[ISN] Book Review - The Art of Computer Virus Research and Defense

InfoSec News isn at c4i.org
Wed Jun 22 02:45:07 EDT 2005


[ http://www.amazon.com/exec/obidos/ASIN/0321304543/c4iorg  -- WK]

Author: Peter Szor 
Pages: 713 
Publisher: Addison Wesley Longman and Symantec Press 
Rating: 9 
Reviewer: Jose Nazario 
ISBN: 0321304543 
Summary: Clear, sweeping coverage of virus history and technical details 

TAOCVRD opens with Part 1: Strategies of the attacker. Here we start
to think about malicious code from the original ideas and
viewpoints of its makers. Chapter 1 opens up with various games of the
classic computer science world, including Conway's Game of Life and
Core Wars, which is still fun after all of these years. From this we
can start to think about computer viruses as a natural extension of
other self-replicating computer structures. What's great about this
chapter is that you can actually understand, and share in, the
fascination of replicating code. It's as if you can understand the
pure world that some virus writers live in.

Chapter 2 starts off the virus-analysis section, including some of the
basics (like the types of malicious programs and their key features),
as well as the naming scheme. Chapter 3, "Malicious Code
Environments," serves as a lengthy and complete description of how
various viruses work. The dependencies that you would expect to see,
including OS, CPU, file formats, and filesystems, are all described.  
Then Szor goes on to describe how viruses work with various languages,
from REXX and DCL to Python and even Office macros. Not all of the
descriptions are lengthy, but you get to see how flexible the world of
writing a virus can be. What I most enjoyed about the book overall is
represented in this chapter, namely Szor's command of the history of
the virus as well as his technical prowess, which he drops in as

Chapter 4 gets a bit more technical and now focuses on infection
strategies. Again, Szor isn't afraid to delve into history or
technical meat, including a lengthy and valuable section "An In-Depth
Look at Win32 Viruses." If you don't feel armed to start dissecting
viruses by this point, you're in luck: there's so much more to read.  
Chapter 5 covers in-memory strategies used by viruses to locate files,
processes, and sometimes evade detection. Szor has a list of
interrupts and their utility to the virus writer, providing a
comprehensive resource to the virus analyst.

Chapters 6 and 7 cover basic and advanced self protection schemes,
respectively, used by viruses. TAOCVRD's completeness of information
in a usable space, together with very functional examples and
descriptions, is again evident. Szor walks you through a basic
decryptor routine, for example, showing you how a self-contained virus
can be both evasive and functional at the same time. Sadly, little
attention is given to the various virus construction kits at the end of
chapter 7, though.

Chapters 8 and 9 get a little less technical and somewhat more
historical. These chapters cover virus payloads and their
classification (i.e., benevolent viruses, destructive viruses, etc.) and
computer worms, respectively. The overview of payloads is almost
entirely historical, giving a great overview of how virus writers have
used their techniques to cause havoc or just have "fun" from time to
time. Chapter 9 gives a concise and valuable overview of computer
worms, almost boiling about half of my worms book down into just one
chapter in a clear and easy to use fashion.

Part 1 concludes with chapter 10, which covers exploits and attack
techniques used by worms and viruses. Again, Szor's clarity of
explanation shines as he artfully gives a concise overview of how a
buffer overflow attack works (including stack layout and address
manipulation), heap-based attacks, format string attacks, and related
methods. He then discusses these techniques in light of various
historical examples, clearly explaining how they operated and were
successful. If you've been yearning for a short overview of attack
techniques and how malware has used them, this chapter is for you.

Part 2 covers the defender's strategies. Chapter 11 serves as a nice
introduction to this section by describing many of the current and
advanced defense techniques such as some of the first and second
generation scanners, code and system emulation, and metamorphic virus
detection. This is all covered in nice technical detail, always at a
reasonable level so as not to leave anyone in the dust. Through it all,
small examples are constantly given, which reinforce the text nicely.
Chapter 12 is very similar, this time focusing on in-memory scanning
and analysis techniques.

Chapter 13 covers worm blocking techniques, focusing on host-based
methods which can prevent the buffer overflow from being successful or
the code from arbitrarily gaining network access again. Chapter 14
complements this with network-specific defenses, including ACLs and
firewalls, intrusion detection systems, honeypots, and even counterattacks. These two
chapters are a lot less technical than the previous two, but still
quite valuable.

By this point I'm sure you're ready to try your hand at virus
analysis, and Szor is eager to help you out. In chapter 15 he gives
you a great setup for virus analysis, including various tools and
examples of how they work and what kind of information they give you.  
Finally, in chapter 16 you have the obligatory (and valuable) resource
roundup which complements the references given in every chapter, as

Overall I find Szor's book to be amazing, both in terms of its
technical prowess over so many specifics in the field but also for its
presentation. Without dumbing it down, Szor's able to communicate to
most readers with clarity in a manner they'll understand, learn from,
and be able to use. I think that many of us, especially those of us
who get plundered in our email inboxes with malware, are curious to
spend some time dissecting these beasts using techniques AV
professionals use, and Szor's book does an exemplary job of
introducing that world to us all. I consider this to be one of the
most important computer security books I own due to its clarity and
completeness of coverage.
