Malware & rootkits


Document information

This is a series of English-language books for IT professionals, focused on security and programming. It suits anyone with a passion for information technology who wants to learn about security and programming.

Hacking Exposed™ Malware & Rootkits

Reviews

“Accessible but not dumbed-down, this latest addition to the Hacking Exposed series is a stellar example of why this series remains one of the best-selling security franchises out there. System administrators and Average Joe computer users alike need to come to grips with the sophistication and stealth of modern malware, and this book calmly and clearly explains the threat.”
—Brian Krebs, Reporter for The Washington Post and author of the Security Fix Blog

“A harrowing guide to where the bad guys hide, and how you can find them.”
—Dan Kaminsky, Director of Penetration Testing, IOActive, Inc.

“The authors tackle malware, a deep and diverse issue in computer security, with common terms and relevant examples. Malware is a cold deadly tool in hacking; the authors address it openly, showing its capabilities with direct technical insight. The result is a good read that moves quickly, filling in the gaps even for the knowledgeable reader.”
—Christopher Jordan, VP, Threat Intelligence, McAfee; Principal Investigator to DHS Botnet Research

“Remember the end-of-semester review sessions where the instructor would go over everything from the whole term in just enough detail so you would understand all the key points, but also leave you with enough references to dig deeper where you wanted? Hacking Exposed Malware & Rootkits resembles this! A top-notch reference for novices and security professionals alike, this book provides just enough detail to explain the topics being presented, but not too much to dissuade those new to security.”
—LTC Ron Dodge, U.S. Army

“Hacking Exposed Malware & Rootkits provides unique insights into the techniques behind malware and rootkits. If you are responsible for security, you must read this book!”
—Matt Conover, Senior Principal Software Engineer, Symantec Research Labs

HACKING EXPOSED™ MALWARE & ROOTKITS: MALWARE & ROOTKITS SECURITY SECRETS & SOLUTIONS
MICHAEL DAVIS, SEAN BODMER, AARON LEMASTERS
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-159119-5, MHID: 0-07-159119-2. The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-159118-8, MHID: 0-07-159118-4.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

Dedications

I would like to dedicate this book to my family, especially my grandfather Richard Mason, who has shown me that true leaders have faith and touch the hearts of others before they ask for a hand.
—Michael A. Davis

I would like to dedicate this book to my wife Emily and our two children Elizabeth and Ryan and my grandparents Mathew and Brenda Karnes—without their support I would not be here today.
—Sean Bodmer

For my parents Earl and Sudie, who have supported and encouraged me all my life despite the odds, and for my wife Justina.
—Aaron LeMasters

ABOUT THE AUTHORS

Michael A. Davis
Michael A. Davis is CEO of Savid Technologies, Inc., a national technology and security consulting firm. Michael is well-known in the open source security industry due to his porting of security tools to the Windows platforms, including tools like snort, ngrep, dsniff, and honeyd. As a member of the Honeynet Project, he works to develop data and network control mechanisms for Windows-based honeynets. Michael is also the developer of sebek for Windows, a kernel-based data collection and monitoring tool for honeynets. Michael previously worked at McAfee, Inc., a leader in antivirus protection and vulnerability management, as Senior Manager of Global Threats, where he led a team of researchers investigating confidential and cutting-edge security research. Prior to being at McAfee, Michael worked at Foundstone.

Sean M. Bodmer, CISSP, CEH
Sean M. Bodmer is Director of Government Programs at Savid Corporation, Inc. Sean is an active honeynet researcher, specializing in the analysis of signatures, patterns, and the behavior of malware and attackers. Most notably, he has spent several years leading the operations and analysis of advanced intrusion detection systems (honeynets) where the motives and intent of attackers and their tools can be captured and analyzed in order to generate actionable intelligence to further protect customer networks. Sean has worked in various systems security engineering roles for various federal government entities and private corporations over the past decade in the Washington D.C. metropolitan area. Sean has lectured across the United States at industry conferences such as DEFCON, PhreakNIC, DC3, NW3C, Carnegie Mellon CERT, and the Pentagon Security Forum, covering aspects of attacks and attacker assessment profiling to help identify the true motivations and intent behind cyber attacks.

