The Art of Computer Virus Research and Defense

If you want to know what viruses really are, how they attack, how they are activated, and much more, this is the book to consider. This book promises to be a comprehensive guide to virus threats and defense techniques and it’s written by an antivirus expert from Symantec. Does it deliver? Read on and find out.

Author: Peter Szor
Pages: 744
Publisher: Addison-Wesley
ISBN: 0321304543


If you want to know what viruses really are, how they attack, how they are activated, and much more, this is the book to consider. This book promises to be a comprehensive guide to virus threats and defense techniques and it’s written by an antivirus expert from Symantec. Does it deliver? Read on and find out.

About the Author

Peter Szor is security architect for Symantec Security Response, where he has been designing and building antivirus technologies for the Norton AntiVirus product line since 1999. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin magazine, and is a founding member of the AVED (AntiVirus Emergency Discussion) network.

Inside the Book

The book is divided into two major parts. The first part explains the strategies of the attacker while the second part is dedicated to strategies of the defender.

The first chapter guides the reader through the history of models, games and theories on self-replicating structures. Szor starts with 1948 when John von Neumann provided a model to describe nature’s self-reproduction. Later, a few scientists created their own models, and programs. Each of them is shortly described. The first viruses on microcomputers and the theory and definition of computer viruses are presented. Cohen’s formal mathematical model for computer viruses, together with an explanation of automated replication is here as well and this makes the text certainly an interesting reading if you want to understand the theory of viruses.

The following chapter is an introduction to the real world of viruses and here 24 categories and subcategories of viruses are defined with a short description of each of them. Except terminology, a malware program-naming scheme, slightly outdated, is presented. What follows is a list of Officially Recognized Platform Names that shows officially recognized identifiers following the proposed naming standard.

One of the most important steps toward understanding computer viruses is learning about the particular execution environments in which they operate. Chapter three covers malicious code environments. If we put every single dependency here, the list would be very long. There are a great number of dependencies explained in this chapter. For each dependency, a sample virus is given. For example, a date and time dependent virus is the original W32/CodeRed worm.

Next the author describes some common computer virus infection techniques. You can read about the master boot record infection technique, the file infection techniques, as well as infections techniques on 32-bit Windows operating systems. Knowing these techniques is important if one wants to understand the design of antivirus engines since the described techniques naturally have a great impact on antivirus engines.

After the classification of viruses by infection techniques, in the fifth chapter the author classifies viruses by memory residency strategies that computer viruses use. Eight main categories are shortly described, and every mentioned type of virus memory resident strategy is shown.

What follows is an overview of how viruses use self-protection techniques to survive as long as possible. Szor describes tunneling viruses by handling five different tunneling methods. With two additional methods: armored viruses and aggressive retroviruses, the reader acquires basic knowledge for development of defense systems against computer viruses.

The war between computer virus writers and virus scanners is going on for years. That is why computer virus writers continue to develop advanced virus self-protection techniques. The author mentiones four techniquesr: encrypted, oligomorphic, polymorphic, and metamorphic computer viruses. Another problem is posed by virus construction kits, which can be used by anyone who can use a computer.

As the book continues, the author classifies viruses according to payload and describes eight payload types. Chapter nine is all about strategies that computer worms use to invade target systems. Beside good text, this chapter is full of schematic examples that show some attacks. It even includes wireless mobile worms which present a hole new era of computer worms.

Recently exploits, vulnerabilities, and buffer overflow techniques have become common. Chapter ten covers how computer viruses are using these techniques to their advantage. It contains a lot of examples so it’s easier to understand the presented material.

Computer antivirus strategies change over the years. Scanners became fine instruments and antivirus software will continue to evolve with computer viruses as computer viruses will evolve with antivirus software. Szor covers some of the techniques that are used in antivirus software and categorizes examples of virus detection into three categories. Illustrated are the generic and heuristic methods of virus detection followed by two types of scanners.

After defense techniques, memory scanning and disinfection are described. How to get rid of the viruses, which stay in memory as a process and infect system over and over again, is the main issue here. One will learn how to scan memory in user mode and kernel mode and how to disinfect it.

Chapter thirteen presents worm-blocking techniques and host-based intrusion prevention with their main attributes and a few examples. This chapter is followed by network-level defense strategies which discuss some network-based solutions of prevention. The author presents some worm behavior patterns and related technologies that can detect and prevent worms and network intrusions.

After discussing the different antivirus defense strategies, both host- and network-based, Szor gives a short introduction to malicious code analysis.

Final thoughts

The Art of Computer Virus Research and Defense is really a justified title for the book. With so much techniques, methods, strategies and examples it is the definitive guide for experienced IT professionals, especially for security experts.

It covers threats, analysis and countermeasures. Besides discovering how malicious code attacks, here you can read about implementing defense techniques.

Learn how to stop malicious code now by reading this book.