The Art of Computer Virus Research and Defense [NOOK Book]



NOOK Book (eBook)
BN.com price: $25.49 (Save 42%)
List price: $43.99

Overview

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published—addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes

  • Discovering how malicious code attacks on a variety of platforms
  • Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
  • Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
  • Mastering empirical methods for analyzing malicious code—and what to do with what you learn
  • Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
  • Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
  • Using worm blocking, host-based intrusion prevention, and network-level defense strategies

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
If you’re serious about fighting viruses, you know that detailed, reliable, up-to-date information is awfully scarce. Peter Szor has fixed that problem. As a Symantec security architect, Szor’s been creating innovative techniques for Norton Anti-Virus since 1999. His new book illuminates the field as never before.

Szor begins with attack strategies. He addresses malicious code interactions with CPUs, operating systems, file systems, file formats, and interpreted environments. He reviews how viruses infect boot records and files, and how they behave in memory. There’s detailed coverage of how today’s viruses hide, self-protect, and evolve.

Next, he systematically covers defense: algorithmic scanning, skeleton detection, exact/near-exact identification, code emulation, heuristic analysis, generic disinfectors, behavior blocking, sandboxing, memory disinfection, worm blocking, buffer overflow prevention, and much more. You’ll even walk through setting up your own anti-virus lab. This should be the first book in it. Bill Camarda, from the April 2005 Read Only


Product Details

  • ISBN-13: 9780672333903
  • Publisher: Pearson Education
  • Publication date: 2/17/2005
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 744
  • Sales rank: 1,353,361
  • File size: 14 MB

Meet the Author

Peter Szor is security architect for Symantec Security Response, where he has been designing and building antivirus technologies for the Norton AntiVirus product line since 1999. From 1990 to 1995, Szor wrote and maintained his own antivirus program, Pasteur. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin magazine, and is a founding member of the AVED (AntiVirus Emergency Discussion) network.


Read an Excerpt

Preface

Who Should Read This Book

Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals. There are only a few works that have no worries going into the technical details, necessary to understand, to effectively defend against computer viruses.

Part of the problem is that existing books have little—if any—information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.

I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.

I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.

For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives—the file (storage), in-memory, and network views—and correlate the events using malicious code analysis techniques.

During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and demonstrate up-to-date attacks with just enough technical details.

I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field!

That is what this book is all about.

What I Cover

The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection. I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades and tell you what has been done to deal with complexities such as code polymorphism and exploits.

The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience.

I expect my readers to be familiar with technology and some level of programming. There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information.

Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would have no benefit of my work if this were the other way around.

What I Do Not Cover

I do not cover Trojan horse programs or backdoors in great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.

I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense!

Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better? Simply, the answer is no...

Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them—and do something against them.

Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.

© Copyright Pearson Education. All rights reserved.


Table of Contents

About the Author.

Preface.

Acknowledgments.

I. STRATEGIES OF THE ATTACKER.

1. Introduction to the Games of Nature.

Early Models of Self-Replicating Structures

John von Neumann: Theory of Self-Reproducing Automata

Fredkin: Reproducing Structures

Conway: Game of Life

Core War: The Fighting Programs

Genesis of Computer Viruses

Automated Replicating Code: The Theory and Definition of Computer Viruses

References

2. The Fascination of Malicious Code Analysis.

Common Patterns of Virus Research

Antivirus Defense Development

Terminology of Malicious Programs

Viruses

Worms

Logic Bombs

Trojan Horses

Germs

Exploits

Downloaders

Dialers

Droppers

Injectors

Auto-Rooters

Kits (Virus Generators)

Spammer Programs

Flooders

Keyloggers

Rootkits

Other Categories

Joke Programs

Hoaxes: Chain Letters

Other Pests: Adware and Spyware

Computer Malware Naming Scheme

<family_name>

<malware_type>://

<platform>/

.<group_name>

<infective_length>

<variant>

[<devolution>]

