March 30, 2010

Security Book Review: Mobile Malware Attacks and Defense

Mobile Malware Attacks and Defense
Author: Ken Dunham et. al.
Editorial: Syngress
Publication date: November 14, 2008
ISBN-10: 1597492981
ISBN-13: 978-1597492980

Summary: An historical reference of mobile malware and threats, plus a technical introduction to its analysis and in-depth inspection.

Score: 4/5

Security threats on mobile platforms are one of the key topics and
main targets for the next couple of years, given the ubiquity and popularity of these devices, plus their advanced capabilities and use of sensitive application: micro payments, online banking and e-commerce, access to "the cloud", etc.

This book is one of the few references, if not the only one (till very recently), focused on the multiple security aspects of the mobile ecosystem. As such, it constitutes a great historical reference about what mobile malware (referred as MM) and threats were until its publication, in late 2008.

The book starts by introducing mobile malware, although it can be a bit confusing for the novice reader, as it mixes up attacks, tools and threats (most them Bluetooth based), and for example, WiFi is not even mentioned (yet). The next chapter (ch 2) provides an interesting overview on how mobile malware shows up in a terminal from a user perspective, including the most common behaviors and the kind of interaction expected from the user. It would be great to have a detailed explanation of the propagation method, as with CommWarrior, for all the samples analyzed in this chapter.

The next three chapters (ch 3-5) are a really valuable historical reference about mobile malware, including its timeline, how it has evolved since 2000 till 2008, the types of threats, categorized by malware families, the most significant or famous specimens, such as Cabir in the Bluetooth side, plus an extensive taxonomy of mobile malware and threats based on the infection strategy, distribution and payload. Although some tables, with more than 400 references, could have been moved to an appendix to facilitate the reading, this set of chapters summarizes how mobile malware seriously started, back in 2004, and evolved over time. The comparison of different pieces of malware, and the extra analysis of the most relevant specimens, together with the technical details they used to survive, makes this section of the book a very good "encyclopedia".

Then, the book reflects the influence of multiple authors, presenting different unconnected and independent chapters. The phishing, SMSishing and Vishing chapter moves out of the mobile space, covering lots of details about these threats on traditional environments, such as common web browser based solutions, and the usage and purpose of the network captures attached is still not clear to me. I still remember my surprise from a technical perspective when I read that the transmitted data between the client and the verification server could not be identified, as they were using an SSL connection: "What about using a HTTP(S) interception proxy?" Finally, it includes an extensive phishing academic research mainly based on Bayesian networks and a distributed framework, which on my opinion, is clearly out of the scope of the book.

The more technical chapters come next; chapter 7 focuses on the core elements for the most widely used mobile platforms, their protection mechanisms and how they have been bypassed in the past, covering mainly Windows Mobile (WM), iPhone, Symbian, BlackBerry and J2ME (Java). It includes a extremely short summary on prevention and exploitation. This is complemented by the techniques, methods and tools available for the analysis of mobile malware (ch 8), the in-depth details for the disassembly and debugging of associated binaries (ch 10), plus the strategy and main constraints to perform a forensic analysis on this type of devices (chapters 8 and 9). This is by far the most relevant technical portion of the book.

The book follows the old and useful Syngress layout tradition of adding a few common sections at the end of each chapter to reinforce the material covered: Summary, Solutions Fast Track, and FAQ.

The first portion of the book (ch 1-5) will be an eye opener for a non-technical audience; highly recommended, together with the last chapter (ch 11) focused on the defensive side and how to mitigate all the threats covered along the book. The second portion for the book (ch 7-10) is focused on security professionals, mainly incident handlers and forensic analyst that need to deal with the technical aspects of mobile attacks and infections.

Due to the new mobile threats and issues that turned up in 2009 for the advanced smartphone platforms (like iPhone or Android), and the trend for new and more dangerous specimens expected in 2010, a second volume or edition would be a must.

UPDATE: Amazon review (first one).

Labels: , ,

March 27, 2010

Security Book Review: The IDA PRO Book

The IDA PRO Book
Author: Chris Eagle
Editorial: No Starch Press
Publication date: August 12, 2008
ISBN-10: 1593271786
ISBN-13: 978-1593271787

Summary: Do you really want to master the art of disassembly? Start here!

Score: 5/5

Honestly, when picking up a book that is focused on a single tool, as in this case, my main concerns are: how linked (and limited) the content is
to the tool and its capabilities, if the book can become obsolete soon with new versions of the tool, and what else the material offers to the specific field out of the tool.

In this case, it is fair to say that IDA Pro ( is the most popular disassembly tool (and debugger now) in the market during the last decade, so covering it is like going deeper into the field of malware analysis, software reverse engineer and
vulnerability research. Beginners can start playing with the evaluation version, while professionals have been using the Pro version for a long time.

Apart from that, the moment I realize Chris Eagle was the book author, it added some excitement to the mix. I know Chris when we released the Scan of the Month 32 challenge on the Honeynet Project (, back in 2004. The challenge was focused on analyzing a home-made malware binary, called RaDa, and Chris was the winner (; he even developed an IDA Pro script to unpack the binary and solve it.

Therefore, the book title does not make any justice to its contents :), as this is not only The IDA PRO Book or the unofficial guide, but the modern software disassembly
(static binary analysis) masterpiece and The IDA Pro Bible.

The first two chapters are a must for anyone starting in the world of reversing and disassembly. Something I really liked about the introductory chapters is how the author establishes the relationships between the different functionality available in IDA, and other (more traditional) single tools offering similar capabilities.

Then, the book goes in depth into IDA, getting started, covering the interactive interface and navigation capabilities, including the well-known and the most hidden features, explaining how to manage data types, structures and projects, the beauty of cross-references and graphs, and how to extend and customize IDA for extra advanced analysis (libraries, IDC scripts, plugins, modules, etc). It offers the advance readers the required skills and tools to move their analysis activities to the next level.

Every chapter is preceded by a great introduction explaining what is it about, and when and why this chapter is important for the analyst. Chapters do not simply move over the different menus and capabilities of IDA Pro, but describe them within a context based on the author experience after years of binary analysis, going in depth into the essence and goal of a given feature, the way to use it and the common drawbacks. Chris also uses his experience to highlight what is the most typical finding and tool output in various scenarios and why.

The book ends up with a few chapters that challenge the reader to put in action the skills learned throughout the book into real-world applications. Finally, it covers the new debugging capabilities (dynamic binary analysis) available since IDA version 4.5. For those starting in the field, appendix A points out the differences between the free and the commercial IDA version, and how these may influence your interest on specific book chapters.

The book is highly recommended to both beginners and intermediate/advanced users and professionals, and definitely it is a dense (like the tool it covers) but very easy to read book that becomes a reference in your bookshelves the minute it reaches your hands. Besides that, its contents won't easily become obsolete with new IDA Pro version. It is not a book to read in a couple of nights; this is the kind of "practical" book that I strongly recommend to read with a computer and a running copy of IDA handy, so that you can test all the tips and tricks and practice the topics being discussed.

UPDATE: Amazon review.

Labels: , ,