The Art of Computer Virus Research and Defense

by Peter Szor

ISBN-10: 0321304543

ISBN-13: 9780321304544

Pub. Date: 02/17/2005

Publisher: Addison-Wesley

"Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book."

—Halvar Flake, Reverse Engineer, SABRE Security GmbH

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published—addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes

  • Discovering how malicious code attacks on a variety of platforms

  • Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more

  • Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic

  • Mastering empirical methods for analyzing malicious code—and what to do with what you learn

  • Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines

  • Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more

  • Using worm blocking, host-based intrusion prevention, and network-level defense strategies

Product Details

Series: Symantec Press Series
Product dimensions: 7.00(w) x 8.90(h) x 1.50(d)

Table of Contents

About the Author.

1. Introduction to the Games of Nature.

Early Models of Self-Replicating Structures

John von Neumann: Theory of Self-Reproducing Automata

Fredkin: Reproducing Structures

Conway: Game of Life

Core War: The Fighting Programs

Genesis of Computer Viruses

Automated Replicating Code: The Theory and Definition of Computer Viruses

2. The Fascination of Malicious Code Analysis.

Common Patterns of Virus Research

Antivirus Defense Development

Terminology of Malicious Programs

Logic Bombs

Trojan Horses

Kits (Virus Generators)

Spammer Programs

Other Categories

Joke Programs

Hoaxes: Chain Letters

Other Pests: Adware and Spyware

Computer Malware Naming Scheme

@m or @mm

Annotated List of Officially Recognized Platform Names

3. Malicious Code Environments.

Computer Architecture Dependency

CPU Dependency

Operating System Dependency

Operating System Version Dependency

File System Dependency

Cluster Viruses

NTFS Stream Viruses

NTFS Compression Viruses

ISO Image Infection

File Format Dependency

COM Viruses on DOS

EXE Viruses on DOS

NE (New Executable) Viruses on 16-bit Windows and OS/2

LX Viruses on OS/2

PE (Portable Executable) Viruses on 32-bit Windows

ELF (Executable and Linking Format) Viruses on UNIX

Device Driver Viruses

Object Code and LIB Viruses

Interpreted Environment Dependency

Macro Viruses in Microsoft Products

REXX Viruses on IBM Systems

DCL (DEC Command Language) Viruses on DEC/VMS

Shell Scripts on UNIX (csh, ksh, and bash)

VBScript (Visual Basic Script) Viruses on Windows Systems

BATCH Viruses

Instant Messaging Viruses in mIRC, PIRCH scripts

SuperLogo Viruses

JScript Viruses

Perl Viruses

WebTV Worms in JellyScript Embedded in HTML Mail

Python Viruses

VIM Viruses

EMACS Viruses

TCL Viruses

PHP Viruses

MapInfo Viruses

ABAP Viruses on SAP

Help File Viruses on Windows–When You Press F1…

JScript Threats in Adobe PDF

AppleScript Dependency

ANSI Dependency

Macromedia Flash ActionScript Threats

HyperTalk Script Threats

AutoLisp Script Viruses

Registry Dependency

PIF and LNK Dependency

Lotus Word Pro Macro Viruses

AmiPro Document Viruses

Corel Script Viruses

Lotus 1-2-3 Macro Dependency

Windows Installation Script Dependency

AUTORUN.INF and Windows INI File Dependency

HTML (Hypertext Markup Language) Dependency

Vulnerability Dependency

Date and Time Dependency

JIT Dependency: Microsoft .NET Viruses

Archive Format Dependency

File Format Dependency Based on Extension

Network Protocol Dependency

Source Code Dependency

Source Code Trojans

Resource Dependency on Mac and Palm Platforms

Host Size Dependency

Debugger Dependency

Intended Threats that Rely on a Debugger

Compiler and Linker Dependency

Device Translator Layer Dependency

Embedded Object Insertion Dependency

Self-Contained Environment Dependency

Multipartite Viruses

4. Classification of Infection Strategies.

Boot Viruses

Master Boot Record (MBR) Infection Techniques

DOS Boot Record (DBR) Infection Techniques

Boot Viruses That Work While Windows 95 Is Active

Possible Boot Image Attacks in Network Environments

File Infection Techniques

Overwriting Viruses

Random Overwriting Viruses

Appending Viruses

Prepending Viruses

Classic Parasitic Viruses

Cavity Viruses

Fractionated Cavity Viruses

Compressing Viruses

Amoeba Infection Technique

Embedded Decryptor Technique

Embedded Decryptor and Virus Body Technique

Obfuscated Tricky Jump Technique

Entry-Point Obscuring (EPO) Viruses

Possible Future Infection Techniques: Code Builders

An In-Depth Look at Win32 Viruses

The Win32 API and Platforms That Support It

Infection Techniques on 32-Bit Windows

Win32 and Win64 Viruses: Designed for Microsoft Windows?

