The Art of Computer Virus Research and Defense
February 2005
Publisher:
  • Addison-Wesley Professional
ISBN:978-0-321-30454-4
Published:01 February 2005
Abstract

"Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book." - Halvar Flake, Reverse Engineer, SABRE Security GmbH

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state of the art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process.

This book's coverage includes:
  • Discovering how malicious code attacks a variety of platforms
  • Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
  • Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
  • Mastering empirical methods for analyzing malicious code, and what to do with what you learn
  • Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
  • Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
  • Using worm blocking, host-based intrusion prevention, and network-level defense strategies

© Copyright Pearson Education. All rights reserved.

Cited By

  1. Brezinski K, Ferens K and Rantos K (2023). Metamorphic Malware and Obfuscation, Security and Communication Networks, 2023, Online publication date: 1-Jan-2023.
  2. Lucas K, Pai S, Lin W, Bauer L, Reiter M and Sharif M Adversarial training for raw-binary malware classifiers Proceedings of the 32nd USENIX Conference on Security Symposium, (1163-1180)
  3. Lyvas C, Ntantogian C and Xenakis C (2022). [m]allotROPism: a metamorphic engine for malicious software variation development, International Journal of Information Security, 21:1, (61-78), Online publication date: 1-Feb-2022.
  4. Pramanick K and Kulkarni P Detect Compiler Inserted Run-time Security Checks in Binary Software Information Security Practice and Experience, (268-286)
  5. Rrushi J (2021). DNIC Architectural Developments for 0-Knowledge Detection of OPC Malware, IEEE Transactions on Dependable and Secure Computing, 18:1, (30-44), Online publication date: 1-Jan-2021.
  6. Huang D, Yang L, Yang X, Zhong X, Tang Y and Stamovlasis D (2020). Evaluating the Performance of a Static Patching Strategy against Computer Viruses, Complexity, 2020, Online publication date: 1-Jan-2020.
  7. Holt T, van Wilsem J, van de Weijer S and Leukfeldt R (2020). Testing an Integrated Self-Control and Routine Activities Framework to Examine Malware Infection Victimization, Social Science Computer Review, 38:2, (187-206), Online publication date: 1-Apr-2020.
  8. Zhang X, Song X and Zhu Q (2020). Stability Analysis of a Dynamical Model for Malware Propagation with Generic Nonlinear Countermeasure and Infection Probabilities, Security and Communication Networks, 2020, Online publication date: 1-Jan-2020.
  9. Ben Yehuda R and Zaidenberg N (2019). Protection against reverse engineering in ARM, International Journal of Information Security, 19:1, (39-51), Online publication date: 1-Feb-2020.
  10. Bergenholtz E, Casalicchio E, Ilie D and Moss A Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks Information and Communications Security, (36-53)
  11. Fernandes G, Rodrigues J, Carvalho L, Al-Muhtadi J and Proença M (2019). A comprehensive survey on network anomaly detection, Telecommunications Systems, 70:3, (447-489), Online publication date: 1-Mar-2019.
  12. Huang K, Li P, Yang L, Yang X, Tang Y and Namin A (2019). Seeking Best-Balanced Patch-Injecting Strategies through Optimal Control Approach, Security and Communication Networks, 2019, Online publication date: 1-Jan-2019.
  13. Han L, Liu S, Han S, Jia W and Lei J (2018). Owner based malware discrimination, Future Generation Computer Systems, 80:C, (496-504), Online publication date: 1-Mar-2018.
  14. Biondi F, Given-Wilson T, Legay A, Puodzius C and Quilbeuf J Tutorial: An Overview of Malware Detection and Evasion Techniques Leveraging Applications of Formal Methods, Verification and Validation. Modeling, (565-586)
  15. Wressnegger C, Freeman K, Yamaguchi F and Rieck K Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, (587-598)
  16. Ding J, Chen Z, Zhao Y, Su H, Guo Y and Sun E MGeT Proceedings of the 2017 International Conference on Cryptography, Security and Privacy, (96-101)
  17. Abbink J and Doerr C Popularity-based Detection of Domain Generation Algorithms Proceedings of the 12th International Conference on Availability, Reliability and Security, (1-8)
  18. Fellouris G and Tartakovsky A (2017). Multichannel Sequential Detection—Part I: Non-i.i.d. Data, IEEE Transactions on Information Theory, 63:7, (4551-4571), Online publication date: 1-Jul-2017.
  19. Rudd E, Rozsa A, Günther M and Boult T (2017). A Survey of Stealth Malware Attacks, Mitigation Measures, and Steps Toward Autonomous Open World Solutions, IEEE Communications Surveys & Tutorials, 19:2, (1145-1172), Online publication date: 1-Apr-2017.
  20. Bat-Erdene M, Park H, Li H, Lee H and Choi M (2017). Entropy analysis to classify unknown packing algorithms for malware detection, International Journal of Information Security, 16:3, (227-248), Online publication date: 1-Jun-2017.
  21. Rrushi J (2016). NIC displays to thwart malware attacks mounted from within the OS, Computers and Security, 61:C, (59-71), Online publication date: 1-Aug-2016.
  22. Carrara B and Adams C A Survey and Taxonomy Aimed at the Detection and Measurement of Covert Channels Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security, (115-126)
  23. Fioravanti M, Bishop M and Ford R I'm not sure if we're okay Proceedings of the 2016 New Security Paradigms Workshop, (1-10)
  24. Sahay S and Sharma A (2016). Grouping the Executables to Detect Malwares with High Accuracy, Procedia Computer Science, 78:C, (667-674), Online publication date: 1-Mar-2016.
  25. Blazy S, Laporte V and Pichardie D (2016). Verified Abstract Interpretation Techniques for Disassembling Low-level Self-modifying Code, Journal of Automated Reasoning, 56:3, (283-308), Online publication date: 1-Mar-2016.
  26. Alam S, Horspool R, Traore I and Sogukpinar I (2015). A framework for metamorphic malware analysis and real-time detection, Computers and Security, 48:C, (212-233), Online publication date: 1-Feb-2015.
  27. Ming J, Xu D, Wang L and Wu D LOOP Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (757-768)
  28. Fattori A, Lanzi A, Balzarotti D and Kirda E (2015). Hypervisor-based malware protection with AccessMiner, Computers and Security, 52:C, (33-50), Online publication date: 1-Jul-2015.
  29. Eskandari M and Raesi H (2014). Frequent sub-graph mining for intelligent malware detection, Security and Communication Networks, 7:11, (1872-1886), Online publication date: 1-Nov-2014.
  30. Preda M, Mastroeni I and Giacobazzi R Analyzing program dependencies for malware detection Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014, (1-7)
  31. Wüchner T, Ochoa M and Pretschner A Malware detection with quantitative data flow graphs Proceedings of the 9th ACM symposium on Information, computer and communications security, (271-282)
  32. Guri M, Kedma G, Carmeli B and Elovici Y Limiting access to unintentionally leaked sensitive documents using malware signatures Proceedings of the 19th ACM symposium on Access control models and technologies, (129-140)
  33. Jiang J, Li C, Yang C and Su C POSTER Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, (1436-1438)
  34. Aycock J, Somayaji A and Sullins J The ethics of coexistence Proceedings of the IEEE 2014 International Symposium on Ethics in Engineering, Science, and Technology, (1-4)
  35. Hou Y, Zhuge J, Xin D and Feng W SBE - A Precise Shellcode Detection Engine Based on Emulation and Support Vector Machine Proceedings of the 10th International Conference on Information Security Practice and Experience - Volume 8434, (159-171)
  36. Schreuders Z, McGill T and Payne C (2013). The state of the art of application restrictions and sandboxes, Computers and Security, 32:C, (219-241), Online publication date: 1-Feb-2013.
  37. Yu L and Brooks R Applying POMDP to moving target optimization Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop, (1-4)
  38. Alam S, Horspool R and Traore I MAIL: Malware Analysis Intermediate Language Proceedings of the 6th International Conference on Security of Information and Networks, (233-240)
  39. Niu X, Li Q, Wang W and Weng X Binary program statistical features hiding through huffman obfuscated coding Proceedings of the 9th international conference on Intelligent Computing Theories, (275-284)
  40. Egele M, Scholte T, Kirda E and Kruegel C (2008). A survey on automated dynamic malware-analysis techniques and tools, ACM Computing Surveys, 44:2, (1-42), Online publication date: 1-Feb-2012.
  41. Ghosh S, Hiser J and Davidson J Replacement attacks against VM-protected applications Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments, (203-214)
  42. Sarma B, Li N, Gates C, Potharaju R, Nita-Rotaru C and Molloy I Android permissions Proceedings of the 17th ACM symposium on Access Control Models and Technologies, (13-22)
  43. Ghosh S, Hiser J and Davidson J (2012). Replacement attacks against VM-protected applications, ACM SIGPLAN Notices, 47:7, (203-214), Online publication date: 5-Sep-2012.
  44. Aycock J, de Castro D, Locasto M and Jarabek C Babel Proceedings of the 2012 ACM Workshop on Cloud computing security workshop, (43-54)
  45. McLaughlin S and McDaniel P SABOT Proceedings of the 2012 ACM conference on Computer and communications security, (439-449)
  46. Canzanese R, Kam M and Mancoridis S Inoculation against malware infection using kernel-level software sensors Proceedings of the 8th ACM international conference on Autonomic computing, (101-110)
  47. Kandissounon Y and Chouchane R A method for detecting machine-generated malware Proceedings of the 49th Annual Southeast Regional Conference, (332-333)
  48. Santos I, Ugarte-Pedrero X, Sanz B, Laorden C and Bringas P Collective classification for packed executable identification Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference, (23-30)
  49. Carter J An architecture for Concordia Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, (1-1)
  50. Jacob G, Hund R, Kruegel C and Holz T JACKSTRAWS Proceedings of the 20th USENIX conference on Security, (29-29)
  51. Al-Saleh M and Crandall J Application-level reconnaissance Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats, (9-9)
  52. Lu K, Zou D, Wen W and Gao D Packed, printable, and polymorphic return-oriented programming Proceedings of the 14th international conference on Recent Advances in Intrusion Detection, (101-120)
  53. Lanzi A, Balzarotti D, Kruegel C, Christodorescu M and Kirda E AccessMiner Proceedings of the 17th ACM conference on Computer and communications security, (399-412)
  54. Wu Z, Gianvecchio S, Xie M and Wang H Mimimorphism Proceedings of the 17th ACM conference on Computer and communications security, (536-546)
  55. Al-Saleh M and Crandall J On information flow for intrusion detection Proceedings of the 2010 New Security Paradigms Workshop, (17-32)
  56. Polychronakis M, Anagnostakis K and Markatos E Comprehensive shellcode detection using runtime heuristics Proceedings of the 26th Annual Computer Security Applications Conference, (287-296)
  57. Zhang Y, Yang L, Zhou Y and Kuang W (2010). Information security underlying transparent computing: Impacts, visions and challenges, Web Intelligence and Agent Systems, 8:2, (203-217), Online publication date: 1-Apr-2010.
  58. Rad B and Masrom M Metamorphic virus variants classification using opcode frequency histogram Proceedings of the 14th WSEAS international conference on Computers: part of the 14th WSEAS CSCC multiconference - Volume I, (147-155)
  59. Merkel R, Hoppe T, Kraetzer C and Dittmann J Statistical detection of malicious PE-Executables for fast offline analysis Proceedings of the 11th IFIP TC 6/TC 11 international conference on Communications and Multimedia Security, (93-105)
  60. Nekovee M and Saksena R (2010). Simulations of large-scale WiFi-based wireless networks, Future Generation Computer Systems, 26:3, (514-520), Online publication date: 1-Mar-2010.
  61. Preda M, Giacobazzi R, Debray S, Coogan K and Townsend G Modelling metamorphism by abstract interpretation Proceedings of the 17th international conference on Static analysis, (218-235)
  62. Morales J, Kartaltepe E, Xu S and Sandhu R Symptoms-based detection of bot processes Proceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security, (229-241)
  63. Kartaltepe E, Morales J, Xu S and Sandhu R Social network-based botnet command-and-control Proceedings of the 8th international conference on Applied cryptography and network security, (511-528)
  64. Aycock J and Sullins J Ethical proactive threat research Proceedings of the 14th international conference on Financial cryptograpy and data security, (231-239)
  65. Kamimura A, Matsumoto S, Ito N and Ohira T Chase and escape in groups Proceedings of the 9th international conference on Cellular automata for research and industry, (570-579)
  66. Xin Z, Chen H, Han H, Mao B and Xie L Misleading malware similarities analysis by automatic data structure obfuscation Proceedings of the 13th international conference on Information security, (181-195)
  67. Dai J, Guha R and Lee J Feature set selection in data mining techniques for unknown virus detection Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, (1-4)
  68. Crandall J, Ensafi R, Forrest S, Ladau J and Shebaro B The ecology of Malware Proceedings of the 2008 New Security Paradigms Workshop, (99-106)
  69. Sharif M, Lee W, Cui W and Lanzi A Secure in-VM monitoring using hardware virtualization Proceedings of the 16th ACM conference on Computer and communications security, (477-487)
  70. Pfoh J, Schneider C and Eckert C A formal model for virtual machine introspection Proceedings of the 1st ACM workshop on Virtual machine security, (1-10)
  71. Kim I, Kim D, Kim B, Choi Y, Yoon S, Oh J and Jang J A case study of unknown attack detection against zero-day worm in the honeynet environment Proceedings of the 11th international conference on Advanced Communication Technology - Volume 3, (1715-1720)
  72. Gupta A, Kuppili P, Akella A and Barford P An empirical study of malware evolution Proceedings of the First international conference on COMmunication Systems And NETworks, (356-365)
  73. Kolbitsch C, Comparetti P, Kruegel C, Kirda E, Zhou X and Wang X Effective and efficient malware detection at the end host Proceedings of the 18th conference on USENIX security symposium, (351-366)
  74. Lam I, Xiao W, Wang S and Chen K Counteracting Phishing Page Polymorphism Proceedings of the 3rd International Conference and Workshops on Advances in Information Security and Assurance, (270-279)
  75. Passerini E, Paleari R and Martignoni L How Good Are Malware Detectors at Remediating Infected Systems? Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, (21-37)
  76. Treadwell S and Zhou M A heuristic approach for detection of obfuscated malware Proceedings of the 2009 IEEE international conference on Intelligence and security informatics, (291-299)
  77. Wang Y, Ye Y, Chen H and Jiang Q An improved clustering validity index for determining the number of malware clusters Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication, (544-547)
  78. Di Crescenzo G, Jiang S and Safavi-Naini R Corruption-localizing hashing Proceedings of the 14th European conference on Research in computer security, (489-504)
  79. Nightingale E, Peek D, Chen P and Flinn J Parallelizing security checks on commodity hardware Proceedings of the 13th international conference on Architectural support for programming languages and operating systems, (308-318)
  80. Nightingale E, Peek D, Chen P and Flinn J (2008). Parallelizing security checks on commodity hardware, ACM SIGARCH Computer Architecture News, 36:1, (308-318), Online publication date: 25-Mar-2008.
  81. Nightingale E, Peek D, Chen P and Flinn J (2008). Parallelizing security checks on commodity hardware, ACM SIGOPS Operating Systems Review, 42:2, (308-318), Online publication date: 25-Mar-2008.
  82. Nightingale E, Peek D, Chen P and Flinn J (2008). Parallelizing security checks on commodity hardware, ACM SIGPLAN Notices, 43:3, (308-318), Online publication date: 25-Mar-2008.
  83. Smullen C, Tarapore S, Gurumurthi S, Ranganathan P and Uysal M Active storage revisited Proceedings of the 5th conference on Computing frontiers, (293-304)
  84. Preda M, Christodorescu M, Jha S and Debray S (2008). A semantics-based approach to malware detection, ACM Transactions on Programming Languages and Systems, 30:5, (1-54), Online publication date: 1-Aug-2008.
  85. Morales J Threat of renovated .NET viruses to mobile devices Proceedings of the 46th Annual Southeast Regional Conference on XX, (367-372)
  86. Kim I, Kim D, Kim B, Choi Y, Yoon S, Oh J and Jang J An architecture of unknown attack detection system against zero-day worm Proceedings of the 8th conference on Applied computer scince, (205-210)
  87. Siddiqui M, Wang M and Lee J Data mining methods for malware detection using instruction sequences Proceedings of the 26th IASTED International Conference on Artificial Intelligence and Applications, (358-363)
  88. Iwahashi R, Oliveira D, Wu S, Crandall J, Heo Y, Oh J and Jang J Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets Proceedings of the 11th international conference on Information Security, (114-130)
  89. Zhang Y, Li T and Qin R Computer Virus Evolution Model Inspired by Biological DNA Proceedings of the 4th international conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications - with Aspects of Artificial Intelligence, (943-950)
  90. Nekovee M Epidemic Spreading of Computer Worms in Fixed Wireless Networks Bio-Inspired Computing and Communication, (105-115)
  91. Schweitzer D, Gibson D and Baird L (2008). Simplified core war for introducing low-level concepts, Journal of Computing Sciences in Colleges, 24:1, (167-173), Online publication date: 1-Oct-2008.
  92. Truong M and Hoang T A multi-agent mechanism in machine learning approach to anti-virus system Proceedings of the 2nd KES International conference on Agent and multi-agent systems: technologies and applications, (743-752)
  93. Dinaburg A, Royal P, Sharif M and Lee W Ether Proceedings of the 15th ACM conference on Computer and communications security, (51-62)
  94. Preda M, Christodorescu M, Jha S and Debray S (2007). A semantics-based approach to malware detection, ACM SIGPLAN Notices, 42:1, (377-388), Online publication date: 17-Jan-2007.
  95. Preda M, Christodorescu M, Jha S and Debray S A semantics-based approach to malware detection Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, (377-388)
  96. Tanachaiwiwat S and Helmy A On the performance evaluation and prediction of encounter-based worm interactions based on node characteristics Proceedings of the second ACM workshop on Challenged networks, (67-74)
  97. Chouchane M, Walenstein A and Lakhotia A Statistical signatures for fast filtering of instruction-substituting metamorphic malware Proceedings of the 2007 ACM workshop on Recurring malcode, (31-37)
  98. Bruschi D, Martignoni L and Monga M (2007). Code Normalization for Self-Mutating Malware, IEEE Security and Privacy, 5:2, (46-54), Online publication date: 1-Mar-2007.
  99. Lee M, Shon T, Cho K, Chung M, Seo J and Moon J An approach for classifying internet worms based on temporal behaviors and packet flows Proceedings of the intelligent computing 3rd international conference on Advanced intelligent computing theories and applications, (646-655)
  100. Holzer A, Kinder J and Veith H Using verification technology to specify and detect malware Proceedings of the 11th international conference on Computer aided systems theory, (497-504)
  101. François J, State R and Festor O Botnets for scalable management Proceedings of the Distributed systems: operations and management 18th IFIP/IEEE international conference on Managing virtualization of networks and services, (1-12)
  102. An G and Park J Cooperative component testing architecture in collaborating network environment Proceedings of the 4th international conference on Autonomic and Trusted Computing, (179-190)
  103. Holland-Minkley A Cyberattacks Proceedings of the 7th conference on Information technology education, (39-46)
  104. Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F Temporal search Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, (25-36)
  105. Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F (2006). Temporal search, ACM SIGOPS Operating Systems Review, 40:5, (25-36), Online publication date: 20-Oct-2006.
  106. Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F (2006). Temporal search, ACM SIGPLAN Notices, 41:11, (25-36), Online publication date: 1-Nov-2006.
  107. Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F (2006). Temporal search, ACM SIGARCH Computer Architecture News, 34:5, (25-36), Online publication date: 20-Oct-2006.
  108. Ma J, Dunagan J, Wang H, Savage S and Voelker G Finding diversity in remote code injection exploits Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, (53-64)
  109. Di Crescenzo G and Vakil F Cryptographic hashing for virus localization Proceedings of the 4th ACM workshop on Recurring malcode, (41-48)
  110. Chouchane M and Lakhotia A Using engine signature to detect metamorphic malware Proceedings of the 4th ACM workshop on Recurring malcode, (73-78)
  111. Venugopal D An efficient signature representation and matching method for mobile devices Proceedings of the 2nd annual international workshop on Wireless internet, (16-es)
  112. Ford R and Gordon S Cent, five cent, ten cent, dollar Proceedings of the 2006 workshop on New security paradigms, (3-10)
  113. Bond M and Danezis G A pact with the devil Proceedings of the 2006 workshop on New security paradigms, (77-82)
  114. Venugopal D, Hu G and Roman N Intelligent virus detection on mobile devices Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, (1-4)
  115. Sokolsky O, Kannan S and Lee I Simulation-Based graph similarity Proceedings of the 12th international conference on Tools and Algorithms for the Construction and Analysis of Systems, (426-440)
  116. Reddy D, Dash S and Pujari A New malicious code detection using variable length n-grams Proceedings of the Second international conference on Information Systems Security, (276-288)
  117. Anckaert B, Madou M and De Bosschere K A model for self-modifying code Proceedings of the 8th international conference on Information hiding, (232-248)
  118. Edge K, Lamont G and Raines R A retrovirus inspired algorithm for virus detection & optimization Proceedings of the 8th annual conference on Genetic and evolutionary computation, (103-110)
  119. Seifert J On authenticated computing and RSA-based authentication Proceedings of the 12th ACM conference on Computer and communications security, (122-127)
  120. Crandall J, Su Z, Wu S and Chong F On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits Proceedings of the 12th ACM conference on Computer and communications security, (235-248)
Reviews

Jeremy A Hansen

Viruses have come a long way since their first incarnations in the 1980s. What used to be an annoyance to computer users who would share floppy disks with one another has become a global threat. Millions, if not billions, of dollars in data and lost productivity have been lost due to these malicious little chunks of executable code. Many computer users only interact with their virus scanner insofar as it reminds them to click a button and download the newest updates. In fact, there is far more going on behind the scenes than even most generalist security experts may be aware of. Szor's work is an encyclopedic analysis of the techniques used by both virus developers and antivirus researchers. Explicitly broken up into these two parts, the book begins with a brief overview, history, and theory of malicious software. After the introduction, Szor wastes no time, jumping directly into a roughly chronological discussion of virus environments, infection strategies, and virus self-protection schemes. After a chapter covering buffer overflows and other exploits, the remainder of the book addresses virus detection, disinfection, host-based and network-based intrusion prevention, and viral code analysis. Unlike Skoudis' book [1], this book delves into the internal details of viruses specifically, rather than giving a fairly high-level account of various types of malicious software. Skoudis covers backdoors, trojans, and rootkits, three topics that are extremely valuable security topics in their own right, but Szor explains early on that his focus is only on viruses. The author explicitly states that this book is not intended to be a virus-building manual, and no detailed source code examples are provided that might overly help a budding virus writer. There is enough detail described in the chapters on virus techniques, however, to give a coder skilled in assembly or C the ability to create effective malicious code. 
The text is also a resource, in a somewhat roundabout way, for readers interested in various binary executable formats. To the reader without a basic understanding of programming, and operating systems concepts such as application programming interface (API) calls and kernel-mode versus user mode, the book is likely to be a bit difficult to comprehend. This is not a quick introduction in any sense, so it is not for beginners. Before covering the high points of the book, I have two primary gripes. The author refers to the pseudonyms of authors of viruses, in some cases repeatedly. This extra information does not contribute in a meaningful way to the coverage of virus techniques, and serves to glorify the virus writers. Citing virus writers in this way establishes a dangerous precedent, which may only serve to encourage budding virus-writing criminals. My second gripe is that Szor's analysis focuses almost exclusively on signature- and heuristic-based virus detection, which are the common techniques employed by the major antivirus companies. Chapter 11 is a deep look into techniques that these modern antivirus systems (installed on almost everyone's computers) use to make sure that viruses or worms are detected and hopefully prevented. A short paragraph on page 19, discussing integrity checking, concludes that "the general public does not like to be bothered each time a new program is introduced on their systems, but [Dr. Frederick] Cohen's approach is definitely the safest technique to use." Given that much modern research has been done on this aspect of virus prevention, and that many of the negative aspects of integrity checking Szor describes have been worked out, integrity checking and whitelisting certainly deserve more mention than just section 11.11 in this nearly comprehensive work. Despite my gripes with this book, it covers the field of virus development and protection in great detail, and with eloquence. 
Viruses for older platforms, such as DOS and Windows 95, are discussed nearly as much as those infecting 32- and 64-bit applications for more modern operating systems, such as Windows 2000 and XP. This coverage is important, though, to fully explain the evolution of virus writers' tactics. As operating systems became more complex, so too did the strategies that viruses used to infect these new systems. While Linux and other non-Microsoft operating systems are discussed, the majority of virus techniques are specifically geared to Windows operating systems, simply because the majority of viruses infect Windows. Chapter 7, which discusses polymorphic viruses and virus creation kits, is interesting, and noticeably less encyclopedic than other parts of the book. Chapter 8's extremely brief coverage of virus payload types could have benefited from more in-depth coverage of the relatively new field of cryptovirology, though, to be fair, Szor did cite Malicious cryptography [2] as a reference. The obligatory section on exploits like buffer overflows (chapter 10) and techniques for blocking such exploits (chapter 13) may be redundant with many other security texts, but it is definitely relevant in learning the methods that worms use to remotely penetrate systems and how to stop them. Chapter 13, in particular, spends time with specific exploit-prevention techniques that may be overlooked by other authors. I don't expect that this text would be used for a college course on virus techniques, simply because there is so much detail. It would be difficult to cover a quarter of the material in this book in a semester, and the laundry list of prerequisite courses might be too much to handle for most undergraduates. I believe that the target audience of this book is the security professional with a computer science background who is interested in becoming very intimate with the topic of computer viruses. 
I consider myself a member of this audience, and, although it has a few flaws, this book has earned a spot on the "for frequent reference" section of my bookcase.

Online Computing Reviews Service

Srijith Krishnan Nair

When someone as knowledgeable about computer viruses as Symantec's chief antivirus researcher writes a book on the subject, it is expected that the resulting work will be authoritative; Peter Szor's work is that and much more. This book is so full of the details of computer viruses, their infection techniques, examples, and protection strategies, and is presented in such an authoritative and comprehensive way, that it will surely become a must-have for anyone interested in the study of computer viruses. Before you wade into this fountain of knowledge, however, be prepared: the book is not written for novices (that is a feature, not a defect).

The book is divided into two parts. The first part, chapters 1 to 10, is titled "Strategies for the Attacker." Chapters 11 to 16 make up the second part, "Strategies for the Defenders." Chapter 1 goes over the early history of models and games of self-replication, including Frederick Cohen's mathematical formulation of viruses [1]. The two main components of chapter 2 are a unified nomenclature/terminology for malicious programs, with a small description of each of them, and a list of the officially recognized platform names used in the industry. Chapter 3 looks at the malicious code environment. As the author emphasizes, "One of the most important steps towards understanding computer viruses is learning about the particular execution environment in which they operate." The environment dependencies studied in this chapter include architecture, central processing unit, operating system, file system, and file format, among others. The author then classifies viruses based on infection strategies, and examines several examples of each. A section of this chapter is devoted to an extensive look at Win32 viruses. In the next chapter, classification based on in-memory strategies is presented, with memory-resident viruses getting most of the attention.
While chapter 6 looks at basic self-protection strategies, chapter 7 looks at more advanced code evolution methods, like encrypted, polymorphic, and metamorphic viruses. Chapter 8 is relatively short, focusing on virus classification based on payloads. Computer worms are discussed at length in chapter 9, starting with their structure, and going on to target locator, propagation methods, transfer and execution techniques, update strategies, and remote control. Chapter 10 concludes the first part, with a look at how viruses and worms are using exploits, vulnerabilities, and buffer overflow techniques found in software to their advantage. The author provides a quick introduction to buffer overflows, including heap overflows and format string attacks. A couple of examples are also provided, to show how viruses and worms have used various vulnerabilities discussed earlier in the chapter. Chapter 11 starts the discussion on the other side of the coin: defense strategies. First-generation scanners that use simple techniques like string scanning, entry-point and fixed-point scanning, and other generic methods are discussed first, before the author moves on to second-generation scanners that "use nearly exact and exact identification," helping to detect viruses better. Methods like algorithmic scanning and code emulation are discussed next, leading to some examples of metamorphic virus detection, and heuristic analysis of 32-bit Windows viruses. Chapter 12 covers similar ground, but from the point of view of memory scanning and disinfection, with an emphasis on Win32 subsystem viruses. Chapter 13 looks at techniques to block buffer overflow attacks and worm attacks using host-based intrusion detection. Chapter 14 looks at network-level defenses, using, for example, honeypots. Chapter 15 is an extensive discussion on how to perform malicious code analysis in a lab. 
Basic analysis methods like disassembly and decryption are discussed, and several software packages that can help in the job are pointed out. Chapter 16 is a short conclusion, with pointers to other reading materials. Szor's writing style, though exhaustive, sometimes suffers from awkward discontinuities. It also has to be mentioned in passing that, as explicitly stated by the author, Trojan horse code and backdoors are not covered in this book. This does not detract from the book's amazing detail, however. This work, in short, will be a definitive one in the area of computer virus research for some time to come.

Online Computing Reviews Service
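The two reviews above touch the same contrast from different sides: the first reviewer's complaint that integrity checking (Cohen's approach, section 11.11) gets too little room next to signature scanning, and the second reviewer's summary of chapter 11's first-generation techniques (string scanning, entry-point scanning) and chapter 7's encrypted and polymorphic viruses. The three approaches are easy to compare side by side in a few lines of code. What follows is an added illustration written for this page, not code from Szor's book or from either reviewer; the PE builder, the "Toy.A" name and its detection string, the x86 stubs, the decryptor stand-in and the sample files are all constructed for the demonstration.

```python
"""Side-by-side toy of three detection approaches the reviews mention: first-generation
string scanning, entry-point scanning and Cohen-style integrity checking.
Added example, not code from Szor's book; every binary, signature and stub is constructed."""
import hashlib
import struct

# Hypothetical detection string for a made-up prepending virus "Toy.A" (constructed).
SIGNATURES = {"Toy.A": b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\x00\x10\x40\x00TOYA"}
ENTRY_WINDOW = 32                               # bytes an entry-point scanner reads
HOST_CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"     # harmless x86 stub: eax = 0; ret


def build_minimal_pe(code: bytes, data: bytes = b"") -> bytes:
    """Build a minimal PE32 image with one section whose start is the entry point.
    Only the header fields pe_entry_point_offset() reads are filled in; not loadable."""
    e_lfanew, file_align = 0x40, 0x200
    body = code + data
    raw_size = -(-len(body) // file_align) * file_align      # round up to alignment
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # COFF: i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)    # Section/FileAlignment
    hdr += opt
    hdr += b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, raw_size,
                                          file_align, 0, 0, 0, 0, 0x60000020)
    hdr += b"\x00" * (file_align - len(hdr))
    return bytes(hdr) + body + b"\x00" * (raw_size - len(body))


def pe_entry_point_offset(data: bytes):
    """Translate AddressOfEntryPoint (an RVA) into a file offset via the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 40)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            return raw_ptr + (entry_rva - va)
    return None


def string_scan(data: bytes, signatures=SIGNATURES):
    """First-generation scanner: the detection string anywhere in the file is a hit."""
    return next((name for name, sig in signatures.items() if sig in data), None)


def entry_point_scan(data: bytes, signatures=SIGNATURES, window=ENTRY_WINDOW):
    """Only the bytes at the entry point are compared: faster, and a string that merely
    sits in a data area (and is never executed) does not trigger it."""
    ep = pe_entry_point_offset(data)
    if ep is None:
        return None
    region = data[ep:ep + window]
    return next((name for name, sig in signatures.items() if region.startswith(sig)), None)


def integrity_check(path: str, data: bytes, baselines: dict) -> bool:
    """Cohen-style check against a hash recorded while the file was trusted. Needs no
    knowledge of any virus, but every legitimate update must be re-baselined."""
    return baselines.get(path) == hashlib.sha256(data).hexdigest()


def infect_prepend(host_code: bytes) -> bytes:
    """Prepending infector: the virus body runs first, so it sits at the entry point."""
    return build_minimal_pe(SIGNATURES["Toy.A"] + host_code)


def infect_encrypted(host_code: bytes, key: int) -> bytes:
    """Encrypted variant: a decryptor stub ('mov al, key' plus NOP padding, standing in
    for a real loop) followed by the XOR-encoded body. Only the key changes between
    generations, so the plain detection string never appears on disk."""
    decryptor = b"\xb0" + bytes([key]) + b"\x90" * 6
    return build_minimal_pe(decryptor + bytes(b ^ key for b in SIGNATURES["Toy.A"]) + host_code)


def scan_report() -> dict:
    """Run all three checks over constructed samples: label -> (string, entry, integrity_ok)."""
    clean = build_minimal_pe(HOST_CODE)
    # A clean program whose data area embeds the detection string (a scanner's own database).
    scanner = build_minimal_pe(HOST_CODE, data=b"\x00" * 64 + b"sigdb:" + SIGNATURES["Toy.A"])
    baselines = {"host.exe": hashlib.sha256(clean).hexdigest(),
                 "scanner.exe": hashlib.sha256(scanner).hexdigest()}
    samples = {"clean": ("host.exe", clean),
               "sig_in_data": ("scanner.exe", scanner),
               "infected": ("host.exe", infect_prepend(HOST_CODE)),
               "encrypted_a": ("host.exe", infect_encrypted(HOST_CODE, 0x5A)),
               "encrypted_b": ("host.exe", infect_encrypted(HOST_CODE, 0xA7))}
    return {label: (string_scan(d), entry_point_scan(d), integrity_check(p, d, baselines))
            for label, (p, d) in samples.items()}


if __name__ == "__main__":
    for label, (s, e, ok) in scan_report().items():
        print(f"{label:12s} string={s!s:6s} entry={e!s:6s} integrity_ok={ok}")
```

Running it shows the trade-offs both reviewers allude to: whole-file string scanning raises a false positive on the clean file that merely stores the detection string in its data area, entry-point scanning does not; the prepending infection is caught by both; the two encrypted generations (same decryptor, different key) slip past both signature scanners, while the hash-based integrity check flags every modified file without knowing anything about Toy.A. The integrity check's cost is the one Szor's page 19 quote describes: it cannot tell an infection from a legitimate update, so the user must re-baseline on every change. The scanner's obvious next move, signing the constant decryptor, is exactly what pushes virus writers toward the polymorphic decryptors of chapter 7 and scanners toward the algorithmic scanning and code emulation of chapter 11.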
