDoS Attacks (p. 178)
The Botnet as Spam Tool (p. 178)
Click Fraud (p. 179)
Click Fraud Detection (p. 180)
Bot Families (p. 180)
The Early Bot Catches the Worm (p. 182)
Pretty Park (p. 182)
SubSeven (p. 183)
GT Bot (p. 183)
TFN, Trinoo, and Stacheldraht (p. 183)
SDBot (p. 186)
Infection and Propagation (p. 186)
Rbot (p. 188)
Infection and Propagation (p. 189)
Known Vulnerability Exploits (p. 191)
Exploiting Malware Backdoors (p. 192)
Terminated Processes (p. 193)
Agobot (Gaobot) and Phatbot (p. 194)
Infection and Propagation (p. 194)
Terminated Processes (p. 197)
Spybot (p. 198)
Keystroke Logging and Data Capture (p. 201)
Mytob (p. 201)
Bot/Botnet Detection and Eradication (p. 203)
Summary (p. 207)
Solutions Fast Track (p. 207)
Frequently Asked Questions (p. 212)

Chapter 5: Crème de la Cybercrime (p. 217)
Introduction (p. 218)
Old School Virus Writing (p. 218)
Generic Virus Writers (p. 219)
The Black Economy (p. 223)
Spam (p. 224)
A Word about Dialers (p. 227)
Botnets for Fun and for Profit (p. 228)
“Wicked Rose” and the NCPH Hacking Group (p. 229)
Introduction to NCPH (p. 229)
Public Knowledge of a Zero-day Word Exploit (p. 229)
The GinWui Backdoor Rootkit Payload (p. 230)
June 21, 2006-2007 - Continued US Targeted Attacks (p. 231)
Backtracking Targeted Attacks: RipGof (p. 232)
Timeline of Events (p. 233)
Introduction to Wicked Rose and NCPH (p. 234)
How Did NCPH Begin? (p. 236)
WZT (p. 239)
The Jiangsu Connection? (p. 239)
The China Syndrome (p. 239)
Lurkers in Your Crystal Ball (p. 241)
Things That Will Not Change (Much) (p. 241)
Social Engineering (p. 241)
Back in Fashion (p. 243)
Botnets (p. 244)
The Shape of Things to Come (p. 244)
Communication: A Common Problem (p. 244)
Automobiles (p. 246)
VoIP (p. 247)
RSS (p. 248)
Podcast (p. 248)
Home Media Systems (p. 249)
Cell Phones (p. 250)
Credit Cards (p. 252)
Operating Systems (p. 253)
Summary (p. 254)
Solutions Fast Track (p. 254)
Frequently Asked Questions (p. 257)

Chapter 6: Defense-in-depth (p. 261)
Introduction (p. 262)
Enterprise Defense-in-Depth (p. 263)
Getting to Know Your Network (p. 265)
Choosing Your Network-Knowledge Tools (p. 265)
Designing An Effective Protection Strategy (p. 267)
Secure Individual Hosts First (p. 267)
Purchase Host-based Protective Software (p. 268)
Carefully Examine All Points of Access to Hosts (p. 269)
Malware Detection (p. 270)
Intrusion Detection (p. 270)
SNORT (p. 272)
Virus Detection (p. 276)
Generic Anti-virus (p. 277)
Planning, Testing, Revising (p. 279)
Develop Contingency Plans (p. 280)
Perform an “After Action Review” (p. 280)
Designate a Conference Room or Office as a “War Room” (p. 281)
Personnel (p. 282)
Look Beyond the Borders (p. 283)
Documentation (p. 284)
Malware Laboratory Procedures (p. 285)
Summary (p. 288)
Solutions Fast Track (p. 288)
Frequently Asked Questions (p. 290)

Chapter 7: Perilous Outsorcery (p. 293)
Introduction (p. 294)
Key Concepts: Outsourcing AV Services and Risk Management (p. 296)
Key Building Blocks for Managing Outsourced Security (p. 297)
What Do “Security Activities” Imply for a Business Manager? (p. 298)
What does “Outsourcing AV Services” Mean? (p. 299)
What Drives the Success or Failure of Outsourced Operational AV? (p. 301)
First Law (p. 302)
Second Law (p. 302)
Third Law (p. 302)
Fourth Law (p. 302)
Fifth Law (p. 303)
Sixth Law (p. 305)
Seventh Law (p. 306)
What Common Phases does the Project Manager Encounter when Outsourcing AV Services? (p. 306)
What Are The Most Common Problems Seen During AV Outsourcing? (p. 308)
Miscommunication Between Customer and Vendor (p. 308)
Lack of Responsive and Flexible Threat/Change Management Mechanisms (p. 310)
Procurement and Tendering Conflicts (p. 310)
A Vendor-Centric Worldview (p. 311)
Overestimation of a Vendor’s Competence (p. 311)
The Perils of Outsourcing AV Activities (p. 312)
Why Do More and More Companies Outsource AV Services? (p. 313)
The ‘Perilous Outsorcery’ Management Matrix (p. 316)
The First Dimension: Use The Job Descriptions, Roles, and Functions of People You Meet (p. 316)
The Second Dimension: AV Function Types from Risk and Systems Management Perspectives (p. 317)
The Third Dimension: Type of Governance Role Using The RACI Model (p. 318)
An Example of the “Perils of Outsourcing” Matrix (p. 320)
Critical Success Factors for Surviving AV Outsourcing (p. 321)
Sources of CSFs: the More Explicit, the Better! (p. 322)
Open Peer Communication Lines Between Both Companies (p. 323)
Use a Questionnaire to Match People to AV Functions (p. 325)
Align as Soon as Possible with Monitoring Services (SOC) and Incident Management Teams (p. 326)
Outline the AV infrastructure (as Seen by the Customer and the Vendor) and Discuss Differences (p. 327)
Align or Prepare the Reporting on Compliance Issues of Outsourced AV Services (p. 328)
Putting the Pieces Together (p. 329)
Roles and Responsibilities (p. 331)
Sample AV Skills and Experience Questionnaire for an AV Service Provider (p. 332)
Summary (p. 337)
Solutions Fast Track (p. 337)
Frequently Asked Questions (p. 340)

Chapter 8: Education in Education (p. 343)
Introduction (p. 344)
User Education from an Educationalist’s Perspective (p. 345)
Some True Stories (p. 349)
The Grandmother (p. 350)
The Sister (p. 351)
The Father (p. 351)
The Young Girl (p. 351)
The Self-employed Professional (p. 352)
The Unwitting Spammers (p. 352)
And the Point is... (p. 352)
Where Do You Come In? (p. 353)
Security and Education in the UK (p. 356)
Evaluating Security Advice (p. 357)
Information Sharing and the WARP factor (p. 357)
The Myth of Teenage Literacy (p. 360)
Teaching Security in the Classroom (p. 361)
Duty of Care (p. 367)
Surfing the Darkside Economy (p. 368)
Duty of Care Issues (Again) (p. 369)
Cross-Curricular Security (p. 370)
Technical Areas Checklist (p. 373)
Not Exactly a Case Study: The Julie Amero Affair (p. 375)
Summary (p. 378)
Solutions Fast Track (p. 378)
Frequently Asked Questions (p. 381)

