Crimeware: Understanding New Attacks and Defenses
by M. Jakobsson and Z. Ramzan

Addison-Wesley 2008.
ISBN 978-0-321-50195-0. USD 49.99, USD 42.95

Reviewed by  Richard Austin   7/15/08 

There's a worrisome fact about malware revealed by recent threat reports, intelligence summaries, etc. that track malware development and prevalence: its motivation has changed. The days of general maliciousness, curiosity and 15-minutes-of-Internet-fame are gone, only to be replaced by a calculated focus on financial gain.

The authors reflect this change in their term crimeware which they define as "malware written by criminals whose goals are not fame but wealth, and whose software does not constitute practical jokes to the victims but loss of money, information" (p.515).

The book opens its frightening journey into crimeware with an introductory chapter that surveys the subject through a menagerie of crimeware types (keyloggers, rootkits, etc), distribution vectors and how crimeware is used in its nefarious practice.

The second chapter, contributed by Gary McGraw, provides a useful taxonomy of coding errors that give rise to the vulnerabilities which crimeware authors are quick to exploit. His organization of the problems into a "Trinity of Trouble" (connectivity, complexity and extensibility) and "The Seven Pernicious Kingdoms" are valuable organizing principles that I hope other authors will adopt.

The next 14 chapters are written by various authors, giving rise to some unevenness in writing style and quality as well as duplication of material, but it does allow each topic to be covered by experts in the field. In addition to coverage of the "usual suspects" such as botnets, browser crimeware and rootkits, there are chapters covering emerging topics such as "Crimeware in firmware" (Chapter 5) and "Virtual Worlds and Fraud" (Chapter 9).

An especially interesting chapter is "Crimeware Business Models" (Chapter 12) which describes how the business side of crimeware works and explains how crimeware infections are translated into the cold, hard cash rewards for its creators.

Chapter 13 on "The Educational Aspect of Security" takes a hard look at why security education efforts fail and presents a cartoon-based approach that holds promise in advancing awareness training for the masses beyond today's poorly understood lists of "do's and don'ts" to an educational message that just might affect how people behave.

The final chapter covers "The Future of Crimeware" and looks forward to how crimeware might extend into areas such as terrorware, exploit social networking as its preferred infection vector and take aim at critical pieces of infrastructure.

There is a bibliography of almost 500 references that provide a wealth of further information and additional details on its topics.

Although this is a profoundly disturbing book, it is one that practicing security professionals would do well to read and understand. We have become desensitized to malware and may think that anti-virus, anti-spyware, and a good awareness makes us immune to its effects. The message that shines clearly through this book is that there are a large number of talented and creative computing professionals out there who are deeply cognizant of the types of defenses we have put in place. They are continually probing and innovating to find ways to slip their creations past our barriers in pursuit of direct monetary rewards. Thanks to Jakobsson and Ramzan, we have been warned.

Before beginning life as an itinerant university instructor and security consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rda7838 at Kennesaw dot edu