AVIEN Malware Defense Guide for the Enterprise

Book description

Members of AVIEN (the Anti-Virus Information Exchange Network) have been setting agendas in malware management for several years: they led the way on generic filtering at the gateway, and in the sharing of information about new threats at a speed that even anti-virus companies were hard-pressed to match. AVIEN members represent the best-protected large organizations in the world, and millions of users. When they talk, security vendors listen: so should you.

AVIEN’s sister organization AVIEWS is an invaluable meeting ground between the security vendors and researchers who know most about malicious code and anti-malware technology, and the top security administrators of AVIEN who use those technologies in real life. This new book uniquely combines the knowledge of these two groups of experts. Anyone who is responsible for the security of business information systems should be aware of this major addition to security literature.

* “Customer Power” takes up the theme of the sometimes stormy relationship between the antivirus industry and its customers, and tries to dispel some common myths. It then considers the roles of the independent researcher, the vendor-employed specialist, and the corporate security specialist.
* “Stalkers on Your Desktop” considers the thorny issue of malware nomenclature and then takes a brief historical look at how we got here, before expanding on some of the malware-related problems we face today.
* “A Tangled Web” discusses threats and countermeasures in the context of the World Wide Web.
* “Big Bad Bots” tackles bots and botnets, arguably Public Cyber-Enemy Number One.
* “Crème de la CyberCrime” takes readers into the underworld of old-school virus writing, criminal business models, and predicting future malware hotspots.
* “Defense in Depth” takes a broad look at DiD in the enterprise, and looks at some specific tools and technologies.
* “Perilous Outsorcery” offers sound advice on how to avoid the perils and pitfalls of outsourcing, incorporating a few horrible examples of how not to do it.
* “Education in Education” offers some insights into user education from an educationalist’s perspective, and looks at various aspects of security in schools and other educational establishments.
* “DIY Malware Analysis” is a hands-on, hands-dirty approach to security management, considering malware analysis and forensics techniques and tools.
* “Antivirus Evaluation & Testing” continues the D-I-Y theme, discussing at length some of the thorny issues around the evaluation and testing of antimalware software.
* “AVIEN & AVIEWS: the Future” looks at future developments in AVIEN and AVIEWS.

