Spotlight customer reviews:
|
Customer Rating:  
Summary: Disappointing
Comment: The book is very disappointing in that the author does not show explicitly how to create and code viruses. The author explains in the preface that he does not include such code because of its obvious dangers. This reviewer believes however that the more understanding we have of viruses the better we can deal with their threats. We need to understand just what is possible, and this can only be done by creating viruses that may or may not be hazardous to computer systems. The more viruses that we create and then study the more we can guard against their infection. This goes for computer viruses as well as biological ones. Yes, there are dangers involved in doing this, but these dangers are nullified by the tools and artificial immune systems that we create in the process of studying viruses.
The book of course is not without its merits, one of these being the discussion of the history of computer viruses, which the author includes in the first chapter of the book. The designation "computer virus" was done in 1984, at which time a formal mathematical model was created for computer viruses. The author defines a computer virus as being a program that can recursively and explicitly copy a possibly evolved version of itself. This definition he says covers the notion of a `companion virus', which does not necessarily modify the code of other programs.
The author is also very thorough in his treatment of the different viruses and their association with specific computer platforms. In addition, he gives a detailed treatment of how to analyze a computer virus using disassemblers, debuggers, emulators, virtual machines, virus test networks, and unpackers, along with various other tools. Readers will definitely benefit from knowledge of assembly code.
For non-experts in virus research (such as this reviewer) but who have a strong mathematical background, a natural question to ask is whether one could develop a highly sophisticated computer immune system that would be able to detect any kind of computer virus within a reasonable time scale. The author believes that this cannot be accomplished, quoting a result by the mathematician Frederick Cohen (the inventor of the term "computer virus") indicating that such an immune system is not possible. The Cohen proof is not included in the book unfortunately, but a perusal of the literature will reveal that the proof is based, as expected, on the theory of computability and Turing machines. What Cohen showed was that the detection of generic computer viruses is undecidable by showing that if such a procedure existed, it would solve the halting problem for Turing machines.
Given the Cohen result, it is appropriate to ask whether viruses can come in such a wide variety as to make their detection and annihilation unique to the actual virus. In addition, it would appear that after a reasonable amount of time, it would become more difficult for virus writers to come up with `exotic' viruses that elude detection. Have most of the effective or interesting viruses already been invented, and therefore countered, by anti-virus programs? When reading this book one gets the impression that this is the case. However, the author shows that such a judgment would be premature, and he spends a fair amount of time in the book discussing possible future developments in computer viruses, particularly in distributed environments.
Even if virus writers are exhausting the possibilities for effective viruses, they can still find ways of evading the detection programs, using encryption for example. The author discusses several different approaches to the encryption of viruses, all of these having varying degrees of success, depending of course on the resources and knowledge base of the virus analyst. An interesting topic discussed in this connection is the origin of `oligomorphic' viruses, which change their decryptors in new generations. The `polymorphic' viruses, which are the next stage in complexity, are also discussed in this context, these allowing the mutation of their decryptors in possibly millions of different forms. When a virus is able to create new generations of itself that look different, it is called a 'metamorphic' virus. The author gives examples of these, how thay are detected, and the possibility of using them to construct a virus generator able to create new virus mutations on the fly without any human intervention. One of the metamorphic viruses, named W95/Zmist, is described by the author as being one the most complex binary viruses ever created. For that reason it is discussed in detail in the book. This discussion is fascinating reading, and one would have hoped that the source code was supplied in the book in order to allow responsible and curious individuals to create the W95/Zmist virus and study its behavior in real systems under controlled laboratory conditions.
The author does not distinguish between computer worms and viruses, except to say that the former are sometimes distinguished from the latter in the way they infect networks. A worm does not usually need to infect files but can propagate as a standalone program. However, the author gives examples of worms that do propagate by the infection of files. Illicit information gathering is the purpose of most worms, and the author discusses several different techniques that worms use to obtain this information. Particularly interesting to read about are the different techniques that computer worms are used to propagate themselves. One of these involves instant messaging, which because of its popularity will certainly be one that is given more attention by future attackers.
Virus writers will become more creative in the future, and their efforts will no doubt be discussed in future editions of this book. But it is the more subtle approaches that remain undiscovered that are the most devastating to both individuals and businesses. One gets the impression when reading this book that most of the viruses are created by pranksters who gain emotional reinforcement by the success of the exploits. The antivirus defense techniques work in the latter but not the former.
Customer Rating:
Summary: definitive text on antivirus methods
Comment: Szor's book appears to be the current definitive text on antivirus methods. The breadth of coverage of methods is good. So too is the level of detail.
The book makes you appreciate how hard the task is of finding these darned viruses. In general, you are trying to discern malware intent in an arbitrary file. Where this file is often binary. But, as Szor is careful to explain, there can certainly be source code viruses as well. These could be in Postscript, PDF or scripting files. He also points out that the Microsoft Office data files are really binary programs, that run under the Microsoft Office applications.
The book shows the considerable level of ingenuity on both sides of this struggle. As in how antivirus companies like Symantec often run a suspected virus in an emulator, stepping through the code. But in response, some viruses try to detect if they are being run inside an emulator. How they do this is very crafty and simple. (Shades of the "Matrix"!) It is examples of tactics like this that give the book its worth.
Customer Rating:
Summary: The Art of Computer Virus Research and Defense
Comment: Peter Szor has been involved with Computer viruses for a long time. If fact, I believe I saw him at a Virus Bulliten conference back in the 90's. This book is an excellant source in understanding the tactics used by Virus creators.
Although this book has knowledge easily grasped, some of it requires some coding knowledge (Assembly Language, TASM, MASM, etc.)to get the full benifit. This book is probably not for a novice.
