The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense

3.85 (42 ratings by Goodreads)
By (author) 

Free delivery worldwide

Available. Dispatched from the UK in 2 business days
When will my order arrive?


Peter Szor takes you behind the scenes of anti-virus research, showing howthey are analyzed, how they spread, and--most importantly--how to effectivelydefend against them. This book offers an encyclopedic treatment of thecomputer virus, including: a history of computer viruses, virus behavior,classification, protection strategies, anti-virus and worm-blocking techniques,and how to conduct an accurate threat analysis. The Art of Computer VirusResearch and Defense entertains readers with its look at anti-virus research, butmore importantly it truly arms them in the fight against computer viruses.As one of the lead researchers behind Norton AntiVirus, the most popularantivirus program in the industry, Peter Szor studies viruses every day. Byshowing how viruses really work, this book will help security professionals andstudents protect against them, recognize them, and analyze and limit thedamage they can more

Product details

  • Paperback | 744 pages
  • 172.7 x 233.7 x 35.6mm | 975.23g
  • Pearson Education (US)
  • Addison-Wesley Educational Publishers Inc
  • New Jersey, United States
  • English
  • Annotated
  • New.
  • 0321304543
  • 9780321304544
  • 431,863

About Peter Szor

Peter Szor is security architect for Symantec Security Response, where he has been designing and building antivirus technologies for the Norton AntiVirus product line since 1999. From 1990 to 1995, Szor wrote and maintained his own antivirus program, Pasteur. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin magazine, and is a founding member of the AVED (AntiVirus Emergency Discussion) network. (c) Copyright Pearson Education. All rights more

Back cover copy

" "Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book."" Halvar Flake, Reverse Engineer, SABRE Security GmbH Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, "The Art of Computer Virus Research and Defense" is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more. Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats. Szor also offers the most thorough and practical primer on virus analysis ever publishedaddressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes Discovering how malicious code attacks on a variety of platforms Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic Mastering empirical methods for analyzing malicious codeand what to do with what you learn Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more Using worm blocking, host-based intrusion prevention, and network-level defense strategies (c) Copyright Pearson Education. All rights reserved."show more