Aaron LeMasters, CISSP, GCIH, CSTP
Aaron LeMasters (M.S., George Washington University) is a security researcher specializing in computer forensics, malware analysis, and vulnerability research. The first five years of his career were spent defending the undefendable DoD networks, and he is now a senior software engineer at Raytheon SI. Aaron enjoys sharing his research at both larger security conferences such as Black Hat and smaller, regional hacker cons like Outerz0ne. He prefers to pacify his short attention span with advanced research and development issues related to Windows internals, system integrity, reverse engineering, and malware analysis. He is an enthusiastic prototypist and enjoys developing tools that complement his research interests. In his spare time, Aaron plays basketball, sketches, jams on his Epiphone Les Paul, and travels frequently to New York City with his wife.

About the Contributing Author

Jason Lord
Jason Lord is currently Chief Operating Officer of d3 Services, Ltd., a consulting firm providing cyber security solutions. Jason has been active in the information security field for the past 14 years, focusing on computer forensics, incident response, enterprise security, penetration testing, and malicious code analysis. During this time, Jason has responded to several hundred computer forensics and incident response cases globally. He is also an active member of the High Technology Crimes Investigation Association (HTCIA), InfraGard, and the International Systems Security Association (ISSA).

About the Technical Editor

Alexander Eisen is CEO of FormalTechnologies.com, an associate professor with the University of Advancing Technology, and, as a public servant, an enterprise architect for a DoD agency. Always an unconventional experimentalist, since 1999 he has played all sorts of roles—offensive and defensive, tactical and strategic—in the fields of penetration testing, enterprise incident response, forensics, RE, and security software evaluation—a career sparked by the award of an NSA-sponsored Information Assurance Fellowship for multidisciplinary research in Computer Science, Crypto, and Law. He has led over a dozen major red team and incident response efforts for the DoD and affiliated organizations, many of which have received widespread media coverage such as “Pentagon 1500 hacked.” As a core member of the National Cyber Initiative, he has researched large-scale enterprise incident response and software assurance methodologies. With certifications from the Defense Language Institute, Defense Cyber Crime Center Training Academy, (ISC)2, and the Committee on National Security Systems, he is an active member of InfraGard, AFCEA, IEEE, and various federal advisory boards. He has spoken internationally on emerging security issues at many industry conferences such as Black Hat Japan and the Ukraine IT Festival and in closed venues such as the Pentagon, and has published in trade journals on topics of national infrastructure protection and IPv6. Through teaching InfoSec curriculum and supporting UAT’s NSA Center of Academic Excellence, his passion has grown toward leveraging the talent and resources of academia to explore pioneering socioeconomic technology topics. He enjoys recruiting and mentoring aspiring youth to jumpstart their careers via Scholarship for Service programs. By night, his right-brain explores visual arts, extreme sports, roasting coffee, and engineering binaural Hang drum music. His daily life is now sustained by the support of his lovely wife Marina. Codeword: BH”96mae3ajme2ie18m emsdmal2rhbkkgppsjngcpaz24.

CONTENTS

  • Foreword  xv
  • Acknowledgments  xix
  • Introduction  xxi
  • Part I: Malware
    • Case Study: Please Review This Before Our Quarterly Meeting  2
    • 1 Method of Infection  7
      • This Security Stuff Might Actually Work  8
        • Decrease in Operating System Vulnerabilities  9
        • Perimeter Security  10
      • Why They Want Your Workstation  11
      • Intent Is Hard to Detect  12
      • It’s a Business  13
      • Significant Malware Propagation Techniques  14
        • Social Engineering  15
        • File Execution  17
      • Modern Malware Propagation Techniques  21
        • StormWorm (Malware Sample: trojan.peacomm)  22
        • Metamorphism (Malware Sample: W32.Evol, W32.Simile)  24
        • Obfuscation  25
        • Dynamic Domain Name Services (Malware Sample: W32.Reatle.E@mm)  29
        • Fast Flux (Malware Sample: trojan.peacomm)  29
      • Malware Propagation Injection Vectors  31
        • Email  31
        • Malicious Websites  35
        • Phishing  37
        • Peer-To-Peer (P2P)  43
        • Worms  46
      • Samples from the Companion Website  47
      • Summary  48
    • 2 Malware Functionality  49
      • What Malware Does Once It’s Installed
        • Pop-Ups
  • [...]
    • Virtual Machine Rootkit Techniques
      • Rootkits in the Matrix: How Did We Get Here?!
      • What Is a Virtual Rootkit?
      • Types of Virtual Rootkits
      • Detecting the Virtual Environment
  • [...]

