Issue No. 04 - July/August (2005 vol. 3)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2005.86
Nathanael Paul , University of Virginia
Reviewed in this issue: Peter Szor, The Art of Computer Virus Research and Defense, Addison-Wesley, 2005, ISBN: 0-321-30454-3, 744 pages, US$49.99.
I first met Peter Szor at the 2004 Usenix Security conference, where he was giving an invited talk on malware. After discussing several malware issues with him, I was eager to read his upcoming book, The Art of Computer Virus Research and Defense. I was not disappointed. Szor's detailed explanations of attack strategies and his coverage of current antivirus (AV) defensive measures make his book a valuable resource that has found a permanent home on my bookshelf.
Although many security books briefly discuss malware, viruses and worms are this book's central theme. It's divided into two main sections, attack and defense. The first chapter discusses different models of replication, from John von Neumann's early theory of self-replicating automata to Fred Cohen's 1984 paper, "Computer Viruses: Theory and Experiments."
Some parts of the book read more like reference material than prose. For instance, chapter 2 defines the terminology used in the rest of the book, but these definitions are cumbersome to read straight through. Chapter 3 includes many examples of the different file formats that viruses have used, which I found less interesting than other discussions in the book. Although both chapters have some interesting information, Szor could have shortened them in favor of expanding other parts of the book. That said, the rest is a pleasure to read, and the material is well-written and accompanied by numerous real-world examples.
The rest of the first section, chapters 4 through 10, covers the old and the new: viruses and present-day worms. Szor devotes an entire chapter to different methods of virus file infection, and another to memory-resident techniques for viruses. He includes considerable information about older 16-bit DOS viruses, but many past viral techniques are similar to current ones. The virus-protection techniques he describes in chapters 6 and 7 help clarify why viruses can be so difficult to identify.
To end this section, Szor examines different worm properties, including infection techniques, update procedures, control capabilities, and exploits used. Given that the examples are real viruses and worms, you can use them to find other online information for analysis if you wish to know more.
This book's first section helped me understand how prevalent viruses have become; the section on virus defense details both past and current methods to identify and slow the spread of viruses and worms. Many commercial AV scanners don't provide source code, so, in this section, Szor provides insight into how they actually work, and how we can attempt to stop these attacks.
One concern I did have in reading the book was that Szor seems to refer to the authors of many of the viruses or worms mentioned in somewhat glowing terms. I wonder if this could "fuel the fire" in some ways; after all, many virus authors cite write-ups about their work in their source-code comments. It might have been better had Szor included virus authors as footnotes instead of including them in the main text. However, many of the authors have retired, making this a small complaint that in no way detracts from the book's excellent technical content.
I would definitely recommend The Art of Computer Virus Research and Defense to anyone wanting more information about viruses and worms, whether you're a practitioner or a researcher. Readers unfamiliar with assembly and computer architectures might have a difficult time understanding parts of the book, but such knowledge isn't necessary to understand its main points. Szor effectively presents a clear picture of past and present virus and worm development.
Nathanael Paul is a graduate student at the University of Virginia. Contact him at firstname.lastname@example.org.