The Art of Computer Virus Research and Defense

About the Book

Peter Szor takes you behind the scenes of anti-virus research, showing how viruses are analyzed, how they spread, and, most importantly, how to defend against them effectively. This book offers an encyclopedic treatment of the computer virus, including a history of computer viruses, virus behavior, classification, protection strategies, anti-virus and worm-blocking techniques, and how to conduct an accurate threat analysis. The Art of Computer Virus Research and Defense entertains readers with its look at anti-virus research, but more importantly it arms them in the fight against computer viruses. As one of the lead researchers behind Norton AntiVirus, the most popular antivirus program in the industry, Peter Szor studies viruses every day. By showing how viruses really work, this book will help security professionals and students protect against them, recognize them, and analyze and limit the damage they can do.

Table of Contents:
About the Author
Preface
Acknowledgments

Part I. Strategies of the Attacker

1. Introduction to the Games of Nature
  Early Models of Self-Replicating Structures
    John von Neumann: Theory of Self-Reproducing Automata
    Fredkin: Reproducing Structures
    Conway: Game of Life
    Core War: The Fighting Programs
  Genesis of Computer Viruses
  Automated Replicating Code: The Theory and Definition of Computer Viruses
  References

2. The Fascination of Malicious Code Analysis
  Common Patterns of Virus Research
  Antivirus Defense Development
  Terminology of Malicious Programs
    Viruses
    Worms
    Logic Bombs
    Trojan Horses
    Germs
    Exploits
    Downloaders
    Dialers
    Droppers
    Injectors
    Auto-Rooters
    Kits (Virus Generators)
    Spammer Programs
    Flooders
    Keyloggers
    Rootkits
  Other Categories
    Joke Programs
    Hoaxes: Chain Letters
    Other Pests: Adware and Spyware
  Computer Malware Naming Scheme
    ://
    /
    .
    []
    :
    #
    @m or @mm
    !
  Annotated List of Officially Recognized Platform Names
  References

3. Malicious Code Environments
  Computer Architecture Dependency
  CPU Dependency
  Operating System Dependency
  Operating System Version Dependency
  File System Dependency
    Cluster Viruses
    NTFS Stream Viruses
    NTFS Compression Viruses
    ISO Image Infection
  File Format Dependency
    COM Viruses on DOS
    EXE Viruses on DOS
    NE (New Executable) Viruses on 16-bit Windows and OS/2
    LX Viruses on OS/2
    PE (Portable Executable) Viruses on 32-bit Windows
    ELF (Executable and Linking Format) Viruses on UNIX
    Device Driver Viruses
    Object Code and LIB Viruses
  Interpreted Environment Dependency
    Macro Viruses in Microsoft Products
    REXX Viruses on IBM Systems
    DCL (DEC Command Language) Viruses on DEC/VMS
    Shell Scripts on UNIX (csh, ksh, and bash)
    VBScript (Visual Basic Script) Viruses on Windows Systems
    BATCH Viruses
    Instant Messaging Viruses in mIRC, PIRCH scripts
    SuperLogo Viruses
    JScript Viruses
    Perl Viruses
    WebTV Worms in JellyScript Embedded in HTML Mail
    Python Viruses
    VIM Viruses
    EMACS Viruses
    TCL Viruses
    PHP Viruses
    MapInfo Viruses
    ABAP Viruses on SAP
    Help File Viruses on Windows: When You Press F1…
    JScript Threats in Adobe PDF
    AppleScript Dependency
    ANSI Dependency
    Macromedia Flash ActionScript Threats
    HyperTalk Script Threats
    AutoLisp Script Viruses
    Registry Dependency
    PIF and LNK Dependency
    Lotus Word Pro Macro Viruses
    AmiPro Document Viruses
    Corel Script Viruses
    Lotus 1-2-3 Macro Dependency
    Windows Installation Script Dependency
    AUTORUN.INF and Windows INI File Dependency
    HTML (Hypertext Markup Language) Dependency
  Vulnerability Dependency
  Date and Time Dependency
  JIT Dependency: Microsoft .NET Viruses
  Archive Format Dependency
  File Format Dependency Based on Extension
  Network Protocol Dependency
  Source Code Dependency
    Source Code Trojans
  Resource Dependency on Mac and Palm Platforms
  Host Size Dependency
  Debugger Dependency
    Intended Threats that Rely on a Debugger
  Compiler and Linker Dependency
  Device Translator Layer Dependency
  Embedded Object Insertion Dependency
  Self-Contained Environment Dependency
  Multipartite Viruses
  Conclusion
  References