Chapter 9: DIY Malware Analysis (p. 385)
Introduction (p. 386)
Anti-Malware Tools of the Trade 101 (p. 386)
The Basics: Identifying a Malicious File (p. 387)
Process and Network Service Detection Tools (p. 395)
Web-based Inspection and Virus Analysis Tools (p. 403)
AV Vendors Accept Submissions (p. 403)
Using an Online Malware Inspection Sandbox (p. 410)
Using Packet Analyzers to Gather Information (p. 419)
Results of Running windump at the Command Line to Show Proper Syntax Formatting (p. 420)
Examining Your Malware Sample with Executable Inspection Tools (p. 424)
Using Vulnerability Assessment and Port Scanning Tools (p. 430)
Advanced Tools: An Overview of Windows Code Debuggers (p. 437)
Advanced Analysis and Forensics (p. 441)
Advanced Malware Analysis (p. 442)
Static (Code) Analysis (p. 442)
Packers and Memory Dumping (p. 444)
Quick Assessment (p. 447)
Disassembling Malware (p. 449)
Debugging Malware (p. 450)
Dynamic (Behavior) Analysis (p. 452)
Isolated Environments (p. 452)
Behavior Monitoring (p. 454)
Forensic Analysis (p. 456)
Collecting Volatile Data (p. 457)
Rootkits (p. 458)
Collecting Process and Network Data (p. 459)
Collecting Non-volatile Data (p. 461)
Determining the Initial Vector (p. 461)
A Lesson from History (p. 462)
Case Study: An IRCbot-infected Machine (p. 464)
Summary (p. 468)
Solutions Fast Track (p. 468)
Frequently Asked Questions (p. 473)

Chapter 10: Antimalware Evaluation and Testing (p. 477)
Introduction (p. 478)
Antimalware Product Evaluation (p. 479)
Configurability (p. 481)
Cost (p. 481)
Ease of Use (p. 483)
Functionality (p. 484)
Performance (p. 484)
Support Issues (p. 487)
Upgrades and Updates (p. 488)
Information Flow and Documentation (p. 488)
Evaluation Checklist (p. 489)
Core Issues (p. 490)
Testing Antimalware Products (p. 498)
Replicating Malware (p. 500)
Why is Sample Verification Important? (p. 500)
Polymorphic Replicative Malware (p. 502)
Environment (p. 504)
In the Wild Testing (p. 504)
Non-Replicating Malware (p. 506)
Is It or Isn’t It? (p. 506)
Does it work? (p. 510)
Time To Update Testing (p. 512)
Defining the Problems (p. 512)
Problem 1: Time to Update as a Measure of Protection Capability (p. 513)
Problem 2: Baseline Setting for Heuristic/Proactive Detections (p. 514)
Problem 3: Time of Release vs. Time of First Detection (p. 517)
Frozen Update (Retrospective) Testing (p. 519)
A Few Words on False Positives (p. 520)
A Checklist of Do’s and Don’ts in Testing (p. 520)
First of All, Here’s What Not to Do! (p. 521)
How to Do it Right! (p. 522)
Non-detection Testing Parameters (p. 522)
Conclusion (p. 523)
Independent Testing and Certification Bodies (p. 523)
VB100 Awards (p. 524)
ICSA Labs (a Division of Cybertrust) (p. 525)
Checkmark Certification (p. 525)
Anti-virus Level 1 (p. 525)
Anti-virus Level 2 (p. 526)
Trojan (p. 526)
Anti-Spyware (p. 526)
AV-Test.org (p. 526)
AV-Comparatives.org (p. 526)
Summary (p. 527)
Solutions Fast Track (p. 529)
Frequently Asked Questions (p. 532)

Chapter 11: AVIEN and AVIEWS: the Future (p. 535)
Appendix A: Resources (p. 539)
Introduction (p. 540)
Customer Power (p. 541)
Stalkers on Your Desktop (p. 541)
A Tangled Web (p. 543)
Big Bad Bots (p. 544)
Crème de la CyberCrime (p. 544)
Defense in Depth (p. 545)
Perilous Outsorcery (p. 545)
Education in Education (p. 545)
DIY Malware Analysis (p. 547)
Antivirus Evaluation and Testing (p. 548)
Additional Resources (p. 548)
Books (p. 548)
Additional Resources (p. 549)
Linux (p. 550)
Macintosh (p. 550)
Network Tools (p. 550)
SANS (p. 551)
Security Focus Newsletters (p. 551)
Appendix B: Glossary (p. 553)
Introduction (p. 554)
Index (p. 563)