REVIEW: "The Art of Computer Virus Research and Defense", Peter Szor
- BKACVRAD.RVW 20050731
"The Art of Computer Virus Research and Defense", Peter Szor, 2005,
%A Peter Szor pszor@...
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@...
%O Audience s+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 713 p.
%T "The Art of Computer Virus Research and Defense"

The preface states that the book is a compilation of research over a
fifteen year period. While it is not explicitly stated, Szor seems to
indicate that the primary audience for the work consists of those
professionally engaged in the field of malware research and
protection. (He also admits that his writing might be a little rough,
which is true. While his text is generally clear enough, it is
frequently disjointed, and often appears incomplete or jumpy.
Illustrations are habitually less than helpful, although this can't be
attributed to a lack of command of English.) Given the stature of
people he lists in the acknowledgements one can hope for good quality
in the technical information.

Part one deals with the strategies of the attacker. Chapter one
describes games and studies of natural ecologies relevant to computer
viruses, as well as the early history (and even pre-history) of these
programs. I could cavil that he misses some points (such as the
1980-81 Apple virus programs at two universities in Texas), or glosses
over some important events (such as Shoch and Hupp's worm experiments
at Xerox PARC), but the background is much better and broader than
that found in most chronicles. The beginnings of malicious code
analysis are provided in chapter two, although it concentrates on a
glossary of malware types (albeit incomplete and not always
universally agreed) and the CARO (Computer Antivirus Research
Organization) naming convention. The environment in which viruses
operate, particularly hardware and operating system platform
dependencies, is reviewed in chapter three. This material is much
more detailed than that given in any other virus related text.
(Dependencies missing from the list seem to be those that utilize
protective software itself, such as the old virus that used a function
of the Thunderbyte antivirus to spread, or the more recent Witty worm,
targeted at the BlackIce firewall. Companion viruses utilizing
precedence priorities would seem to be related to operating system
functions, but are not included in that section.) Unfortunately, the
content will not be of direct and immediate use, since it primarily
points out issues and relies on the reader's background to understand
how to deal with the problems, but nonetheless the material is
fascinating and the inventory impressive. Chapter four outlines
infection strategies and is likewise comprehensive. Memory use and
infection strategies are described in chapter five. The issue of
viral self-protection (tactics to avoid detection and elimination) is
covered in chapter six. Chapter seven reviews variations on the theme
of polymorphism, and also catalogues some of the virus generation
kits. Payload types are enumerated in chapter eight. Oddly, botnets
are mentioned neither here, nor in the material on worms, in chapter
nine. (Szor's use of a modified Cohenesque definition of a virus as
infecting files means that some of the items listed in this section
are what would otherwise be called email viruses. His usage is not
always consistent, as in the earlier mention of script viruses on page
81.) "Exploits," in chapter ten, covers a multitude of software
vulnerabilities that might be used by a variety of malware categories
for diverse purposes. This content is also some of the best that I've
seen dealing with the matter of software vulnerabilities, and would be
well recommended to those interested in building secure applications.

Part two moves into the area of defence. Chapter eleven describes the
basic types of antiviral or antimalware programs, concentrating
primarily on various forms of scanning, although change detection and
activity monitoring/restriction are mentioned. It is often desirable
to find and disable malware in memory. The means of doing so,
particularly in the hiding-place riddled Win32 system, are described
in chapter twelve. Means of blocking worm attacks are discussed in
chapter thirteen, although most appear to be either forms of
application proxy firewalling, or (somewhat ironically) activity
monitoring. Chapter fourteen lists generic network protection
mechanisms, such as firewalls and intrusion detection systems,
although the section on the use of network sniffers to capture memory-
only worms is intriguing to the researcher. Software analysis, and
the tools therefor, is covered in chapter fifteen, emphasizing
functional aspects of the malware. Chapter sixteen concludes with a
register of Websites for further study and reference.

For those involved in malware research, Szor's book is easily the best
since Ferbrache's "A Pathology of Computer Viruses" (cf.
BKPTHVIR.RVW). It contains a wealth of information found nowhere else
in book form. On the other hand, it is demanding of the reader, both
in terms of the often uneven writing style, and the background
knowledge of computer internals and programming that is required. The
text does not provide material that would be suitable for general
protection of computer systems and networks. On the other hand,
intelligent amateur students of malicious software will find much to
reward their investigation of this book.

copyright Robert M. Slade, 2005 BKACVRAD.RVW 20050731
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade