The Art of Computer Virus Research and Defense

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes


Table of Contents

About the Author
Preface
  Who Should Read This Book
  What I Cover
  What I Do Not Cover
Acknowledgments
  Contact Information
Part I.  STRATEGIES OF THE ATTACKER
  Chapter 1.  Introduction to the Games of Nature
    Section 1.1.  Early Models of Self-Replicating Structures
    Section 1.2.  Genesis of Computer Viruses
    Section 1.3.  Automated Replicating Code: The Theory and Definition of Computer Viruses
    References
  Chapter 2.  The Fascination of Malicious Code Analysis
    Section 2.1.  Common Patterns of Virus Research
    Section 2.2.  Antivirus Defense Development
    Section 2.3.  Terminology of Malicious Programs
    Section 2.4.  Other Categories
    Section 2.5.  Computer Malware Naming Scheme
    Section 2.6.  Annotated List of Officially Recognized Platform Names
    References
  Chapter 3.  Malicious Code Environments
    Section 3.1.  Computer Architecture Dependency
    Section 3.2.  CPU Dependency
    Section 3.3.  Operating System Dependency
    Section 3.4.  Operating System Version Dependency
    Section 3.5.  File System Dependency
    Section 3.6.  File Format Dependency
    Section 3.7.  Interpreted Environment Dependency
    Section 3.8.  Vulnerability Dependency
    Section 3.9.  Date and Time Dependency
    Section 3.10.  JIT Dependency: Microsoft .NET Viruses
    Section 3.11.  Archive Format Dependency
    Section 3.12.  File Format Dependency Based on Extension
    Section 3.13.  Network Protocol Dependency
    Section 3.14.  Source Code Dependency
    Section 3.15.  Resource Dependency on Mac and Palm Platforms
    Section 3.16.  Host Size Dependency
    Section 3.17.  Debugger Dependency
    Section 3.18.  Compiler and Linker Dependency
    Section 3.19.  Device Translator Layer Dependency
    Section 3.20.  Embedded Object Insertion Dependency
    Section 3.21.  Self-Contained Environment Dependency
    Section 3.22.  Multipartite Viruses
    Section 3.23.  Conclusion
    References
  Chapter 4.  Classification of Infection Strategies
    Section 4.1.  Boot Viruses
    Section 4.2.  File Infection Techniques
    Section 4.3.  An In-Depth Look at Win32 Viruses
    Section 4.4.  Conclusion
    References
  Chapter 5.  Classification of In-Memory Strategies
    Section 5.1.  Direct-Action Viruses
    Section 5.2.  Memory-Resident Viruses
    Section 5.3.  Temporary Memory-Resident Viruses
    Section 5.4.  Swapping Viruses
    Section 5.5.  Viruses in Processes (in User Mode)
    Section 5.6.  Viruses in Kernel Mode (Windows 9x/Me)
    Section 5.7.  Viruses in Kernel Mode (Windows NT/2000/XP)
    Section 5.8.  In-Memory Injectors over Networks
    References
  Chapter 6.  Basic Self-Protection Strategies
    Section 6.1.  Tunneling Viruses
    Section 6.2.  Armored Viruses
    Section 6.3.  Aggressive Retroviruses
    References
  Chapter 7.  Advanced Code Evolution Techniques and Computer Virus Generator Kits
    Section 7.1.  Introduction
    Section 7.2.  Evolution of Code
    Section 7.3.  Encrypted Viruses
    Section 7.4.  Oligomorphic Viruses
    Section 7.5.  Polymorphic Viruses
    Section 7.6.  Metamorphic Viruses
    Section 7.7.  Virus Construction Kits
    References
  Chapter 8.  Classification According to Payload
    Section 8.1.  No-Payload
    Section 8.2.  Accidentally Destructive Payload
    Section 8.3.  Nondestructive Payload
    Section 8.4.  Somewhat Destructive Payload
    Section 8.5.  Highly Destructive Payload
    Section 8.6.  DoS (Denial of Service) Attacks
    Section 8.7.  Data Stealers: Making Money with Viruses
    Section 8.8.  Conclusion
    References
  Chapter 9.  Strategies of Computer Worms
    Section 9.1.  Introduction
    Section 9.2.  The Generic Structure of Computer Worms
    Section 9.3.  Target Locator
    Section 9.4.  Infection Propagators
    Section 9.5.  Common Worm Code Transfer and Execution Techniques
    Section 9.6.  Update Strategies of Computer Worms
    Section 9.7.  Remote Control via Signaling
    Section 9.8.  Intentional and Accidental Interactions
    Section 9.9.  Wireless Mobile Worms
    References
  Chapter 10.  Exploits, Vulnerabilities, and Buffer Overflow Attacks
    Section 10.1.  Introduction
    Section 10.2.  Background
    Section 10.3.  Types of Vulnerabilities
    Section 10.4.  Current and Previous Threats
    Section 10.5.  Summary
    References
Part II.  STRATEGIES OF THE DEFENDER
  Chapter 11.  Antivirus Defense Techniques
    Section 11.1.  First-Generation Scanners
    Section 11.2.  Second-Generation Scanners
    Section 11.3.  Algorithmic Scanning Methods
    Section 11.4.  Code Emulation
    Section 11.5.  Metamorphic Virus Detection Examples
    Section 11.6.  Heuristic Analysis of 32-Bit Windows Viruses
    Section 11.7.  Heuristic Analysis Using Neural Networks
    Section 11.8.  Regular and Generic Disinfection Methods
    Section 11.9.  Inoculation
    Section 11.10.  Access Control Systems
    Section 11.11.  Integrity Checking
    Section 11.12.  Behavior Blocking
    Section 11.13.  Sand-Boxing
    Section 11.14.  Conclusion
    References
  Chapter 12.  Memory Scanning and Disinfection
    Section 12.1.  Introduction
    Section 12.2.  The Windows NT Virtual Memory System
    Section 12.3.  Virtual Address Spaces
    Section 12.4.  Memory Scanning in User Mode
    Section 12.5.  Memory Scanning and Paging
    Section 12.6.  Memory Disinfection
    Section 12.7.  Memory Scanning in Kernel Mode
    Section 12.8.  Possible Attacks Against Memory Scanning
    Section 12.9.  Conclusion and Future Work
    References
  Chapter 13.  Worm-Blocking Techniques and Host-Based Intrusion Prevention
    Section 13.1.  Introduction
    Section 13.2.  Techniques to Block Buffer Overflow Attacks
    Section 13.3.  Worm-Blocking Techniques
    Section 13.4.  Possible Future Worm Attacks
    Section 13.5.  Conclusion
    References
  Chapter 14.  Network-Level Defense Strategies
    Section 14.1.  Introduction
    Section 14.2.  Using Router Access Lists
    Section 14.3.  Firewall Protection
    Section 14.4.  Network-Intrusion Detection Systems
    Section 14.5.  Honeypot Systems
    Section 14.6.  Counterattacks
    Section 14.7.  Early Warning Systems
    Section 14.8.  Worm Behavior Patterns on the Network
    Section 14.9.  Conclusion
    References
  Chapter 15.  Malicious Code Analysis Techniques
    Section 15.1.  Your Personal Virus Analysis Laboratory
    Section 15.2.  Information, Information, Information
    Section 15.3.  Dedicated Virus Analysis on VMWARE
    Section 15.4.  The Process of Computer Virus Analysis
    Section 15.5.  Maintaining a Malicious Code Collection
    Section 15.6.  Automated Analysis: The Digital Immune System
    References
  Chapter 16.  Conclusion
    Further Reading
Index