4. Classification of Infection Strategies
  Boot Viruses
    Master Boot Record (MBR) Infection Techniques
    DOS BOOT Record (DBR) Infection Techniques
    Boot Viruses That Work While Windows 95 Is Active
    Possible Boot Image Attacks in Network Environments
  File Infection Techniques
    Overwriting Viruses
    Random Overwriting Viruses
    Appending Viruses
    Prepending Viruses
    Classic Parasitic Viruses
    Cavity Viruses
    Fractionated Cavity Viruses
    Compressing Viruses
    Amoeba Infection Technique
    Embedded Decryptor Technique
    Embedded Decryptor and Virus Body Technique
    Obfuscated Tricky Jump Technique
    Entry-Point Obscuring (EPO) Viruses
    Possible Future Infection Techniques: Code Builders
  An In-Depth Look at Win32 Viruses
    The Win32 API and Platforms That Support It
    Infection Techniques on 32-Bit Windows
    Win32 and Win64 Viruses: Designed for Microsoft Windows?
  Conclusion
  References

5. Classification of In-Memory Strategies
  Direct-Action Viruses
  Memory-Resident Viruses
    Interrupt Handling and Hooking
    Hook Routines on INT 13h (Boot Viruses)
    Hook Routines on INT 21h (File Viruses)
    Common Memory Installation Techniques Under DOS
    Stealth Viruses
    Disk Cache and System Buffer Infection
  Temporary Memory-Resident Viruses
  Swapping Viruses
  Viruses in Processes (in User Mode)
  Viruses in Kernel Mode (Windows 9x/Me)
  Viruses in Kernel Mode (Windows NT/2000/XP)
  In-Memory Injectors over Networks
  References

6. Basic Self-Protection Strategies
  Tunneling Viruses
    Memory Scanning for Original Handler
    Tracing with Debug Interfaces
    Code Emulation-Based Tunneling
    Accessing the Disk Using Port I/O
    Using Undocumented Functions
  Armored Viruses
    Antidisassembly
    Encrypted Data
    Code Confusion to Avoid Analysis
    Opcode Mixing-Based Code Confusion
    Using Checksum
    Compressed, Obfuscated Code
    Antidebugging
    Antiheuristics
    Antiemulation Techniques
    Antigoat Viruses
  Aggressive Retroviruses
  References

7. Advanced Code Evolution Techniques and Computer Virus Generator Kits
  Introduction
  Evolution of Code
  Encrypted Viruses
  Oligomorphic Viruses
  Polymorphic Viruses
    The 1260 Virus
    The Dark Avenger Mutation Engine (MtE)
    32-Bit Polymorphic Viruses
  Metamorphic Viruses
    What Is a Metamorphic Virus?
    Simple Metamorphic Viruses
    More Complex Metamorphic Viruses and Permutation Techniques
    Mutating Other Applications: The Ultimate Virus Generator?
    Advanced Metamorphic Viruses: Zmist
    {W32, Linux}/Simile: A Metamorphic Engine Across Systems
    The Dark Future: MSIL Metamorphic Viruses
  Virus Construction Kits
    VCS (Virus Construction Set)
    GenVir
    VCL (Virus Creation Laboratory)
    PS-MPC (Phalcon-Skism Mass-Produced Code Generator)
    NGVCK (Next Generation Virus Creation Kit)
    Other Kits and Mutators
    How to Test a Virus Construction Tool?
  References

8. Classification According to Payload
  No-Payload
  Accidentally Destructive Payload
  Nondestructive Payload
  Somewhat Destructive Payload
  Highly Destructive Payload
    Viruses That Overwrite Data
    Data Diddlers
    Viruses That Encrypt Data: The "Good," the Bad, and the Ugly
    Hardware Destroyers
  DoS (Denial of Service) Attacks
  Data Stealers: Making Money with Viruses
    Phishing Attacks
    Backdoor Features
  Conclusion
  References