<modifiers>

:<locale_specifier>

#<packer>

@m or @mm

!<vendor-specific_comment>

Annotated List of Officially Recognized Platform Names

References

3. Malicious Code Environments.

Computer Architecture Dependency

CPU Dependency

Operating System Dependency

Operating System Version Dependency

File System Dependency

Cluster Viruses

NTFS Stream Viruses

NTFS Compression Viruses

ISO Image Infection

File Format Dependency

COM Viruses on DOS

EXE Viruses on DOS

NE (New Executable) Viruses on 16-bit Windows and OS/2

LX Viruses on OS/2

PE (Portable Executable) Viruses on 32-bit Windows

ELF (Executable and Linking Format) Viruses on UNIX

Device Driver Viruses

Object Code and LIB Viruses

Interpreted Environment Dependency

Macro Viruses in Microsoft Products

REXX Viruses on IBM Systems

DCL (DEC Command Language) Viruses on DEC/VMS

Shell Scripts on UNIX (csh, ksh, and bash)

VBScript (Visual Basic Script) Viruses on Windows Systems

BATCH Viruses

Instant Messaging Viruses in mIRC, PIRCH scripts

SuperLogo Viruses

JScript Viruses

Perl Viruses

WebTV Worms in JellyScript Embedded in HTML Mail

Python Viruses

VIM Viruses

EMACS Viruses

TCL Viruses

PHP Viruses

MapInfo Viruses

ABAP Viruses on SAP

Help File Viruses on Windows–When You Press F1…

JScript Threats in Adobe PDF

AppleScript Dependency

ANSI Dependency

Macromedia Flash ActionScript Threats

HyperTalk Script Threats

AutoLisp Script Viruses

Registry Dependency

PIF and LNK Dependency

Lotus Word Pro Macro Viruses

AmiPro Document Viruses

Corel Script Viruses

Lotus 1-2-3 Macro Dependency

Windows Installation Script Dependency

AUTORUN.INF and Windows INI File Dependency

HTML (Hypertext Markup Language) Dependency

Vulnerability Dependency

Date and Time Dependency

JIT Dependency: Microsoft .NET Viruses

Archive Format Dependency

File Format Dependency Based on Extension

Network Protocol Dependency

Source Code Dependency

Source Code Trojans

Resource Dependency on Mac and Palm Platforms

Host Size Dependency

Debugger Dependency

Intended Threats that Rely on a Debugger

Compiler and Linker Dependency

Device Translator Layer Dependency

Embedded Object Insertion Dependency

Self-Contained Environment Dependency

Multipartite Viruses

Conclusion

References

4. Classification of Infection Strategies.

Boot Viruses

Master Boot Record (MBR) Infection Techniques

DOS Boot Record (DBR) Infection Techniques

Boot Viruses That Work While Windows 95 Is Active

Possible Boot Image Attacks in Network Environments

File Infection Techniques

Overwriting Viruses

Random Overwriting Viruses

Appending Viruses

Prepending Viruses

Classic Parasitic Viruses

Cavity Viruses

Fractionated Cavity Viruses

Compressing Viruses

Amoeba Infection Technique

Embedded Decryptor Technique

Embedded Decryptor and Virus Body Technique

Obfuscated Tricky Jump Technique

Entry-Point Obscuring (EPO) Viruses

Possible Future Infection Techniques: Code Builders

An In-Depth Look at Win32 Viruses

The Win32 API and Platforms That Support It

Infection Techniques on 32-Bit Windows

Win32 and Win64 Viruses: Designed for Microsoft Windows?

