Book Review - The Art of Computer Virus Research and Defense

Networking/Security Forums -> News // Columns // Articles

Author: Groovicus | Location: Centerville, South Dakota | Posted: Tue Mar 15, 2005 5:46 am | Post subject: Book Review - The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense

Author(s): Peter Szor
Publisher: Name
Date Published: 2005
Book Specifications: Softcover, 713 pages
Category: Security
Reviewer's Recommended User Level: Intermediate/Advanced
Suggested Publisher Price: $49.99 US / $69.99 CDN
ISBN: 0-321-30454-3

From the Back

Threats. Analysis. Countermeasures. The Definitive Guide for Experienced IT and Security Professionals. Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.


In the past few months, we have seen some interesting examples of spyware and adware employing tricks and techniques used by virus writers. While I am generally able to noodle together what a piece of malware is doing, there have been a couple recent variants that have me completely confused as to how to reverse the damage. It occurred to me that my techniques needed refining, so I have spent the better part of the last couple of weeks Googling the underbelly of the Internet hoping to find some sort of a blueprint. I picked this up at Barnes and Noble, and was hooked within a few pages. This was exactly what I had been looking for.

Let's make this clear up front. You will not learn how to write malicious code from reading this book. If you are able to understand all of the concepts as presented, it will quickly become clear that you already know how to write malicious code. And if you are interested in malware analysis, you are in for a treat.

Section I

The first section is appropriately titled Strategies of the Attacker, and chapter one, Introduction to the Games of Nature. Have you ever heard of John von Neumann? Neither had I. It turns out that in addition to introducing binary operations, von Neumann introduced the theory of Self-Replicating Automata, or for those without a dictionary nearby, self-reproducing machines (in 1948). Stanislaw Ulam suggested the idea of using cellular automata as a means of describing these self-reproducing machines, and the theory of reproducing structures was born. Szor discusses early computer programs used to demonstrate these budding concepts, including Core War, a computer game where the goal is to write a program that will overwrite your opponent's programs and kill them. I had heard of this game, but was surprised to find out that there is a modern version that includes networking capabilities.

The remainder of chapter one, and chapter two, are tributes to the pioneers of virus research, antivirus development, and common definitions for malicious software. In addition to the familiar definitions of virus, worm, etc., I was introduced to the concept of an octopus, which is a piece of malicious software that exists as a set of programs on more than one computer on a network, or rabbit, which is an application that only exists as a single copy of itself at any given time on a series of networked hosts.

The remainder of the first section covers malicious code environments, classification of infection strategies, in-memory strategies, self-protection strategies, and code evolution. There are also two sections in which computer worms, exploits, vulnerabilities, and buffer overflow attacks are described in great detail. Worms are not just discussed in general terms. We get to see how worms are coded to take advantage of vulnerabilities and exploits, including Blaster, Nimda, Code Red, and others that had never made it into the wild. Not only how they work, but how fatal flaws kept some of them from becoming the lead story on the evening news.

Section II

The next section is dedicated to defense strategies, and in-depth analysis of detection methods, starting with signature based detection, and quickly moving through some very sophisticated techniques I hadn't considered before, including algorithmic scanning, code emulation, metamorphic code detection, and a large section on heuristic methods. Interestingly enough, Szor discusses potential weaknesses of each method, presenting a clear picture of the difficulties with detection.

While inoculation, access control, integrity checking, and sandboxing are presented as potential methods of defense, even they are not without problems. The remainder of the section covers memory scanning and disinfection, worm-blocking techniques, host-based intrusion protection, and network-level defense.

Another feature of the book that I really like is that when a section is opened for discussion, it is illustrated with several different examples. For example, the chapter on network-level defense is broken down into small subsections that discuss router access lists, firewalls, network intrusion detection systems, honeypots, counterattacks, and worm behavior. The worm behavior section is further delineated into methods for capturing and recognizing the Blaster Worm, Slapper, Sasser, Welchia, and Slammer; each with Ethereal dumps and code explanation.

Section two ends with a short section that describes malicious code analysis techniques. Most of the tools mentioned were free, which I consider a bonus. He also has a substantial section covering the merits of using VMware or VirtualPC for malware analysis boxes, which is a topic not often covered. It was nice to find out that my methods of malware analysis are not totally out of the ballpark. The process of analysis is described in a series of steps: preparation, unpacking, disassembly and decryption, and dynamic analysis techniques.


Reading this book was like a trip through a museum. The various code samples tend to build on each other, demonstrating the evolution of malware. Each chapter is brimming with information, making it almost seem like a textbook, but it does not read like a textbook. Each part flows logically into the next, and it is one of the few books I have that I didn't find myself skimming through for fear of missing something. Szor delicately dances around presenting complete code, but is still able to clearly demonstrate processes and procedures.

While I wouldn't call this book advanced, without some idea of how operating systems work, one will easily get lost. Much time is spent discussing file structures, PE headers, memory, and how viruses are able to utilize weaknesses inherent to these various structures to carry out their nefarious deeds. There are even a few undocumented APIs sprinkled through the text just to keep things interesting. With that said, if one has a basic understanding of operating systems and code, this book will pull everything together in such a way that one has a much clearer picture of the interdependencies of a given OS.

The only complaint I have, and it isn't even a complaint as such, is that I would like to have seen a little more time spent on actual hands-on analysis. Aside from that, I consider this to be one of the top two books of its type I have ever had the privilege of reading, and as such, I give it an honored SFDC rating of 10 / 10.

Keywords: Peter Szor virus research defense malware symantec press

Chad Clites
Security Forums Dot Com

This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

Last edited by Groovicus on Tue Mar 15, 2005 7:56 pm; edited 3 times in total
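The review above mentions that Szor walks through signature scanning, algorithmic scanning and code emulation and then shows where each one breaks. The following is an added example written for this page, not code from the book or from the reviewer. It builds a toy "virus body" out of made-up bytes, encrypts it the way an oligomorphic virus would (single-byte XOR, then a sliding XOR key), and shows that a plain signature scan only catches the unencrypted generation, that an X-ray scan (trial-decrypting the file image with every candidate key before searching) recovers the constant-key generation, and that the X-ray pattern itself has to be rewritten as soon as the decryptor changes to a sliding key. The body, stub and signature bytes are constructed for the demonstration and are not real malware or real AV signatures.

```python
"""Signature scanning vs. X-ray scanning over a toy XOR-encrypted virus body.

Everything below is constructed for illustration: BODY, STUB and SIGNATURE
are made-up byte strings, not real code and not real antivirus signatures.
"""
from typing import Optional, Tuple

# Constructed plaintext "virus body" (opcode-looking bytes, not real code).
BODY = bytes.fromhex("b8004c" "cd21" "5ebe1234" "8a0e3456" "e8f0ffffff" "c3")

# The scanner's signature: a distinctive 8-byte slice of the plaintext body.
SIGNATURE = BODY[5:13]

# Constructed decryptor stub that a polymorphic engine would leave in clear.
STUB = b"\xeb\x10\x90\x90"


def xor_encrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest encryption seen in oligomorphic viruses."""
    return bytes(b ^ key for b in data)


def sliding_xor_encrypt(data: bytes, key: int) -> bytes:
    """XOR with a key that increments for every byte (a sliding key)."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def make_sample(key: int, sliding: bool = False) -> bytes:
    """One generation of the infected file image: clear stub + encrypted body."""
    enc = sliding_xor_encrypt(BODY, key) if sliding else xor_encrypt(BODY, key)
    return STUB + enc


def signature_scan(data: bytes, sig: bytes = SIGNATURE) -> int:
    """Classic string search. Returns the match offset, or -1 if not found."""
    return data.find(sig)


def xray_scan(data: bytes, sig: bytes = SIGNATURE) -> Optional[Tuple[int, int]]:
    """X-ray scanning for a constant-key XOR decryptor: trial-decrypt the
    whole image with each of the 256 candidate keys and search the result.
    Returns (key, offset) or None."""
    for key in range(256):
        off = xor_encrypt(data, key).find(sig)
        if off != -1:
            return key, off
    return None


def sliding_xray_scan(data: bytes, sig: bytes = SIGNATURE) -> Optional[Tuple[int, int]]:
    """X-ray scanning for a sliding-key decryptor. Byte i of the body is keyed
    with (key + i), so the trial decryption must be re-aligned at every
    candidate offset; k0 is the effective key at the signature's first byte.
    Returns (k0, offset) or None."""
    n = len(sig)
    for k0 in range(256):
        for off in range(len(data) - n + 1):
            if all((data[off + k] ^ ((k0 + k) & 0xFF)) == sig[k] for k in range(n)):
                return k0, off
    return None


def main() -> None:
    plain = make_sample(0)                      # generation 0: no encryption
    const = make_sample(0x5A)                   # generation with key 0x5A
    slide = make_sample(0x5A, sliding=True)     # same key, sliding decryptor
    print("signature on plaintext :", signature_scan(plain))
    print("signature on XOR body  :", signature_scan(const))
    print("x-ray on XOR body      :", xray_scan(const))
    print("x-ray on sliding body  :", xray_scan(slide))
    print("sliding x-ray          :", sliding_xray_scan(slide))


if __name__ == "__main__":
    main()
```

The point the example makes is the one the review attributes to the book: each detection method pays for its generality. The signature scan is cheap but blind to any encrypted generation; the X-ray scan costs 256 trial decryptions per file and is tied to one decryptor family, so a change from a constant to a sliding key forces a new X-ray pattern, which is what pushed antivirus engines toward emulating the decryptor instead.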

Author: ryansutton | Location: San Francisco, California | Posted: Wed Mar 16, 2005 8:38 pm
Nice review Groovicus, I don't know if I want to spend $50 on it, maybe I can find a deal somewhere :p

Author: ATS | Posted: Wed Mar 16, 2005 9:46 pm
the library is running some pretty good deals right now....

Author: ryansutton | Location: San Francisco, California | Posted: Wed Mar 16, 2005 9:47 pm
lol, Last time I went to my public library the most recent computer book was about a year old.

Author: meeeeeeeeee | Location: CT, USA | Posted: Thu Mar 17, 2005 4:04 pm
Very nice review groov! I'm adding it to my shopping list.

Ryansutton, if you ask the librarian, in most cases they will track down the book you want and get it for you. The reason you don't see newer computer books is that nobody bothers to ask for them.

Author: Groovicus | Location: Centerville, South Dakota | Posted: Thu Mar 17, 2005 4:13 pm
I meant to add some links to some whitepapers that the author has done: <-- directly from the book

There are quite a few others online also.

Author: ryansutton | Location: San Francisco, California | Posted: Thu Mar 17, 2005 7:25 pm
meeeeeeeeee wrote:

Ryansutton, if you ask the librarian, in most cases they will track down the book you want and get it for you. The reason you don't see newer computer books is that nobody bothers to ask for them.

I never even thought to do that! Thanks for the suggestion, I will let you know if it works.

Author: zeedo | Location: Scotland | Posted: Thu Mar 17, 2005 11:15 pm
ryansutton wrote:
Nice review Groovicus, I don't know if I want to spend $50 on it, maybe I can find a deal somewhere :p

I read it on my Safari account, access to which is very cheap and worth it if you read a lot of technical books. I know most people prefer to read from paper, but if it's going to save you some cash I'm sure you'll get used to it.

My review of the book wouldn't rate it as highly as groovicus did. It was more a 6/10 for me. Still a semi-interesting read though.

Author: ryansutton | Location: San Francisco, California | Posted: Thu Mar 17, 2005 11:39 pm
Thanks for the info Zeedo, on average how much cheaper is it to read online?

Author: zeedo | Location: Scotland | Posted: Fri Mar 18, 2005 1:33 am
Prices here
I have a 10-slot bookshelf; the smallest is 5 slots, which costs $9.99 (USD) per month. Not bad for access to 5 books per month.

Basically you search for a book you want to read, preview parts of it and check the contents page.
If you like it you add it to your shelf and it takes up 1 slot. It stays on your shelf for a minimum of one month. During that time you can read it and add bookmarks and notes to it, etc. At the end of the month, if you are finished with it you can remove it from the shelf; otherwise you keep it there until you are done.

I find I keep one or two reference books on there for long periods and add and remove other books as I need them. E.g., at the moment I'm studying for MCP exams 70-293 and 70-294, so I have 2 books for each of those exams on my shelf, the virus book we are discussing here, a book on telecoms and a couple of Active Directory books. There's a pretty good selection.

You can try it for free for 14 days to see if you like it here.

Author: ryansutton | Location: San Francisco, California | Posted: Fri Mar 18, 2005 4:43 am
Thanks for that piece of information Zeedo, I think I will sign up.