
Review: Malicious Mobile Code

Inconsistencies and awkward definitions plague Malicious Mobile Code, according to reviewer Jay Heiser.

Malicious Mobile Code
By Roger A. Grimes

Opening this book a few days after Nimda hit, I was hoping it would provide some insight into the mechanisms that this hybrid worm used to spread itself across the 'Net. Although hostile code is one of the more serious infosec problems, book publishers haven't kept up with the significant changes in the hostile code environment brought about by ubiquitous e-mail, always-on Internet connectivity and the near universal use of Microsoft Word. With chapters on Windows, macro viruses, Java, ActiveX and e-mail, this book is aimed at a huge hole in everyone's security library. Unfortunately, like a marksman shooting in the dark, it largely misses its target.

I enjoyed the section on instant messaging, and I learned a lot about a subject that I previously knew very little about. But many sections, such as the ones on Web protocols, security software and digital signatures, are full of misleading "simplifications" or errors. For instance, the author describes code as being "signed by a digital certificate." Someone who mistakenly believes that a certificate contains the private key will have difficulty making good organizational decisions on the acceptability of signed external code. The statement "IDS programs rely on signatures that need constant updating with an AV scanner" is horribly wrong -- one of many sentences that are apparently the victims of "Trojan prepositions." Note to Grimes and his editors: Honeypots can't help an admin learn where an attacker is physically located.

At the hands-on level, the book obviously reflects years of experience fighting and recovering from malware, although a recommendation to never open mail from unknown senders is totally impractical. Many useful procedures are documented, such as cleaning all copies of an infected mail message from an Exchange server. Unfortunately, the first time I tried to actually use this book at work, to provide guidance on the appropriate use of JavaScript, it fell flat. First, the assertion that JavaScript code can write to local files and the registry as well as launch applications just isn't the case (and it's in direct contradiction with the Security chapter in the O'Reilly book JavaScript: The Definitive Guide). Second, it took a great deal of searching through the book to find instructions on disabling JavaScript within Internet Explorer, and no guidance was given for Netscape. Finally, third-party software and perimeter controls for JavaScript aren't even mentioned. The priorities seem wrong when a book on mobile code glosses over JavaScript, yet devotes 17 pages to e-mail hoaxes.

A list of the characteristics of a hypothetical "good" AV product is provided, but no guidance is offered on how to evaluate products for these attributes. And while the names of the most popular vendors are provided, their offerings aren't compared. Only one product is covered, but the multi-page "review" of Symantec's suite is really just a laundry list of its features.

They say you should never judge a book by its cover, advice that is supported in this case. The title Malicious Mobile Code is based on a flawed understanding of what constitutes mobile code, and an awkward attempt to define Trojan horse is further weakened by inconsistent usage. Both of these crucial terms are used so broadly that they become practically meaningless. I went through the book with a fine-toothed comb, using orange highlighting for awkward or misleading text, pink for outright mistakes and green for interesting advice or revelations. My copy is now glowing orange, punctuated by pink stripes. I felt moved to uncap the green highlighter fewer than a dozen times.

Neither the technical review nor the copyediting is consistent with O'Reilly's normal standards. The poor writing and factual errors prevent this book from fulfilling the pressing need for a comprehensive guide to today's hostile code problem. The author made a great start, but the publisher dropped the ball and didn't add the value that was needed to make it what it should've been.

This was last published in January 2002
