When someone as knowledgeable about computer viruses as Symantec’s chief antivirus researcher writes a book on the subject, it is expected that the resulting work will be authoritative; Peter Szor’s work is that and much more. This book is so full of the details of computer viruses, their infection techniques, examples, and protection strategies, and is presented in such an authoritative and comprehensive way, that it will surely become a must-have for anyone interested in the study of computer viruses. Before you wade into this fountain of knowledge, however, be prepared: the book is not written for novices (that is a feature, not a defect).
The book is divided into two parts. The first part, chapters 1 to 10, is titled “Strategies for the Attacker.” Chapters 11 to 16 make up the second part, “Strategies for the Defenders.” Chapter 1 goes over the early history of models and games of self-replication, including Frederick Cohen’s mathematical formulation of viruses [1]. The two main components of chapter 2 are a unified nomenclature/terminology for malicious programs, with a short description of each of them, and a list of the officially recognized platform names used in the industry. Chapter 3 looks at the malicious code environment. As the author emphasizes, “One of the most important steps towards understanding computer viruses is learning about the particular execution environment in which they operate.” The environment dependencies studied in this chapter include architecture, central processing unit, operating system, file system, and file format, among others. The author then classifies viruses based on infection strategies, and examines several examples of each. A section of this chapter is devoted to an extensive look at Win32 viruses.
In the next chapter, classification based on in-memory strategies is presented, with memory-resident viruses getting most of the attention. While chapter 6 looks at basic self-protection strategies, chapter 7 looks at more advanced code evolution methods, like encrypted, polymorphic, and metamorphic viruses. Chapter 8 is relatively short, focusing on virus classification based on payloads. Computer worms are discussed at length in chapter 9, starting with their structure, and going on to target locator, propagation methods, transfer and execution techniques, update strategies, and remote control. Chapter 10 concludes the first part, with a look at how viruses and worms are using exploits, vulnerabilities, and buffer overflow techniques found in software to their advantage. The author provides a quick introduction to buffer overflows, including heap overflows and format string attacks. A couple of examples are also provided, to show how viruses and worms have used various vulnerabilities discussed earlier in the chapter.
Chapter 11 starts the discussion on the other side of the coin: defense strategies. First-generation scanners that use simple techniques like string scanning, entry-point and fixed-point scanning, and other generic methods are discussed first, before the author moves on to second-generation scanners that “use nearly exact and exact identification,” helping to detect viruses better. Methods like algorithmic scanning and code emulation are discussed next, leading to some examples of metamorphic virus detection, and heuristic analysis of 32-bit Windows viruses. Chapter 12 covers similar ground, but from the point of view of memory scanning and disinfection, with an emphasis on Win32 subsystem viruses. Chapter 13 looks at techniques to block buffer overflow attacks and worm attacks using host-based intrusion detection. Chapter 14 looks at network-level defenses, using, for example, honeypots. Chapter 15 is an extensive discussion on how to perform malicious code analysis in a lab. Basic analysis methods like disassembly and decryption are discussed, and several software packages that can help in the job are pointed out. Chapter 16 is a short conclusion, with pointers to other reading materials.
Szor’s writing style, though exhaustive, sometimes suffers from awkward discontinuities. It also has to be mentioned in passing that, as explicitly stated by the author, Trojan horse code and backdoors are not covered in this book. This does not detract from the book’s amazing detail, however. This work, in short, will be a definitive one in the area of computer virus research for some time to come.