Book Review: The Art of Computer Virus Research and Defense
The basic concept of a computer virus is a simple thing - a bit of code which can replicate itself. Of course, the mechanisms through which a virus replicates (does it infect files? the boot sector of a disk?) and the ways in which a virus protects itself from antivirus tools (activate only on certain dates? stay resident in memory and become a stealth virus?) have been evolving for several decades, and make for a fascinating read for anyone interested in security who has a (fairly strong) technical background. And not to worry about the author's credentials: Peter Szor has worked in the antivirus industry for years, starting with the creation of Pasteur (a DOS antivirus); he later moved on to Symantec (creators of Norton AntiVirus).
The book opens by introducing the theory behind computer viruses, comparing them to the self-replicating structures of the natural world, describing the history of this analogy (starting with von Neumann), and even explaining where the term “computer virus” came from.
From there, it is deep into the techniques used by virus writers, where you’ll learn about the evolution of the DOS virus and how the advent of Windows 9x and Windows NT led to a redevelopment of viruses, eventually reaching the same level of sophistication that DOS viruses had before them.
There is a substantial amount of time spent on how virus authors protect their code from reverse engineering (thus making it harder for antivirus vendors to deploy new definitions). Techniques discussed include obvious things like stealth viruses, which stay resident in memory and return falsified results for file size and contents, but also viruses which change how they are encrypted at every infection (polymorphic viruses) and even viruses that rewrite the main body of their code (metamorphic viruses). A chapter is also devoted to worms (a type of virus capable of spreading to other computers without human intervention) and the exploits used by worms and hackers. It is worth noting here that very little virus code is in this book, and what does appear is only short code snippets. The author decided not to include any full virus code for ethical and legal reasons.
Having finished with the section about viruses, Szor discusses some of the defense techniques that have been deployed. This section includes the obvious approaches of scanning for byte strings and comparing checksums, but also more advanced techniques such as heuristics and behavior blocking (where actions commonly used by viruses are blocked). Even more ambitious approaches are discussed (some of which we are told Symantec is already using), such as a system to identify new viruses and then create definitions to detect and repair them without human intervention.
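To make the cat-and-mouse between the polymorphic viruses of the previous section and the string/checksum scanners of this one concrete, here is an added example of my own. It is not code from the book or from Szor, and it contains no real virus code: the "body" is a constructed ASCII placeholder. It models a sample that is re-keyed with a single-byte XOR at every generation behind a fixed decryptor stub, then runs three detectors against it: a fixed byte-string signature, a SHA-256 checksum match, and a heuristic that "emulates" the stub (reads the key it carries, undoes the encoding) before scanning. The stub layout, the `DEC:` marker and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a virus body: plain ASCII text, not executable code.
PLAIN_BODY = b"[sample body] copy self into host files; hook INT 21h; hide size"

# A fixed string signature an analyst might extract from the plain body.
SIGNATURE = b"copy self into host"

# Hypothetical decryptor stub layout: marker bytes followed by one key byte.
STUB_MARKER = b"DEC:"


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def polymorphic_variant(body: bytes, key: int) -> bytes:
    """Model one infection generation: a constant decryptor stub carrying the
    per-generation key, followed by the body encoded under that key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return STUB_MARKER + bytes([key]) + xor_encode(body, key)


def string_scan(sample: bytes) -> bool:
    """First-generation scanner: look for a fixed byte string in the sample."""
    return SIGNATURE in sample


def checksum_scan(sample: bytes, known_hashes: set) -> bool:
    """Exact-match scanner: compare the sample's SHA-256 against known-bad hashes."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def generic_decrypt_scan(sample: bytes) -> bool:
    """Heuristic scanner: locate the stub, take the key it carries, undo the
    encoding of everything after it, and string-scan the recovered body.
    Samples without a stub fall back to the plain string scan."""
    idx = sample.find(STUB_MARKER)
    if idx < 0 or idx + len(STUB_MARKER) >= len(sample):
        return string_scan(sample)
    key_pos = idx + len(STUB_MARKER)
    key = sample[key_pos]
    decoded = xor_encode(sample[key_pos + 1:], key)
    return string_scan(decoded)


def demo() -> dict:
    """Two generations of the same body under different keys; the hash database
    only knows the first one."""
    gen1 = polymorphic_variant(PLAIN_BODY, 0x5A)
    gen2 = polymorphic_variant(PLAIN_BODY, 0x3C)
    known_hashes = {hashlib.sha256(gen1).hexdigest()}
    return {
        "string_plain": string_scan(PLAIN_BODY),          # True: signature visible
        "string_gen2": string_scan(gen2),                 # False: body is encoded
        "hash_gen1": checksum_scan(gen1, known_hashes),   # True: exact match
        "hash_gen2": checksum_scan(gen2, known_hashes),   # False: re-keyed bytes
        "emulated_gen2": generic_decrypt_scan(gen2),      # True: body recovered
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:14s} {'DETECTED' if hit else 'missed'}")
```

The caveat a practitioner should keep in mind: a real polymorphic engine also mutates the decryptor itself, so there is no fixed marker to search for, and production scanners instead emulate the sample's code in a sandbox until the body decrypts itself. The fixed-marker shortcut above is only there to keep the example small.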
For all the good information in the defense section, however, it is substantially less in-depth than the virus section - I suspect due to copyright and patent claims from various vendors.
All in all, if you have a decent technical background (I highly recommend at least a basic understanding of assembly), this is a great read. You can find it on Amazon.