Table of contents

  1. Front Cover
  2. AVIEN Malware Defense Guide for the Enterprise
  3. Copyright Page
  4. Lead Author and Technical Editor
  5. Foreword Author
  6. Contributors (1/2)
  7. Contributors (2/2)
  8. Contents (1/3)
  9. Contents (2/3)
  10. Contents (3/3)
  11. Foreword
  12. Preface
  13. Introduction
  14. Chapter 1: Customer Power and AV Wannabes
    1. Introduction
    2. History of AVIEN and AVIEWS
      1. Background: So Who Is Robert Vibert?
      2. AV Vendor/Researcher Lists and Groups
      3. VB 2000: A Star is Born
        1. Cocktails For Two — and More
        2. After the Hangover
        3. One Day at a Time
      4. Oh No, The Users Are Ganging Up On Us!!!
        1. The Objectives of AVIEN and AVIEWS
        2. AVIEN Membership Benefits
        3. Alerts and Advisories
        4. Peer Discussions
        5. AVIEN Projects
    3. Anti-virus Vendor Image
      1. AVIEN & AVIEWS: Independents and Vendors in Anti-Malware Research
      2. Favorite Myths (1/2)
      3. Favorite Myths (2/2)
        1. “Anti-virus Only Catches Known Viruses”
        2. “Vendors Protect Their Own Revenue Stream, Not Their Customers”
        3. “Vendors Only Know About and Detect Viruses”
        4. “They Write All the Viruses”
        5. “Anti-virus Should Be a Free Service: After All, There Are Free Services That Do a Better Job”
    4. AV Wannabe
    5. So You Want to Be a Bona Fide Computer Anti-Malware Researcher?
      1. In the Beginning...
      2. Anti-virus Company Analysts
      3. Independent Researchers
      4. Technical and Psychological Analysts
      5. Corporate Anti-virus Specialist
      6. What is a Researcher?
      7. Researcher Skill-Set
      8. What Makes a Researcher?
      9. In The End
    6. You Should Be Certified
      1. (ISC)2
        1. SSCP
        2. CISSP
        3. CISSP Concentrations
      2. SANS GIAC/GSM Certifications
        1. Other Certifications and Qualifications
      3. Vendor-Dependent Training
        1. McAfee
        2. Sophos
        3. Symantec
      4. Should There Be a Vendor-independent Malware Specialist Certification?
      5. Levels of Certification and Associated Knowledge Bases
        1. Certified Anti-Virus Administrator (CAVA)
        2. Certified Anti-virus Specialist (CAVS)
        3. Certified Enterprise Anti-virus Architect (CEAVA)
        4. Updating the Certifications
    7. Summary
    8. Solutions Fast Track
    9. Frequently Asked Questions
  15. Chapter 2: Stalkers on Your Desktop
    1. Introduction
    2. Malware Nomenclature
    3. 21st Century Paranoid Man
      1. In The Beginning
    4. The Current Threatscape
      1. The Rise of Troy
      2. Rootkits
        1. Kernel Mode and User Mode
        2. Persistency and Non-Persistency
        3. Rootkit Detection
    5. Words Can Hurt You
      1. Spam, Spam, Spam
    6. Fraudian Slips
      1. Advance Fee Fraud (419s)
      2. Phishing Scams
      3. Or Would You Rather Be a Mule?
      4. Pump and Dump Scams
    7. Hoaxes and Chain Letters
      1. Why Do People Pass Hoaxes and Chain Letters On?
    8. Summary
    9. Solutions Fast Track
    10. Frequently Asked Questions
  16. Chapter 3: A Tangled Web
    1. Introduction
    2. Attacks on the Web
    3. Hacking into Web Sites
    4. Index Hijacking
    5. DNS Poisoning (Pharming)
    6. Malware and the Web: What, Where, and How to Scan
      1. What to Scan
      2. Where to Scan
      3. How to Scan
    7. Parsing and Emulating HTML
    8. Browser Vulnerabilities
    9. Testing HTTP-scanning Solutions
    10. Tangled Legal Web
    11. Summary
    12. Solutions Fast Track
    13. Frequently Asked Questions
  17. Chapter 4: Big Bad Botnets
    1. Introduction
    2. Bot Taxonomy (1/2)
    3. Bot Taxonomy (2/2)
    4. How Botnets are Used
      1. DoS and DDoS Attacks (1/2)
      2. DoS and DDoS Attacks (2/2)
        1. SYNs and Sensibility
        2. UDP Flooding
        3. ICMP Attacks
        4. DNS Reflector Attacks
      3. Managing DoS and DDoS Attacks
      4. The Botnet as Spam Tool
      5. Click Fraud
        1. Click Fraud Detection
    5. Bot Families
      1. The Early Bot Catches the Worm
        1. Pretty Park
        2. SubSeven
        3. GT Bot
        4. TFN, Trinoo, and Stacheldraht
      2. SDBot (1/2)
      3. SDBot (2/2)
        1. Infection and Propagation
        2. Rbot
        3. Infection and Propagation
        4. Known Vulnerability Exploits
        5. Exploiting Malware Backdoors
        6. Terminated Processes
      4. Agobot (Gaobot) and Phatbot
        1. Infection and Propagation
        2. Terminated Processes
      5. Spybot
        1. Keystroke Logging and Data Capture
    6. Mytob
    7. Bot/Botnet Detection and Eradication
    8. Summary
    9. Solutions Fast Track
    10. Frequently Asked Questions
  18. Chapter 5: Crème de la Cybercrime
