Fighting Malicious Code
by Ed Skoudis with Lenny Zeltser

Prentice Hall 2003.
ISBN 0131014056. 647 pages, index.

Reviewed by Robert Bruen, November 8, 2003

Malicious code - we all know what it is, right? It is that code that does bad things and causes us all so much consternation. It is viruses and worms and rootkits. It is the stuff the antivirus community wants to fight against, but does not really understand. Thank the stars for Ed Skoudis.

Malware Understood and Explained in Depth would have been a fine title for this book. In spite of what some people believe, no one will be successful fighting against malware without understanding what it is and how it is constructed. Moreover, no one gets to be an Uber Haxor without serious skills. The attacks and defenses on the digital battlefield depend on expertise. Being smart is a major asset, but knowing how the target is constructed is the starting point. Understanding how to attack that construction is where the knowledge comes in. Creating the attack is the plane of expertise.

Without a proper understanding of how attacks are put together, it is really difficult to defend the target. The scenario is something akin to a tribe with bows and arrows meeting an attacker with cannons and rifles. The best you can do is run for cover, because you do not understand how it all works.

The time has come for as many people as possible to acquire an in-depth understanding of the weapons used in the digital war. The creators of the attacks certainly have one. Obviously many of those who use the tools are clueless, but that is not all that important. Digital weapons need to be studied and understood. Skoudis, as with his earlier books, has provided an excellent source. One possible measure of the book might be the hue and cry that springs up from certain sectors of the security world.

This book covers user-mode and kernel-mode rootkits on both Linux and Windows, down to the particular address where an attacker can take over memory, among other things. Linux kernel modules and interesting potential BIOS attacks are explained clearly. One characteristic of a book by Skoudis is the research that goes into his writing. Each chapter has a useful list of references. For example, one reference describes how to go about remote installations of Windows VNC servers.

One of my favorite chapters is the step-by-step instructions on malware analysis. Whether you are a defender or an attacker, this is a helpful chapter. The instructions start with equipment, costs, and rationale. A checklist that spans several pages is invaluable, as is the description of the process of analyzing malware code and operation.

This is one of those highly recommended, must-have books of this year. Not only is the information contained in the book valuable, but the explanations are superb. Not a page is wasted.