The Art of Computer Virus Research and Defense

nazarijo writes "I think by now we're all familiar with viruses and worms. It may have been a term paper diskette chewed up by a virus back in college, a family member's computer infected with the latest worm, or your email inbox clogged with a mass mailer of the week. But how do AV researchers dissect such malware, especially when virus writers have devoted so much time to avoiding detection and perfecting their craft with self-decrypting viruses, polymorphic shellcode, and obfuscated loops? Haven't you wanted a peek into how that's done, and how you would analyze such a monster that landed in your computer? Well, Peter Szor's book The Art of Computer Virus Research and Defense (TAOCVRD) has been gaining lots of critical acclaim lately for filling that gap, and rightfully so. (Before we begin, however, I should make one thing perfectly clear: I was a technical reviewer of this book. I enjoyed it when I read it originally, and I'm even more pleased with the final result. And now on to your regularly scheduled review.)" Read on for the rest.
The Art of Computer Virus Research and Defense
author: Peter Szor
pages: 713
publisher: Addison Wesley Longman and Symantec Press
rating: 9
reviewer: Jose Nazario
ISBN: 0321304543
summary: Clear, sweeping coverage of virus history and technical details

TAOCVRD opens with Part 1: Strategies of the attacker. Here we get to start to think about malicious code from the original ideas and viewpoints of its makers. Chapter 1 opens up with various games of the classic computer science world, including Conway's Game of Life and Core Wars, which is still fun after all of these years. From this we can start to think about computer viruses as a natural extension of other self-replicating computer structures. What's great about this chapter is that you can actually understand, and share in, the fascination of replicating code. It's as if you can understand the pure world that some virus writers live in.

Chapter 2 starts off the virus-analysis section, including some of the basics (like the types of malicious programs and their key features), as well as the naming scheme. Chapter 3, "Malicious Code Environments," serves as a lengthy and complete description of how various viruses work. The dependencies that you would expect to see, including OS, CPU, file formats, and filesystems, are all described. Then Szor goes on to describe how viruses work with various languages, from REXX and DCL to Python and even Office macros. Not all of the descriptions are lengthy, but you get to see how flexible the world of writing a virus can be. What I most enjoyed about the book overall is represented in this chapter, namely Szor's command of the history of the virus as well as his technical prowess, which he drops in as appropriate.

Chapter 4 gets a bit more technical and now focuses on infection strategies. Again, Szor isn't afraid to delve into history or technical meat, including a lengthy and valuable section "An In-Depth Look at Win32 Viruses." If you don't feel armed to start dissecting viruses by this point, you're in luck: there's so much more to read. Chapter 5 covers in-memory strategies used by viruses to locate files, processes, and sometimes evade detection. Szor has a list of interrupts and their utility to the virus writer, providing a comprehensive resource to the virus analyst.

Chapters 6 and 7 cover basic and advanced self-protection schemes, respectively, used by viruses. TAOCVRD's completeness of information in a usable space, together with very functional examples and descriptions, is again evident. Szor walks you through a basic decryptor routine, for example, showing you how a self-contained virus can be both evasive and functional at the same time. Sadly, little attention is given to various virus construction kits at the end of chapter 7, though.

Chapters 8 and 9 get a little less technical and somewhat more historical. These chapters cover virus payloads and their classification (i.e., benevolent viruses, destructive viruses, etc.) and computer worms, respectively. The overview of payloads is almost entirely historical, giving a great overview of how virus writers have used their techniques to cause havoc or just have "fun" from time to time. Chapter 9 gives a concise and valuable overview of computer worms, almost boiling about half of my worms book down into just one chapter in a clear and easy to use fashion.

Part 1 concludes with chapter 10, which covers exploits and attack techniques used by worms and viruses. Again, Szor's clarity of explanation shines as he artfully gives a concise overview of how a buffer overflow attack works (including stack layout and address manipulation), heap-based attacks, format string attacks, and related methods. He then discusses these techniques in light of various historical examples, clearly explaining how they operated and were successful. If you've been yearning for a short overview of attack techniques and how malware has used them, this chapter is for you.

Part 2 covers the defender's strategies. Chapter 11 serves as a nice introduction to this section by describing many of the current and advanced defense techniques such as some of the first and second generation scanners, code and system emulation, and metamorphic virus detection. This is all covered in nice technical detail, always at a reasonable level to not leave everyone in the dust. Through it all small examples are constantly given, which reinforce the text nicely. Chapter 12 is very similar, this time focusing on in-memory scanning and analysis techniques.
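As an added illustration of the scanner generations that chapter 11 covers (this is example code written for this review page, not code from the book or from Szor), the toy scanner below contrasts a first-generation exact-byte signature with a second-generation signature that uses wildcards and a mismatch allowance to survive the per-copy key byte of a polymorphic decryptor. All byte values, sample buffers and the signature syntax are constructed stand-ins, not real machine code or any vendor's format.

```python
"""Toy scanner contrasting first- and second-generation signature
scanning: an exact byte string vs. a signature with wildcards and a
mismatch allowance. All bytes below are constructed stand-ins for a
decryptor loop, not real machine code (assumption for this example)."""
from typing import List, Optional

Signature = List[Optional[int]]  # None = wildcard, matches any byte


def parse_signature(text: str) -> Signature:
    """Parse 'B9 10 ?? B0' notation; '??' marks a wildcard position."""
    return [None if t == "??" else int(t, 16) for t in text.split()]


def scan_exact(data: bytes, sig: bytes) -> Optional[int]:
    """First generation: plain substring search. Returns offset or None."""
    off = data.find(sig)
    return off if off >= 0 else None


def scan_wildcard(data: bytes, sig: Signature, max_mismatch: int = 0) -> Optional[int]:
    """Second generation: wildcards skip the bytes a polymorphic engine
    varies per copy, and up to max_mismatch fixed bytes may still differ."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        misses = sum(1 for i, s in enumerate(sig)
                     if s is not None and data[off + i] != s)
        if misses <= max_mismatch:
            return off
    return None


# Constructed samples: index 4 of the loop is the per-copy "key" byte.
LOOP_A = bytes([0xB9, 0x10, 0x00, 0xB0, 0x5A, 0x30, 0x07, 0x47, 0xE2, 0xFB])
LOOP_B = LOOP_A[:4] + b"\x3C" + LOOP_A[5:]   # key byte changed
LOOP_C = LOOP_B[:7] + b"\x46" + LOOP_B[8:]   # key byte and one fixed byte changed
SAMPLE_A = b"\x90" * 4 + LOOP_A + b"\x00" * 16
SAMPLE_B = b"\x90" * 6 + LOOP_B + b"\x00" * 16
SAMPLE_C = b"\x90" * 2 + LOOP_C + b"\x00" * 16
CLEAN = bytes(range(256))                     # benign buffer, must not match
WILD_SIG = parse_signature("B9 10 00 B0 ?? 30 07 47 E2 FB")


def demo() -> dict:
    """Run both scanners over the constructed samples."""
    return {
        "exact_a": scan_exact(SAMPLE_A, LOOP_A),                        # 4
        "exact_b": scan_exact(SAMPLE_B, LOOP_A),                        # None
        "wild_a": scan_wildcard(SAMPLE_A, WILD_SIG),                    # 4
        "wild_b": scan_wildcard(SAMPLE_B, WILD_SIG),                    # 6
        "wild_c": scan_wildcard(SAMPLE_C, WILD_SIG),                    # None
        "wild_c_tol": scan_wildcard(SAMPLE_C, WILD_SIG, max_mismatch=1),  # 2
        "clean": scan_wildcard(CLEAN, WILD_SIG, max_mismatch=1),        # None
    }


if __name__ == "__main__":
    print(demo())
```

The exact signature loses variant B as soon as the key byte changes, while the wildcard signature catches both and, with one mismatch allowed, variant C as well, without firing on the benign buffer.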

Chapter 13 covers worm blocking techniques, focusing on host-based methods which can prevent the buffer overflow from being successful or the code from arbitrarily gaining network access again. Chapter 14 complements this with network specific defenses, including ACLs and firewalls, IDS systems, honeypots, and even counterattacks. These two chapters are a lot less technical than the previous two, but still quite valuable.

By this point I'm sure you're ready to try your hand at virus analysis, and Szor is eager to help you out. In chapter 15 he gives you a great setup for virus analysis, including various tools and examples of how they work and what kind of information they give you. Finally, in chapter 16 you have the obligatory (and valuable) resource roundup which complements the references given in every chapter, as well.

Overall I find Szor's book to be amazing, both in terms of its technical prowess over so many specifics in the field but also for its presentation. Without dumbing it down, Szor's able to communicate to most readers with clarity in a manner they'll understand, learn from, and be able to use. I think that many of us, especially those of us who get plundered in our email inboxes with malware, are curious to spend some time dissecting these beasts using techniques AV professionals use, and Szor's book does an exemplary job of introducing that world to us all. I consider this to be one of the most important computer security books I own due to its clarity and completeness of coverage.

You can purchase The Art of Computer Virus Research and Defense from bn.com.

Comments:
  • by Tipa ( 881911 ) on Tuesday June 21, 2005 @05:49PM (#12876306) Homepage
    Considering Symantec would instantly cease to exist as a company if it were ever found doing something like this, you can bet they aren't. There are top secret mailing lists used by AV companies and researchers where they pass around stuff as soon as they find it. Honeynet computers can catch viruses pretty quickly as well, and you can bet that all those AV companies have honeynets of their own just waiting to be infected.
  • Conspiracies? (Score:4, Informative)

    by Spy der Mann ( 805235 ) on Tuesday June 21, 2005 @06:10PM (#12876467) Homepage Journal
    I'm an old-schooler; I've read Norton's books like "Inside the IBM PC", when he spoke about bits, bytes, sectors, clusters, etc.

    I remember using the famous Norton Utilities for, say, defragging my HD or repairing the DOS FAT table.

    Norton didn't enter the antivirus business until much later. The de-facto standard for cleaning up viruses was McAfee VirusScan for DOS.

    And I was shocked at the massive amount of viruses being written... or actually, the amount of viruses that the McAfee antivirus SAID had been written (this was BEFORE the internet as we know it; we used to get the antivirus from BBSs or in issues of computer magazines). I'm talking about 300 or more viruses being written PER MONTH.

    The rumour of McAfee hiring virus writers was pretty widespread.

    Today it's very different. Antivirus companies DON'T NEED to hire virus writers (they don't need to create their own market, Microsoft has done them the favor :). With websites dedicated to virii and similar stuff, irc channels, mailing lists, and especially the number of Windows vulnerabilities, it's almost as if virii wrote themselves.

    Also, the jerks in the world seem to be multiplying. And virus-writing tools are relatively easy to find. All it takes is a script kiddie and a virus writing toolkit. The real geniuses writing virii are rare. However, all it takes is one original virus for several variants to appear in the next months.

    So, conspiracy theories? I don't think so.
    A bunch of self-organizing lamers? Very possible. Just look at the wikitorial invasion.
  • by Anonymous Coward on Tuesday June 21, 2005 @06:10PM (#12876468)
    viola [reference.com] n.
    1. A stringed instrument of the violin family, slightly larger than a violin, tuned a fifth lower, and having a deeper, more sonorous tone.
    2. An organ stop usually of eight-foot or four-foot pitch yielding stringlike tones.
    voilà [reference.com] interj.
    1. Used to call attention to or express satisfaction with a thing shown or accomplished.
  • by pestilence669 ( 823950 ) on Tuesday June 21, 2005 @07:16PM (#12876965)
    On a Windows machine, you don't need to download anything. Just plug it into the Internet with a publicly accessible IP address sometime. I'm not even being paranoid right now.

    There are BOOTP attacks, buffer overflows for every type of service, even exploits against the network stack.

    On my old company honeynet, we couldn't keep our machines up for more than a week. All recent "SP2 blah blah" patches. Both Windows XP and 2000. We even turned on the Windows "Firewall."

    It's not a totally hopeless situation. You definitely need a *HARDWARE* firewall with Windows. Relying on your ISP to block ports is unwise. Using Outlook is unwise. Opening Word documents from email is unwise.

    I've even gone as far as to remove the VBScript & JScript engines from my machine. Less components = less to break. Who really even scripts MS Office documents anyway? When you connect your machine to every other person in the world, take some precautions for heaven's sake.
  • Re:bookreview (Score:3, Informative)

    by GT_Alias ( 551463 ) on Tuesday June 21, 2005 @08:33PM (#12877467)
    I'm only 1/3rd of the way through it, but up to this point the book has been about execution environments and infection strategies of both existing and theoretical viruses. I bought the book mostly to look at his analysis techniques; it looks like that part comes later. But if you care about a 1/3rd opinion, I've enjoyed everything I've read so far. It's been fascinating to see the different techniques applied to past viruses; you can appreciate the creativity virus writers put into their creations.
  • by bluGill ( 862 ) on Tuesday June 21, 2005 @10:44PM (#12878159)

    Script kiddies generally get bored before they get a working virus, if indeed they can follow the instructions to begin with.

    Most viruses these days are written by organized crime. (Actually, worm or trojan might be better terms.) They create networks of infected computers, and then sell the network. Spam is often sent from infected machines. There are a few other ways to earn money from an infected machine, but spam is the money maker.

  • by pyrrhonist ( 701154 ) on Wednesday June 22, 2005 @02:18AM (#12878929)
    Please show me how an application run from a user account can modify an executable owned by bin or root, for example.

    You can use a local root exploit, such as the mremap(2) exploit [isec.pl]. This exploit will allow any unprivileged account to gain root privileges and can be used to execute arbitrary code with kernel level access.

    This is just an example. There are much better unpatched exploits if you look hard enough. A far simpler method is to just scan for improper file permissions.

    Some applications or libraries (zlib) have overflow and stack exploits that can be triggered by improperly formatted user data. If you provide a user with a data file to exploit this (i.e. a zip archive), you can then have the application run code to take advantage of the local root exploit.

    Then show me how that process would continue to other executables.

    Once you gain root access, you can easily replace executables, shut down services, install kernel modules, etc. The way many distros are set up, you don't even need root access to do some rather malicious things.

    Then show me how that would spread from machine to machine, over the Internet.

    There's a lot more remote exploits out there than you think. One of my favorites involves the Buffalo LinkStation. The Buffalo LinkStation is a network appliance that runs Linux and uses Samba to serve files. There's a really fun exploit on it that will allow you to run any command as root simply by sending it a properly formatted UDP packet. At this point, you can drop an auto-run installer into the SMB shares and infect every Windows machine that connects to the LinkStation, but I digress...

    Then please show me a case where that's actually happened.

    Well, it basically all started with the Morris Worm [wikipedia.org].

    Here are some Linux specific cases:

    Viruses: Staog, Bliss, Osf, RST, Binom, Alfa, Lindose, Adrastea, Amalthea, Btrq, Brunfly, BTM, Califax, Cassini, Debilove, Etap.d, Gildo, Glaurung, Guile, Gzid, Mcmd, Metis, Millen, Nel, Neox, Ovets, Satyr, Sickabs, Snoopy, Thebe, Winter, Xone

    Worms: Adm, Cheese, Mighty, Ramen, Slapper, Lion, Scalper, Adore, Kork, Mighty