    1. Introduction
    2. Old School Virus Writing
      1. Generic Virus Writers
    3. The Black Economy
      1. Spam
      2. A Word about Dialers
      3. Botnets for Fun and for Profit
    4. “Wicked Rose” and the NCPH Hacking Group
      1. Introduction to NCPH
      2. Public Knowledge of a Zero-day Word Exploit
      3. The GinWui Backdoor Rootkit Payload
      4. June 21, 2006-2007: Continued US Targeted Attacks
      5. Backtracking Targeted Attacks: RipGof
      6. Timeline of Events
      7. Introduction to Wicked Rose and NCPH
    5. How Did NCPH Begin?
      1. WZT
      2. The Jiangsu Connection?
      3. The China Syndrome
    6. Lurkers in Your Crystal Ball
      1. Things That Will Not Change (Much)
        1. Social Engineering
        2. Back in Fashion
      2. Botnets
      3. The Shape of Things to Come
        1. Communication: A Common Problem
        2. Automobiles
        3. VoIP
        4. RSS
        5. Podcast
        6. Home Media Systems
        7. Cell Phones
        8. Credit Cards
        9. Operating Systems
    7. Summary
    8. Solutions Fast Track
    9. Frequently Asked Questions
  19. Chapter 6: Defense-in-depth
    1. Introduction
    2. Enterprise Defense-in-Depth
      1. Getting to Know Your Network
      2. Choosing Your Network-Knowledge Tools
      3. Designing An Effective Protection Strategy
      4. Secure Individual Hosts First
      5. Purchase Host-based Protective Software
      6. Carefully Examine All Points of Access to Hosts
    3. Malware Detection
      1. Intrusion Detection
      2. SNORT
      3. Virus Detection
      4. Generic Anti-virus
    4. Planning, Testing, Revising
      1. Develop Contingency Plans
      2. Perform an “After Action Review”
      3. Designate a Conference Room or Office as a “War Room”
      4. Personnel
      5. Look Beyond the Borders
    5. Documentation
      1. Malware Laboratory Procedures
    6. Summary
    7. Solutions Fast Track
    8. Frequently Asked Questions
  20. Chapter 7: Perilous Outsorcery
    1. Introduction
    2. Key Concepts: Outsourcing AV Services and Risk Management
    3. Key Building Blocks for Managing Outsourced Security
      1. What Do “Security Activities” Imply for a Business Manager?
      2. What does “Outsourcing AV Services” Mean?
      3. What Drives the Success or Failure of Outsourced Operational AV?
        1. First Law
        2. Second Law
        3. Third Law
        4. Fourth Law
        5. Fifth Law
        6. Sixth Law
        7. Seventh Law
      4. What Common Phases does the Project Manager Encounter when Outsourcing AV Services?
      5. What Are The Most Common Problems Seen During AV Outsourcing?
        1. Miscommunication Between Customer and Vendor
        2. Lack of Responsive and Flexible Threat/ Change Management Mechanisms
        3. Procurement and Tendering Conflicts
        4. A Vendor-Centric Worldview
        5. Overestimation of a Vendor’s Competence
    4. The Perils of Outsourcing AV Activities
      1. Why Do More and More Companies Outsource AV Services?
    5. The ‘Perilous Outsorcery’ Management Matrix
      1. The First Dimension: Use The Job Descriptions, Roles, and Functions of People You Meet
      2. The Second Dimension: AV Function Types from Risk and Systems Management Perspectives
      3. The Third Dimension: Type of Governance Role Using The RACI Model
      4. An Example of the “Perils of Outsourcing” Matrix
    6. Critical Success Factors for Surviving AV Outsourcing
      1. Sources of CSFs: the More Explicit, the Better!
      2. Open Peer Communication Lines Between Both Companies
      3. Use a Questionnaire to Match People to AV Functions
      4. Align as Soon as Possible with Monitoring Services (SOC) and Incident Management Teams
      5. Outline the AV infrastructure (as Seen by the Customer and the Vendor) and Discuss Differences
        1. Align or Prepare the Reporting on Compliance Issues of Outsourced AV Services
      6. Putting the Pieces Together
      7. Roles and Responsibilities
    7. Sample AV Skills and Experience Questionnaire for an AV Service Provider
    8. Summary
    9. Solutions Fast Track
    10. Frequently Asked Questions
  21. Chapter 8: Education in Education
    1. Introduction
    2. User Education from an Educationalist’s Perspective
      1. Some True Stories (1/2)
      2. Some True Stories (2/2)
        1. The Grandmother
        2. The Sister
        3. The Father
        4. The Young Girl
        5. The Self-employed Professional
        6. The Unwitting Spammers
        7. And the Point is...
        8. Where Do You Come In?
    3. Security and Education in the UK
      1. Evaluating Security Advice
      2. Information Sharing and the WARP factor
      3. The Myth of Teenage Literacy
      4. Teaching Security in the Classroom (1/2)
      5. Teaching Security in the Classroom (2/2)
