Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "The Art of Computer Virus Research and Defense", Peter Szor

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKACVRAD.RVW 20050731 The Art of Computer Virus Research and Defense , Peter Szor, 2005, 0-321-30454-3, U$49.99/C$69.99 %A Peter Szor pszor@acm.org %C
    Message 1 of 1 , Dec 19, 2005
      BKACVRAD.RVW 20050731

      "The Art of Computer Virus Research and Defense", Peter Szor, 2005,
      0-321-30454-3, U$49.99/C$69.99
      %A Peter Szor pszor@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2005
      %G 0-321-30454-3
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321304543/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321304543/robsladesin03-20
      %O Audience s+ Tech 3 Writing 2 (see revfaq.htm for explanation)
      %P 713 p.
      %T "The Art of Computer Virus Research and Defense"

      The preface states that the book is a compilation of research over a
      fifteen year period. While it is not explicitly stated, Szor seems to
      indicate that the primary audience for the work consists of those
      professionally engaged in the field of malware research and
      protection. (He also admits that his writing might be a little rough,
      which is true. While his text is generally clear enough, it is
      frequently disjointed, and often appears incomplete or jumpy.
      Illustrations are habitually less than helpful, although this can't be
      attributed to a lack of command of English.) Given the stature of
      people he lists in the acknowledgements one can hope for good quality
      in the technical information.

      Part one deals with the strategies of the attacker. Chapter one
      describes games and studies of natural ecologies relevant to computer
      viruses, as well as the early history (and even pre-history) of these
      programs. I could cavil that he misses some points (such as the
      1980-81 Apple virus programs at two universities in Texas), or glosses
      over some important events (such as Shoch and Hupp's worm experiments
      at Xerox PARC), but the background is much better and broader than
      that found in most chronicles. The beginnings of malicious code
      analysis are provided in chapter two, although it concentrates on a
      glossary of malware types (albeit incomplete and not always
      universally agreed) and the CARO (Computer Antivirus Research
      Organization) naming convention. The environment in which viruses
      operate, particularly hardware and operating system platform
      dependencies, is reviewed in chapter three. This material is much
      more detailed than that given in any other virus related text.
      (Dependencies missing from the list seem to be those that utilize
      protective software itself, such as the old virus that used a function
      of the Thunderbyte antivirus to spread, or the more recent Witty worm,
      targeted at the BlackIce firewall. Companion viruses utilizing
      precedence priorities would seem to be related to operating system
      functions, but are not included in that section.) Unfortunately, the
      content will not be of direct and immediate use, since it primarily
      points out issues and relies on the reader's background to understand
      how to deal with the problems, but nonetheless the material is
      fascinating and the inventory impressive. Chapter four outlines
      infection strategies and is likewise comprehensive. Memory use and
      infection strategies are described in chapter five. The issue of
      viral self-protection; tactics to avoid detection and elimination; are
      given in chapter six. Chapter seven reviews variations on the theme
      of polymorphism, and also catalogues some of the virus generation
      kits. Payload types are enumerated in chapter eight. Oddly, botnets
      are mentioned neither here, nor in the material on worms, in chapter
      nine. (Szor's use of a modified Cohenesque definition of a virus as
      infecting files means that some of the items listed in this section
      are what would otherwise be called email viruses. His usage is not
      always consistent, as in the earlier mention of script viruses on page
      81.) "Exploits," in chapter ten, covers a multitude of software
      vulnerabilities that might be used by a variety of malware categories
      for diverse purposes. This content is also some of the best that I've
      seen dealing with the matter of software vulnerabilities, and would be
      well recommended to those interested in building secure applications.

      Part two moves into the area of defence. Chapter eleven describes the
      basic types of antiviral or antimalware programs, concentrating
      primarily on various forms of scanning, although change detection and
      activity monitoring/restriction are mentioned. It is often desireable
      to find and disable malware in memory. The means of doing so,
      particularly in the hiding-place riddled Win32 system, are described
      in chapter twelve. Means of blocking worm attacks are discussed in
      chapter thirteen, although most appear to be either forms of
      application proxy firewalling, or (somewhat ironically) activity
      monitoring. Chapter fourteen lists generic network protection
      mechanisms, such as firewalls and intrusion detection systems,
      although the section on the use of network sniffers to capture memory-
      only worms is intriguing to the researcher. Software analysis, and
      the tools therefore, is covered in chapter fifteen, emphasizing
      functional aspects of the malware. Chapter sixteen concludes with a
      register of Websites for further study and reference.

      For those involved in malware research, Szor's book is easily the best
      since Ferbrache's "A Pathology of Computer Viruses" (cf.
      BKPTHVIR.RVW). It contains a wealth of information found nowhere else
      in book form. On the other hand, it is demanding of the reader, both
      in terms of the often uneven writing style, and the background
      knowledge of computer internals and programming that is required. The
      text does not provide material that would be suitable for general
      protection of computer systems and networks. On the other hand,
      intelligent amateur students of malicious software will find much to
      reward their investigation of this book.

      copyright Robert M. Slade, 2005 BKACVRAD.RVW 20050731

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Basic research is what I'm doing when I don't know what I'm doing
      - Werner von Braun
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.