The Art of Computer Virus Research and Defense By Peter Szor


Written by one of the best virus analysts in the world, this book provides useful information about computer viruses, as well as security.

The Art of Computer Virus Research and Defense Summary


Peter Szor takes you behind the scenes of anti-virus research, showing how viruses are analyzed, how they spread, and, most importantly, how to effectively defend against them. This book offers an encyclopedic treatment of the computer virus, including: a history of computer viruses, virus behavior, classification, protection strategies, anti-virus and worm-blocking techniques, and how to conduct an accurate threat analysis. The Art of Computer Virus Research and Defense entertains readers with its look at anti-virus research, but more importantly it truly arms them in the fight against computer viruses. As one of the lead researchers behind Norton AntiVirus, the most popular antivirus program in the industry, Peter Szor studies viruses every day. By showing how viruses really work, this book will help security professionals and students protect against them, recognize them, and analyze and limit the damage they can do.


About Peter Szor

Peter Szor is security architect for Symantec Security Response, where he has been designing and building antivirus technologies for the Norton AntiVirus product line since 1999. From 1990 to 1995, Szor wrote and maintained his own antivirus program, Pasteur. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin magazine, and is a founding member of the AVED (AntiVirus Emergency Discussion) network.

(c) Copyright Pearson Education. All rights reserved.

Table of Contents

About the Author.




1. Introduction to the Games of Nature.

Early Models of Self-Replicating Structures

John von Neumann: Theory of Self-Reproducing Automata

Fredkin: Reproducing Structures

Conway: Game of Life

Core War: The Fighting Programs

Genesis of Computer Viruses

Automated Replicating Code: The Theory and Definition of Computer Viruses


2. The Fascination of Malicious Code Analysis.

Common Patterns of Virus Research

Antivirus Defense Development

Terminology of Malicious Programs



Logic Bombs

Trojan Horses








Kits (Virus Generators)

Spammer Programs




Other Categories

Joke Programs

Hoaxes: Chain Letters

Other Pests: Adware and Spyware

Computer Malware Naming Scheme







@m or @mm


Annotated List of Officially Recognized Platform Names


3. Malicious Code Environments.

Computer Architecture Dependency

CPU Dependency

Operating System Dependency

Operating System Version Dependency

File System Dependency

Cluster Viruses

NTFS Stream Viruses

NTFS Compression Viruses

ISO Image Infection

File Format Dependency

COM Viruses on DOS

EXE Viruses on DOS

NE (New Executable) Viruses on 16-bit Windows and OS/2

LX Viruses on OS/2

PE (Portable Executable) Viruses on 32-bit Windows

ELF (Executable and Linking Format) Viruses on UNIX

Device Driver Viruses

Object Code and LIB Viruses

Interpreted Environment Dependency

Macro Viruses in Microsoft Products

REXX Viruses on IBM Systems

DCL (DEC Command Language) Viruses on DEC/VMS

Shell Scripts on UNIX (csh, ksh, and bash)

VBScript (Visual Basic Script) Viruses on Windows Systems

BATCH Viruses

Instant Messaging Viruses in mIRC, PIRCH scripts

SuperLogo Viruses

JScript Viruses

Perl Viruses

WebTV Worms in JellyScript Embedded in HTML Mail

Python Viruses

VIM Viruses

EMACS Viruses

TCL Viruses

PHP Viruses

MapInfo Viruses

ABAP Viruses on SAP

Help File Viruses on Windows-When You Press F1...

JScript Threats in Adobe PDF

AppleScript Dependency

ANSI Dependency

Macromedia Flash ActionScript Threats

HyperTalk Script Threats

AutoLisp Script Viruses

Registry Dependency

PIF and LNK Dependency

Lotus Word Pro Macro Viruses

AmiPro Document Viruses

Corel Script Viruses

Lotus 1-2-3 Macro Dependency

Windows Installation Script Dependency

AUTORUN.INF and Windows INI File Dependency

HTML (Hypertext Markup Language) Dependency

Vulnerability Dependency

Date and Time Dependency

JIT Dependency: Microsoft .NET Viruses

Archive Format Dependency

File Format Dependency Based on Extension

Network Protocol Dependency

Source Code Dependency

Source Code Trojans

Resource Dependency on Mac and Palm Platforms

Host Size Dependency

Debugger Dependency

Intended Threats that Rely on a Debugger

Compiler and Linker Dependency

Device Translator Layer Dependency

Embedded Object Insertion Dependency

Self-Contained Environment Dependency

Multipartite Viruses



4. Classification of Infection Strategies.

Boot Viruses

Master Boot Record (MBR) Infection Techniques

DOS BOOT Record (DBR) Infection Techniques

Boot Viruses That Work While Windows 95 Is Active

Possible Boot Image Attacks in Network Environments

File Infection Techniques

Overwriting Viruses

Random Overwriting Viruses

Appending Viruses

Prepending Viruses

Classic Parasitic Viruses

Cavity Viruses

Fractionated Cavity Viruses

Compressing Viruses

Amoeba Infection Technique

Embedded Decryptor Technique

Embedded Decryptor and Virus Body Technique

Obfuscated Tricky Jump Technique

Entry-Point Obscuring (EPO) Viruses

Possible Future Infection Techniques: Code Builders

An In-Depth Look at Win32 Viruses

The Win32 API and Platforms That Support It

Infection Techniques on 32-Bit Windows

Win32 and Win64 Viruses: Designed for Microsoft Windows?



