"Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book." - Halvar Flake, Reverse Engineer, SABRE Security GmbH

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state of the art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process.
This book's coverage includes:
- Discovering how malicious code attacks a variety of platforms
- Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
- Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
- Mastering empirical methods for analyzing malicious code, and what to do with what you learn
- Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
- Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
- Using worm blocking, host-based intrusion prevention, and network-level defense strategies

© Copyright Pearson Education. All rights reserved.
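The coverage list names encrypted and polymorphic code on the attack side and signature scanning, code emulation and integrity checking on the defense side. The following Python model is an illustration added to this page, not code from the book, from Szor or from Symantec: it shows in miniature why those defenses are layered. A toy "virus body" is XOR-encrypted behind a fixed decryptor stub, a static byte-signature scanner misses every keyed variant, a decryptor-aware scanner (a stand-in for code emulation) recovers the body, and a SHA-256 integrity check flags the modified host without knowing anything about the virus. Every name and value here (VIRUS_BODY, STUB, SIGNATURE, the stub layout, the host bytes) is constructed for the example.

```python
"""Added illustration: signature scanning vs. an encrypted variant,
decrypt-then-scan (emulation stand-in), and hash-based integrity checking.
All payloads, keys and 'files' are constructed toy data."""
from __future__ import annotations

import hashlib

# Constructed toy data: a harmless marker string stands in for a virus body.
VIRUS_BODY = b"VIRUS_BODY:infect_next_file()"
SIGNATURE = b"infect_next_file"  # byte pattern a static scanner would carry
STUB = b"DEC"                    # constructed marker for the decryptor stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest decryptor a virus body can carry."""
    return bytes(b ^ key for b in data)


def build_variant(key: int) -> bytes:
    """Model of an encrypted virus: a fixed decryptor stub holding the key,
    followed by the XOR-encrypted body. A polymorphic engine would also
    mutate the stub; here only the key (hence the body's bytes) changes."""
    return STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def infect(host: bytes, key: int) -> bytes:
    """Appending infection: the variant is glued onto the host program."""
    return host + build_variant(key)


def signature_scan(sample: bytes) -> bool:
    """Static scanner: looks for the plaintext signature only."""
    return SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Decryptor-aware scanner: finds the stub, 'runs' the decryption and
    scans the result. A real code emulator reaches the same state by
    executing the stub instead of knowing its layout in advance."""
    pos = sample.find(STUB)
    if pos < 0 or pos + len(STUB) >= len(sample):
        return signature_scan(sample)
    key = sample[pos + len(STUB)]
    decrypted = xor_bytes(sample[pos + len(STUB) + 1:], key)
    return signature_scan(sample[:pos]) or signature_scan(decrypted)


def baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Integrity checker, phase 1: record a SHA-256 of every clean file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: dict[str, bytes], known: dict[str, str]) -> list[str]:
    """Integrity checker, phase 2: report files whose hash changed or is new.
    It needs no knowledge of the virus, so encryption does not help the virus."""
    return sorted(n for n, d in files.items()
                  if hashlib.sha256(d).hexdigest() != known.get(n))


def demo() -> dict:
    # Constructed hosts: the bytes are placeholders, not real executables.
    clean = {"calc.exe": b"MZ\x90\x00calc program bytes",
             "notepad.exe": b"MZ\x90\x00notepad program bytes"}
    known = baseline(clean)

    infected = dict(clean)
    infected["calc.exe"] = infect(clean["calc.exe"], key=0x5A)

    return {
        # A null key leaves the body in plaintext: the weakest 'variant'.
        "sig_hits_null_key": signature_scan(build_variant(0x00)),
        # Any other key defeats the plaintext signature ...
        "sig_hits_key_5a": signature_scan(infected["calc.exe"]),
        # ... but not a scanner that decrypts first.
        "emu_hits_key_5a": emulating_scan(infected["calc.exe"]),
        "emu_hits_clean": emulating_scan(clean["calc.exe"]),
        # The integrity checker flags the modified host regardless of key.
        "changed_files": integrity_check(infected, known),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the five results. The point for a practitioner: the static signature misses every keyed variant, the decrypt-then-scan path recovers the body only because it knows this particular stub's layout (a real emulator executes the stub instead, which is what makes emulation generic), and the hash-based integrity check catches the modified host without any knowledge of the virus, at the price of needing a trusted baseline and of firing on every legitimate update as well.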
Cited By
- Brezinski K, Ferens K and Rantos K (2023). Metamorphic Malware and Obfuscation, Security and Communication Networks, 2023, Online publication date: 1-Jan-2023.
- Lucas K, Pai S, Lin W, Bauer L, Reiter M and Sharif M Adversarial training for raw-binary malware classifiers Proceedings of the 32nd USENIX Conference on Security Symposium, (1163-1180)
- Lyvas C, Ntantogian C and Xenakis C (2022). [m]allotROPism: a metamorphic engine for malicious software variation development, International Journal of Information Security, 21:1, (61-78), Online publication date: 1-Feb-2022.
- Pramanick K and Kulkarni P Detect Compiler Inserted Run-time Security Checks in Binary Software Information Security Practice and Experience, (268-286)
- Rrushi J (2021). DNIC Architectural Developments for 0-Knowledge Detection of OPC Malware, IEEE Transactions on Dependable and Secure Computing, 18:1, (30-44), Online publication date: 1-Jan-2021.
- Huang D, Yang L, Yang X, Zhong X, Tang Y and Stamovlasis D (2020). Evaluating the Performance of a Static Patching Strategy against Computer Viruses, Complexity, 2020, Online publication date: 1-Jan-2020.
- Holt T, van Wilsem J, van de Weijer S and Leukfeldt R (2020). Testing an Integrated Self-Control and Routine Activities Framework to Examine Malware Infection Victimization, Social Science Computer Review, 38:2, (187-206), Online publication date: 1-Apr-2020.
- Zhang X, Song X and Zhu Q (2020). Stability Analysis of a Dynamical Model for Malware Propagation with Generic Nonlinear Countermeasure and Infection Probabilities, Security and Communication Networks, 2020, Online publication date: 1-Jan-2020.
- Ben Yehuda R and Zaidenberg N (2019). Protection against reverse engineering in ARM, International Journal of Information Security, 19:1, (39-51), Online publication date: 1-Feb-2020.
- Bergenholtz E, Casalicchio E, Ilie D and Moss A Detection of Metamorphic Malware Packers Using Multilayered LSTM Networks Information and Communications Security, (36-53)
- Fernandes G, Rodrigues J, Carvalho L, Al-Muhtadi J and Proença M (2019). A comprehensive survey on network anomaly detection, Telecommunications Systems, 70:3, (447-489), Online publication date: 1-Mar-2019.
- Huang K, Li P, Yang L, Yang X, Tang Y and Namin A (2019). Seeking Best-Balanced Patch-Injecting Strategies through Optimal Control Approach, Security and Communication Networks, 2019, Online publication date: 1-Jan-2019.
- Han L, Liu S, Han S, Jia W and Lei J (2018). Owner based malware discrimination, Future Generation Computer Systems, 80:C, (496-504), Online publication date: 1-Mar-2018.
- Biondi F, Given-Wilson T, Legay A, Puodzius C and Quilbeuf J Tutorial: An Overview of Malware Detection and Evasion Techniques Leveraging Applications of Formal Methods, Verification and Validation. Modeling, (565-586)
- Wressnegger C, Freeman K, Yamaguchi F and Rieck K Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, (587-598)
- Ding J, Chen Z, Zhao Y, Su H, Guo Y and Sun E MGeT Proceedings of the 2017 International Conference on Cryptography, Security and Privacy, (96-101)
- Abbink J and Doerr C Popularity-based Detection of Domain Generation Algorithms Proceedings of the 12th International Conference on Availability, Reliability and Security, (1-8)
- Fellouris G and Tartakovsky A (2017). Multichannel Sequential Detection—Part I: Non-i.i.d. Data, IEEE Transactions on Information Theory, 63:7, (4551-4571), Online publication date: 1-Jul-2017.
- Rudd E, Rozsa A, Günther M and Boult T (2017). A Survey of Stealth Malware Attacks, Mitigation Measures, and Steps Toward Autonomous Open World Solutions, IEEE Communications Surveys & Tutorials, 19:2, (1145-1172), Online publication date: 1-Apr-2017.
- Bat-Erdene M, Park H, Li H, Lee H and Choi M (2017). Entropy analysis to classify unknown packing algorithms for malware detection, International Journal of Information Security, 16:3, (227-248), Online publication date: 1-Jun-2017.
- Rrushi J (2016). NIC displays to thwart malware attacks mounted from within the OS, Computers and Security, 61:C, (59-71), Online publication date: 1-Aug-2016.
- Carrara B and Adams C A Survey and Taxonomy Aimed at the Detection and Measurement of Covert Channels Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security, (115-126)
- Fioravanti M, Bishop M and Ford R I'm not sure if we're okay Proceedings of the 2016 New Security Paradigms Workshop, (1-10)
- Sahay S and Sharma A (2016). Grouping the Executables to Detect Malwares with High Accuracy, Procedia Computer Science, 78:C, (667-674), Online publication date: 1-Mar-2016.
- Blazy S, Laporte V and Pichardie D (2016). Verified Abstract Interpretation Techniques for Disassembling Low-level Self-modifying Code, Journal of Automated Reasoning, 56:3, (283-308), Online publication date: 1-Mar-2016.
- Alam S, Horspool R, Traore I and Sogukpinar I (2015). A framework for metamorphic malware analysis and real-time detection, Computers and Security, 48:C, (212-233), Online publication date: 1-Feb-2015.
- Ming J, Xu D, Wang L and Wu D LOOP Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (757-768)
- Fattori A, Lanzi A, Balzarotti D and Kirda E (2015). Hypervisor-based malware protection with AccessMiner, Computers and Security, 52:C, (33-50), Online publication date: 1-Jul-2015.
- Eskandari M and Raesi H (2014). Frequent sub-graph mining for intelligent malware detection, Security and Communication Networks, 7:11, (1872-1886), Online publication date: 1-Nov-2014.
- Preda M, Mastroeni I and Giacobazzi R Analyzing program dependencies for malware detection Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014, (1-7)
- Wüchner T, Ochoa M and Pretschner A Malware detection with quantitative data flow graphs Proceedings of the 9th ACM symposium on Information, computer and communications security, (271-282)
- Guri M, Kedma G, Carmeli B and Elovici Y Limiting access to unintentionally leaked sensitive documents using malware signatures Proceedings of the 19th ACM symposium on Access control models and technologies, (129-140)
- Jiang J, Li C, Yang C and Su C POSTER Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, (1436-1438)
- Aycock J, Somayaji A and Sullins J The ethics of coexistence Proceedings of the IEEE 2014 International Symposium on Ethics in Engineering, Science, and Technology, (1-4)
- Hou Y, Zhuge J, Xin D and Feng W SBE - A Precise Shellcode Detection Engine Based on Emulation and Support Vector Machine Proceedings of the 10th International Conference on Information Security Practice and Experience - Volume 8434, (159-171)
- Schreuders Z, McGill T and Payne C (2013). The state of the art of application restrictions and sandboxes, Computers and Security, 32:C, (219-241), Online publication date: 1-Feb-2013.
- Yu L and Brooks R Applying POMDP to moving target optimization Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop, (1-4)
- Alam S, Horspool R and Traore I MAIL: Malware Analysis Intermediate Language Proceedings of the 6th International Conference on Security of Information and Networks, (233-240)
- Niu X, Li Q, Wang W and Weng X Binary program statistical features hiding through huffman obfuscated coding Proceedings of the 9th international conference on Intelligent Computing Theories, (275-284)
- Egele M, Scholte T, Kirda E and Kruegel C (2008). A survey on automated dynamic malware-analysis techniques and tools, ACM Computing Surveys, 44:2, (1-42), Online publication date: 1-Feb-2012.
- Ghosh S, Hiser J and Davidson J Replacement attacks against VM-protected applications Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments, (203-214)
- Sarma B, Li N, Gates C, Potharaju R, Nita-Rotaru C and Molloy I Android permissions Proceedings of the 17th ACM symposium on Access Control Models and Technologies, (13-22)
- Ghosh S, Hiser J and Davidson J (2012). Replacement attacks against VM-protected applications, ACM SIGPLAN Notices, 47:7, (203-214), Online publication date: 5-Sep-2012.
- Aycock J, de Castro D, Locasto M and Jarabek C Babel Proceedings of the 2012 ACM Workshop on Cloud computing security workshop, (43-54)
- McLaughlin S and McDaniel P SABOT Proceedings of the 2012 ACM conference on Computer and communications security, (439-449)
- Canzanese R, Kam M and Mancoridis S Inoculation against malware infection using kernel-level software sensors Proceedings of the 8th ACM international conference on Autonomic computing, (101-110)
- Kandissounon Y and Chouchane R A method for detecting machine-generated malware Proceedings of the 49th Annual Southeast Regional Conference, (332-333)
- Santos I, Ugarte-Pedrero X, Sanz B, Laorden C and Bringas P Collective classification for packed executable identification Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference, (23-30)
- Carter J An architecture for Concordia Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, (1-1)
- Jacob G, Hund R, Kruegel C and Holz T JACKSTRAWS Proceedings of the 20th USENIX conference on Security, (29-29)
- Al-Saleh M and Crandall J Application-level reconnaissance Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats, (9-9)
- Lu K, Zou D, Wen W and Gao D Packed, printable, and polymorphic return-oriented programming Proceedings of the 14th international conference on Recent Advances in Intrusion Detection, (101-120)
- Lanzi A, Balzarotti D, Kruegel C, Christodorescu M and Kirda E AccessMiner Proceedings of the 17th ACM conference on Computer and communications security, (399-412)
- Wu Z, Gianvecchio S, Xie M and Wang H Mimimorphism Proceedings of the 17th ACM conference on Computer and communications security, (536-546)
- Al-Saleh M and Crandall J On information flow for intrusion detection Proceedings of the 2010 New Security Paradigms Workshop, (17-32)
- Polychronakis M, Anagnostakis K and Markatos E Comprehensive shellcode detection using runtime heuristics Proceedings of the 26th Annual Computer Security Applications Conference, (287-296)
- Zhang Y, Yang L, Zhou Y and Kuang W (2010). Information security underlying transparent computing: Impacts, visions and challenges, Web Intelligence and Agent Systems, 8:2, (203-217), Online publication date: 1-Apr-2010.
- Rad B and Masrom M Metamorphic virus variants classification using opcode frequency histogram Proceedings of the 14th WSEAS international conference on Computers: part of the 14th WSEAS CSCC multiconference - Volume I, (147-155)
- Merkel R, Hoppe T, Kraetzer C and Dittmann J Statistical detection of malicious PE-Executables for fast offline analysis Proceedings of the 11th IFIP TC 6/TC 11 international conference on Communications and Multimedia Security, (93-105)
- Nekovee M and Saksena R (2010). Simulations of large-scale WiFi-based wireless networks, Future Generation Computer Systems, 26:3, (514-520), Online publication date: 1-Mar-2010.
- Preda M, Giacobazzi R, Debray S, Coogan K and Townsend G Modelling metamorphism by abstract interpretation Proceedings of the 17th international conference on Static analysis, (218-235)
- Morales J, Kartaltepe E, Xu S and Sandhu R Symptoms-based detection of bot processes Proceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security, (229-241)
- Kartaltepe E, Morales J, Xu S and Sandhu R Social network-based botnet command-and-control Proceedings of the 8th international conference on Applied cryptography and network security, (511-528)
- Aycock J and Sullins J Ethical proactive threat research Proceedings of the 14th international conference on Financial cryptograpy and data security, (231-239)
- Kamimura A, Matsumoto S, Ito N and Ohira T Chase and escape in groups Proceedings of the 9th international conference on Cellular automata for research and industry, (570-579)
- Xin Z, Chen H, Han H, Mao B and Xie L Misleading malware similarities analysis by automatic data structure obfuscation Proceedings of the 13th international conference on Information security, (181-195)
- Dai J, Guha R and Lee J Feature set selection in data mining techniques for unknown virus detection Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, (1-4)
- Crandall J, Ensafi R, Forrest S, Ladau J and Shebaro B The ecology of Malware Proceedings of the 2008 New Security Paradigms Workshop, (99-106)
- Sharif M, Lee W, Cui W and Lanzi A Secure in-VM monitoring using hardware virtualization Proceedings of the 16th ACM conference on Computer and communications security, (477-487)
- Pfoh J, Schneider C and Eckert C A formal model for virtual machine introspection Proceedings of the 1st ACM workshop on Virtual machine security, (1-10)
- Kim I, Kim D, Kim B, Choi Y, Yoon S, Oh J and Jang J A case study of unknown attack detection against zero-day worm in the honeynet environment Proceedings of the 11th international conference on Advanced Communication Technology - Volume 3, (1715-1720)
- Gupta A, Kuppili P, Akella A and Barford P An empirical study of malware evolution Proceedings of the First international conference on COMmunication Systems And NETworks, (356-365)
- Kolbitsch C, Comparetti P, Kruegel C, Kirda E, Zhou X and Wang X Effective and efficient malware detection at the end host Proceedings of the 18th conference on USENIX security symposium, (351-366)
- Lam I, Xiao W, Wang S and Chen K Counteracting Phishing Page Polymorphism Proceedings of the 3rd International Conference and Workshops on Advances in Information Security and Assurance, (270-279)
- Passerini E, Paleari R and Martignoni L How Good Are Malware Detectors at Remediating Infected Systems? Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, (21-37)
- Treadwell S and Zhou M A heuristic approach for detection of obfuscated malware Proceedings of the 2009 IEEE international conference on Intelligence and security informatics, (291-299)
- Wang Y, Ye Y, Chen H and Jiang Q An improved clustering validity index for determining the number of malware clusters Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication, (544-547)
- Di Crescenzo G, Jiang S and Safavi-Naini R Corruption-localizing hashing Proceedings of the 14th European conference on Research in computer security, (489-504)
- Nightingale E, Peek D, Chen P and Flinn J Parallelizing security checks on commodity hardware Proceedings of the 13th international conference on Architectural support for programming languages and operating systems, (308-318)
- Nightingale E, Peek D, Chen P and Flinn J (2008). Parallelizing security checks on commodity hardware, ACM SIGARCH Computer Architecture News, 36:1, (308-318), Online publication date: 25-Mar-2008.
- Nightingale E, Peek D, Chen P and Flinn J (2008). Parallelizing security checks on commodity hardware, ACM SIGOPS Operating Systems Review, 42:2, (308-318), Online publication date: 25-Mar-2008.
- Nightingale E, Peek D, Chen P and Flinn J (2008). Parallelizing security checks on commodity hardware, ACM SIGPLAN Notices, 43:3, (308-318), Online publication date: 25-Mar-2008.
- Smullen C, Tarapore S, Gurumurthi S, Ranganathan P and Uysal M Active storage revisited Proceedings of the 5th conference on Computing frontiers, (293-304)
- Preda M, Christodorescu M, Jha S and Debray S (2008). A semantics-based approach to malware detection, ACM Transactions on Programming Languages and Systems, 30:5, (1-54), Online publication date: 1-Aug-2008.
- Morales J Threat of renovated .NET viruses to mobile devices Proceedings of the 46th Annual Southeast Regional Conference on XX, (367-372)
- Kim I, Kim D, Kim B, Choi Y, Yoon S, Oh J and Jang J An architecture of unknown attack detection system against zero-day worm Proceedings of the 8th conference on Applied computer scince, (205-210)
- Siddiqui M, Wang M and Lee J Data mining methods for malware detection using instruction sequences Proceedings of the 26th IASTED International Conference on Artificial Intelligence and Applications, (358-363)
- Iwahashi R, Oliveira D, Wu S, Crandall J, Heo Y, Oh J and Jang J Towards Automatically Generating Double-Free Vulnerability Signatures Using Petri Nets Proceedings of the 11th international conference on Information Security, (114-130)
- Zhang Y, Li T and Qin R Computer Virus Evolution Model Inspired by Biological DNA Proceedings of the 4th international conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications - with Aspects of Artificial Intelligence, (943-950)
- Nekovee M Epidemic Spreading of Computer Worms in Fixed Wireless Networks Bio-Inspired Computing and Communication, (105-115)
- Schweitzer D, Gibson D and Baird L (2008). Simplified core war for introducing low-level concepts, Journal of Computing Sciences in Colleges, 24:1, (167-173), Online publication date: 1-Oct-2008.
- Truong M and Hoang T A multi-agent mechanism in machine learning approach to anti-virus system Proceedings of the 2nd KES International conference on Agent and multi-agent systems: technologies and applications, (743-752)
- Dinaburg A, Royal P, Sharif M and Lee W Ether Proceedings of the 15th ACM conference on Computer and communications security, (51-62)
- Preda M, Christodorescu M, Jha S and Debray S (2007). A semantics-based approach to malware detection, ACM SIGPLAN Notices, 42:1, (377-388), Online publication date: 17-Jan-2007.
- Preda M, Christodorescu M, Jha S and Debray S A semantics-based approach to malware detection Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, (377-388)
- Tanachaiwiwat S and Helmy A On the performance evaluation and prediction of encounter-based worm interactions based on node characteristics Proceedings of the second ACM workshop on Challenged networks, (67-74)
- Chouchane M, Walenstein A and Lakhotia A Statistical signatures for fast filtering of instruction-substituting metamorphic malware Proceedings of the 2007 ACM workshop on Recurring malcode, (31-37)
- Bruschi D, Martignoni L and Monga M (2007). Code Normalization for Self-Mutating Malware, IEEE Security and Privacy, 5:2, (46-54), Online publication date: 1-Mar-2007.
- Lee M, Shon T, Cho K, Chung M, Seo J and Moon J An approach for classifying internet worms based on temporal behaviors and packet flows Proceedings of the intelligent computing 3rd international conference on Advanced intelligent computing theories and applications, (646-655)
- Holzer A, Kinder J and Veith H Using verification technology to specify and detect malware Proceedings of the 11th international conference on Computer aided systems theory, (497-504)
- François J, State R and Festor O Botnets for scalable management Proceedings of the Distributed systems: operations and management 18th IFIP/IEEE international conference on Managing virtualization of networks and services, (1-12)
- An G and Park J Cooperative component testing architecture in collaborating network environment Proceedings of the 4th international conference on Autonomic and Trusted Computing, (179-190)
- Holland-Minkley A Cyberattacks Proceedings of the 7th conference on Information technology education, (39-46)
- Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F Temporal search Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, (25-36)
- Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F (2006). Temporal search, ACM SIGOPS Operating Systems Review, 40:5, (25-36), Online publication date: 20-Oct-2006.
- Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F (2006). Temporal search, ACM SIGPLAN Notices, 41:11, (25-36), Online publication date: 1-Nov-2006.
- Crandall J, Wassermann G, de Oliveira D, Su Z, Wu S and Chong F (2006). Temporal search, ACM SIGARCH Computer Architecture News, 34:5, (25-36), Online publication date: 20-Oct-2006.
- Ma J, Dunagan J, Wang H, Savage S and Voelker G Finding diversity in remote code injection exploits Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, (53-64)
- Di Crescenzo G and Vakil F Cryptographic hashing for virus localization Proceedings of the 4th ACM workshop on Recurring malcode, (41-48)
- Chouchane M and Lakhotia A Using engine signature to detect metamorphic malware Proceedings of the 4th ACM workshop on Recurring malcode, (73-78)
- Venugopal D An efficient signature representation and matching method for mobile devices Proceedings of the 2nd annual international workshop on Wireless internet, (16-es)
- Ford R and Gordon S Cent, five cent, ten cent, dollar Proceedings of the 2006 workshop on New security paradigms, (3-10)
- Bond M and Danezis G A pact with the devil Proceedings of the 2006 workshop on New security paradigms, (77-82)
- Venugopal D, Hu G and Roman N Intelligent virus detection on mobile devices Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, (1-4)
- Sokolsky O, Kannan S and Lee I Simulation-Based graph similarity Proceedings of the 12th international conference on Tools and Algorithms for the Construction and Analysis of Systems, (426-440)
- Reddy D, Dash S and Pujari A New malicious code detection using variable length n-grams Proceedings of the Second international conference on Information Systems Security, (276-288)
- Anckaert B, Madou M and De Bosschere K A model for self-modifying code Proceedings of the 8th international conference on Information hiding, (232-248)
- Edge K, Lamont G and Raines R A retrovirus inspired algorithm for virus detection & optimization Proceedings of the 8th annual conference on Genetic and evolutionary computation, (103-110)
- Seifert J On authenticated computing and RSA-based authentication Proceedings of the 12th ACM conference on Computer and communications security, (122-127)
- Crandall J, Su Z, Wu S and Chong F On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits Proceedings of the 12th ACM conference on Computer and communications security, (235-248)