What This Book Doesn t Cover

Team-Fly

	Malicious Mobile Code: Virus Protection for Windows By Roger A. Grimes
	Table of Contents
	Preface

In the bigger scheme of computer security, malicious mobile code is just a part. Microsoft Windows running on a PC is but one of a myriad of operating system choices. There are many more other types of security threats than I can adequately cover. The following PC security topics are not covered in this book:

Non-Microsoft platforms and applications

This book only addresses threats against the IBM-compatible personal computer world, and particularly attacks against Microsoft operating systems and applications. This book focuses on DOS, Windows, Office, Outlook, and Internet Explorer. There are thousands of threats to the Macintosh, Unix, and open source world that aren't covered here. As Linux gains in popularity, so do the number of malicious programs written for the platform. Many of the attacks mentioned here easily apply to other systems (for example, a cross-platform macro virus), but the other platforms aren't the focus of the text.

Direct hack attacks

This book doesn't cover security attacks directly attempted by hackers. A malicious person telnetting to port 25 to forge an email address isn't covered in this book, but if a worm or virus does the same thing, it's covered. This book deals with programs written to do dirty work solely by using its own prewritten code. A hacker may need to initially release his creation, but after that, the code is on its own.

Host-side attacks

With a few necessary exceptions, this book is focused on client-side attacks. In the client/server computer world, there are hosts and clients . Hosts serve up the data and programs to which we attach our clients. A web server is a host. The Internet browser that connects to it is the client portion. Many hack attacks are directed at compromising host system security. This book focuses on the threats to Windows clients. We will even discuss Windows NT server, but we will focus on attacks that occur when it is operating a client process, like browsing the Internet.

Host-based denial of service attacks

One of the fastest growing threats in the connected computer world is the denial of service (DoS) attack. Hackers can send malformed information or requests to a remote computer system and cause it to spike its processor utilization to 100 percent and lock up, thereby completely denying future service requests to legitimate users. With Windows NT, some denial of service attacks are as easy as sending a single data packet to a previously unused TCP/IP port. Vendors are now investing significant time in mature error processing to help prevent service denials because of bad requests. While, denial of service attacks focused on Internet hosts are not covered in this book, malicious Java applets or other mobile creations that cause denial of service problems are.

Probe scans

The Department of Defense (DoD) has released many worldwide bulletins warning about the threat of automated probe scanners. These tools automate the process of testing for different security weaknesses in a company's Internet boundary protection. Typically, they test for the presence of different TCP/IP service ports or for the signature of a particular software program with known weaknesses. Hackers point the probe-scanning program to a particular host IP address and it will report the holes waiting for exploitation. The DoD says a company's only defense is to run regular probes on itself, find the holes, and patch them before the hackers do. This book doesn't focus on probe scanners . However, some malicious mobile programs use a limited set of probe scans to exploit different weaknesses and spread.

Internet server holes

Dan Farmer, a Unix security expert and cocreator of the security probe tool, SATAN, testified in front of House of Representatives in 1996 that two- thirds to three-fourths of the web sites he visited (including government and secure banking sites) could easily be broken into. Hackers are regularly breaking into Internet web sites that should be completely secure. While this book does focus on many of the Internet-client, browser-based threats, it doesn't focus on the holes in the server side of the Internet. It is well known that computer systems serving up Internet applications and data are full of security bugs that allow malicious hackers to gain unauthorized access or implement denial of service attacks.

NT security holes

The Microsoft Windows NT operating system has entire web sites and mailing lists dedicated to the daily announcement of the newest security hole. My favorite information resource for high-tech NT security violations is the NT bugtraq mailing list (http://www.ntbugtraq.com). Be aware that subject matter is high on technical detail and not a place where a newbie can easily follow the discussions. If you visit, you will learn that NT's default security settings, "out of the box," aren't all that secure. I'll leave the coverage of NT security exploits to others.

Unix, Linux, the TCP/IP protocol, and application holes and bugs

While much of the attention capturing headlines these days concerns malicious mobile code and NT's lack of absolute security, even more security weaknesses are found in the Unix world. Linux, Sendmail, TCP/IP, buffer overflows, and the Network File System (NFS) have provided hundreds of ways to take administrative root control of any system. If you just listen to the popular computer press you would wrongly assume that NT is the only weak software out there. There are already dozens of books covering these types of exploits.