5. Classification of In-Memory Strategies.

Direct-Action Viruses

Memory-Resident Viruses

Interrupt Handling and Hooking

Hook Routines on INT 13h (Boot Viruses)

Hook Routines on INT 21h (File Viruses)

Common Memory Installation Techniques Under DOS

Stealth Viruses

Disk Cache and System Buffer Infection

Temporary Memory-Resident Viruses

Swapping Viruses

Viruses in Processes (in User Mode)

Viruses in Kernel Mode (Windows 9x/Me)

Viruses in Kernel Mode (Windows NT/2000/XP)

In-Memory Injectors over Networks


6. Basic Self-Protection Strategies.

Tunneling Viruses

Memory Scanning for Original Handler

Tracing with Debug Interfaces

Code Emulation-Based Tunneling

Accessing the Disk Using Port I/O

Using Undocumented Functions

Armored Viruses


Encrypted Data

Code Confusion to Avoid Analysis

Opcode Mixing-Based Code Confusion

Using Checksum

Compressed, Obfuscated Code



Antiemulation Techniques

Antigoat Viruses

Aggressive Retroviruses


7. Advanced Code Evolution Techniques and Computer Virus Generator Kits.


Evolution of Code

Encrypted Viruses

Oligomorphic Viruses

Polymorphic Viruses

The 1260 Virus

The Dark Avenger Mutation Engine (MtE)

32-Bit Polymorphic Viruses

Metamorphic Viruses

What Is a Metamorphic Virus?

Simple Metamorphic Viruses

More Complex Metamorphic Viruses and Permutation Techniques

Mutating Other Applications: The Ultimate Virus Generator?

Advanced Metamorphic Viruses: Zmist

{W32, Linux}/Simile: A Metamorphic Engine Across Systems

The Dark Future-MSIL Metamorphic Viruses

Virus Construction Kits

VCS (Virus Construction Set)


VCL (Virus Creation Laboratory)

PS-MPC (Phalcon-Skism Mass-Produced Code Generator)

NGVCK (Next Generation Virus Creation Kit)

Other Kits and Mutators

How to Test a Virus Construction Tool?


8. Classification According to Payload.


Accidentally Destructive Payload

Nondestructive Payload

Somewhat Destructive Payload

Highly Destructive Payload

Viruses That Overwrite Data

Data Diddlers

Viruses That Encrypt Data: The "Good," the Bad, and the Ugly

Hardware Destroyers

DoS (Denial of Service) Attacks

Data Stealers: Making Money with Viruses

Phishing Attacks

Backdoor Features



9. Strategies of Computer Worms.


The Generic Structure of Computer Worms

Target Locator

Infection Propagator

Remote Control and Update Interface

Life-Cycle Manager



Target Locator

E-Mail Address Harvesting

Network Share Enumeration Attacks

Network Scanning and Target Fingerprinting

Infection Propagators

Attacking Backdoor-Compromised Systems

Peer-to-Peer Network Attacks

Instant Messaging Attacks

E-Mail Worm Attacks and Deception Techniques

E-Mail Attachment Inserters

SMTP Proxy-Based Attacks

SMTP Attacks

SMTP Propagation on Steroids Using MX Queries

NNTP (Network News Transfer Protocol) Attacks

Common Worm Code Transfer and Execution Techniques

Executable Code-Based Attacks

Links to Web Sites or Web Proxies

HTML-Based Mail

Remote Login-Based Attacks

Code Injection Attacks

Shell Code-Based Attacks

Update Strategies of Computer Worms

Authenticated Updates on the Web or Newsgroups

Backdoor-Based Updates

Remote Control via Signaling

Peer-to-Peer Network Control

Intentional and Accidental Interactions



The Future: A Simple Worm Communication Protocol?

Wireless Mobile Worms


10. Exploits, Vulnerabilities, and Buffer Overflow Attacks.


Definition of Blended Attack

The Threat


Types of Vulnerabilities

Buffer Overflows

First-Generation Attacks

Second-Generation Attacks

Third-Generation Attacks

Current and Previous Threats

The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode)

Linux/ADM, 1998 ("Copycatting" the Morris Worm)

The CodeRed Outbreak, 2001 (The Code Injection Attack)

Linux/Slapper Worm, 2002 (A Heap Overflow Example)

W32/Slammer Worm, January 2003 (The Mini Worm)

Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)

