Halvar Flake, Reverse Engineer, SABRE Security GmbH

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever publishedaddressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes

• 
  
  Discovering how malicious code attacks on a variety of platforms
• 
  
  Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
• 
  
  Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
• 
  
  Mastering empirical methods for analyzing malicious codeand what to do with what you learn
• 
  
  Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
• 
  
  Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
• 
  
  Using worm blocking, host-based intrusion prevention, and network-level defense strategies

© Copyright Pearson Education. All rights reserved.

About The Author


Peter Szor is security architect for Symantec Security Response, where has been designing and building anti-virus technologies for the Norton AntiVirus product line since 1999. From 1990 to 1995, Szor wrote and maintained his own antivirus program, Pasteur. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin Magazine, and is founding member of the AVED (AntiVirus Emergency Discussion) network.

© Copyright Pearson Education. All rights reserved.

Customer Reviews & Comments
Peter Szor's 'The Art of Computer Virus Research and Defense' (TAOCVRAD) is one of the best technical books I've ever read, and I've reviewed over 150 security and networking books during the past 5 years. This book so thoroughly owns the subject of computer viruses that I recommend any authors seeking to write their own virus book find a new topic. Every technical computing professional needs to read this book, fast. I read this book from cover to cover. The author does not lie when he says acquiring the same amount of information requires digging in obscure virus journals and analyzing malicious code. TAOCVRAD's single most powerful aspect is the author's persistence in naming one or more sample viruses that exemplify whatever concept he is discussing. In other words, all of his theory is backed by, or builds on, real-life examples. Each chapter contains moderate end-notes that provide pointers for additional research. A truly great book has the power to change deeply-entrenched opinions, or make readers look at old problems in a new light. In my case, I altered my perception of the virus problem and ways to fight it. First, I changed my concept of viruses and worms. Peter builds on Fred Cohen's virus definition to say 'a computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.' He calls worms a 'subclass of computer viruses.' I used to disagree with Peter; I believed a virus infects files and requires user interaction, and a worm spreads by itself via the network. Now I agree with Peter's viewpoint: 'worms are network viruses, primarily replicating on networks... If the primary vector of the virus is the network, it should be classified as a worm.' The distinction is subtle, but it makes sense to consider worms a subclass of viruses given Peter's extensive analysis of both types of malware. Second, I recognized I held an opinion Peter considers unfortunate: 'some computer security people do not seem to consider computer viruses as a serious aspect of security, or they ignore the relationship between computer security and computer viruses.' I was guilty as charged. I used to positively detest viruses because they seemed like mindless automated code that did little but replicate. After reading about scores of real viruses, I have a profound appreciation for virus technology. Viruses introduced techniques for obfuscation, stealth, and exploitation a decade earlier, in some cases, than the single-shot exploit code we see today. Third, Peter put a human face on the problems associated with closed-source operating systems like Microsoft Windows. Many so-called Native API calls are undocumented, and as such make life difficult for anti-virus developers. (Virus writers tend to know them.) With Microsoft entering the anti-virus market, will it leverage these secrets to outperform competitors lacking this internal knowledge? Readers of Ed Skoudis' 'Malware' or Jose Nazario's 'Defense and Detection Strategies against Internet Worms' will find this new book greatly complements those two works. Those wishing to get the most value from TAOCVRAD should have Intel assembly coding skills and several years of hands-on security experience. I had almost no issues with this book, which is striking given it is nearly 700 pages long. In a few places I found the language a little rough, but not enough to bother me. I believe a code listing on p. 372 should show a '<=' instead of '=', but I may be wrong. Although the author works for Symantec, I did not see an undue amount of Symantec-centric material. Chapter 13 is somewhat of an exception, but I do not fault the author. I felt the network section (ch 14) could have been stronger, since advice to block all IP fragments or ICMP at border routers isn't necessarily wise. I can't personally vouch for all of the author's virus analysis as his skill level exceeds mine by an order of magnitude. TAOCVRAD is the must-buy security book of 2005. You could spend weeks learning from this book. Readers should be thankful Peter decided to share so much of his knowledge with us in an accessible and educational format. Comment | Permalink | (Report this)