5. Classification of In-Memory Strategies.

Direct-Action Viruses

Memory-Resident Viruses

Interrupt Handling and Hooking

Hook Routines on INT 13h (Boot Viruses)

Hook Routines on INT 21h (File Viruses)

Common Memory Installation Techniques Under DOS

Stealth Viruses

Disk Cache and System Buffer Infection

Temporary Memory-Resident Viruses

Swapping Viruses

Viruses in Processes (in User Mode)

Viruses in Kernel Mode (Windows 9x/Me)

Viruses in Kernel Mode (Windows NT/2000/XP)

In-Memory Injectors over Networks

6. Basic Self-Protection Strategies.

Tunneling Viruses

Memory Scanning for Original Handler

Tracing with Debug Interfaces

Code Emulation-Based Tunneling

Accessing the Disk Using Port I/O

Using Undocumented Functions

Armored Viruses

Encrypted Data

Code Confusion to Avoid Analysis

Opcode Mixing-Based Code Confusion

Using Checksum

Compressed, Obfuscated Code

Antiemulation Techniques

Antigoat Viruses

Aggressive Retroviruses

7. Advanced Code Evolution Techniques and Computer Virus Generator Kits.

Evolution of Code

Encrypted Viruses

Oligomorphic Viruses

Polymorphic Viruses

The 1260 Virus

The Dark Avenger Mutation Engine (MtE)

32-Bit Polymorphic Viruses

Metamorphic Viruses

What Is a Metamorphic Virus?

Simple Metamorphic Viruses

More Complex Metamorphic Viruses and Permutation Techniques

Mutating Other Applications: The Ultimate Virus Generator?

Advanced Metamorphic Viruses: Zmist

{W32, Linux}/Simile: A Metamorphic Engine Across Systems

The Dark Future–MSIL Metamorphic Viruses

Virus Construction Kits

VCS (Virus Construction Set)

VCL (Virus Creation Laboratory)

PS-MPC (Phalcon-Skism Mass-Produced Code Generator)

NGVCK (Next Generation Virus Creation Kit)

Other Kits and Mutators

How to Test a Virus Construction Tool?

8. Classification According to Payload.

Accidentally Destructive Payload

Nondestructive Payload

Somewhat Destructive Payload

Highly Destructive Payload

Viruses That Overwrite Data

Data Diddlers

Viruses That Encrypt Data: The “Good,” the Bad, and the Ugly

Hardware Destroyers

DoS (Denial of Service) Attacks

Data Stealers: Making Money with Viruses

Phishing Attacks

Backdoor Features

9. Strategies of Computer Worms.

The Generic Structure of Computer Worms

Target Locator

Infection Propagator

Remote Control and Update Interface

Life-Cycle Manager

Target Locator

E-Mail Address Harvesting

Network Share Enumeration Attacks

Network Scanning and Target Fingerprinting

Infection Propagators

Attacking Backdoor-Compromised Systems

Peer-to-Peer Network Attacks

Instant Messaging Attacks

E-Mail Worm Attacks and Deception Techniques

E-Mail Attachment Inserters

SMTP Proxy-Based Attacks

SMTP Attacks

SMTP Propagation on Steroids Using MX Queries

NNTP (Network News Transfer Protocol) Attacks

Common Worm Code Transfer and Execution Techniques

Executable Code-Based Attacks

Links to Web Sites or Web Proxies

HTML-Based Mail

Remote Login-Based Attacks

Code Injection Attacks

Shell Code-Based Attacks

Update Strategies of Computer Worms

Authenticated Updates on the Web or Newsgroups

Backdoor-Based Updates

Remote Control via Signaling

Peer-to-Peer Network Control

Intentional and Accidental Interactions

The Future: A Simple Worm Communication Protocol?

Wireless Mobile Worms

10. Exploits, Vulnerabilities, and Buffer Overflow Attacks.

Definition of Blended Attack

The Threat

Types of Vulnerabilities

Buffer Overflows

First-Generation Attacks

Second-Generation Attacks

Third-Generation Attacks

Current and Previous Threats

The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode)

Linux/ADM, 1998 (“Copycatting” the Morris Worm)

The CodeRed Outbreak, 2001 (The Code Injection Attack)

Linux/Slapper Worm, 2002 (A Heap Overflow Example)

W32/Slammer Worm, January 2003 (The Mini Worm)

Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)

Generic Buffer Overflow Usage in Computer Viruses

Description of W32/Badtrans.B@mm

Exploits in W32/Nimda.A@mm

Description of W32/Bolzano

Description of VBS/Bubbleboy

Description of W32/Blebla

11. Antivirus Defense Techniques.

First-Generation Scanners

String Scanning

Generic Detection

Top-and-Tail Scanning

Entry-Point and Fixed-Point Scanning

Hyperfast Disk Access

Second-Generation Scanners

Smart Scanning

Skeleton Detection

Nearly Exact Identification

Exact Identification

Algorithmic Scanning Methods

Static Decryptor Detection

The X-RAY Method

Code Emulation

Encrypted and Polymorphic Virus Detection Using Emulation

Dynamic Decryptor Detection

Metamorphic Virus Detection Examples

Geometric Detection

Disassembling Techniques

Using Emulators for Tracing

Heuristic Analysis of 32-Bit Windows Viruses

Code Execution Starts in the Last Section

Suspicious Section Characteristics

Virtual Size Is Incorrect in PE Header

Possible “Gap” Between Sections

Suspicious Code Redirection

Suspicious Code Section Name

Possible Header Infection

Suspicious Imports from KERNEL32.DLL by Ordinal

Import Address Table Is Patched

Multiple PE Headers

Multiple Windows Headers and Suspicious KERNEL32.DLL Imports

Suspicious Relocations

Kernel Look-Up

Kernel Inconsistency

Loading a Section into the VMM Address Space

Incorrect Size of Code in Header

Examples of Suspicious Flag Combinations

Heuristic Analysis Using Neural Networks

Regular and Generic Disinfection Methods

Standard Disinfection

Generic Decryptors

How Does a Generic Disinfector Work?