Generic Buffer Overflow Usage in Computer Viruses

Description of W32/Badtrans.B@mm

Exploits in W32/Nimda.A@mm

Description of W32/Bolzano

Description of VBS/Bubbleboy

Description of W32/Blebla




11. Antivirus Defense Techniques.

First-Generation Scanners

String Scanning



Generic Detection



Top-and-Tail Scanning

Entry-Point and Fixed-Point Scanning

Hyperfast Disk Access

Second-Generation Scanners

Smart Scanning

Skeleton Detection

Nearly Exact Identification

Exact Identification

Algorithmic Scanning Methods


Static Decryptor Detection

The X-RAY Method

Code Emulation

Encrypted and Polymorphic Virus Detection Using Emulation

Dynamic Decryptor Detection

Metamorphic Virus Detection Examples

Geometric Detection

Disassembling Techniques

Using Emulators for Tracing

Heuristic Analysis of 32-Bit Windows Viruses

Code Execution Starts in the Last Section

Suspicious Section Characteristics

Virtual Size Is Incorrect in PE Header

Possible "Gap" Between Sections

Suspicious Code Redirection

Suspicious Code Section Name

Possible Header Infection

Suspicious Imports from KERNEL32.DLL by Ordinal

Import Address Table Is Patched

Multiple PE Headers

Multiple Windows Headers and Suspicious KERNEL32.DLL Imports

Suspicious Relocations

Kernel Look-Up

Kernel Inconsistency

Loading a Section into the VMM Address Space

Incorrect Size of Code in Header

Examples of Suspicious Flag Combinations

Heuristic Analysis Using Neural Networks

Regular and Generic Disinfection Methods

Standard Disinfection

Generic Decryptors

How Does a Generic Disinfector Work?

How Can the Disinfector Be Sure That the File Is Infected?

Where Is the Original End of the Host File?

How Many Virus Types Can We Handle This Way?

Examples of Heuristics for Generic Repair

Generic Disinfection Examples


Access Control Systems

Integrity Checking

False Positives

Clean Initial State


Special Objects

Necessity of Changed Objects

Possible Solutions

Behavior Blocking




12. Memory Scanning and Disinfection.


The Windows NT Virtual Memory System

Virtual Address Spaces

Memory Scanning in User Mode

The Secrets of NtQuerySystemInformation()

Common Processes and Special System Rights

Viruses in the Win32 Subsystem

Win32 Viruses That Allocate Private Pages

Native Windows NT Service Viruses

Win32 Viruses That Use a Hidden Window Procedure

Win32 Viruses That Are Part of the Executed Image Itself

Memory Scanning and Paging

Enumerating Processes and Scanning File Images

Memory Disinfection

Terminating a Particular Process That Contains Virus Code

Detecting and Terminating Virus Threads

Patching the Virus Code in the Active Pages

How to Disinfect Loaded DLLs and Running Applications

Memory Scanning in Kernel Mode

Scanning the User Address Space of Processes

Determining NT Service API Entry Points

Important NT Functions for Kernel-Mode Memory Scanning

Process Context

Scanning the Upper 2GB of Address Space

How Can You Deactivate a Filter Driver Virus?

Dealing with Read-Only Kernel Memory

Kernel-Mode Memory Scanning on 64-Bit Platforms

Possible Attacks Against Memory Scanning

Conclusion and Future Work


13. Worm-Blocking Techniques and Host-Based Intrusion Prevention.


Script Blocking and SMTP Worm Blocking

New Attacks to Block: CodeRed, Slammer

Techniques to Block Buffer Overflow Attacks

Code Reviews

Compiler-Level Solutions

Operating System-Level Solutions and Run-Time Extensions

Subsystem Extensions-Libsafe

Kernel Mode Extensions

Program Shepherding

Worm-Blocking Techniques

Injected Code Detection

Send Blocking: An Example of Blocking Self-Sending Code

Exception Handler Validation

Other Return-to-LIBC Attack Mitigation Techniques

"GOT" and "IAT" Page Attributes

High Number of Connections and Connection Errors

Possible Future Worm Attacks

A Possible Increase of Retroworms

"Slow" Worms Below the Radar

Polymorphic and Metamorphic Worms

Large-Scale Damage

Automated Exploit Discovery-Learning from the Environment



14. Network-Level Defense Strategies.


Using Router Access Lists

Firewall Protection

Network-Intrusion Detection Systems

Honeypot Systems


Early Warning Systems

Worm Behavior Patterns on the Network

Capturing the Blaster Worm

Capturing the Linux/Slapper Worm

Capturing the W32/Sasser.D Worm

Capturing the Ping Requests of the W32/Welchia Worm

Detecting W32/Slammer and Related Exploits



15. Malicious Code Analysis Techniques.

Your Personal Virus Analysis Laboratory

How to Get the Software?

Information, Information, Information

Architecture Guides

Knowledge Base

Dedicated Virus Analysis on VMWARE

The Process of Computer Virus Analysis



Disassembling and Decryption

Dynamic Analysis Techniques

Maintaining a Malicious Code Collection

Automated Analysis: The Digital Immune System


16. Conclusion.

Further Reading

Information on Security and Early Warnings

Security Updates

Computer Worm Outbreak Statistics

Computer Virus Research Papers

Contact Information for Antivirus Vendors

Antivirus Testers and Related Sites


Additional information

The Art of Computer Virus Research and Defense by Peter Szor
Peter Szor
Used - Very Good
Pearson Education (US)