Table of contents

About the Author. Preface. Acknowledgments. I. STRATEGIES OF THE ATTACKER. 1. Introduction to the Games of Nature. Early Models of Self-Replicating Structures John von Neumann: Theory of Self-Reproducing Automata Fredkin: Reproducing Structures Conway: Game of Life Core War: The Fighting Programs Genesis of Computer Viruses Automated Replicating Code: The Theory and Definition of Computer Viruses References 2. The Fascination of Malicious Code Analysis. Common Patterns of Virus Research Antivirus Defense Development Terminology of Malicious Programs Viruses Worms Logic Bombs Trojan Horses Germs Exploits Downloaders Dialers Droppers Injectors Auto-Rooters Kits (Virus Generators) Spammer Programs Flooders Keyloggers Rootkits Other Categories Joke Programs Hoaxes: Chain Letters Other Pests: Adware and Spyware Computer Malware Naming Scheme :// / . [] : # @m or @mm ! Annotated List of Officially Recognized Platform Names References 3. Malicious Code Environments. Computer Architecture Dependency CPU Dependency Operating System Dependency Operating System Version Dependency File System Dependency Cluster Viruses NTFS Stream Viruses NTFS Compression Viruses ISO Image Infection File Format Dependency COM Viruses on DOS EXE Viruses on DOS NE (New Executable) Viruses on 16-bit Windows and OS/2 LX Viruses on OS/2 PE (Portable Executable) Viruses on 32-bit Windows ELF (Executable and Linking Format) Viruses on UNIX Device Driver Viruses Object Code and LIB Viruses Interpreted Environment Dependency Macro Viruses in Microsoft Products REXX Viruses on IBM Systems DCL (DEC Command Language) Viruses on DEC/VMS Shell Scripts on UNIX (csh, ksh, and bash) VBScript (Visual Basic Script) Viruses on Windows Systems BATCH Viruses Instant Messaging Viruses in mIRC, PIRCH scripts SuperLogo Viruses JScript Viruses Perl Viruses WebTV Worms in JellyScript Embedded in HTML Mail Python Viruses VIM Viruses EMACS Viruses TCL Viruses PHP Viruses MapInfo Viruses ABAP Viruses on SAP Help File Viruses on Windows-When You Press F1... JScript Threats in Adobe PDF AppleScript Dependency ANSI Dependency Macromedia Flash ActionScript Threats HyperTalk Script Threats AutoLisp Script Viruses Registry Dependency PIF and LNK Dependency Lotus Word Pro Macro Viruses AmiPro Document Viruses Corel Script Viruses Lotus 1-2-3 Macro Dependency Windows Installation Script Dependency AUTORUN.INF and Windows INI File Dependency HTML (Hypertext Markup Language) Dependency Vulnerability Dependency Date and Time Dependency JIT Dependency: Microsoft .NET Viruses Archive Format Dependency File Format Dependency Based on Extension Network Protocol Dependency Source Code Dependency Source Code Trojans Resource Dependency on Mac and Palm Platforms Host Size Dependency Debugger Dependency Intended Threats that Rely on a Debugger Compiler and Linker Dependency Device Translator Layer Dependency Embedded Object Insertion Dependency Self-Contained Environment Dependency Multipartite Viruses Conclusion References 4. Classification of Infection Strategies. Boot Viruses Master Boot Record (MBR) Infection Techniques DOS BOOT Record (DBR) - Infection Techniques Boot Viruses That Work While Windows 95 Is Active Possible Boot Image Attacks in Network Environments File Infection Techniques Overwriting Viruses Random Overwriting Viruses Appending Viruses Prepending Viruses Classic Parasitic Viruses Cavity Viruses Fractionated Cavity Viruses Compressing Viruses Amoeba Infection Technique Embedded Decryptor Technique Embedded Decryptor and Virus Body Technique Obfuscated Tricky Jump Technique Entry-Point Obscuring (EPO) Viruses Possible Future Infection Techniques: Code Builders An In-Depth Look at Win32 Viruses The Win32 API and Platforms That Support It Infection Techniques on 32-Bit Windows Win32 and Win64 Viruses: Designed for Microsoft Windows? Conclusion References 5. Classification of In-Memory Strategies. Direct-Action Viruses Memory-Resident Viruses Interrupt Handling and Hooking Hook Routines on INT 13h (Boot Viruses) Hook Routines on INT 21h (File Viruses) Common Memory Installation Techniques Under DOS Stealth Viruses Disk Cache and System Buffer Infection Temporary Memory-Resident Viruses Swapping Viruses Viruses in Processes (in User Mode) Viruses in Kernel Mode (Windows 9x/Me) Viruses in Kernel Mode (Windows NT/2000/XP) In-Memory Injectors over Networks References 6. Basic Self-Protection Strategies. Tunneling Viruses Memory