25 Reviews
48 of 51 people found the following review helpful:
5.0 out of 5 stars
One of the best technical books I've ever read,
By
This review is from: The Art of Computer Virus Research and Defense (Paperback)
Peter Szor's 'The Art of Computer Virus Research and Defense' (TAOCVRAD) is one of the best technical books I've ever read, and I've reviewed over 150 security and networking books during the past 5 years. This book so thoroughly owns the subject of computer viruses that I recommend any authors seeking to write their own virus book find a new topic. Every technical computing professional needs to read this book, fast.
I read this book from cover to cover. The author does not lie when he says acquiring the same amount of information requires digging in obscure virus journals and analyzing malicious code. TAOCVRAD's single most powerful aspect is the author's persistence in naming one or more sample viruses that exemplify whatever concept he is discussing. In other words, all of his theory is backed by, or builds on, real-life examples. Each chapter contains moderate end-notes that provide pointers for additional research.

A truly great book has the power to change deeply-entrenched opinions, or make readers look at old problems in a new light. In my case, I altered my perception of the virus problem and ways to fight it. First, I changed my concept of viruses and worms. Peter builds on Fred Cohen's virus definition to say 'a computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.' He calls worms a 'subclass of computer viruses.' I used to disagree with Peter; I believed a virus infects files and requires user interaction, and a worm spreads by itself via the network. Now I agree with Peter's viewpoint: 'worms are network viruses, primarily replicating on networks... If the primary vector of the virus is the network, it should be classified as a worm.' The distinction is subtle, but it makes sense to consider worms a subclass of viruses given Peter's extensive analysis of both types of malware.

Second, I recognized I held an opinion Peter considers unfortunate: 'some computer security people do not seem to consider computer viruses as a serious aspect of security, or they ignore the relationship between computer security and computer viruses.' I was guilty as charged. I used to positively detest viruses because they seemed like mindless automated code that did little but replicate. After reading about scores of real viruses, I have a profound appreciation for virus technology. Viruses introduced techniques for obfuscation, stealth, and exploitation a decade earlier, in some cases, than the single-shot exploit code we see today.

Third, Peter put a human face on the problems associated with closed-source operating systems like Microsoft Windows. Many so-called Native API calls are undocumented, and as such make life difficult for anti-virus developers. (Virus writers tend to know them.) With Microsoft entering the anti-virus market, will it leverage these secrets to outperform competitors lacking this internal knowledge?

Readers of Ed Skoudis' 'Malware' or Jose Nazario's 'Defense and Detection Strategies against Internet Worms' will find this new book greatly complements those two works. Those wishing to get the most value from TAOCVRAD should have Intel assembly coding skills and several years of hands-on security experience.

I had almost no issues with this book, which is striking given it is nearly 700 pages long. In a few places I found the language a little rough, but not enough to bother me. I believe a code listing on p. 372 should show a '<=' instead of '=', but I may be wrong. Although the author works for Symantec, I did not see an undue amount of Symantec-centric material. Chapter 13 is somewhat of an exception, but I do not fault the author. I felt the network section (ch 14) could have been stronger, since advice to block all IP fragments or ICMP at border routers isn't necessarily wise. I can't personally vouch for all of the author's virus analysis as his skill level exceeds mine by an order of magnitude.

TAOCVRAD is the must-buy security book of 2005. You could spend weeks learning from this book. Readers should be thankful Peter decided to share so much of his knowledge with us in an accessible and educational format.
17 of 18 people found the following review helpful:
5.0 out of 5 stars
Superb and exceptional book!,
By
This review is from: The Art of Computer Virus Research and Defense (Paperback)
If the phrase "a bible of malware" weren't a cliché, I would have used it to describe this book without hesitation. I read a lot of security (and specifically, malware) titles, but I have never seen a book this comprehensive and detailed, period.
The author appears to know _everything_ that was going on in the malicious software space since the 80s (for example, who knew that there were viruses written in DEC's DCL language)... A lot of effort is spent classifying various infection, in-memory, self-protection, payload and other virus strategies. I loved the section on malware self-protection, such as anti-debugging and anti-disassembly tactics and even self-brute-forcing virus code (I never knew there are sooo many of those tricks). Nowhere else have I seen such a detailed explanation of oligomorphic, polymorphic and metamorphic viruses... Note that while the book does cover the fun historical viruses, its coverage extends all the way to the phishing attacks of 2004-2005.

My other favorite part is the chapter on worms. "Vanilla" viruses often feel like the creatures of the past, and the worms steal all the glory. The author holds a view that worms are just a type of virus, which he justifies fairly well. Indeed, there is no accepted definition of a "worm".

The book is obviously aimed towards virus defense, although both sides are covered in [at times] excruciating detail. An entire part is dedicated to the history and technology of virus scanning. Personally, I never saw it covered with that level of detail. Finally, I had a chance to learn what `heuristic detection' means. On the defense side, the book also covers behavior blocking and host intrusion prevention, which have a chance of emerging as the main approaches to virus fighting, supplanting pure signature-based scanning. Similarly fun was a section on network-level defense strategies (such as using ACLs, firewalls, etc). A surprisingly small chapter covers malicious code analysis techniques. I would have appreciated more detailed info on using VMware for malware analysis.

Overall, the book is very technical, but (if need be) can be read without diving too deeply into PDP11 assembly, just to get familiar with all the malware classifications, infection methods and other tricks. Highly recommended for technical security professionals; it might also benefit others in IT and beyond. I think it will also fit the textbook profile for an advanced computer security course.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org
8 of 8 people found the following review helpful:
5.0 out of 5 stars
Well written book about analyzing malicious software..,
By r2d3_ge "r2d3_ge" (Gelsenkirchen)
This review is from: The Art of Computer Virus Research and Defense (Paperback)
If you are interested in historical details about viruses/malware, if you are searching for details about various techniques used by malicious software and if you are interested in how people in the AV industry work... This book is definitely THE reference. Peter, a very competent virus researcher who is known through his various articles in the Virus Bulletin magazine, shows you all the techniques you need to analyse, detect and remove malicious software. His technical overview includes the entire history of computer viruses and is written in a very impressive and entertaining style. While I have read many books and articles about exploiting software, he also serves the most understandable definition of exploiting techniques like the classical stack overflow etc. I must say that his style impressed me so much that I read through the book in one day, something that normally happens to me only when reading thrillers by James Patterson. But this book is so well written that you can rarely put it out of your hands. You just want to know where Peter leads to, the next step in the voyage through the malicious world of computer viruses and malware. This book is geared towards everybody trying to understand what's happening in the malicious code polluting the Internet. For me, well worth the money I spent on it.
7 of 7 people found the following review helpful:
5.0 out of 5 stars
A Must-Read on Computer Virus,
By Cody Wu "Cody" (ShangHai, PRC)
This review is from: The Art of Computer Virus Research and Defense (Paperback)
I was wandering in the bookshop trying to find some in-depth books on Computer Viruses and Network Security and suddenly I came across this book. In a few pages the book lit up my eyes; the author successfully attracted my attention and I was simply amazed by his solid background and rich knowledge and also his effort in presenting all the materials in an orderly and logical way that has successfully flattened the learning curve for people fresh to the area.
Well, some people may complain that this is a disappointing book in that it hasn't gone far enough to illustrate the necessary virus writing skills, and they believe only in this way can one specialized in virus defense benefit most. Again, this is not the truth as far as I see. If one simply wants to write viruses by following existing code he can only gain a narrow horizon by focusing upon one or two popular viruses. But as the old idiom goes, you will miss the forest by seeing a tree only. New viruses are produced by those high-intelligence people every day and promise to continue to come in the foreseeable future. New technologies too, emerge and then disappear with the patches or hot fixes. But as long as you have a comprehensive knowledge of the basics of virus research and defense you will never lose in this battle against viruses. I think the author has tried to model his book to be something beyond the mere technology collection, but to present to us how one might equip himself with the fundamental knowledge of the virus's history, main ideas, or even try to give definitions in some places. So this is why the author names his creation "Virus research & defense" instead of "virus writing & defense". And as far as I see, his attempt has been a huge success. And what's more, even for people who are crazy about writing viruses this book is not such a disappointment. It incorporates many code snippets into the book and this code actually reveals the dark side of the virus, and one smart enough and with some knowledge in coding will be able to rebuild the complete viruses. Those who complain about the lack of virus writing skills might better try to figure out the reason in themselves. Anyway, there are a lot of sample viruses within your easy reach on the internet. So why take the trouble to reproduce them here? And finally I would like to show my thanks for the great effort Peter has spent on this book.
For me this book has brought great pleasures and it has helped to organize my knowledge about computer viruses in a more systematic manner. For those either new to the area or those professionals this is a must read and you shouldn't miss it.
7 of 7 people found the following review helpful:
1.0 out of 5 stars
Lacking in technical detail - OK for historical information,
By Antonio (New Zealand)
This review is from: The Art of Computer Virus Research and Defense (Paperback)
I read this book quite a while ago. When searching for a new book on viruses to read it came up in the list of search results. Reading all the positive reviews I find it hard to believe we read the same book. Unfortunately I cannot recommend this book for a variety of reasons. Firstly it is now out of date; a lot has changed in the last 5 years. Secondly, even when it first came out I found the book quite superficial and lacking in technical detail. Certainly for someone seeking an in-depth knowledge of how viruses are designed and can be defended against this book wasn't up to the task. The audience I can see this book as being useful for would be someone who is not a programmer but is looking for a detailed history of the different types of computer viruses. For those looking for discussion and analysis of virus or antivirus source code please look elsewhere!!
I think the reason the author didn't provide much detail was that he didn't want to make his own job producing antivirus software any harder than it already was. Also he wasn't about to give away any trade secrets to his competitors. Perhaps as well he wanted to make the book reasonably accessible to people without a strong programming background. So for those looking for detailed and current technical information, look elsewhere, for those after a history and taxonomy of computer viruses this book might be adequate.
8 of 9 people found the following review helpful:
5.0 out of 5 stars
Incredible resource,
By Anthony Lawrence "Unix, Linux and Mac OS X" (Middleboro, MA USA)
This review is from: The Art of Computer Virus Research and Defense (Paperback)
This is simply incredible - over 700 pages of detailed analysis of viruses from the general to the specific. Their history, the trends, the future, how they work - it's all here.
This can be heavy geek territory. If you aren't fascinated by the details of executable programs and the like, some of this will be hard sledding. But if you are the type who likes to take things apart to see how they work, this is for you: Peter Szor, Symantec's chief antivirus researcher, who saw his first virus before he even knew how to read assembly language, carefully explores this subject from beginning to end. A lot of this is, of course, Windows-related, but there is also coverage of Linux viruses and worms. All sorts of virus types are explored and laid out in general, and certain specific instances are explored in detail. I read through this quickly in an hour or so to get the big picture, but it will be sitting close at hand for several weeks as I spend more time in specific sections. It's really an encyclopedic piece of work. Recommended mostly for the curious geek or serious security professional only, but highly, highly recommended for that audience. For the less geeky, this would still be of interest because of the historical and more general overviews it contains.
11 of 14 people found the following review helpful:
5.0 out of 5 stars
Learn the basics of malware analysis,
By jose_monkey_org "jose_monkey_org" (ann arbor, mi, USA)
This review is from: The Art of Computer Virus Research and Defense (Paperback)
I think by now we're all familiar with viruses and worms. It may have been a term paper diskette chewed up by a virus back in college, a family member's computer infected with the latest worm, or your email inbox clogged with a mass mailer of the week. But how do AV researchers dissect such malware, especially when virus writers have devoted so much time to avoiding detection and perfecting their craft with self-decrypting viruses, polymorphic shellcode, and obfuscated loops? Haven't you wanted a peek into how that's done, and how you would analyze such a monster that landed in your computer? Well, Peter Szor's book The Art of Computer Virus Research and Defense (TAOCVRD) has been gaining lots of critical acclaim lately for filling that gap, and rightfully so. (Before we begin, however, I should make one thing perfectly clear: I was a technical reviewer of this book. I enjoyed it when I read it originally, and I'm even more pleased with the final result. And now on to your regularly scheduled review.)
TAOCVRD opens with Part 1: Strategies of the attacker. Here we get to start to think about malicious code from the original ideas and viewpoints of its makers. Chapter 1 opens up with various games of the classic computer science world, including Conway's Game of Life and Core Wars, which is still fun after all of these years. From this we can start to think about computer viruses as a natural extension of other self-replicating computer structures. What's great about this chapter is that you can actually understand, and share in, the fascination of replicating code. It's as if you can understand the pure world that some virus writers live in.

Chapter 2 starts off the virus-analysis section, including some of the basics (like the types of malicious programs and their key features), as well as the naming scheme. Chapter 3, "Malicious Code Environments," serves as a lengthy and complete description of how various viruses work. The dependencies that you would expect to see, including OS, CPU, file formats, and filesystems, are all described. Then Szor goes on to describe how viruses work with various languages, from REXX and DCL to Python and even Office macros. Not all of the descriptions are lengthy, but you get to see how flexible the world of writing a virus can be. What I most enjoyed about the book overall is represented in this chapter, namely Szor's command of the history of the virus as well as his technical prowess, which he drops in as appropriate.

Chapter 4 gets a bit more technical and now focuses on infection strategies. Again, Szor isn't afraid to delve into history or technical meat, including a lengthy and valuable section "An In-Depth Look at Win32 Viruses." If you don't feel armed to start dissecting viruses by this point, you're in luck: there's so much more to read. Chapter 5 covers in-memory strategies used by viruses to locate files, processes, and sometimes evade detection. Szor has a list of interrupts and their utility to the virus writer, providing a comprehensive resource to the virus analyst.

Chapters 6 and 7 cover basic and advanced self protection schemes, respectively, used by viruses. TAOCVRD's completeness of information in a usable space, together with very functional examples and descriptions, is again evident. Szor walks you through a basic decryptor routine, for example, showing you how a self-contained virus can be both evasive and functional at the same time. Sadly little attention is given to various virus construction kits at the end of chapter 7, though.

Chapters 8 and 9 get a little less technical and somewhat more historical. These chapters cover virus payloads and their classification (i.e. benevolent viruses, destructive viruses, etc) and computer worms, respectively. The overview of payloads is almost entirely historical, giving a great overview of how virus writers have used their techniques to cause havoc or just have "fun" from time to time. Chapter 9 gives a concise and valuable overview of computer worms, almost boiling about half of my worms book down into just one chapter in a clear and easy to use fashion.

Part 1 concludes with chapter 10, which covers exploits and attack techniques used by worms and viruses. Again, Szor's clarity of explanation shines as he artfully gives a concise overview of how a buffer overflow attack works (including stack layout and address manipulation), heap-based attacks, format string attacks, and related methods. He then discusses these techniques in light of various historical examples, clearly explaining how they operated and were successful. If you've been yearning for a short overview of attack techniques and how malware has used them, this chapter is for you.

Part 2 covers the defender's strategies. Chapter 11 serves as a nice introduction to this section by describing many of the current and advanced defense techniques such as some of the first and second generation scanners, code and system emulation, and metamorphic virus detection. This is all covered in nice technical detail, always at a reasonable level to not leave everyone in the dust. Through it all small examples are constantly given, which reinforce the text nicely. Chapter 12 is very similar, this time focusing on in-memory scanning and analysis techniques. Chapter 13 covers worm blocking techniques, focusing on host-based methods which can prevent the buffer overflow from being successful or the code from arbitrarily gaining network access again. Chapter 14 complements this with network specific defenses, including ACLs and firewalls, IDS systems, honeypots, and even counterattacks. These two chapters are a lot less technical than the previous two, but still quite valuable.

By this point I'm sure you're ready to try your hand at virus analysis, and Szor is eager to help you out. In chapter 15 he gives you a great setup for virus analysis, including various tools and examples of how they work and what kind of information they give you. Finally, in chapter 16 you have the obligatory (and valuable) resource roundup which complements the references given in every chapter, as well.

Overall I find Szor's book to be amazing, both in terms of its technical prowess over so many specifics in the field but also for its presentation. Without dumbing it down, Szor's able to communicate to most readers with clarity in a manner they'll understand, learn from, and be able to use. I think that many of us, especially those of us who get plundered in our email inboxes with malware, are curious to spend some time dissecting these beasts using techniques AV professionals use, and Szor's book does an exemplary job of introducing that world to us all.
I consider this to be one of the most important computer security books I own due to its clarity and completeness of coverage.
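Two of the points this review makes, the basic decryptor routine in chapters 6 and 7 and the code-emulation scanners in chapter 11, fit together in one small model. The C below is an added example written for this page; it is not code from the book, from the reviewer, or from any real sample, and the names `static_scan`, `scan_with_emulation` and `count_static_misses_caught_by_emulation` are this example's own. The "virus body" is a constructed ASCII byte string, the signature is a substring of it, and the decryptor is a rolling one-byte XOR whose start key changes every generation (the oligomorphic case, where the decryptor's code stays fixed but the body bytes never repeat). In a real sample the start key is embedded in the decryptor's own instructions, so a CPU emulator recovers the body simply by executing them; the `key` parameter here stands in for that, and the decryptor is run natively rather than under an emulator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a constant virus body. In a real sample this
 * would be machine code; here it is a byte string so the effect is visible. */
static const uint8_t PLAIN_BODY[] = "HELLO-WORM-BODY";
#define BODY_LEN (sizeof(PLAIN_BODY) - 1)

/* A first-generation scanner's signature: a fixed byte string taken from
 * the constant body (constructed for this example). */
static const uint8_t SIGNATURE[] = "WORM-BODY";
#define SIG_LEN (sizeof(SIGNATURE) - 1)

/* Byte-wise substring search; no NUL terminator assumed on either side. */
static int has_signature(const uint8_t *buf, size_t len)
{
    if (len < SIG_LEN) return 0;
    for (size_t i = 0; i + SIG_LEN <= len; i++) {
        if (memcmp(buf + i, SIGNATURE, SIG_LEN) == 0) return 1;
    }
    return 0;
}

/* Encryption applied when a new generation is written out: a rolling
 * one-byte XOR keystream (key, key+1, key+2, ...). Each generation picks a
 * different start key, so the stored body bytes differ every time. */
static void encrypt_body(const uint8_t *in, uint8_t *out, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ (uint8_t)(key + i);
}

/* The decryptor loop that sits in front of the encrypted body. XOR is its
 * own inverse, so it is the same operation as encrypt_body. */
static void decryptor(const uint8_t *enc, uint8_t *dec, size_t len, uint8_t key)
{
    encrypt_body(enc, dec, len, key);
}

/* Static scan: look for the signature in the file image exactly as stored. */
int static_scan(const uint8_t *image, size_t len)
{
    return has_signature(image, len);
}

/* Emulation-style scan: execute the decryptor (natively here, standing in
 * for the scanner's CPU emulator) into a scratch buffer, then look for the
 * signature in the decrypted bytes. */
int scan_with_emulation(const uint8_t *image, size_t len, uint8_t key)
{
    uint8_t scratch[64];
    if (len > sizeof scratch) return 0;   /* refuse oversized input rather than overflow */
    decryptor(image, scratch, len, key);
    return has_signature(scratch, len);
}

/* Try every possible start key. Returns the number of keys for which the
 * static scan misses the encrypted body but the emulated scan detects it. */
int count_static_misses_caught_by_emulation(void)
{
    uint8_t image[BODY_LEN];
    int caught = 0;
    for (int k = 0; k < 256; k++) {
        encrypt_body(PLAIN_BODY, image, BODY_LEN, (uint8_t)k);
        int s = static_scan(image, BODY_LEN);
        int e = scan_with_emulation(image, BODY_LEN, (uint8_t)k);
        if (!s && e) caught++;
    }
    return caught;
}

int main(void)
{
    printf("plain body detected statically: %d\n",
           static_scan(PLAIN_BODY, BODY_LEN));
    printf("keys where static scan misses but emulation catches: %d of 256\n",
           count_static_misses_caught_by_emulation());
    return 0;
}
```

Run as written, the static scan finds the signature in the plain body but in none of the 256 encrypted generations, while the emulated scan catches all 256. That gap is what the emulation-based scanners described in chapter 11 close, and it is also why a metamorphic engine, which rewrites the decryptor itself instead of only re-keying the body, was the next escalation the review mentions.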
3 of 3 people found the following review helpful:
5.0 out of 5 stars
Excellent Source of Information,
By MikeZ "MZ" (Denver)
This review is from: The Art of Computer Virus Research and Defense (Paperback)
As a relative amateur in the subject of computer viruses, this book was very helpful. With a little background in basic computing, you can easily understand this book. The book starts off with simple viruses from back in the day, describing the first viruses to appear. The book then goes into detail about the more advanced forms of virus infections and viruses to appear on more modern systems. After reading the book, I came away with a new respect for the art of self replicating code (aka Virus), and the techniques that virus researchers use to develop software to protect your PC from these threats.
2 of 2 people found the following review helpful:
5.0 out of 5 stars
The virus researcher's Bible,
By
This review is from: The Art of Computer Virus Research and Defense (Paperback)
Peter Szor's book is definitely THE book any aspiring anti-virus researcher and computer security professional must read. It is very broad and information-packed, covering just about every single important aspect of computer viruses and anti-virus research. The book is very technical which, from my point of view, is a big plus - although beginners might find some parts of it daunting. This is definitely no "viruses for dummies" book. In the field of computer viruses and anti-virus research, this book is what Donald Knuth's The Art of Computer Programming (Volumes 1-3) is for computer scientists.
The only gripe I have is that it is perhaps not deep enough. While every important aspect of viruses and anti-virus defense is covered, some of them are not covered deeply enough. This is not the author's fault but the publisher's. Originally, the author intended to write two separate volumes (one dedicated to computer viruses and one dedicated to anti-virus defenses), covering in depth every aspect of these two areas. However, the publisher imposed size restrictions on him. Although the book is rather thick (700+ pages), the space is still not enough to cover in sufficient depth every important aspect of this field. However, each chapter contains references for further reading and the interested reader can do their own research of the aspects that are not covered deeply enough. In summary: excellent book, useful both as a textbook and as a reference. Great read, information-packed, useful. Just don't expect to find any "how to write a virus" recipes there - fortunately, the author went to great lengths to avoid them.
4 of 5 people found the following review helpful:
5.0 out of 5 stars
definitive text on antivirus methods,
By
This review is from: The Art of Computer Virus Research and Defense (Paperback)
Szor's book appears to be the current definitive text on antivirus methods. The breadth of coverage of methods is good. So too is the level of detail.
The book makes you appreciate how hard the task is of finding these darned viruses. In general, you are trying to discern malware intent in an arbitrary file, where this file is often binary. But, as Szor is careful to explain, there can certainly be source code viruses as well. These could be in Postscript, PDF or scripting files. He also points out that the Microsoft Office data files are really binary programs, that run under the Microsoft Office applications. The book shows the considerable level of ingenuity on both sides of this struggle. As in how antivirus companies like Symantec often run a suspected virus in an emulator, stepping through the code. But in response, some viruses try to detect if they are being run inside an emulator. How they do this is very crafty and simple. (Shades of the "Matrix"!) It is examples of tactics like this that give the book its worth.
The Art of Computer Virus Research and Defense by Peter Szor (Paperback - February 13, 2005)