The Art of Computer Virus Research and Defense.pdf

Cover Page
Backcover
Copyright
About the Author
Who Should Read This Book
What I Cover
What I Do Not Cover
Acknowledgments
Contact Information
Part I. STRATEGIES OF THE ATTACKER
Chapter 1. Introduction to the Games of Nature
Section 1.1. Early Models of Self-Replicating Structures
Section 1.2. Genesis of Computer Viruses
Section 1.3. Automated Replicating Code: The Theory and Definition of Computer Viruses
References
Chapter 2. The Fascination of Malicious Code Analysis
Section 2.1. Common Patterns of Virus Research
Section 2.2. Antivirus Defense Development
Section 2.3. Terminology of Malicious Programs
Section 2.4. Other Categories
Section 2.5. Computer Malware Naming Scheme
Section 2.6. Annotated List of Officially Recognized Platform Names
References
Chapter 3. Malicious Code Environments
Section 3.1. Computer Architecture Dependency
Section 3.2. CPU Dependency
Section 3.3. Operating System Dependency
Section 3.4. Operating System Version Dependency
Section 3.5. File System Dependency
Section 3.6. File Format Dependency
Section 3.7. Interpreted Environment Dependency
Section 3.8. Vulnerability Dependency
Section 3.9. Date and Time Dependency
Section 3.10. JIT Dependency: Microsoft .NET Viruses
Section 3.11. Archive Format Dependency
Section 3.12. File Format Dependency Based on Extension
Section 3.13. Network Protocol Dependency
Section 3.14. Source Code Dependency
Section 3.15. Resource Dependency on Mac and Palm Platforms
Section 3.16. Host Size Dependency
Section 3.17. Debugger Dependency
Section 3.18. Compiler and Linker Dependency
Section 3.19. Device Translator Layer Dependency
Section 3.20. Embedded Object Insertion Dependency
Section 3.21. Self-Contained Environment Dependency
Section 3.22. Multipartite Viruses
Section 3.23. Conclusion
References
Chapter 4. Classification of Infection Strategies
Section 4.1. Boot Viruses
Section 4.2. File Infection Techniques
Section 4.3. An In-Depth Look at Win32 Viruses
Section 4.4. Conclusion
References
Chapter 5. Classification of In-Memory Strategies
Section 5.1. Direct-Action Viruses
Section 5.2. Memory-Resident Viruses
Section 5.3. Temporary Memory-Resident Viruses
Section 5.4. Swapping Viruses
Section 5.5. Viruses in Processes (in User Mode)
Section 5.6. Viruses in Kernel Mode (Windows 9x/Me)
Section 5.7. Viruses in Kernel Mode (Windows NT/2000/XP)
Section 5.8. In-Memory Injectors over Networks
References
Chapter 6. Basic Self-Protection Strategies
Section 6.1. Tunneling Viruses
Section 6.2. Armored Viruses
Section 6.3. Aggressive Retroviruses
References
Chapter 7. Advanced Code Evolution Techniques and Computer Virus Generator Kits
Section 7.1. Introduction
Section 7.2. Evolution of Code
Section 7.3. Encrypted Viruses
Section 7.4. Oligomorphic Viruses
Section 7.5. Polymorphic Viruses
Section 7.6. Metamorphic Viruses
Section 7.7. Virus Construction Kits
References
Chapter 8. Classification According to Payload
Section 8.1. No-Payload
Section 8.2. Accidentally Destructive Payload
Section 8.3. Nondestructive Payload
Section 8.4. Somewhat Destructive Payload
Section 8.5. Highly Destructive Payload
Section 8.6. DoS (Denial of Service) Attacks
Section 8.7. Data Stealers: Making Money with Viruses
Section 8.8. Conclusion
References
Chapter 9. Strategies of Computer Worms
Section 9.1. Introduction
Section 9.2. The Generic Structure of Computer Worms
Section 9.3. Target Locator
Section 9.4. Infection Propagators
Section 9.5. Common Worm Code Transfer and Execution Techniques
Section 9.6. Update Strategies of Computer Worms
Section 9.7. Remote Control via Signaling
Section 9.8. Intentional and Accidental Interactions
Section 9.9. Wireless Mobile Worms
References
Chapter 10. Exploits, Vulnerabilities, and Buffer Overflow Attacks
Section 10.1. Introduction
Section 10.2. Background
Section 10.3. Types of Vulnerabilities
Section 10.4. Current and Previous Threats
Section 10.5. Summary
References
Part II. STRATEGIES OF THE DEFENDER
Chapter 11. Antivirus Defense Techniques
Section 11.1. First-Generation Scanners
Section 11.2. Second-Generation Scanners
Section 11.3. Algorithmic Scanning Methods
Section 11.4. Code Emulation
Section 11.5. Metamorphic Virus Detection Examples
Section 11.6. Heuristic Analysis of 32-Bit Windows Viruses
Section 11.7. Heuristic Analysis Using Neural Networks
Section 11.8. Regular and Generic Disinfection Methods
Section 11.9. Inoculation
Section 11.10. Access Control Systems
Section 11.11. Integrity Checking
Section 11.12. Behavior Blocking
Section 11.13. Sand-Boxing
Section 11.14. Conclusion
References
Chapter 12. Memory Scanning and Disinfection
Section 12.1. Introduction
Section 12.2. The Windows NT Virtual Memory System
Section 12.3. Virtual Address Spaces
Section 12.4. Memory Scanning in User Mode
Section 12.5. Memory Scanning and Paging
Section 12.6. Memory Disinfection
Section 12.7. Memory Scanning in Kernel Mode
Section 12.8. Possible Attacks Against Memory Scanning
Section 12.9. Conclusion and Future Work
References
Chapter 13. Worm-Blocking Techniques and Host-Based Intrusion Prevention
Section 13.1. Introduction
Section 13.2. Techniques to Block Buffer Overflow Attacks
Section 13.3. Worm-Blocking Techniques
Section 13.4. Possible Future Worm Attacks
Section 13.5. Conclusion
References
Chapter 14. Network-Level Defense Strategies
Section 14.1. Introduction
Section 14.2. Using Router Access Lists
Section 14.3. Firewall Protection
Section 14.4. Network-Intrusion Detection Systems
Section 14.5. Honeypot Systems
Section 14.6. Counterattacks
Section 14.7. Early Warning Systems
Section 14.8. Worm Behavior Patterns on the Network
Section 14.9. Conclusion
References
Chapter 15. Malicious Code Analysis Techniques
Section 15.1. Your Personal Virus Analysis Laboratory
Section 15.2. Information, Information, Information
Section 15.3. Dedicated Virus Analysis on VMWARE
Section 15.4. The Process of Computer Virus Analysis
Section 15.5. Maintaining a Malicious Code Collection
Section 15.6. Automated Analysis: The Digital Immune System
References
Chapter 16. Conclusion
Further Reading
THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE
By Peter Szor

Publisher: Addison Wesley Professional
Pub Date: February 03, 2005
ISBN: 0-321-30454-3
Pages: 744

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state of the art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats. Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process.

This book's coverage includes:

Discovering how malicious code attacks on a variety of platforms
Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
Mastering empirical methods for analyzing malicious code, and what to do with what you learn
Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
Using worm blocking, host-based intrusion prevention, and network-level defense strategies
Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Symantec Press Publisher: Linda McCarthy
Editor in Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Cover Designer: Alan Clements
Managing Editor: Gina Kanouse
Senior Project Editor: Kristy Hart
Copy Editor: Christal Andry
Indexers: Cheryl Lenser and Larry Sweazy
Compositor: Stickman Studio
Manufacturing Buyer: Dan Uhrig

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U. S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside the U. S., please contact:

International Sales
international@pearsoned.com

Visit us on the Web: www.awprofessional.com

Library of Congress Number: 2004114972

Copyright © 2005 Symantec Corporation

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458

Text printed in the United States on recycled paper at Phoenix BookTech in Hagerstown, Maryland.

First printing, February, 2005

Dedication

to Natalia
About the Author

Peter Szor is a world renowned computer virus and security researcher. He has been actively conducting research on computer viruses for more than 15 years, and he focused on the subject of computer viruses and virus protection in his diploma work in 1991. Over the years, Peter has been fortunate to work with the best-known antivirus products, such as AVP, F-PROT, and Symantec Norton AntiVirus. Originally, he built his own antivirus program, Pasteur, from 1990 to 1995, in Hungary. Parallel to his interest in computer antivirus development, Peter also has years of experience in fault-tolerant and secured financial transaction systems development. He was invited to join the Computer Antivirus Researchers Organization (CARO) in 1997. Peter is on the advisory board of Virus Bulletin Magazine and a founding member of the AntiVirus Emergency Discussion (AVED) network. He has been with Symantec for over five years as a chief researcher in Santa Monica, California. Peter has authored over 70 articles and papers on the subject of computer viruses and security for magazines such as Virus Bulletin, Chip, Source, Windows NT Magazine, and Information Security Bulletin, among others. He is a frequent speaker at conferences, including Virus Bulletin, EICAR, ICSA, and RSA, and has given invited talks at such security conferences as the USENIX Security Symposium. Peter is passionate about sharing his research results and educating others about computer viruses and security issues.
Who Should Read This Book

Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for technical professionals. There are only a few works that do not shy away from the technical details necessary to understand, and effectively defend against, computer viruses. Part of the problem is that existing books have little, if any, information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.

I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their networks from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works at sufficient length before. I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.

For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as the CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives (the file (storage), in-memory, and network views) and correlate the events using malicious code analysis techniques.

Over the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage of 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and to demonstrate up-to-date attacks with just enough technical detail.

I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field! That is what this book is all about.
What I Cover

The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection. I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades, and tell you what has been done to deal with complexities such as code polymorphism and exploits.

The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not to your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience. I expect my readers to be familiar with technology and some level of programming.

There are so many things discussed in this book that it is simply impossible to cover everything at sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information. Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would get no benefit from my work if this were the other way around.
What I Do Not Cover

I do not cover Trojan horse programs or backdoors at great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.

I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense! Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop better defenses? Simply, the answer is no… Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them, and do something against them.

Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.