Computer Viruses

Review by John Matlock:

The one thing about viruses that I’ve always wanted to know: why do people want to write and propagate virus programs. Surprisingly he does make some comments about virus writers, not to specifically identify them, but to give some history and general comments. I don’t know that this was a help, but it’s at least interesting.

Beyond viruses, this book also goes into other forms of nasty programs like Trojan Horses, HiJackers (that replace your home page with theirs), worms, Phishing Scams, and Spyware. I’d have liked to have seen just a little more about some of these, such as an evaluation of the anti- software that is available.

Like all the For Dummies books, this is a good introductory book, not the final word. But if you have a computer connected to the web, you’d best be paying at least some attention to Viruses, and this is a good start.

Review by Richard Bejtlich:

Peter Szor’s ‘The Art of Computer Virus Research and Defense’ (TAOCVRAD) is one of the best technical books I’ve ever read, and I’ve reviewed over 150 security and networking books during the past 5 years. This book so thoroughly owns the subject of computer viruses that I recommend any authors seeking to write their own virus book find a new topic. Every technical computing professional needs to read this book, fast.

I read this book from cover to cover. The author does not lie when he says acquiring the same amount of information requires digging in obscure virus journals and analyzing malicious code. TAOCVRAD’s single most powerful aspect is the author’s persistence in naming one or more sample viruses that exemplify whatever concept he is discussing. In other words, all of his theory is backed by, or builds on, real-life examples. Each chapter contains moderate end-notes that provide pointers for additional research.

A truly great book has the power to change deeply-entrenched opinions, or make readers look at old problems in a new light. In my case, I altered my perception of the virus problem and ways to fight it. First, I changed my concept of viruses and worms. Peter builds on Fred Cohen’s virus definition to say ‘a computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.’ He calls worms a ‘subclass of computer viruses.’ I used to disagree with Peter; I believed a virus infects files and requires user interaction, and a worm spreads by itself via the network. Now I agree with Peter’s viewpoint: ‘worms are network viruses, primarily replicating on networks… If the primary vector of the virus is the network, it should be classified as a worm.’ The distinction is subtle, but it makes sense to consider worms a subclass of viruses given Peter’s extensive analysis of both types of malware.

Second, I recognized I held an opinion Peter considers unfortunate: ‘some computer security people do not seem to consider computer viruses as a serious aspect of security, or they ignore the relationship between computer security and computer viruses.’ I was guilty as charged. I used to positively detest viruses because they seemed like mindless automated code that did little but replicate. After reading about scores of real viruses, I have a profound appreciation for virus technology. Viruses introduced techniques for obfuscation, stealth, and exploitation a decade earlier, in some cases, than the single-shot exploit code we see today.

Third, Peter put a human face on the problems associated with closed-source operating systems like Microsoft Windows. Many so-called Native API calls are undocumented, and as such make life difficult for anti-virus developers. (Virus writers tend to know them.) With Microsoft entering the anti-virus market, will it leverage these secrets to outperform competitors lacking this internal knowledge?

Readers of Ed Skoudis’ ‘Malware’ or Jose Nazario’s ‘Defense and Detection Strategies against Internet Worms’ will find this new book greatly complements those two works. Those wishing to get the most value from TAOCVRAD should have Intel assembly coding skills and several years of hands-on security experience.

I had almost no issues with this book, which is striking given it is nearly 700 pages long. In a few places I found the language a little rough, but not enough to bother me. I believe a code listing on p. 372 should show a ‘

Review by Dr Anton Chuvakin:

If the phase “a bible of malware” weren’t a cliché, I would have used it to describe this book without hesitation. I read a lot of security (and specifically, malware) titles, but I have never seen a book that comprehensive and detailed, period.

The author appears to know _everything_ that was going on in the malicious software space since the 80s (for example, who knew that there were viruses written in DEC’s DCL language)… A lot of effort is spent classifying various infection, in-memory, self-protection, payload and other virus strategies. I loved the section on malware self-protection, such as anti-debugging and anti-disassembly tactics and even self-brute-forcing virus code (I never knew there are sooo many of those tricks). Nowhere else I saw the detailed explanation of oligomorphic, polymorphic and metamorphic viruses… Note that while the book does cover the fun historical viruses, its coverage extends all the way to phishing attacks of the 2004-2005.

My other favorite part is the chapter on worms. “Vanilla” viruses often feel like the creatures of the past, and the worms steal all the glory. The other holds a view that worms are just a type of viruses that he justifies fairly well. Indeed, there is no accepted definition of a “worm”.

The book is obviously aimed towards virus defense, although both sides are covered in [at times] excruciating detail. The entire part is dedicated to history and technology of virus scanning. Personally, I never saw it covered with that level of detail. Finally, I had a chance to learn what `heuristic detection’ means. On the defense side, the book also covers behavior blocking and host intrusion prevention, which has a chance of emerging as the main approaches of virus fighting, supplanting pure signature-based scanning. Similarly fun was a section on network-level defense strategies (such as using ACLs, firewalls, etc).

A surprisingly small chapter covers malicious code analysis techniques. I would have appreciated a more detailed info on using VMware for malware analysis.

