Trusted SF Member
Joined: 19 May 2004
Location: Centerville, South Dakota
|Posted: Tue Mar 15, 2005 5:46 am Post subject: Book Review - The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
Author(s): Peter Szor
Publisher: www.awprofessional.com
Date Published: 2005
Book Specifications: Softcover, 713 pages
Reviewer's Recommended User Level: Intermediate/Advanced
Suggested Publisher Price: $49.99 US / $69.99 CDN
Amazon.com: Virus Research and Defense
From the Back
Threats. Analysis. Countermeasures. The Definitive Guide for Experienced IT and Security Professionals. Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.
Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.
In the past few months, we have seen some interesting examples of spyware and adware employing tricks and techniques used by virus writers. While I am generally able to noodle together what a piece of malware is doing, there have been a couple recent variants that have me completely confused as to how to reverse the damage. It occurred to me that my techniques needed refining, so I have spent the better part of the last couple of weeks Googling the underbelly of the Internet hoping to find some sort of a blueprint. I picked this up at Barnes and Noble, and was hooked within a few pages. This was exactly what I had been looking for.
Let's make this clear up front. You will not learn how to write malicious code from reading this book. If you are able to understand all of the concepts as presented, it will quickly become clear that you already know how to write malicious code. And if you are interested in malware analysis, you are in for a treat.
The first section is appropriately titled Strategies of the Attacker, and chapter one, Introduction to the Games of Nature. Have you ever heard of John von Neumann? Neither had I. It turns out that in addition to introducing binary operations, von Neumann introduced the theory of Self-Replicating Automata, or for those without a dictionary nearby, self-reproducing machines (in 1948). Stanislaw Ulam suggested the idea of using cellular automata as a means of describing these self-reproducing machines, and the theory of reproducing structures was born. Szor discusses early computer programs used to demonstrate these budding concepts, including Core War, a computer game where the goal is to write a program that will overwrite your opponents' programs and kill them. I had heard of this game, but was surprised to find out that there is a modern version that includes networking capabilities. (http://www.corewars.org/)
The remainder of chapter one, and chapter two, are tributes to the pioneers of virus research, antivirus development, and common definitions for malicious software. In addition to the familiar definitions of virus, worm, etc., I was introduced to the concept of an octopus, which is a piece of malicious software that exists as a set of programs on more than one computer on a network, or a rabbit, which is an application that only exists as a single copy of itself at any given time on a series of networked hosts.
The remainder of the first section covers malicious code environments, classification of infection strategies, in-memory strategies, self-protection strategies, and code evolution. There are also two sections in which computer worms, exploits, vulnerabilities, and buffer overflow attacks are described in great detail. Worms are not just discussed in general terms. We get to see how worms are coded to take advantage of vulnerabilities and exploits, including Blaster, Nimda, Code Red, and others that never made it into the wild. We see not only how they work, but also how fatal flaws kept some of them from becoming the lead story on the evening news.
The next section is dedicated to defense strategies, and in-depth analysis of detection methods, starting with signature-based detection, and quickly moving through some very sophisticated techniques I hadn't considered before, including algorithmic scanning, code emulation, metamorphic code detection, and a large section on heuristic methods. Interestingly enough, Szor discusses potential weaknesses of each method, presenting a clear picture of the difficulties with detection.
While inoculation, access control, integrity checking, and sandboxing are presented as potential methods of defense, even they are not without problems. The remainder of the section covers memory scanning and disinfection, worm-blocking techniques, host-based intrusion protection, and network-level defense.
Another feature of the book that I really like is that when a section is opened for discussion, it is illustrated with several different examples. For example, the chapter on network-level defense is broken down into small subsections that discuss router access lists, firewalls, network intrusion detection systems, honeypots, counterattacks, and worm behavior. The worm behavior section is further delineated into methods for capturing and recognizing the Blaster Worm, Slapper, Sasser, Welchia, and Slammer; each with Ethereal dumps and code explanation.
Section two ends with a short section that describes malicious code analysis techniques. Most of the tools mentioned were free, which I consider a bonus. He also has a substantial section covering the merits of using VMware or Virtual PC for malware analysis boxes, which is a topic not often covered. It was nice to find out that my methods of malware analysis are not totally out of the ballpark. The process of analysis is described in a series of steps: preparation, unpacking, disassembly and decryption, and dynamic analysis techniques.
Reading this book was like a trip through a museum. The various code samples tend to build on each other, demonstrating the evolution of malware. Each chapter is brimming with information, making it almost seem like a textbook, but it does not read like a textbook. Each part flows logically into the next, and it is one of the few books I have that I didn't find myself skimming through for fear of missing something. Szor delicately dances around presenting complete code, but is still able to clearly demonstrate processes and procedures.
While I wouldn't call this book advanced, without some idea of how operating systems work, one will easily get lost. Much time is spent discussing file structures, PE headers, memory, and how viruses are able to utilize weaknesses inherent to these various structures to carry out their nefarious deeds. There are even a few undocumented APIs sprinkled through the text just to keep things interesting. With that said, if one has a basic understanding of operating systems and code, this book will pull everything together in such a way that one has a much clearer picture of the interdependencies of a given OS.
The only complaint I have, and it isn't even a complaint as such, is that I would like to have seen a little more time spent on actual hands-on analysis. Aside from that, I consider this to be one of the top two books of its type I have ever had the privilege of reading, and as such, I give it an honored SFDC rating of 10 / 10.
Keywords: Peter Szor virus research defense malware symantec press
Security Forums Dot Com
This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Last edited by Groovicus on Tue Mar 15, 2005 7:56 pm; edited 3 times in total
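Added example, not code from the book or from the review above: the review mentions both the time Szor spends on PE headers and the chapter on heuristic detection. The Python below ties the two together. It parses the DOS, COFF, optional and section headers of a PE image directly with struct (no pefile dependency), then applies two classic structural heuristics of the kind a heuristic scanner checks: an entry point that lands in the last section of a multi-section file, and a section that is both writable and executable. The two sample images are constructed inline by build_pe and are not real binaries; the .virus section name and the entry RVA values are illustrative assumptions.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse the headers of a PE32/PE32+ file image.

    Returns (entry_rva, sections); each section is a dict with name, vaddr,
    vsize, rawsize and chars. Raises ValueError on anything that is not a
    plausibly well-formed PE, so the caller never indexes blindly.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    if size_opt < 20 or opt + size_opt > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                  # PE32, PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                # IMAGE_SECTION_HEADER
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars})
    return entry_rva, sections


def heuristic_flags(entry_rva, sections):
    """Apply two classic structural heuristics and return the findings."""
    flags = []
    if not sections:
        return ["no sections"]
    home = None                                      # section holding the entry point
    for idx, s in enumerate(sections):
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            home = idx
    if home is None:
        flags.append("entry point outside every section")
    else:
        if home == len(sections) - 1 and len(sections) > 1:
            flags.append("entry point in last section")
        if not sections[home]["chars"] & IMAGE_SCN_CNT_CODE:
            flags.append("entry point in non-code section")
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable and executable section %s" % s["name"])
    return flags


def scan(data):
    """Parse and flag; a parse failure is itself reported as a finding."""
    try:
        entry_rva, sections = parse_pe(data)
    except ValueError as exc:
        return ["malformed PE: %s" % exc]
    return heuristic_flags(entry_rva, sections)


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 header image for testing; sections are (name, vaddr, size, chars)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample images, not real binaries.
CLEAN_IMAGE = build_pe([(b".text", 0x1000, 0x2000, CODE),
                        (b".data", 0x3000, 0x1000, DATA)], entry_rva=0x1200)
# Appended-section infection pattern: a new last section that is both
# writable and executable, with the entry point redirected into it.
INFECTED_IMAGE = build_pe([(b".text", 0x1000, 0x2000, CODE),
                           (b".data", 0x3000, 0x1000, DATA),
                           (b".virus", 0x4000, 0x0800, CODE | IMAGE_SCN_MEM_WRITE)], entry_rva=0x4010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE), ("garbage", b"not a PE")):
        print(label, scan(img))
```

Both heuristics are deliberately weak on their own: packers and some legitimate linkers also produce a last-section entry point or a writable code section, which is exactly the false-positive trade-off the review says Szor discusses for each detection method. A real scanner scores several such flags together rather than alerting on one.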