The art of computer virus research and defense
Szor P., Addison-Wesley Professional, Boston, MA, 2005. 744 pp. Type: Book (9780321304544)
Date Reviewed: Apr 27 2006

Viruses have come a long way since their first incarnations in the 1980s. What used to be an annoyance to computer users who shared floppy disks with one another has become a global threat. Millions, if not billions, of dollars in data and productivity have been lost to these malicious little chunks of executable code. Many computer users only interact with their virus scanner insofar as it reminds them to click a button and download the newest updates. In fact, there is far more going on behind the scenes than even most generalist security experts may be aware of.

Szor’s work is an encyclopedic analysis of the techniques used by both virus developers and antivirus researchers. Explicitly broken up into these two parts, the book begins with a brief overview, history, and theory of malicious software. After the introduction, Szor wastes no time, jumping directly into a roughly chronological discussion of virus environments, infection strategies, and virus self-protection schemes. After a chapter covering buffer overflows and other exploits, the remainder of the book addresses virus detection, disinfection, host-based and network-based intrusion prevention, and viral code analysis. Unlike Skoudis’ book [1], this book delves into the internal details of viruses specifically, rather than giving a fairly high-level account of various types of malicious software. Skoudis covers backdoors, trojans, and rootkits, three subjects that are extremely valuable in their own right, but Szor explains early on that his focus is only on viruses.

The author explicitly states that this book is not intended to be a virus-building manual, and no detailed source code examples are provided that might overly help a budding virus writer. There is enough detail in the chapters on virus techniques, however, to give a coder skilled in assembly or C the ability to create effective malicious code. The text is also a resource, in a somewhat roundabout way, for readers interested in various binary executable formats. To the reader without a basic understanding of programming and of operating systems concepts such as application programming interface (API) calls and kernel mode versus user mode, the book is likely to be a bit difficult to comprehend. This is not a quick introduction in any sense, so it is not for beginners.

Before covering the high points of the book, I have two primary gripes. The author refers to the pseudonyms of authors of viruses, in some cases repeatedly. This extra information does not contribute in a meaningful way to the coverage of virus techniques, and serves to glorify the virus writers. Citing virus writers in this way establishes a dangerous precedent, which may only serve to encourage budding virus-writing criminals. My second gripe is that Szor’s analysis focuses almost exclusively on signature- and heuristic-based virus detection, which are the common techniques employed by the major antivirus companies. Chapter 11 is a deep look into techniques that these modern antivirus systems (installed on almost everyone’s computers) use to make sure that viruses or worms are detected and hopefully prevented. A short paragraph on page 19, discussing integrity checking, concludes that “the general public does not like to be bothered each time a new program is introduced on their systems, but [Dr. Frederick] Cohen’s approach is definitely the safest technique to use.” Given that much modern research has been done on this aspect of virus prevention, and that many of the negative aspects of integrity checking Szor describes have been worked out, integrity checking and whitelisting certainly deserve more mention than just section 11.11 in this nearly comprehensive work.
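The contrast the reviewer draws between signature-based scanning and integrity checking is easy to see in code. The following Python is an added illustration, not code from Szor’s book or from this review: it scans a constructed set of in-memory “files” against a constructed signature database, and separately compares them to a hash baseline taken when the system was known clean. A trusted-hash catalog stands in for the whitelisting that reduces the “bothered each time a new program is introduced” problem the review mentions. All file contents, signature patterns and names are constructed for the example.

```python
import hashlib
from typing import Dict, FrozenSet, List

# Constructed sample executables (name -> bytes), standing in for files on disk.
CLEAN_FILES: Dict[str, bytes] = {
    "calc.exe": b"MZ\x90\x00" + b"calc-program-body" * 4,
    "notepad.exe": b"MZ\x90\x00" + b"notepad-program-body" * 4,
}

# Constructed signature database: detection name -> byte pattern.
# A real scanner would hold many thousands of entries plus heuristics.
SIGNATURES: Dict[str, bytes] = {
    "Sample.Alpha": b"\xeb\x05ALPHA",
}


def signature_scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of all signatures whose pattern occurs in the data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a hash of every file while the system is known to be clean."""
    return {name: sha256_hex(data) for name, data in files.items()}


def integrity_check(
    files: Dict[str, bytes],
    baseline: Dict[str, str],
    trusted_catalog: FrozenSet[str] = frozenset(),
) -> Dict[str, str]:
    """Classify every file as ok / modified / new-trusted / new-unknown / missing.

    'new-trusted' covers a file that is not in the baseline but whose hash is
    in a catalog of known-good programs, so the user need not be prompted.
    """
    report: Dict[str, str] = {}
    for name, data in files.items():
        digest = sha256_hex(data)
        if name in baseline:
            report[name] = "ok" if digest == baseline[name] else "modified"
        elif digest in trusted_catalog:
            report[name] = "new-trusted"
        else:
            report[name] = "new-unknown"
    for name in baseline:
        if name not in files:
            report[name] = "missing"
    return report


def demo():
    """Run both techniques over a constructed post-infection snapshot."""
    baseline = build_baseline(CLEAN_FILES)

    snapshot = dict(CLEAN_FILES)
    # Constructed modification carrying a pattern the signature database knows.
    snapshot["calc.exe"] = SIGNATURES["Sample.Alpha"] + CLEAN_FILES["calc.exe"]
    # Constructed modification carrying a pattern no signature matches.
    snapshot["notepad.exe"] = b"\xeb\x05NOVEL" + CLEAN_FILES["notepad.exe"]
    # A legitimately installed program whose hash is in the trusted catalog.
    vendor_tool = b"MZ\x90\x00" + b"vendor-tool-body" * 4
    snapshot["vendor-tool.exe"] = vendor_tool
    # A file nobody has vouched for.
    snapshot["dropper.exe"] = b"MZ\x90\x00" + b"unknown-body"

    trusted = frozenset({sha256_hex(vendor_tool)})
    sig_results = {name: signature_scan(data) for name, data in snapshot.items()}
    integrity_results = integrity_check(snapshot, baseline, trusted)
    return sig_results, integrity_results


if __name__ == "__main__":
    sig, integ = demo()
    for name in sorted(integ):
        print(f"{name:16} signature={sig.get(name, [])!s:18} integrity={integ[name]}")
```

The run makes the reviewer’s point concrete: the signature scan names the known pattern in calc.exe but says nothing about notepad.exe, whose modification is novel, while the integrity check flags both as modified and prompts only for the file whose hash is neither baselined nor in the trusted catalog.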

Despite my gripes with this book, it covers the field of virus development and protection in great detail, and with eloquence. Viruses for older platforms, such as DOS and Windows 95, are discussed nearly as much as those infecting 32- and 64-bit applications for more modern operating systems, such as Windows 2000 and XP. This coverage is important, though, to fully explain the evolution of virus writers’ tactics. As operating systems became more complex, so too did the strategies that viruses used to infect these new systems. While Linux and other non-Microsoft operating systems are discussed, the majority of virus techniques are specifically geared to Windows operating systems, simply because the majority of viruses infect Windows. Chapter 7, which discusses polymorphic viruses and virus creation kits, is interesting, and noticeably less encyclopedic than other parts of the book. Chapter 8’s extremely brief coverage of virus payload types could have benefited from more in-depth coverage of the relatively new field of cryptovirology, though, to be fair, Szor did cite Malicious cryptography [2] as a reference. The obligatory section on exploits like buffer overflows (chapter 10) and techniques for blocking such exploits (chapter 13) may be redundant with many other security texts, but it is definitely relevant in learning the methods that worms use to remotely penetrate systems and how to stop them. Chapter 13, in particular, spends time with specific exploit-prevention techniques that may be overlooked by other authors.

I don’t expect that this text would be used for a college course on virus techniques, simply because there is so much detail. It would be difficult to cover a quarter of the material in this book in a semester, and the laundry list of prerequisite courses might be too much to handle for most undergraduates. I believe that the target audience of this book is the security professional with a computer science background who is interested in becoming very intimate with the topic of computer viruses. I consider myself a member of this audience, and, although it has a few flaws, this book has earned a spot on the “for frequent reference” section of my bookcase.

Reviewer: Jeremy A. Hansen. Review #: CR132719 (0703-0258)
1) Skoudis, E. Malware: fighting malicious code. Prentice Hall PTR, Upper Saddle River, NJ, 2003.
2) Young, A.; Yung, M. Malicious cryptography: exposing cryptovirology. Wiley, New York, NY, 2004.
Categories: Invasive Software (K.6.5); Network Monitoring (C.2.3); Security and Protection (K.6.5); Testing and Debugging (D.2.5)
 