Scanning for Original Handler Tracing with Debug Interfaces Code Emulation-Based Tunneling Accessing the Disk Using Port I/O Using Undocumented Functions Armored Viruses Antidisassembly Encrypted Data Code Confusion to Avoid Analysis Opcode Mixing-Based Code Confusion Using Checksum Compressed, Obfuscated Code Antidebugging Antiheuristics Antiemulation Techniques Antigoat Viruses Aggressive Retroviruses References 7. Advanced Code Evolution Techniques and Computer Virus Generator Kits. Introduction Evolution of Code Encrypted Viruses Oligomorphic Viruses Polymorphic Viruses The 1260 Virus The Dark Avenger Mutation Engine (MtE) 32-Bit Polymorphic Viruses Metamorphic Viruses What Is a Metamorphic Virus? Simple Metamorphic Viruses More Complex Metamorphic Viruses and Permutation Techniques Mutating Other Applications: The Ultimate Virus Generator? Advanced Metamorphic Viruses: Zmist {W32, Linux}/Simile: A Metamorphic Engine Across Systems The Dark Future-MSIL Metamorphic Viruses Virus Construction Kits VCS (Virus Construction Set) GenVir VCL (Virus Creation Laboratory) PS-MPC (Phalcon-Skism Mass-Produced Code Generator) NGVCK (Next Generation Virus Creation Kit) Other Kits and Mutators How to Test a Virus Construction Tool? References 8. Classification According to Payload. No-Payload Accidentally Destructive Payload Nondestructive Payload Somewhat Destructive Payload Highly Destructive Payload Viruses That Overwrite Data Data Diddlers Viruses That Encrypt Data: The "Good," the Bad, and the Ugly Hardware Destroyers DoS (Denial of Service) Attacks Data Stealers: Making Money with Viruses Phishing Attacks Backdoor Features Conclusion References 9. Strategies of Computer Worms. Introduction The Generic Structure of Computer Worms Target Locator Infection Propagator Remote Control and Update Interface Life-Cycle Manager Payload Self-Tracking Target Locator E-Mail Address Harvesting Network Share Enumeration Attacks Network Scanning and Target Fingerprinting Infection Propagators Attacking Backdoor-Compromised Systems Peer-to-Peer Network Attacks Instant Messaging Attacks E-Mail Worm Attacks and Deception Techniques E-Mail Attachment Inserters SMTP Proxy-Based Attacks SMTP Attacks SMTP Propagation on Steroids Using MX Queries NNTP (Network News Transfer Protocol) Attacks Common Worm Code Transfer and Execution Techniques Executable Code-Based Attacks Links to Web Sites or Web Proxies HTML-Based Mail Remote Login-Based Attacks Code Injection Attacks Shell Code-Based Attacks Update Strategies of Computer Worms Authenticated Updates on the Web or Newsgroups Backdoor-Based Updates Remote Control via Signaling Peer-to-Peer Network Control Intentional and Accidental Interactions Cooperation Competition The Future: A Simple Worm Communication Protocol? Wireless Mobile Worms References 10. Exploits, Vulnerabilities, and Buffer Overflow Attacks. Introduction Definition of Blended Attack The Threat Background Types of Vulnerabilities Buffer Overflows First-Generation Attacks Second-Generation Attacks Third-Generation Attacks Current and Previous Threats The Morris Internet Worm, 1988 (Stack Overflow to Run - Shellcode) Linux/ADM, 1998 ("Copycatting" the Morris Worm) The CodeRed Outbreak, 2001 (The Code Injection Attack) Linux/Slapper Worm, 2002 (A Heap Overflow Example) W32/Slammer Worm, January 2003 (The Mini Worm) Blaster Worm, August 2003 (Shellcode-Based Attack on Win32) Generic Buffer Overflow Usage in Computer Viruses Description of W32/Badtrans.B@mm Exploits in W32/Nimda.A@mm Description of W32/Bolzano Description of VBS/Bubbleboy Description of W32/Blebla Summary References II. STRATEGIES OF THE DEFENDER. 11. Antivirus Defense Techniques. First-Generation Scanners String Scanning Wildcards Mismatches Generic Detection Hashing Bookmarks Top-and-Tail Scanning Entry-Point and Fixed-Point Scanning Hyperfast Disk Access Second-Generation Scanners Smart Scanning Skeleton Detection Nearly Exact Identification Exact Identification Algorithmic Scanning Methods Filtering Static Decryptor Detection The X-RAY Method Code Emulation Encrypted and Polymorphic Virus Detection Using Emulation Dynamic Decryptor Detection Metamorphic Virus Detection Examples Geometric Detection Disassembling Techniques Using Emulators for Tracing Heuristic Analysis of 32-Bit Windows Viruses Code Execution Starts in the Last Section Suspicious Section Characteristics Virtual Size Is Incorrect in PE Header Possible "Gap" Between Sections Suspicious Code Redirection Suspicious Code Section Name Possible Header Infection Suspicious Imports from KERNEL32.DLL by Ordinal Import Address Table Is Patched Multiple PE Headers Multiple Windows Headers and Suspicious KERNEL32.DLL Imports Suspicious Relocations Kernel Look-Up Kernel Inconsistency Loading a Section into the VMM Address Space Incorrect Size of Code in Header Examples of Suspicious Flag Combinations Heuristic Analysis Using Neural Networks Regular and Generic Disinfection Methods Standard Disinfection Generic Decryptors How Does a Generic Disinfector Work? How Can the Disinfector Be Sure That the File Is Infected? Where Is the Original End of the Host File? How Many Virus Types Can We Handle This Way? Examples of Heuristics for Generic Repair Generic Disinfection Examples Inoculation Access Control Systems Integrity Checking False Positives Clean Initial State Speed Special Objects Necessity of Changed Objects Possible Solutions Behavior Blocking Sand-Boxing Conclusion References 12. Memory Scanning and Disinfection. Introduction The Windows NT Virtual Memory System Virtual Address Spaces Memory Scanning in User Mode The Secrets of NtQuerySystemInform-ation() Common Processes and Special System Rights Viruses in the Win32 Subsystem Win32 Viruses That Allocate Private Pages Native Windows NT Service Viruses Win32 Viruses That Use a Hidden Window Procedure Win32 Viruses That Are Part of the Executed Image Itself Memory Scanning and Paging Enumerating Processes and Scanning File Images Memory Disinfection Terminating a Particular Process That Contains Virus Code Detecting and Terminating Virus Threads Patching the Virus Code in the Active Pages How to Disinfect Loaded DLLs and Running Applications Memory Scanning in Kernel Mode Scanning the User Address Space of Processes Determining NT Service API Entry Points Important NT Functions for Kernel-Mode Memory Scanning Process Context Scanning the Upper 2GB of Address Space How Can You Deactivate a Filter Driver Virus? Dealing with Read-Only Kernel Memory Kernel-Mode Memory Scanning on 64-Bit Platforms Possible Attacks Against Memory Scanning Conclusion and Future Work References 13. Worm-Blocking Techniques and Host-Based Intrusion Prevention. Introduction Script Blocking and SMTP Worm Blocking New Attacks to Block: CodeRed, Slammer Techniques to Block Buffer Overflow Attacks Code Reviews Compiler-Level Solutions Operating System-Level Solutions and Run-Time Extensions Subsystem Extensions-Libsafe Kernel Mode Extensions Program Shepherding Worm-Blocking Techniques Injected Code Detection Send Blocking: An Example of Blocking Self-Sending Code Exception Handler Validation Other Return-to-LIBC Attack Mitigation Techniques "GOT" and "IAT" Page Attributes High Number of Connections and Connection Errors Possible Future Worm Attacks A Possible Increase of Retroworms "Slow" Worms Below the Radar Polymorphic and Metamorphic Worms Largescale Damage Automated Exploit Discovery-Learning from the Environment Conclusion References 14. Network-Level Defense Strategies. Introduction Using Router Access Lists Firewall Protection Network-Intrusion Detection Systems Honeypot Systems Counterattacks Early Warning Systems Worm Behavior Patterns on the Network Capturing the Blaster Worm Capturing the Linux/Slapper Worm Capturing the W32/Sasser.D Worm Capturing the Ping Requests of the W32/Welchia Worm Detecting W32/Slammer and Related Exploits Conclusion References 15. Malicious Code Analysis Techniques. Your Personal Virus Analysis Laboratory How to Get the Software? Information, Information, Information Architecture Guides Knowledge Base Dedicated Virus Analysis on VMWARE The Process of Computer Virus Analysis Preparation Unpacking Disassembling and Decryption Dynamic Analysis Techniques Maintaining a Malicious Code Collection Automated Analysis: The Digital Immune System References 16. Conclusion. Further Reading Information on Security and Early Warnings Security Updates Computer Worm Outbreak Statistics Computer Virus Research Papers Contact Information for Antivirus Vendors Antivirus Testers and Related Sites more

Rating details

42 ratings
3.85 out of 5 stars
5 31% (13)
4 31% (13)
3 31% (13)
2 7% (3)
1 0% (0)
Book ratings by Goodreads
Goodreads is the world's largest site for readers with over 50 million reviews. We're featuring millions of their reader ratings on our book pages to help you find your new favourite book. Close X