HAPPY BOOKSGIVING
Use code BOOKSGIVING during checkout to save 40%-55% on books and eBooks. Shop now.
Register your product to gain access to bonus material or receive a coupon.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
"Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book."
–Halvar Flake, Reverse Engineer, SABRE Security GmbH
Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.
Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.
Szor also offers the most thorough and practical primer on virus analysis ever published–addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes
Discovering how malicious code attacks on a variety of platforms
Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
Mastering empirical methods for analyzing malicious code–and what to do with what you learn
Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
Using worm blocking, host-based intrusion prevention, and network-level defense strategies
© Copyright Pearson Education. All rights reserved.
About the Author.
Preface.
Acknowledgments.
I. STRATEGIES OF THE ATTACKER.
1. Introduction to the Games of Nature.
Early Models of Self-Replicating Structures
John von Neumann: Theory of Self-Reproducing Automata
Fredkin: Reproducing Structures
Conway: Game of Life
Core War: The Fighting Programs
Genesis of Computer Viruses
Automated Replicating Code: The Theory and Definition of Computer Viruses
References
2. The Fascination of Malicious Code Analysis.
Common Patterns of Virus Research
Antivirus Defense Development
Terminology of Malicious Programs
Viruses
Worms
Logic Bombs
Trojan Horses
Germs
Exploits
Downloaders
Dialers
Droppers
Injectors
Auto-Rooters
Kits (Virus Generators)
Spammer Programs
Flooders
Keyloggers
Rootkits
Other Categories
Joke Programs
Hoaxes: Chain Letters
Other Pests: Adware and Spyware
Computer Malware Naming Scheme
<family_name>
<malware_type>://
<platform>/
.<group_name>
<infective_length>
<variant>
[<devolution>]
<modifiers>
:<locale_specifier>
#<packer>
@m or @mm
!<vendor-specific_comment>
Annotated List of Officially Recognized Platform Names
References
3. Malicious Code Environments.
Computer Architecture Dependency
CPU Dependency
Operating System Dependency
Operating System Version Dependency
File System Dependency
Cluster Viruses
NTFS Stream Viruses
NTFS Compression Viruses
ISO Image Infection
File Format Dependency
COM Viruses on DOS
EXE Viruses on DOS
NE (New Executable) Viruses on 16-bit Windows and OS/2
LX Viruses on OS/2
PE (Portable Executable) Viruses on 32-bit Windows
ELF (Executable and Linking Format) Viruses on UNIX
Device Driver Viruses
Object Code and LIB Viruses
Interpreted Environment Dependency
Macro Viruses in Microsoft Products
REXX Viruses on IBM Systems
DCL (DEC Command Language) Viruses on DEC/VMS
Shell Scripts on UNIX (csh, ksh, and bash)