Conclusion

References

5. Classification of In-Memory Strategies.

Direct-Action Viruses

Memory-Resident Viruses

Interrupt Handling and Hooking

Hook Routines on INT 13h (Boot Viruses)

Hook Routines on INT 21h (File Viruses)

Common Memory Installation Techniques Under DOS

Stealth Viruses

Disk Cache and System Buffer Infection

Temporary Memory-Resident Viruses

Swapping Viruses

Viruses in Processes (in User Mode)

Viruses in Kernel Mode (Windows 9x/Me)

Viruses in Kernel Mode (Windows NT/2000/XP)

In-Memory Injectors over Networks

References

6. Basic Self-Protection Strategies.

Tunneling Viruses

Memory Scanning for Original Handler

Tracing with Debug Interfaces

Code Emulation-Based Tunneling

Accessing the Disk Using Port I/O

Using Undocumented Functions

Armored Viruses

Antidisassembly

Encrypted Data

Code Confusion to Avoid Analysis

Opcode Mixing-Based Code Confusion

Using Checksum

Compressed, Obfuscated Code

Antidebugging

Antiheuristics

Antiemulation Techniques

Antigoat Viruses

Aggressive Retroviruses

References

7. Advanced Code Evolution Techniques and Computer Virus Generator Kits.

Introduction

Evolution of Code

Encrypted Viruses

Oligomorphic Viruses

Polymorphic Viruses

The 1260 Virus

The Dark Avenger Mutation Engine (MtE)

32-Bit Polymorphic Viruses

Metamorphic Viruses

What Is a Metamorphic Virus?

Simple Metamorphic Viruses

More Complex Metamorphic Viruses and Permutation Techniques

Mutating Other Applications: The Ultimate Virus Generator?

Advanced Metamorphic Viruses: Zmist

{W32, Linux}/Simile: A Metamorphic Engine Across Systems

The Dark Future–MSIL Metamorphic Viruses

Virus Construction Kits

VCS (Virus Construction Set)

GenVir

VCL (Virus Creation Laboratory)

PS-MPC (Phalcon-Skism Mass-Produced Code Generator)

NGVCK (Next Generation Virus Creation Kit)

Other Kits and Mutators

How to Test a Virus Construction Tool?

References

8. Classification According to Payload.

No-Payload

Accidentally Destructive Payload

Nondestructive Payload

Somewhat Destructive Payload

Highly Destructive Payload

Viruses That Overwrite Data

Data Diddlers

Viruses That Encrypt Data: The “Good,” the Bad, and the Ugly

Hardware Destroyers

DoS (Denial of Service) Attacks

Data Stealers: Making Money with Viruses

Phishing Attacks

Backdoor Features

Conclusion

References

9. Strategies of Computer Worms.

Introduction

The Generic Structure of Computer Worms

Target Locator

Infection Propagator

Remote Control and Update Interface

Life-Cycle Manager

Payload

Self-Tracking

Target Locator

E-Mail Address Harvesting

Network Share Enumeration Attacks

Network Scanning and Target Fingerprinting

Infection Propagators

Attacking Backdoor-Compromised Systems

Peer-to-Peer Network Attacks

Instant Messaging Attacks

E-Mail Worm Attacks and Deception Techniques

E-Mail Attachment Inserters

SMTP Proxy-Based Attacks

SMTP Attacks

SMTP Propagation on Steroids Using MX Queries

NNTP (Network News Transfer Protocol) Attacks

Common Worm Code Transfer and Execution Techniques

Executable Code-Based Attacks

Links to Web Sites or Web Proxies

HTML-Based Mail

Remote Login-Based Attacks

Code Injection Attacks

Shell Code-Based Attacks

Update Strategies of Computer Worms

Authenticated Updates on the Web or Newsgroups

Backdoor-Based Updates

Remote Control via Signaling

Peer-to-Peer Network Control

Intentional and Accidental Interactions

Cooperation

Competition

The Future: A Simple Worm Communication Protocol?