9. Strategies of Computer Worms
  Introduction
  The Generic Structure of Computer Worms
    Target Locator
    Infection Propagator
    Remote Control and Update Interface
    Life-Cycle Manager
    Payload
    Self-Tracking
  Target Locator
    E-Mail Address Harvesting
    Network Share Enumeration Attacks
    Network Scanning and Target Fingerprinting
  Infection Propagators
    Attacking Backdoor-Compromised Systems
    Peer-to-Peer Network Attacks
    Instant Messaging Attacks
    E-Mail Worm Attacks and Deception Techniques
    E-Mail Attachment Inserters
    SMTP Proxy-Based Attacks
    SMTP Attacks
    SMTP Propagation on Steroids Using MX Queries
    NNTP (Network News Transfer Protocol) Attacks
  Common Worm Code Transfer and Execution Techniques
    Executable Code-Based Attacks
    Links to Web Sites or Web Proxies
    HTML-Based Mail
    Remote Login-Based Attacks
    Code Injection Attacks
    Shell Code-Based Attacks
  Update Strategies of Computer Worms
    Authenticated Updates on the Web or Newsgroups
    Backdoor-Based Updates
  Remote Control via Signaling
    Peer-to-Peer Network Control
  Intentional and Accidental Interactions
    Cooperation
    Competition
    The Future: A Simple Worm Communication Protocol?
  Wireless Mobile Worms
  References

10. Exploits, Vulnerabilities, and Buffer Overflow Attacks
  Introduction
    Definition of Blended Attack
    The Threat
  Background
  Types of Vulnerabilities
    Buffer Overflows
    First-Generation Attacks
    Second-Generation Attacks
    Third-Generation Attacks
  Current and Previous Threats
    The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode)
    Linux/ADM, 1998 ("Copycatting" the Morris Worm)
    The CodeRed Outbreak, 2001 (The Code Injection Attack)
    Linux/Slapper Worm, 2002 (A Heap Overflow Example)
    W32/Slammer Worm, January 2003 (The Mini Worm)
    Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)
    Generic Buffer Overflow Usage in Computer Viruses
    Description of W32/Badtrans.B@mm
    Exploits in W32/Nimda.A@mm
    Description of W32/Bolzano
    Description of VBS/Bubbleboy
    Description of W32/Blebla
  Summary
  References

Part II. Strategies of the Defender

11. Antivirus Defense Techniques
  First-Generation Scanners
    String Scanning
    Wildcards
    Mismatches
    Generic Detection
    Hashing
    Bookmarks
    Top-and-Tail Scanning
    Entry-Point and Fixed-Point Scanning
    Hyperfast Disk Access
  Second-Generation Scanners
    Smart Scanning
    Skeleton Detection
    Nearly Exact Identification
    Exact Identification
  Algorithmic Scanning Methods
    Filtering
    Static Decryptor Detection
    The X-RAY Method
  Code Emulation
    Encrypted and Polymorphic Virus Detection Using Emulation
    Dynamic Decryptor Detection
  Metamorphic Virus Detection Examples
    Geometric Detection
    Disassembling Techniques
    Using Emulators for Tracing
  Heuristic Analysis of 32-Bit Windows Viruses
    Code Execution Starts in the Last Section
    Suspicious Section Characteristics
    Virtual Size Is Incorrect in PE Header
    Possible "Gap" Between Sections
    Suspicious Code Redirection
    Suspicious Code Section Name
    Possible Header Infection
    Suspicious Imports from KERNEL32.DLL by Ordinal
    Import Address Table Is Patched
    Multiple PE Headers
    Multiple Windows Headers and Suspicious KERNEL32.DLL Imports
    Suspicious Relocations
    Kernel Look-Up
    Kernel Inconsistency
    Loading a Section into the VMM Address Space
    Incorrect Size of Code in Header
    Examples of Suspicious Flag Combinations
  Heuristic Analysis Using Neural Networks
  Regular and Generic Disinfection Methods
    Standard Disinfection
    Generic Decryptors
    How Does a Generic Disinfector Work?
    How Can the Disinfector Be Sure That the File Is Infected?
    Where Is the Original End of the Host File?
    How Many Virus Types Can We Handle This Way?
    Examples of Heuristics for Generic Repair
    Generic Disinfection Examples
  Inoculation
  Access Control Systems
  Integrity Checking
    False Positives
    Clean Initial State
    Speed
    Special Objects
    Necessity of Changed Objects
    Possible Solutions
  Behavior Blocking
  Sand-Boxing
  Conclusion
  References

