Peter Szor

#Virus
#Defense
Peter Szor takes you behind the scenes of anti-virus research, showing how viruses are analyzed, how they spread, and--most importantly--how to effectively defend against them.
This book offers an encyclopedic treatment of the computer virus, including: a history of computer viruses, virus behavior, classification, protection strategies, anti-virus and worm-blocking techniques, and how to conduct an accurate threat analysis.
The Art of Computer Virus Research and Defense entertains readers with its look at anti-virus research, but more importantly it truly arms them in the fight against computer viruses. As one of the lead researchers behind Norton AntiVirus, the most popular antivirus program in the industry, Peter Szor studies viruses every day. By showing how viruses really work, this book will help security professionals and students protect against them, recognize them, and analyze and limit the damage they can do.
"Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book."
―Halvar Flake, Reverse Engineer, SABRE Security GmbH
Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.
Szor presents the state of the art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.
Szor also offers the most thorough and practical primer on virus analysis ever published―addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes
Table of Contents
PART I: Strategies of the Attacker
1 INTRODUCTION TO THE GAMES OF NATURE
2 THE FASCINATION OF MALICIOUS CODE ANALYSIS
3 MALICIOUS CODE ENVIRONMENTS
4 CLASSIFICATION OF INFECTION STRATEGIES
5 CLASSIFICATION OF IN-MEMORY STRATEGIES
6 BASIC SELF-PROTECTION STRATEGIES
7 ADVANCED CODE EVOLUTION TECHNIQUES AND COMPUTER VIRUS GENERATOR KITS
8 CLASSIFICATION ACCORDING TO PAYLOAD
9 STRATEGIES OF COMPUTER WORMS
10 EXPLOITS, VULNERABILITIES, AND BUFFER OVERFLOW ATTACKS
Part II: STRATEGIES OF THE DEFENDER
11 ANTIVIRUS DEFENSE TECHNIQUES
12 MEMORY SCANNING AND DISINFECTION
13 WORM-BLOCKING TECHNIQUES AND HOST-BASED INTRUSION PREVENTION
14 NETWORK-LEVEL DEFENSE STRATEGIES
15 MALICIOUS CODE ANALYSIS TECHNIQUES
16 CONCLUSION
Peter Szor is security architect for Symantec Security Response, where he has been designing and building antivirus technologies for the Norton AntiVirus product line since 1999. From 1990 to 1995, Szor wrote and maintained his own antivirus program, Pasteur. A renowned computer virus and security researcher, Szor speaks frequently at the Virus Bulletin, EICAR, ICSA, and RSA conferences, as well as the USENIX Security Symposium. He currently serves on the advisory board of Virus Bulletin magazine, and is a founding member of the AVED (AntiVirus Emergency Discussion) network.









