The Art of Computer Virus Research & Defense, by Peter Szor (ISBN 0321304543)
Reviewed by: Howard Carson, September 2005
Published by: Symantec Press/Addison-Wesley Professional
Requires: N/A
MSRP: US$49.99, CAN$69.99
Every Information Technology (IT) and security professional in every company on earth is currently responsible for ensuring that virus laden files and e-mail do not penetrate their company networks and servers. To say that the problem is utterly and completely a global concern is actually the ultimate understatement. It is more accurate to say that at a fundamental level, every unprotected, partially protected and many so-called fully protected computers connected directly or indirectly to the Internet are vulnerable to attack and infestation by viruses. In turn, that means the data—public and private—stored on all of those computers may be accessible to strangers, thieves, miscreants and anyone with the will to commit nefarious acts. There are bad people lurking in the digital shadows, shrouding their villainy behind anonymous servers, misguided protectors and the collusion of the morally dispossessed. Fail to protect your computers and the villains will get you. Every time.
Symantec is a prominent leader in the world of antivirus research. Its Norton Antivirus and Norton Internet Security products are well-known and highly regarded. The products are not strictly the result of musings between product managers, programmers and marketers, however. Far from it. The root philosophy of any software company's commitment to antivirus and Internet security products must emanate from serious, well-founded research. Peter Szor, Symantec's chief antivirus researcher, has now literally written the book on his favorite subject. The Art of Computer Virus Research & Defense is Szor's guide to contemporary virus threats, defense techniques and analysis tools. In case you're wondering, Szor made his bones over the years working on AVP, F-Prot and Symantec Norton Antivirus. The man also did his 1991 diploma work on the subject of computer viruses and virus protection. These days, besides his position as chief antivirus researcher at Symantec, he's also a member of the Computer Antivirus Researchers Organization (CARO) and sits on the advisory board of Virus Bulletin magazine. The guy's got some game, no doubt about it.
The first thing I discovered about the book is that reading a number of the defense chapters first makes it significantly easier to understand the relevant attack chapters. In essence, Szor takes the position that understanding the mechanics of a protection scheme for a specific virus payload provides context for the components of a virus and the reason for using specific attack vectors. Agree or disagree, depending on your current skill level and your current knowledge of viruses and countermeasures. In any case, the book is balanced to provide a thorough knowledge of origin, design, cause, effect, defense and remedy. All virus designs and methodologies, except for Trojans and backdoors, are fully covered.
Szor has organized the book into logical groupings of issues. He has systematized the book in a way that makes it easy for comparatively inexperienced IT and security technologists to analyze current viruses and their attack vectors in order to understand prevailing network conditions and devise a response. The only caveat imposed is one of experience—programming experience, that is. Szor rightly expects that anyone charged with tackling these sorts of problems and responsibilities should be at least a junior programmer, preferably an intermediate one, but a bona-fide programmer in any case.
The Art of Computer Virus Research & Defense made for a week of fascinating reading followed by a couple of days reinforcing my business network. Szor's clear and concise descriptions of, among many other things, cavity viruses and fractionated cavity viruses, classic parasitic viruses, embedded decryptor techniques, Win32 function call hooking, the use of undocumented CPU instructions, infection of portable executable files, format string attacks, and code injection attacks provided technical details that were so clear to me that I almost felt as if I were only truly understanding this segment of software science for the first time. Szor demonstrates his preeminence in the antivirus business with unassailable authority and well-earned confidence.
Cons: The book is primarily about self-replicating malicious code. As a result, Trojan horse programs and backdoors are not covered in any significant way. (It's a feature, not a bug, Symantec might say, and the book is working as designed!) There are plenty of competent IT and security people out there who do not have the programming experience needed to fully take advantage of all the book has to offer. That's actually an indictment of the IT sector in general—too many people without some important training and experience working in jobs that require it.
Pros: Szor systematically and authoritatively covers virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, identifying and responding to code obfuscation, mastering empirical methods for analysis of malicious code, reverse engineering techniques using disassemblers, debuggers, emulators and virtual machines, and implementation of technical defenses. The book is thorough at 716 pages, and provides a detailed table of contents and a very usable index. Chapter 16 contains a nice compilation of antivirus software vendor links, a short list of links to highly authoritative virus research papers, a list of security and early warning web sites, and a link to the CAIDA web site and its worm outbreak statistics. If you need an injection of sanity and wholly reliable technical information to boost your digital immune system, this is the book to buy. Highly recommended.