VBScript (Visual Basic Script) Viruses on Windows Systems
BATCH Viruses
Instant Messaging Viruses in mIRC, PIRCH scripts
SuperLogo Viruses
JScript Viruses
Perl Viruses
WebTV Worms in JellyScript Embedded in HTML Mail
Python Viruses
VIM Viruses
EMACS Viruses
TCL Viruses
PHP Viruses
MapInfo Viruses
ABAP Viruses on SAP
Help File Viruses on Windows–When You Press F1…
JScript Threats in Adobe PDF
AppleScript Dependency
ANSI Dependency
Macromedia Flash ActionScript Threats
HyperTalk Script Threats
AutoLisp Script Viruses
Registry Dependency
PIF and LNK Dependency
Lotus Word Pro Macro Viruses
AmiPro Document Viruses
Corel Script Viruses
Lotus 1-2-3 Macro Dependency
Windows Installation Script Dependency
AUTORUN.INF and Windows INI File Dependency
HTML (Hypertext Markup Language) Dependency
Vulnerability Dependency
Date and Time Dependency
JIT Dependency: Microsoft .NET Viruses
Archive Format Dependency
File Format Dependency Based on Extension
Network Protocol Dependency
Source Code Dependency
Source Code Trojans
Resource Dependency on Mac and Palm Platforms
Host Size Dependency
Debugger Dependency
Intended Threats that Rely on a Debugger
Compiler and Linker Dependency
Device Translator Layer Dependency
Embedded Object Insertion Dependency
Self-Contained Environment Dependency
Multipartite Viruses
Conclusion
References
4. Classification of Infection Strategies.
Boot Viruses
Master Boot Record (MBR) Infection Techniques
DOS BOOT Record (DBR) - Infection Techniques
Boot Viruses That Work While Windows 95 Is Active
Possible Boot Image Attacks in Network Environments
File Infection Techniques
Overwriting Viruses
Random Overwriting Viruses
Appending Viruses
Prepending Viruses
Classic Parasitic Viruses
Cavity Viruses
Fractionated Cavity Viruses
Compressing Viruses
Amoeba Infection Technique
Embedded Decryptor Technique
Embedded Decryptor and Virus Body Technique
Obfuscated Tricky Jump Technique
Entry-Point Obscuring (EPO) Viruses
Possible Future Infection Techniques: Code Builders
An In-Depth Look at Win32 Viruses
The Win32 API and Platforms That Support It
Infection Techniques on 32-Bit Windows
Win32 and Win64 Viruses: Designed for Microsoft Windows?
Conclusion
References
5. Classification of In-Memory Strategies.
Direct-Action Viruses
Memory-Resident Viruses
Interrupt Handling and Hooking
Hook Routines on INT 13h (Boot Viruses)
Hook Routines on INT 21h (File Viruses)
Common Memory Installation Techniques Under DOS
Stealth Viruses
Disk Cache and System Buffer Infection
Temporary Memory-Resident Viruses
Swapping Viruses
Viruses in Processes (in User Mode)
Viruses in Kernel Mode (Windows 9x/Me)
Viruses in Kernel Mode (Windows NT/2000/XP)
In-Memory Injectors over Networks
References
6. Basic Self-Protection Strategies.
Tunneling Viruses
Memory Scanning for Original Handler
Tracing with Debug Interfaces
Code Emulation—Based Tunneling
Accessing the Disk Using Port I/O
Using Undocumented Functions
Armored Viruses
Antidisassembly
Encrypted Data
Code Confusion to Avoid Analysis
Opcode Mixing—Based Code Confusion
Using Checksum
Compressed, Obfuscated Code
Antidebugging
Antiheuristics
Antiemulation Techniques
Antigoat Viruses
Aggressive Retroviruses
References
7. Advanced Code Evolution Techniques and Computer Virus Generator Kits.
Introduction
Evolution of Code
Encrypted Viruses
Oligomorphic Viruses
Polymorphic Viruses
The 1260 Virus
The Dark Avenger Mutation Engine (MtE)
32-Bit Polymorphic Viruses
Metamorphic Viruses
What Is a Metamorphic Virus?
Simple Metamorphic Viruses
More Complex Metamorphic Viruses and Permutation Techniques
Mutating Other Applications: The Ultimate Virus Generator?
Advanced Metamorphic Viruses: Zmist
{W32, Linux}/Simile: A Metamorphic Engine Across Systems
The Dark Future–MSIL Metamorphic Viruses
Virus Construction Kits
VCS (Virus Construction Set)
GenVir
VCL (Virus Creation Laboratory)
PS-MPC (Phalcon-Skism Mass-Produced Code Generator)
NGVCK (Next Generation Virus Creation Kit)
Other Kits and Mutators
How to Test a Virus Construction Tool?
References
8. Classification According to Payload.
No-Payload
Accidentally Destructive Payload
Nondestructive Payload
Somewhat Destructive Payload
Highly Destructive Payload
Viruses That Overwrite Data
Data Diddlers
Viruses That Encrypt Data: The “Good,” the Bad, and the Ugly
Hardware Destroyers
DoS (Denial of Service) Attacks
Data Stealers: Making Money with Viruses
Phishing Attacks
Backdoor Features
Conclusion
References
9. Strategies of Computer Worms.
Introduction
The Generic Structure of Computer Worms
Target Locator
Infection Propagator
Remote Control and Update Interface
Life-Cycle Manager
Payload
Self-Tracking
Target Locator
E-Mail Address Harvesting
Network Share Enumeration Attacks
Network Scanning and Target Fingerprinting
Infection Propagators
Attacking Backdoor-Compromised Systems
Peer-to-Peer Network Attacks
Instant Messaging Attacks
E-Mail Worm Attacks and Deception Techniques
E-Mail Attachment Inserters
SMTP Proxy—Based Attacks
SMTP Attacks
SMTP Propagation on Steroids Using MX Queries
NNTP (Network News Transfer Protocol) Attacks
Common Worm Code Transfer and Execution Techniques
Executable Code—Based Attacks
Links to Web Sites or Web Proxies
HTML-Based Mail
Remote Login-Based Attacks
Code Injection Attacks
Shell Code—Based Attacks
Update Strategies of Computer Worms
Authenticated Updates on the Web or Newsgroups
Backdoor-Based Updates
Remote Control via Signaling
Peer-to-Peer Network Control
Intentional and Accidental Interactions
Cooperation
Competition
The Future: A Simple Worm Communication Protocol?