Wireless Mobile Worms

References

10. Exploits, Vulnerabilities, and Buffer Overflow Attacks.

Introduction

Definition of Blended Attack

The Threat

Background

Types of Vulnerabilities

Buffer Overflows

First-Generation Attacks

Second-Generation Attacks

Third-Generation Attacks

Current and Previous Threats

The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode)

Linux/ADM, 1998 (“Copycatting” the Morris Worm)

The CodeRed Outbreak, 2001 (The Code Injection Attack)

Linux/Slapper Worm, 2002 (A Heap Overflow Example)

W32/Slammer Worm, January 2003 (The Mini Worm)

Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)

Generic Buffer Overflow Usage in Computer Viruses

Description of W32/Badtrans.B@mm

Exploits in W32/Nimda.A@mm

Description of W32/Bolzano

Description of VBS/Bubbleboy

Description of W32/Blebla

Summary

References

II. STRATEGIES OF THE DEFENDER.

11. Antivirus Defense Techniques.

First-Generation Scanners

String Scanning

Wildcards

Mismatches

Generic Detection

Hashing

Bookmarks

Top-and-Tail Scanning

Entry-Point and Fixed-Point Scanning

Hyperfast Disk Access

Second-Generation Scanners

Smart Scanning

Skeleton Detection

Nearly Exact Identification

Exact Identification

Algorithmic Scanning Methods

Filtering

Static Decryptor Detection

The X-RAY Method

Code Emulation

Encrypted and Polymorphic Virus Detection Using Emulation

Dynamic Decryptor Detection

Metamorphic Virus Detection Examples

Geometric Detection

Disassembling Techniques

Using Emulators for Tracing

Heuristic Analysis of 32-Bit Windows Viruses

Code Execution Starts in the Last Section

Suspicious Section Characteristics

Virtual Size Is Incorrect in PE Header

Possible “Gap” Between Sections

Suspicious Code Redirection

Suspicious Code Section Name

Possible Header Infection

Suspicious Imports from KERNEL32.DLL by Ordinal

Import Address Table Is Patched

Multiple PE Headers

Multiple Windows Headers and Suspicious KERNEL32.DLL Imports

Suspicious Relocations

Kernel Look-Up

Kernel Inconsistency

Loading a Section into the VMM Address Space

Incorrect Size of Code in Header

Examples of Suspicious Flag Combinations

Heuristic Analysis Using Neural Networks

Regular and Generic Disinfection Methods

Standard Disinfection

Generic Decryptors

How Does a Generic Disinfector Work?

How Can the Disinfector Be Sure That the File Is Infected?

Where Is the Original End of the Host File?

How Many Virus Types Can We Handle This Way?

Examples of Heuristics for Generic Repair

Generic Disinfection Examples

Inoculation

Access Control Systems

Integrity Checking

False Positives

Clean Initial State

Speed

Special Objects

Necessity of Changed Objects

Possible Solutions

Behavior Blocking

Sand-Boxing

Conclusion

References

12. Memory Scanning and Disinfection.

Introduction

The Windows NT Virtual Memory System

Virtual Address Spaces

Memory Scanning in User Mode

The Secrets of NtQuerySystemInformation()

Common Processes and Special System Rights

Viruses in the Win32 Subsystem

Win32 Viruses That Allocate Private Pages

Native Windows NT Service Viruses

Win32 Viruses That Use a Hidden Window Procedure

Win32 Viruses That Are Part of the Executed Image Itself

Memory Scanning and Paging

Enumerating Processes and Scanning File Images

Memory Disinfection

Terminating a Particular Process That Contains Virus Code

Detecting and Terminating Virus Threads

Patching the Virus Code in the Active Pages

How to Disinfect Loaded DLLs and Running Applications

Memory Scanning in Kernel Mode

Scanning the User Address Space of Processes

Determining NT Service API Entry Points

Important NT Functions for Kernel-Mode Memory Scanning

Process Context

Scanning the Upper 2GB of Address Space

How Can You Deactivate a Filter Driver Virus?