How Can the Disinfector Be Sure That the File Is Infected?

Where Is the Original End of the Host File?

How Many Virus Types Can We Handle This Way?

Examples of Heuristics for Generic Repair

Generic Disinfection Examples

Access Control Systems

Integrity Checking

False Positives

Clean Initial State

Special Objects

Necessity of Changed Objects

Possible Solutions

Behavior Blocking

12. Memory Scanning and Disinfection.

The Windows NT Virtual Memory System

Virtual Address Spaces

Memory Scanning in User Mode

The Secrets of NtQuerySystemInformation()

Common Processes and Special System Rights

Viruses in the Win32 Subsystem

Win32 Viruses That Allocate Private Pages

Native Windows NT Service Viruses

Win32 Viruses That Use a Hidden Window Procedure

Win32 Viruses That Are Part of the Executed Image Itself

Memory Scanning and Paging

Enumerating Processes and Scanning File Images

Memory Disinfection

Terminating a Particular Process That Contains Virus Code

Detecting and Terminating Virus Threads

Patching the Virus Code in the Active Pages

How to Disinfect Loaded DLLs and Running Applications

Memory Scanning in Kernel Mode

Scanning the User Address Space of Processes

Determining NT Service API Entry Points

Important NT Functions for Kernel-Mode Memory Scanning

Process Context

Scanning the Upper 2GB of Address Space

How Can You Deactivate a Filter Driver Virus?

Dealing with Read-Only Kernel Memory

Kernel-Mode Memory Scanning on 64-Bit Platforms

Possible Attacks Against Memory Scanning

Conclusion and Future Work

13. Worm-Blocking Techniques and Host-Based Intrusion Prevention.

Script Blocking and SMTP Worm Blocking

New Attacks to Block: CodeRed, Slammer

Techniques to Block Buffer Overflow Attacks

Code Reviews

Compiler-Level Solutions

Operating System-Level Solutions and Run-Time Extensions

Subsystem Extensions–Libsafe

Kernel Mode Extensions

Program Shepherding

Worm-Blocking Techniques

Injected Code Detection

Send Blocking: An Example of Blocking Self-Sending Code

Exception Handler Validation

Other Return-to-LIBC Attack Mitigation Techniques

“GOT” and “IAT” Page Attributes

High Number of Connections and Connection Errors

Possible Future Worm Attacks

A Possible Increase of Retroworms

“Slow” Worms Below the Radar

Polymorphic and Metamorphic Worms

Large-Scale Damage

Automated Exploit Discovery–Learning from the Environment

14. Network-Level Defense Strategies.

Using Router Access Lists

Firewall Protection

Network-Intrusion Detection Systems

Honeypot Systems

Early Warning Systems

Worm Behavior Patterns on the Network

Capturing the Blaster Worm

Capturing the Linux/Slapper Worm

Capturing the W32/Sasser.D Worm

Capturing the Ping Requests of the W32/Welchia Worm

Detecting W32/Slammer and Related Exploits

15. Malicious Code Analysis Techniques.

Your Personal Virus Analysis Laboratory

How to Get the Software?

Information, Information, Information

Architecture Guides

Knowledge Base

Dedicated Virus Analysis on VMware

The Process of Computer Virus Analysis

Disassembling and Decryption

Dynamic Analysis Techniques

Maintaining a Malicious Code Collection

Automated Analysis: The Digital Immune System

16. Conclusion.

Further Reading

Information on Security and Early Warnings

Security Updates

Computer Worm Outbreak Statistics

Computer Virus Research Papers

Contact Information for Antivirus Vendors

Antivirus Testers and Related Sites

Customer Reviews

Reviewer: Guest, more than 1 year ago
Szor's book appears to be the current definitive text on antivirus methods. The breadth of coverage of methods is good. So too is the level of detail. The book makes you appreciate how hard the task is of finding these darned viruses. In general, you are trying to discern malware intent in an arbitrary file, where this file is often binary. But, as Szor is careful to explain, there can certainly be source code viruses as well. These could be in PostScript, PDF or scripting files. He also points out that the Microsoft Office data files are really binary programs that run under the Microsoft Office applications. The book shows the considerable level of ingenuity on both sides of this struggle, as in how antivirus companies like Symantec often run a suspected virus in an emulator, stepping through the code. But in response, some viruses try to detect if they are being run inside an emulator. How they do this is very crafty and simple. It is examples of tactics like this that give the book its worth.