      6. Duty of Care
      7. Surfing the Darkside Economy
      8. Duty of Care Issues (Again)
      9. Cross-Curricular Security
      10. Technical Areas Checklist
    4. Not Exactly a Case Study: The Julie Amero Affair
    5. Summary
    6. Solutions Fast Track
    7. Frequently Asked Questions
  22. Chapter 9: DIY Malware Analysis
    1. Introduction
    2. Anti-Malware Tools of the Trade 101
    3. The Basics: Identifying a Malicious File (1/2)
    4. The Basics: Identifying a Malicious File (2/2)
    5. Process and Network Service Detection Tools (1/2)
    6. Process and Network Service Detection Tools (2/2)
    7. Web-based Inspection and Virus Analysis Tools
      1. AV Vendors Accept Submissions
      2. Using an Online Malware Inspection Sandbox (1/2)
      3. Using an Online Malware Inspection Sandbox (2/2)
    8. Using Packet Analyzers to Gather Information
      1. Results of Running windump at the Command Line to Show Proper Syntax Formatting
    9. Examining Your Malware Sample with Executable Inspection Tools (1/2)
    10. Examining Your Malware Sample with Executable Inspection Tools (2/2)
    11. Using Vulnerability Assessment and Port Scanning Tools (1/2)
    12. Using Vulnerability Assessment and Port Scanning Tools (2/2)
    13. Advanced Tools: An Overview of Windows Code Debuggers
    14. Advanced Analysis and Forensics
    15. Advanced Malware Analysis
      1. Static (Code) Analysis
      2. Packers and Memory Dumping (1/2)
      3. Packers and Memory Dumping (2/2)
        1. Quick Assessment
        2. Disassembling Malware
        3. Debugging Malware
      4. Dynamic (Behavior) Analysis
        1. Isolated Environments
        2. Behavior Monitoring
    16. Forensic Analysis
      1. Collecting Volatile Data
        1. Rootkits
        2. Collecting Process and Network Data
      2. Collecting Non-volatile Data (1/2)
      3. Collecting Non-volatile Data (2/2)
        1. Determining the Initial Vector
        2. A Lesson from History
        3. Case Study: An IRCbot-infected Machine
    17. Summary
    18. Solutions Fast Track
    19. Frequently Asked Questions
  23. Chapter 10: Antimalware Evaluation and Testing
    1. Introduction
    2. Antimalware Product Evaluation
      1. Configurability
      2. Cost
      3. Ease of Use
      4. Functionality
      5. Performance
      6. Support Issues
        1. Upgrades and Updates
        2. Information Flow and Documentation
    3. Evaluation Checklist
      1. Core Issues (1/2)
      2. Core Issues (2/2)
    4. Testing Antimalware Products
      1. Replicating Malware
        1. Why is Sample Verification Important?
        2. Polymorphic Replicative Malware
      2. Environment
      3. In the Wild Testing
      4. Non-Replicating Malware (1/2)
      5. Non-Replicating Malware (2/2)
        1. Is It or Isn’t It?
        2. Does it work?
      6. Time To Update Testing (1/2)
      7. Time To Update Testing (2/2)
        1. Defining the Problems
        2. Problem 1: Time to Update as a Measure of Protection Capability
        3. Problem 2: Baseline Setting for Heuristic/Proactive Detections
        4. Problem 3: Time of Release vs. Time of First Detection
      8. Frozen Update (Retrospective) Testing
      9. A Few Words on False Positives
      10. A Checklist of Do’s and Don’ts in Testing
        1. First of All, Here’s What Not to Do!
        2. How to Do it Right!
        3. Non-detection Testing Parameters
      11. Conclusion
    5. Independent Testing and Certification Bodies
      1. VB100 Awards
      2. ICSA Labs (a Division of Cybertrust)
      3. Checkmark Certification
        1. Anti-virus Level 1
        2. Anti-virus Level 2
        3. Trojan
        4. Anti-Spyware
      4. AV-Test.org
      5. AV-Comparatives.org
    6. Summary
    7. Solutions Fast Track
    8. Frequently Asked Questions
  24. Chapter 11: AVIEN and AVIEWS: the Future
  25. Appendix A: Resources
    1. Introduction
    2. Customer Power
    3. Stalkers on Your Desktop
    4. A Tangled Web
    5. Big Bad Bots
    6. Crème de la CyberCrime
    7. Defense in Depth
    8. Perilous Outsorcery
    9. Education in Education
    10. DIY Malware Analysis
    11. Antivirus Evaluation and Testing
    12. Additional Resources
      1. Books
      2. Additional Resources
        1. Linux:
        2. Macintosh:
        3. Network Tools:
        4. SANS:
        5. Security Focus Newsletters
  26. Appendix B: Glossary
    1. Introduction (1/2)
    2. Introduction (2/2)
  27. Index (1/3)
  28. Index (2/3)
  29. Index (3/3)

Product information

  • Title: AVIEN Malware Defense Guide for the Enterprise
  • Author(s): David Harley, Robert S. Vibert, Ken Bechtel, Michael Blanchard, Henk K. Diemer, Andrew Lee, Igor Muttik, Bojan Zdrnja
  • Release date: April 2011
  • Publisher(s): Syngress
  • ISBN: 9780080558660