This book makes a good reference book on understanding virus technques of creating viruses and also techniques for hunting them down.
Customer Rating:
Summary: Learn the basics of malware analysis
Comment: I think by now we're all familiar with viruses and worms. It may have been a term paper diskette chewed up by a virus back in college, a family member's computer infected with the latest worm, or your email inbox clogged with a mass mailer of the week. But how do AV researchers dissect such malware, especially when virus writers have devoted so much time to avoiding detection and perfecting their craft with self-decrypting viruses, polymorphic shellcode, and obfuscated loops. Haven't you wanted a peek into how that's done, and how you would analyze such a monster that landed in your computer? Well, Peter Szor's book The Art of Computer Virus Research and Defense (TAOCVRD) has been gaining lots of critical acclaim lately for filling that gap, and rightfully so. (Before we begin, however, I should make one thing perfectly clear: I was a technical reviewer of this book. I enjoyed it when I read it originally, and I'm even more pleased with the final result. And now on to your regularly scheduled review.)
TAOCVRD opens with Part 1: Strategies of the attacker. Here we get to start to think about malicious code from the original ideas and viewpoints of its makers. Chapter 1 opens up with various games of the classic computer science world, including Conway's Game of Life and Core Wars, which is still fun after all of these years. From this we can start to think about computer viruses as a natural extension of other self-replicating computer structures. What's great about this chapter is that you can actually understand, and share in, the fascination of replicating code. It's as if you can understand the pure world that some virus writers live in.
Chapter 2 starts off the virus-analysis section, including some of the basics (like the types of malicious programs and their key features), as well as the naming scheme. Chapter 3, "Malicious Code Environments," serves as a lengthy and complete description of how various viruses work. The dependencies that you would expect to see, including OS, CPU, file formats, and filesystems, are all described. Then Szor goes on to describe how viruses work with various languages, from REXX and DCL to Python and even Office macros. Not all of the descriptions are lengthy, but you get to see how flexible the world of writing a virus can be. What I most enjoyed about the book overall is represented in this chapter, namely Szor's command of the history of the virus as well as his technical prowess, which he drops in as appropriate.
Chapter 4 gets a bit more technical and now focuses on infection strategies. Again, Szor isn't afraid to delve into history or technical meat, including a lengthy and valuable section "An In-Depth Look at Win32 Viruses." If you don't feel armed to start dissecting viruses by this point, you're in luck: there's so much more to read. Chapter 5 covers in-memory strategies used by viruses to locate files, processes, and sometimes evade detection. Szor has a list of interrupts and their utility to the virus writer, providing a comprehensive resource to the virus analyst.
Chapters 6 and 7 cover basic and advanced self protection schemes, respectively, used by viruses. TAOCVRD's completeness of information in a usable space, together with very functional examples and descriptions, is again evident. Szor walks you through a basic decryptor routine, for example, showing you how a self-contained virus can be both evasive and functional at the same time. Sadly little attention is given to various virus construction kits at the end of chapter 7, though.
Chapters 8 and 9 get a little less technical and somewhat more historical. These chapters cover virus payloads and their classification (ie benevolent viruses, destructive viruses, etc) and computer worms, respectively. The overview of payloads is almost entirely historical, giving a great overview of how virus writers have used their techniques to cause havoc or just have "fun" from time to time. Chapter 9 gives a concise and valuable overview of computer worms, almost boiling about half of my worms book down into just one chapter in a clear and easy to use fashion.
Part 1 concludes with chapter 10, which covers exploits and attack techniques used by worms and viruses. Again, Szor's clarity of explanation shines as he artfully gives a concise overview of how a buffer overflow attack works (including stack layout and address manipulation), heap-based attacks, format string attacks, and related methods. He then discusses these techniques in light of various historical examples, clearly explaining how they operated and were successful. If you've been yearning for a short overview of attack techniques and how malware has used them, this chapter is for you.
Part 2 covers the defender's strategies. Chapter 11 serves as a nice introduction to this section by describing many of the current and advanced defense techniques such as some of the first and second generation scanners, code and system emulation, and metamorphic virus detection. This is all covered in nice technical detail, always at a reasonable level to not leave everyone in the dust. Through it all small examples are constantly given, which reinforce the text nicely. Chapter 12 is very similar, this time focusing on in-memory scanning and analysis techniques.
Chapter 13 covers worm blocking techniques, focusing on host-based methods which can prevent the buffer overflow from being successful or the code from arbitrarily gaining network access again. Chapter 14 complements this with network specific defenses, including ACLs and firewalls, IDS systems, honeypots, and even counterattacks. These two chapters are a lot less technical than the previous two, but still quite valuable.
By this point I'm sure you're ready to try your hand at virus analysis, and Szor is eager to help you out. In chapter 15 he gives you a great setup for virus analysis, including various tools and examples of how they work and what kind of information they give you. Finally, in chapter 16 you have the obligatory (and valuable) resource roundup which complements the references given in every chapter, as well.
Overall I find Szor's book to be amazing, both in terms of its technical prowess over so many specifics in the field but also for its presentation. Without dumbing it down, Szor's able to communicate to most readers with clarity in a manner they'll understand, learn from, and be able to use. I think that many of us, especially those of us who get plundered in our email inboxes with malware, are curious to spend some time dissecting these beasts using techniques AV professionals use, and Szor's book does an exemplary job of introducing that world to us all. I consider this to be one of the most important computer security books I own due to it's clarity and completeness of coverage.
Customer Rating:
Summary: Over my head
Comment: This book has many typograhical errors. Many of the author's descriptions are incomprehensible to me, leaving me more puzzled after reading than before. I am a beginner in this field, perhaps beginners should avoid this title until they are familiar with the jargon of the field.
|
|
|