12. Memory Scanning and Disinfection
  Introduction
  The Windows NT Virtual Memory System
  Virtual Address Spaces
  Memory Scanning in User Mode
    The Secrets of NtQuerySystemInformation()
    Common Processes and Special System Rights
    Viruses in the Win32 Subsystem
    Win32 Viruses That Allocate Private Pages
    Native Windows NT Service Viruses
    Win32 Viruses That Use a Hidden Window Procedure
    Win32 Viruses That Are Part of the Executed Image Itself
  Memory Scanning and Paging
    Enumerating Processes and Scanning File Images
  Memory Disinfection
    Terminating a Particular Process That Contains Virus Code
    Detecting and Terminating Virus Threads
    Patching the Virus Code in the Active Pages
    How to Disinfect Loaded DLLs and Running Applications
  Memory Scanning in Kernel Mode
    Scanning the User Address Space of Processes
    Determining NT Service API Entry Points
    Important NT Functions for Kernel-Mode Memory Scanning
    Process Context
    Scanning the Upper 2GB of Address Space
    How Can You Deactivate a Filter Driver Virus?
    Dealing with Read-Only Kernel Memory
    Kernel-Mode Memory Scanning on 64-Bit Platforms
  Possible Attacks Against Memory Scanning
  Conclusion and Future Work
  References

13. Worm-Blocking Techniques and Host-Based Intrusion Prevention
  Introduction
    Script Blocking and SMTP Worm Blocking
    New Attacks to Block: CodeRed, Slammer
  Techniques to Block Buffer Overflow Attacks
    Code Reviews
    Compiler-Level Solutions
    Operating System-Level Solutions and Run-Time Extensions
    Subsystem Extensions: Libsafe
    Kernel Mode Extensions
    Program Shepherding
  Worm-Blocking Techniques
    Injected Code Detection
    Send Blocking: An Example of Blocking Self-Sending Code
    Exception Handler Validation
    Other Return-to-LIBC Attack Mitigation Techniques
    "GOT" and "IAT" Page Attributes
    High Number of Connections and Connection Errors
  Possible Future Worm Attacks
    A Possible Increase of Retroworms
    "Slow" Worms Below the Radar
    Polymorphic and Metamorphic Worms
    Large-Scale Damage
    Automated Exploit Discovery: Learning from the Environment
  Conclusion
  References

14. Network-Level Defense Strategies
  Introduction
  Using Router Access Lists
  Firewall Protection
  Network-Intrusion Detection Systems
  Honeypot Systems
  Counterattacks
  Early Warning Systems
  Worm Behavior Patterns on the Network
    Capturing the Blaster Worm
    Capturing the Linux/Slapper Worm
    Capturing the W32/Sasser.D Worm
    Capturing the Ping Requests of the W32/Welchia Worm
    Detecting W32/Slammer and Related Exploits
  Conclusion
  References

15. Malicious Code Analysis Techniques
  Your Personal Virus Analysis Laboratory
    How to Get the Software?
  Information, Information, Information
    Architecture Guides
    Knowledge Base
  Dedicated Virus Analysis on VMWARE
  The Process of Computer Virus Analysis
    Preparation
    Unpacking
    Disassembling and Decryption
    Dynamic Analysis Techniques
  Maintaining a Malicious Code Collection
  Automated Analysis: The Digital Immune System
  References

16. Conclusion
  Further Reading
    Information on Security and Early Warnings
    Security Updates
    Computer Worm Outbreak Statistics
    Computer Virus Research Papers
    Contact Information for Antivirus Vendors
    Antivirus Testers and Related Sites

Index


Product Details
  • ISBN-13: 9780321304544
  • ISBN-10: 0321304543
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Addison-Wesley Educational Publishers Inc
  • Series Title: Symantec Press
  • Publisher Date: 17 Feb 2005
  • Edition: Annotated edition
  • Binding: Paperback
  • Language: English
  • Number of Pages: 744
  • Height: 234 mm
  • Width: 175 mm
  • Spine Width: 33 mm
  • Depth: 38
  • Weight: 1030 g
  • Returnable: N