Preview excerpts (the site shows only disconnected fragments of the book; [...] marks gaps in the preview)

[...] so does the malware that infected her machine. Today’s malware is taking over or emulating the insider role by bypassing external defenses, executing on machines, and running within the insider’s user account, enabling the malware to attack, control, and access the same resources as the insider. So in Hacking Exposed Malware & Rootkits, we focus on the capabilities and techniques used by malware in today’s [...]

[...] or equivalent. Risk Rating: The preceding three values averaged to give the overall risk rating.

ABOUT THE WEBSITE
Since malware and rootkits are being released all the time, you can find the latest tools and techniques on the Hacking Exposed Malware & Rootkits website at http://www.malwarehackingexposed.com. The website contains the code snippets and tools mentioned in the book as well as some never-before [...]

From the Foreword: [...] global scale. In addition, these criminals have developed their own black market in malware. Just as with any other economy, you can find an entire black market where criminal organizations trade and sell the latest malware tools. Malware has even become a service. Criminals will develop customized malware for clients or rent malware as a service—services that include support, [...]

[...] professionally. Do not let your machine become another zombie in the endless malware army.

Navigation
We have used the popular Hacking Exposed format for this book; every attack technique is highlighted in the margin like this: This Is an Attack Icon. Making it easy to identify specific malware types and methodologies. Every attack is countered with practical, [...]

[...] they gave him a sense of political power and freedom he was denied in Bulgaria.” Malware and rootkits are not about ego or protest—they’re about money. Malware authors want money, and the easiest way to get it is to steal it from you. Their intent with the programs they have written has changed dramatically. Malware and rootkits are now precision-theft tools, not billboards for shouting their accolades [...]

[...] attacks using malware can also disrupt the cyber activities of other countries; for instance, consider the cyber distributed denial of service attacks on Georgia and Estonia, which were organized and launched by malware. Malware has become the common element in almost all attacks we see today. To defend your networks, regardless of who the attackers are, you must understand and defend against malware. I was [...]

[...] and that amount does not include any potential notifications, compliance violations, or legal costs that are the result of the malware capturing personally identifiable information.

1 Method of Infection
Today’s threat landscape is more hostile than ever before. Recent advances in phishing and spam have shown that the [...]

[...] Authors of malware and rootkits realized that they could generate revenue for themselves by utilizing the malware they were creating to steal sensitive data, such as your online banking username and password, commit click fraud, and sell remote control of infected workstations to spammers as spam relays. They could actually receive a return on investment from the time they put into writing their malware.

Posted: 19/03/2014, 13:40

Table of contents

  • Part I: Malware
    • Case Study: Please Review This Before Our Quarterly Meeting
    • 1 Method of Infection
      • This Security Stuff Might Actually Work
      • Why They Want Your Workstation
      • Intent Is Hard to Detect
      • It’s a Business
      • Significant Malware Propagation Techniques
      • Modern Malware Propagation Techniques
      • Malware Propagation Injection Vectors
      • Samples from the Companion Website
    • 2 Malware Functionality
      • What Malware Does Once It’s Installed
  • Part II: Rootkits
    • Case Study: The Invisible Rootkit That Steals Your Bank Account Data
      • Disk Access
    • 4 Kernel-Mode Rootkits
      • Ground Level: x86 Architecture Basics
      • The Target: Windows Kernel Components
    • 5 Virtual Rootkits
      • Overview of Virtual Machine Technology
      • Virtual Machine Rootkit Techniques
    • 6 The Future of Rootkits: If You Think It’s Bad Now
      • Increases in Complexity and Stealth
  • Part III: Prevention Technologies
    • Case Study: A Wolf in Sheep’s Clothing
      • Rogue Software
    • 7 Antivirus
      • Now and Then: The Evolution of Antivirus Technology
      • Antivirus—Core Features and Techniques
      • A Critical Look at the Role of Antivirus Technology