Overall, the book is very technical, but (if need be) can be read without diving too deeply into PDP11 assembly  , just to get familiar with all the malware classifications, infection methods and other tricks. Highly recommended for technical security professionals, might also benefit others in IT and beyond. I think it will also fit the textbook profile for an advanced computer security course.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book “Security Warrior” and a contributor to “Know Your Enemy II”. In his spare time, he maintains his security portal info-secure.org

Review by W Boudville:

Filiol takes an ab initio approach to computer viruses. He gives a description rooted in the use of a Turing machine. But also using ideas from cellular automata research. The idea is to give a rigorous understanding of viruses, that is independent of any given hardware or software. A key theme is that the code be somehow able to reproduce.

But the book is not just for a theorist. He also directs it towards the user who has to devise an antivirus detector. So source code for several different types of viruses are given (in C). This lets you get a hands-on approach to tackling the problem. Of course, not all possible viruses are covered. This may be a theoretical impossibility. But enough examples are given that you can confidently understanding much that is out there.

Review by R. Smith:

Fred Cohen did pioneering research work in viruses and this book is a survey of virus technology. The book covers the general topic of malicious software from a solid technical level. The book provides no magic bullets either for stopping viruses nor for writing them (there aren’t any), but he nails the technology right on. Sill a worthwhile book even though it predates the popularization of active content like Java and the outbreaks of macro viruses in Office applications.

Review by Kevin D. Peterson:

This book is not about how to write viruses or how to protect yourself from them. It’s about the theoretical aspects of viruses. It’s a good book. Not great writing, sometimes too difficult theory, leaves out some stuff that could be included now. It’s pretty much required reading if you want to really understand how viruses work, not just how to operate your anti virus software, or how to create a new variant of an Outlook virus. It can elevate your thinking about viruses above the specifics of what is going on with today’s viruses under today’s security models.

Review by Winnie:

“Sydney” is a great character, she has lots of “faults” but she is aware of them. She is spunky and impulsive, sort of like a “Lois Lane” character. Other characters are good and very believable (except for the characters in the —- well, I don’t want to give anything away, but there is a group of hilarious characters later in the story!) “Tommy” is a real surprise, and the book is fast-moving and hard to put down. I left it in the car and ran out in the rain to get it so I could keep reading it!

Review by Miguel Rodriguez:

I’ve been in the computer consulting field for over 10 years (DOS, Novell, and Microsoft), and during all that time I’ve been fighting viruses, and now emailing worms, for my clients. I’ve always installed the latest antivirus software and told my clients how to treat suspicious emails or files. And while this advice has always worked on my company’s network, it seems rarely to have worked at my customer’s locations. Mr. Grimes talks about the same experiences in the book. (I was passed an early copy of the book by one of my friends in the antivirus industry). To make a long story short, the book’s advice works. It’s all commonsense stuff after you read it, and it showed me some new prevention tactics that I will continue to use with existing and future clients.As for example, one of my clients, with about 100 workstations, seemed to get infected about every three days no matter what I would tell them (one person in particular). And although I love the consulting dollars, it really became a pain disinfecting their network again and again. I followed the steps in the book, and my clients haven’t been infected since. It’s only been a month, but they went from dozens of infections per week, to none.Every chapter in the book covers a particular topic, like Windows viruses, Instant Messaging attacks, Email attacks, etc. Mr. Grimes begins by describing the underlying technology, talks about specific attacks, and then tells how to detect and prevent them. Each chapter has dozens of recommendations and his last chapter (actually second to last) talks about what steps you should take on each PC you supervise. This was nice because trying to remember the dozens of steps to take all at once would have been tough. He even covers how to make an anti-virus plan, but that doesn’t really apply to my consulting work; however I’m sure it would help a company system admin type.I can easily say I learned more about Virus attacks on Windows, Java, VBA, and Internet apps than I knew before. I was really surprised by how many places bad programs can hide to automatically start on a computer. There are over a dozen. And for a technical book it was really easy reading. It was the best book I’ve ever read, and used, on computer viruses. The book included his email address and I sent a question to him and he answered it the same day. The book covers Windows, no Linux or Mac, but doesn’t cover Novell Groupwise in the email chapter but it is well worth the read. Although most of my clients are Microsoft shops, I’ve still have some Novell shops. It mentions, but doesn’t discuss automated distribution tools, like SMS or ZenWorks. If you’ve got a very large network, you’re going to need a good way to automate all the steps. There are few typos and grammar errors, but certainly not enough to take away from the message. Also, like most other antivirus books, it doesn’t say what antivirus product to get. Mr. Grimes mentions a few different products, but I was really looking for his recommendation (or anyone) to tell me the best antivirus product out there. It seems they all miss something. Other than these few issues, great book and I highly recommend it.

Review by J. J. Kwashnak:

Keeping up with computer security is a full time job. Grimes has given a clear, precise primer of one aspect of computer security – viruses, trojans, worms – collectively known as malicious mobile code. The book is DOS/Windows centric, but this focus helps you see a) where the threats for the most part, and b) allows you to extend the types of threats into other operating systems. You are taken step by step through the development of malicious code and how and why they can work on some systems, but less effectively on others. The constant refrain of the book shows the author’s philosophy: Use an up to date anti-virus product. But if somethign slips by, Grimes shows you ways to react, and lessen the impact if not to this once computer, but to the rest on the network. It is easily one of the most readable books I have encountered on the subject.This book is an essential reference for any computer manager’s toolkit. We can’t stop the code writers from producing thier output, but we can work to lessen the impact they can have on us.