Dealing with Read-Only Kernel Memory

Kernel-Mode Memory Scanning on 64-Bit Platforms

Possible Attacks Against Memory Scanning

Conclusion and Future Work

References

13. Worm-Blocking Techniques and Host-Based Intrusion Prevention.

Introduction

Script Blocking and SMTP Worm Blocking

New Attacks to Block: CodeRed, Slammer

Techniques to Block Buffer Overflow Attacks

Code Reviews

Compiler-Level Solutions

Operating System-Level Solutions and Run-Time Extensions

Subsystem Extensions–Libsafe

Kernel Mode Extensions

Program Shepherding

Worm-Blocking Techniques

Injected Code Detection

Send Blocking: An Example of Blocking Self-Sending Code

Exception Handler Validation

Other Return-to-LIBC Attack Mitigation Techniques

“GOT” and “IAT” Page Attributes

High Number of Connections and Connection Errors

Possible Future Worm Attacks

A Possible Increase of Retroworms

“Slow” Worms Below the Radar

Polymorphic and Metamorphic Worms

Largescale Damage

Automated Exploit Discovery–Learning from the Environment

Conclusion

References

14. Network-Level Defense Strategies.

Introduction

Using Router Access Lists

Firewall Protection

Network-Intrusion Detection Systems

Honeypot Systems

Counterattacks

Early Warning Systems

Worm Behavior Patterns on the Network

Capturing the Blaster Worm

Capturing the Linux/Slapper Worm

Capturing the W32/Sasser.D Worm

Capturing the Ping Requests of the W32/Welchia Worm

Detecting W32/Slammer and Related Exploits

Conclusion

References

15. Malicious Code Analysis Techniques.

Your Personal Virus Analysis Laboratory

How to Get the Software?

Information, Information, Information

Architecture Guides

Knowledge Base

Dedicated Virus Analysis on VMWARE

The Process of Computer Virus Analysis

Preparation

Unpacking

Disassembling and Decryption

Dynamic Analysis Techniques

Maintaining a Malicious Code Collection

Automated Analysis: The Digital Immune System

References

16. Conclusion.

Further Reading

Information on Security and Early Warnings

Security Updates

Computer Worm Outbreak Statistics

Computer Virus Research Papers

Contact Information for Antivirus Vendors

Antivirus Testers and Related Sites

Index.


Preface

Preface

Who Should Read This Book

Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals. There are only a few works that have no worries going into the technical details, necessary to understand, to effectively defend against computer viruses.

Part of the problem is that existing books have little—if any—information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.

I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.

I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.

For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives—the file (storage), in-memory, and network views—and correlate the events using malicious code analysis techniques.

During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and demonstrate up-to-date attacks with just enough technical details.

I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field!

That is what this book is all about.

What I Cover

The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection. I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades and tell you what has been done to deal with complexities such as code polymorphism and exploits.

The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience.

I expect my readers to be familiar with technology and some level of programming. There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information.

Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would have no benefit of my work if this were the other way around.

What I Do Not Cover

I do not cover Trojan horse programs or backdoors in great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.

I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense!

Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better? Simply, the answer is no...

Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them—and do something against them.

Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.

© Copyright Pearson Education. All rights reserved.

Customer Reviews

  • Anonymous

    Posted July 11, 2005

    definitive text

    Szor's book appears to be the current definitive text on antivirus methods. The breadth of coverage of methods is good. So too is the level of detail. The book makes you appreciate how hard the task is of finding these darned viruses. In general, you are trying to discern malware intent in an arbitrary file, where this file is often binary. But, as Szor is careful to explain, there can certainly be source code viruses as well. These could be in PostScript, PDF or scripting files. He also points out that the Microsoft Office data files are really binary programs that run under the Microsoft Office applications. The book shows the considerable level of ingenuity on both sides of this struggle, as in how antivirus companies like Symantec often run a suspected virus in an emulator, stepping through the code. But in response, some viruses try to detect if they are being run inside an emulator. How they do this is very crafty and simple. It is examples of tactics like this that give the book its worth.