Overview
Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.
Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.
Szor also offers the most thorough and practical primer on virus analysis ever published—addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes
- Discovering how malicious code attacks on a variety of platforms
- Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
- Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
- Mastering empirical methods for analyzing malicious code—and what to do with what you learn
- Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
- Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
- Using worm blocking, host-based intrusion prevention, and network-level defense strategies
Product Details
| Field | Value |
|---|---|
| ISBN-13 | 9780672333903 |
| Publisher | Pearson Education |
| Publication date | 02/03/2005 |
| Series | Symantec Press |
| Sold by | Barnes & Noble |
| Format | eBook |
| Pages | 744 |
| File size | 14 MB |
| Age Range | 18 Years |
About the Author
Peter Szor is security architect for Symantec Security Response, where he has been designing and building antivirus technologies for the Norton AntiVirus product line since 1999. From 1990 to 1995, Szor wrote and maintained his own antivirus program, Pasteur. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin magazine, and is a founding member of the AVED (AntiVirus Emergency Discussion) network.
Read an Excerpt
Preface
Who Should Read This Book
Over the last two decades, several publications have appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for technical professionals. There are only a few works that have no worries going into the technical details necessary to understand, and to effectively defend against, computer viruses.
Part of the problem is that existing books have little, if any, information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.
I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.
I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.
For years, computer virus researchers used to be "file" or "infected object" oriented. On the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as the CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives, the file (storage), in-memory, and network views, and correlate the events using malicious code analysis techniques.
During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and demonstrate up-to-date attacks with just enough technical details.
I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field!
That is what this book is all about.
What I Cover
The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection. I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades and tell you what has been done to deal with complexities such as code polymorphism and exploits.
The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience.
I expect my readers to be familiar with technology and some level of programming. There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information.
Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would have no benefit of my work if this were the other way around.
What I Do Not Cover
I do not cover Trojan horse programs or backdoors in great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.
I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense!
Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better? Simply, the answer is no...
Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them, and do something against them.
Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.
© Copyright Pearson Education. All rights reserved.
Table of Contents
About the Author.
Preface.
Acknowledgments.
I. STRATEGIES OF THE ATTACKER.
1. Introduction to the Games of Nature.
Early Models of Self-Replicating Structures
John von Neumann: Theory of Self-Reproducing Automata
Fredkin: Reproducing Structures
Conway: Game of Life
Core War: The Fighting Programs
Genesis of Computer Viruses
Automated Replicating Code: The Theory and Definition of Computer Viruses
References
2. The Fascination of Malicious Code Analysis.
Common Patterns of Virus Research
Antivirus Defense Development
Terminology of Malicious Programs
Viruses
Worms
Logic Bombs
Trojan Horses
Germs
Exploits
Downloaders
Dialers
Droppers
Injectors
Auto-Rooters
Kits (Virus Generators)
Spammer Programs
Flooders
Keyloggers
Rootkits
Other Categories
Joke Programs
Hoaxes: Chain Letters
Other Pests: Adware and Spyware
Computer Malware Naming Scheme
<family_name>
<malware_type>://
<platform>/
.<group_name>
<infective_length>
<variant>
[<devolution>]
<modifiers>
:<locale_specifier>
#<packer>
@m or @mm
!<vendor-specific_comment>
Annotated List of Officially Recognized Platform Names
References
3. Malicious Code Environments.
Computer Architecture Dependency
CPU Dependency
Operating System Dependency
Operating System Version Dependency
File System Dependency
Cluster Viruses
NTFS Stream Viruses
NTFS Compression Viruses
ISO Image Infection
File Format Dependency
COM Viruses on DOS
EXE Viruses on DOS
NE (New Executable) Viruses on 16-bit Windows and OS/2
LX Viruses on OS/2
PE (Portable Executable) Viruses on 32-bit Windows
ELF (Executable and Linking Format) Viruses on UNIX
Device Driver Viruses
Object Code and LIB Viruses
Interpreted Environment Dependency
Macro Viruses in Microsoft Products
REXX Viruses on IBM Systems
DCL (DEC Command Language) Viruses on DEC/VMS
Shell Scripts on UNIX (csh, ksh, and bash)
VBScript (Visual Basic Script) Viruses on Windows Systems
BATCH Viruses
Instant Messaging Viruses in mIRC, PIRCH scripts
SuperLogo Viruses
JScript Viruses
Perl Viruses
WebTV Worms in JellyScript Embedded in HTML Mail
Python Viruses
VIM Viruses
EMACS Viruses
TCL Viruses
PHP Viruses
MapInfo Viruses
ABAP Viruses on SAP
Help File Viruses on Windows: When You Press F1…
JScript Threats in Adobe PDF
AppleScript Dependency
ANSI Dependency
Macromedia Flash ActionScript Threats
HyperTalk Script Threats
AutoLisp Script Viruses
Registry Dependency
PIF and LNK Dependency
Lotus Word Pro Macro Viruses
AmiPro Document Viruses
Corel Script Viruses
Lotus 1-2-3 Macro Dependency
Windows Installation Script Dependency
AUTORUN.INF and Windows INI File Dependency
HTML (Hypertext Markup Language) Dependency
Vulnerability Dependency
Date and Time Dependency
JIT Dependency: Microsoft .NET Viruses
Archive Format Dependency
File Format Dependency Based on Extension
Network Protocol Dependency
Source Code Dependency
Source Code Trojans
Resource Dependency on Mac and Palm Platforms
Host Size Dependency
Debugger Dependency
Intended Threats that Rely on a Debugger
Compiler and Linker Dependency
Device Translator Layer Dependency
Embedded Object Insertion Dependency
Self-Contained Environment Dependency
Multipartite Viruses
Conclusion
References
4. Classification of Infection Strategies.
Boot Viruses
Master Boot Record (MBR) Infection Techniques
DOS Boot Record (DBR) Infection Techniques
Boot Viruses That Work While Windows 95 Is Active
Possible Boot Image Attacks in Network Environments
File Infection Techniques
Overwriting Viruses
Random Overwriting Viruses
Appending Viruses
Prepending Viruses
Classic Parasitic Viruses
Cavity Viruses
Fractionated Cavity Viruses
Compressing Viruses
Amoeba Infection Technique
Embedded Decryptor Technique
Embedded Decryptor and Virus Body Technique
Obfuscated Tricky Jump Technique
Entry-Point Obscuring (EPO) Viruses
Possible Future Infection Techniques: Code Builders
An In-Depth Look at Win32 Viruses
The Win32 API and Platforms That Support It
Infection Techniques on 32-Bit Windows
Win32 and Win64 Viruses: Designed for Microsoft Windows?
Conclusion
References
5. Classification of In-Memory Strategies.
Direct-Action Viruses
Memory-Resident Viruses
Interrupt Handling and Hooking
Hook Routines on INT 13h (Boot Viruses)
Hook Routines on INT 21h (File Viruses)
Common Memory Installation Techniques Under DOS
Stealth Viruses
Disk Cache and System Buffer Infection
Temporary Memory-Resident Viruses
Swapping Viruses
Viruses in Processes (in User Mode)
Viruses in Kernel Mode (Windows 9x/Me)
Viruses in Kernel Mode (Windows NT/2000/XP)
In-Memory Injectors over Networks
References
6. Basic Self-Protection Strategies.
Tunneling Viruses
Memory Scanning for Original Handler
Tracing with Debug Interfaces
Code Emulation-Based Tunneling
Accessing the Disk Using Port I/O
Using Undocumented Functions
Armored Viruses
Antidisassembly
Encrypted Data
Code Confusion to Avoid Analysis
Opcode Mixing-Based Code Confusion
Using Checksum
Compressed, Obfuscated Code
Antidebugging
Antiheuristics
Antiemulation Techniques
Antigoat Viruses
Aggressive Retroviruses
References
7. Advanced Code Evolution Techniques and Computer Virus Generator Kits.
Introduction
Evolution of Code
Encrypted Viruses
Oligomorphic Viruses
Polymorphic Viruses
The 1260 Virus
The Dark Avenger Mutation Engine (MtE)
32-Bit Polymorphic Viruses
Metamorphic Viruses
What Is a Metamorphic Virus?
Simple Metamorphic Viruses
More Complex Metamorphic Viruses and Permutation Techniques
Mutating Other Applications: The Ultimate Virus Generator?
Advanced Metamorphic Viruses: Zmist
{W32, Linux}/Simile: A Metamorphic Engine Across Systems
The Dark Future: MSIL Metamorphic Viruses
Virus Construction Kits
VCS (Virus Construction Set)
GenVir
VCL (Virus Creation Laboratory)
PS-MPC (Phalcon-Skism Mass-Produced Code Generator)
NGVCK (Next Generation Virus Creation Kit)
Other Kits and Mutators
How to Test a Virus Construction Tool?
References
8. Classification According to Payload.
No-Payload
Accidentally Destructive Payload
Nondestructive Payload
Somewhat Destructive Payload
Highly Destructive Payload
Viruses That Overwrite Data
Data Diddlers
Viruses That Encrypt Data: The “Good,” the Bad, and the Ugly
Hardware Destroyers
DoS (Denial of Service) Attacks
Data Stealers: Making Money with Viruses
Phishing Attacks
Backdoor Features
Conclusion
References
9. Strategies of Computer Worms.
Introduction
The Generic Structure of Computer Worms
Target Locator
Infection Propagator
Remote Control and Update Interface
Life-Cycle Manager
Payload
Self-Tracking
Target Locator
E-Mail Address Harvesting
Network Share Enumeration Attacks
Network Scanning and Target Fingerprinting
Infection Propagators
Attacking Backdoor-Compromised Systems
Peer-to-Peer Network Attacks
Instant Messaging Attacks
E-Mail Worm Attacks and Deception Techniques
E-Mail Attachment Inserters
SMTP Proxy-Based Attacks
SMTP Attacks
SMTP Propagation on Steroids Using MX Queries
NNTP (Network News Transfer Protocol) Attacks
Common Worm Code Transfer and Execution Techniques
Executable Code-Based Attacks
Links to Web Sites or Web Proxies
HTML-Based Mail
Remote Login-Based Attacks
Code Injection Attacks
Shell Code-Based Attacks
Update Strategies of Computer Worms
Authenticated Updates on the Web or Newsgroups
Backdoor-Based Updates
Remote Control via Signaling
Peer-to-Peer Network Control
Intentional and Accidental Interactions
Cooperation
Competition
The Future: A Simple Worm Communication Protocol?
Wireless Mobile Worms
References
10. Exploits, Vulnerabilities, and Buffer Overflow Attacks.
Introduction
Definition of Blended Attack
The Threat
Background
Types of Vulnerabilities
Buffer Overflows
First-Generation Attacks
Second-Generation Attacks
Third-Generation Attacks
Current and Previous Threats
The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode)
Linux/ADM, 1998 (“Copycatting” the Morris Worm)
The CodeRed Outbreak, 2001 (The Code Injection Attack)
Linux/Slapper Worm, 2002 (A Heap Overflow Example)
W32/Slammer Worm, January 2003 (The Mini Worm)
Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)
Generic Buffer Overflow Usage in Computer Viruses
Description of W32/Badtrans.B@mm
Exploits in W32/Nimda.A@mm
Description of W32/Bolzano
Description of VBS/Bubbleboy
Description of W32/Blebla
Summary
References
II. STRATEGIES OF THE DEFENDER.
11. Antivirus Defense Techniques.
First-Generation Scanners
String Scanning
Wildcards
Mismatches
Generic Detection
Hashing
Bookmarks
Top-and-Tail Scanning
Entry-Point and Fixed-Point Scanning
Hyperfast Disk Access
Second-Generation Scanners
Smart Scanning
Skeleton Detection
Nearly Exact Identification
Exact Identification
Algorithmic Scanning Methods
Filtering
Static Decryptor Detection
The X-RAY Method
Code Emulation
Encrypted and Polymorphic Virus Detection Using Emulation
Dynamic Decryptor Detection
Metamorphic Virus Detection Examples
Geometric Detection
Disassembling Techniques
Using Emulators for Tracing
Heuristic Analysis of 32-Bit Windows Viruses
Code Execution Starts in the Last Section
Suspicious Section Characteristics
Virtual Size Is Incorrect in PE Header
Possible “Gap” Between Sections
Suspicious Code Redirection
Suspicious Code Section Name
Possible Header Infection
Suspicious Imports from KERNEL32.DLL by Ordinal
Import Address Table Is Patched
Multiple PE Headers
Multiple Windows Headers and Suspicious KERNEL32.DLL Imports
Suspicious Relocations
Kernel Look-Up
Kernel Inconsistency
Loading a Section into the VMM Address Space
Incorrect Size of Code in Header
Examples of Suspicious Flag Combinations
Heuristic Analysis Using Neural Networks
Regular and Generic Disinfection Methods
Standard Disinfection
Generic Decryptors
How Does a Generic Disinfector Work?
How Can the Disinfector Be Sure That the File Is Infected?
Where Is the Original End of the Host File?
How Many Virus Types Can We Handle This Way?
Examples of Heuristics for Generic Repair
Generic Disinfection Examples
Inoculation
Access Control Systems
Integrity Checking
False Positives
Clean Initial State
Speed
Special Objects
Necessity of Changed Objects
Possible Solutions
Behavior Blocking
Sand-Boxing
Conclusion
References
12. Memory Scanning and Disinfection.
Introduction
The Windows NT Virtual Memory System
Virtual Address Spaces
Memory Scanning in User Mode
The Secrets of NtQuerySystemInformation()
Common Processes and Special System Rights
Viruses in the Win32 Subsystem
Win32 Viruses That Allocate Private Pages
Native Windows NT Service Viruses
Win32 Viruses That Use a Hidden Window Procedure
Win32 Viruses That Are Part of the Executed Image Itself
Memory Scanning and Paging
Enumerating Processes and Scanning File Images
Memory Disinfection
Terminating a Particular Process That Contains Virus Code
Detecting and Terminating Virus Threads
Patching the Virus Code in the Active Pages
How to Disinfect Loaded DLLs and Running Applications
Memory Scanning in Kernel Mode
Scanning the User Address Space of Processes
Determining NT Service API Entry Points
Important NT Functions for Kernel-Mode Memory Scanning
Process Context
Scanning the Upper 2GB of Address Space
How Can You Deactivate a Filter Driver Virus?
Dealing with Read-Only Kernel Memory
Kernel-Mode Memory Scanning on 64-Bit Platforms
Possible Attacks Against Memory Scanning
Conclusion and Future Work
References
13. Worm-Blocking Techniques and Host-Based Intrusion Prevention.
Introduction
Script Blocking and SMTP Worm Blocking
New Attacks to Block: CodeRed, Slammer
Techniques to Block Buffer Overflow Attacks
Code Reviews
Compiler-Level Solutions
Operating System-Level Solutions and Run-Time Extensions
Subsystem Extensions: Libsafe
Kernel Mode Extensions
Program Shepherding
Worm-Blocking Techniques
Injected Code Detection
Send Blocking: An Example of Blocking Self-Sending Code
Exception Handler Validation
Other Return-to-LIBC Attack Mitigation Techniques
“GOT” and “IAT” Page Attributes
High Number of Connections and Connection Errors
Possible Future Worm Attacks
A Possible Increase of Retroworms
“Slow” Worms Below the Radar
Polymorphic and Metamorphic Worms
Large-Scale Damage
Automated Exploit Discovery: Learning from the Environment
Conclusion
References
14. Network-Level Defense Strategies.
Introduction
Using Router Access Lists
Firewall Protection
Network-Intrusion Detection Systems
Honeypot Systems
Counterattacks
Early Warning Systems
Worm Behavior Patterns on the Network
Capturing the Blaster Worm
Capturing the Linux/Slapper Worm
Capturing the W32/Sasser.D Worm
Capturing the Ping Requests of the W32/Welchia Worm
Detecting W32/Slammer and Related Exploits
Conclusion
References
15. Malicious Code Analysis Techniques.
Your Personal Virus Analysis Laboratory
How to Get the Software?
Information, Information, Information
Architecture Guides
Knowledge Base
Dedicated Virus Analysis on VMWARE
The Process of Computer Virus Analysis
Preparation
Unpacking
Disassembling and Decryption
Dynamic Analysis Techniques
Maintaining a Malicious Code Collection
Automated Analysis: The Digital Immune System
References
16. Conclusion.
Further Reading
Information on Security and Early Warnings
Security Updates
Computer Worm Outbreak Statistics
Computer Virus Research Papers
Contact Information for Antivirus Vendors
Antivirus Testers and Related Sites
Index.
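The naming scheme broken out under chapter 2 above (<malware_type>://<platform>/<family_name>.<group_name>.<infective_length>.<variant>[<devolution>]<modifiers>, with :<locale_specifier>, #<packer>, @m/@mm and !<vendor-specific_comment> as modifiers) is the CARO convention that the names elsewhere on this page follow: W32/Nimda.A@mm, VBS/Bubbleboy, W32/Sasser.D, {W32, Linux}/Simile. The parser below is an added example written for this page; it is not code from the book or from Symantec. It assumes that variants are one to three capital letters and infective lengths are plain digits, and the inputs Jerusalem.Standard.1808.A and worm://W32/Example.A[x]:DE#UPX@mm!test are constructed names used only to exercise every field.

```python
"""CARO-style malware name parser. Added example for this page; it is not
code from the book or from Symantec. Grammar assumed:
  [<malware_type>://][<platform>/]<family>[.<group>][.<infective_length>][.<variant>]
  [<devolution>] followed by modifiers :<locale> #<packer> @m|@mm !<vendor comment>
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Modifier tokens may follow the dotted name fields in any order.
_MODIFIER_RE = re.compile(r"(:[A-Za-z]+|#[A-Za-z0-9]+|@mm|@m|!.+)")
_HEAD_RE = re.compile(
    r"^(?:(?P<type>[A-Za-z]+)://)?"      # malware_type://  (optional)
    r"(?:(?P<platform>[^/]+)/)?"         # platform/        (optional)
    r"(?P<body>[^:#@!\[]+)"              # family and dotted fields
    r"(?:\[(?P<devolution>[^\]]*)\])?"   # [devolution]     (optional)
    r"(?P<mods>.*)$"                     # :locale #packer @m/@mm !comment
)


@dataclass
class MalwareName:
    family: str
    malware_type: Optional[str] = None
    platforms: List[str] = field(default_factory=list)
    group: Optional[str] = None
    infective_length: Optional[int] = None
    variant: Optional[str] = None
    devolution: Optional[str] = None
    locale: Optional[str] = None
    packer: Optional[str] = None
    mailer: Optional[str] = None        # "m" (mailer) or "mm" (mass mailer)
    vendor_comment: Optional[str] = None

    def canonical(self) -> str:
        """Reassemble the name in scheme order (the inverse of parse_name)."""
        out = f"{self.malware_type}://" if self.malware_type else ""
        if len(self.platforms) > 1:
            out += "{" + ", ".join(self.platforms) + "}/"
        elif self.platforms:
            out += self.platforms[0] + "/"
        length = None if self.infective_length is None else str(self.infective_length)
        out += ".".join(p for p in (self.family, self.group, length, self.variant) if p)
        if self.devolution is not None:
            out += f"[{self.devolution}]"
        if self.locale:
            out += ":" + self.locale
        if self.packer:
            out += "#" + self.packer
        if self.mailer:
            out += "@" + self.mailer
        if self.vendor_comment:
            out += "!" + self.vendor_comment
        return out


def parse_name(name: str) -> MalwareName:
    m = _HEAD_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    parts = m.group("body").split(".")
    result = MalwareName(family=parts[0], malware_type=m.group("type"),
                         devolution=m.group("devolution"))
    if m.group("platform"):
        # "{W32, Linux}/Simile" style names list several platforms in braces.
        result.platforms = [p.strip() for p in m.group("platform").strip("{}").split(",")]
    for part in parts[1:]:
        if part.isdigit():                          # infective length in bytes
            result.infective_length = int(part)
        elif re.fullmatch(r"[A-Z]{1,3}", part):     # assumption: variants are 1-3 capitals
            result.variant = part
        elif part:                                  # anything else is a group name
            result.group = part
    for mod in _MODIFIER_RE.findall(m.group("mods")):
        if mod.startswith(":"):
            result.locale = mod[1:]
        elif mod.startswith("#"):
            result.packer = mod[1:]
        elif mod.startswith("@"):
            result.mailer = mod[1:]
        else:
            result.vendor_comment = mod[1:]
    return result


if __name__ == "__main__":
    # Names from this page plus two constructed ones that exercise every field.
    for n in ("virus://W32/Nimda.A@mm", "W32/Badtrans.B@mm", "VBS/Bubbleboy",
              "{W32, Linux}/Simile", "Jerusalem.Standard.1808.A",
              "worm://W32/Example.A[x]:DE#UPX@mm!test"):
        print(n, "->", parse_name(n))
```

The variant/length/group split is heuristic: the scheme does not mark the fields, so a group name written in capitals would be taken for a variant. Vendor names in the wild also drift from the scheme (missing variants, vendor prefixes), which is why parse_name tolerates a family with no variant at all.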
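Chapter 11's heuristic list for 32-bit Windows viruses (code execution starts in the last section, suspicious section characteristics, virtual size incorrect, suspicious code section name, incorrect size of code in the header, possible gap between sections) reduces to a handful of consistency checks over the PE header. The checker below is an added example for this page, not the book's code or any product's. It builds two header-only PE32 images in memory, a clean layout and the same layout after a hypothetical appending infector added a writable, executable section, moved the entry point into it and left SizeOfCode stale, parses them back using the documented IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER offsets, and reports which heuristics fire. The set of "known" code section names and the exact comparisons are assumptions chosen for the example.

```python
"""Header-level heuristics for 32-bit PE files, of the kind chapter 11 lists.
Added example for this page; not the book's or any product's code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
KNOWN_CODE_NAMES = {".text", "CODE", ".code", "INIT"}   # assumption: usual compiler names
SECTION_FMT = "<8sIIIIIIHHI"                             # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
OPTIONAL_HEADER_SIZE = 224                               # IMAGE_OPTIONAL_HEADER32


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_pe(sections, entry_point, size_of_code, file_align=0x200, sec_align=0x1000):
    """Header-only PE32 image from (name, vaddr, vsize, rawptr, rawsize, chars) tuples.
    Only the fields the heuristics read are filled in; everything else stays zero."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPTIONAL_HEADER_SIZE, 0x0102)     # i386, EXECUTABLE_IMAGE | 32BIT
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, size_of_code, 0, 0,
                      entry_point, 0x1000, 0x2000, 0x400000, sec_align, file_align)
    opt += b"\0" * (OPTIONAL_HEADER_SIZE - len(opt))
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                                 rawsize, rawptr, 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, rawptr, rawsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Read the header fields the heuristics need; ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry, = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + i * SECTION_SIZE)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"), vsize=vsize,
                             vaddr=vaddr, rawsize=rawsize, rawptr=rawptr, chars=chars))
    return dict(entry=entry, size_of_code=size_of_code, sec_align=sec_align,
                file_align=file_align, sections=sections)


def heuristics(pe):
    """List of findings for a parsed header; an empty list means nothing looked odd."""
    findings, secs = [], pe["sections"]
    if not secs:
        return ["no sections"]
    last = secs[-1]
    span = max(last["vsize"], last["rawsize"])
    if len(secs) > 1 and last["vaddr"] <= pe["entry"] < last["vaddr"] + span:
        findings.append("entry point in last section")           # appending infectors
    for s in secs:
        if s["chars"] & WX == WX:
            findings.append(f"writable and executable section {s['name']}")
        if s["rawsize"] > align_up(s["vsize"], pe["file_align"]):
            findings.append(f"raw size exceeds virtual size in {s['name']}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["name"] not in KNOWN_CODE_NAMES:
            findings.append(f"unusual code section name {s['name']}")
    code_total = sum(s["rawsize"] for s in secs if s["chars"] & IMAGE_SCN_CNT_CODE)
    if code_total != pe["size_of_code"]:
        findings.append("SizeOfCode does not match the code sections")
    for prev, cur in zip(secs, secs[1:]):
        if cur["rawptr"] > prev["rawptr"] + prev["rawsize"]:   # unused file region
            findings.append(f"gap between {prev['name']} and {cur['name']}")
    return findings


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed samples, not real files: (name, vaddr, vsize, rawptr, rawsize, chars).
CLEAN_SAMPLE = build_pe(
    [(b".text", 0x1000, 0x1C0, 0x400, 0x200, RX),
     (b".data", 0x2000, 0x100, 0x600, 0x200, RW)],
    entry_point=0x1000, size_of_code=0x200)
# Same file after a hypothetical appending infector: new W+X section, entry point
# moved into it, raw data larger than the mapped size, SizeOfCode left stale.
INFECTED_SAMPLE = build_pe(
    [(b".text", 0x1000, 0x1C0, 0x400, 0x200, RX),
     (b".data", 0x2000, 0x100, 0x600, 0x200, RW),
     (b".abcd", 0x3000, 0x300, 0xA00, 0x600, RX | IMAGE_SCN_MEM_WRITE)],
    entry_point=0x3010, size_of_code=0x200)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, heuristics(parse_pe(sample)) or "no findings")
```

Each finding on its own is weak (packers and some linkers trip several of them on legitimate files), which is why the chapter treats them as heuristic flags to be weighed together rather than as detections; a scanner would combine a score from these with the emulation and algorithmic methods listed alongside them.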