Wireless Mobile Worms
References
10. Exploits, Vulnerabilities, and Buffer Overflow Attacks.
Introduction
Definition of Blended Attack
The Threat
Background
Types of Vulnerabilities
Buffer Overflows
First-Generation Attacks
Second-Generation Attacks
Third-Generation Attacks
Current and Previous Threats
The Morris Internet Worm, 1988 (Stack Overflow to Run
- Shellcode)
Linux/ADM, 1998 (“Copycatting” the Morris Worm)
The CodeRed Outbreak, 2001 (The Code Injection Attack)
Linux/Slapper Worm, 2002 (A Heap Overflow Example)
W32/Slammer Worm, January 2003 (The Mini Worm)
Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)
Generic Buffer Overflow Usage in Computer Viruses
Description of W32/Badtrans.B@mm
Exploits in W32/Nimda.A@mm
Description of W32/Bolzano
Description of VBS/Bubbleboy
Description of W32/Blebla
Summary
References
II. STRATEGIES OF THE DEFENDER.
11. Antivirus Defense Techniques.
First-Generation Scanners
String Scanning
Wildcards
Mismatches
Generic Detection
Hashing
Bookmarks
Top-and-Tail Scanning
Entry-Point and Fixed-Point Scanning
Hyperfast Disk Access
Second-Generation Scanners
Smart Scanning
Skeleton Detection
Nearly Exact Identification
Exact Identification
Algorithmic Scanning Methods
Filtering
Static Decryptor Detection
The X-RAY Method
Code Emulation
Encrypted and Polymorphic Virus Detection Using Emulation
Dynamic Decryptor Detection
Metamorphic Virus Detection Examples
Geometric Detection
Disassembling Techniques
Using Emulators for Tracing
Heuristic Analysis of 32-Bit Windows Viruses
Code Execution Starts in the Last Section
Suspicious Section Characteristics
Virtual Size Is Incorrect in PE Header
Possible “Gap” Between Sections
Suspicious Code Redirection
Suspicious Code Section Name
Possible Header Infection
Suspicious Imports from KERNEL32.DLL by Ordinal
Import Address Table Is Patched
Multiple PE Headers
Multiple Windows Headers and Suspicious KERNEL32.DLL Imports
Suspicious Relocations
Kernel Look-Up
Kernel Inconsistency
Loading a Section into the VMM Address Space
Incorrect Size of Code in Header
Examples of Suspicious Flag Combinations
Heuristic Analysis Using Neural Networks
Regular and Generic Disinfection Methods
Standard Disinfection
Generic Decryptors
How Does a Generic Disinfector Work?
How Can the Disinfector Be Sure That the File Is Infected?
Where Is the Original End of the Host File?
How Many Virus Types Can We Handle This Way?
Examples of Heuristics for Generic Repair
Generic Disinfection Examples
Inoculation
Access Control Systems
Integrity Checking
False Positives
Clean Initial State
Speed
Special Objects
Necessity of Changed Objects
Possible Solutions
Behavior Blocking
Sand-Boxing
Conclusion
References
12. Memory Scanning and Disinfection.
Introduction
The Windows NT Virtual Memory System
Virtual Address Spaces
Memory Scanning in User Mode
The Secrets of NtQuerySystemInform-ation()
Common Processes and Special System Rights
Viruses in the Win32 Subsystem
Win32 Viruses That Allocate Private Pages
Native Windows NT Service Viruses
Win32 Viruses That Use a Hidden Window Procedure
Win32 Viruses That Are Part of the Executed Image Itself
Memory Scanning and Paging
Enumerating Processes and Scanning File Images
Memory Disinfection
Terminating a Particular Process That Contains Virus Code
Detecting and Terminating Virus Threads
Patching the Virus Code in the Active Pages
How to Disinfect Loaded DLLs and Running Applications
Memory Scanning in Kernel Mode
Scanning the User Address Space of Processes
Determining NT Service API Entry Points
Important NT Functions for Kernel-Mode Memory Scanning
Process Context
Scanning the Upper 2GB of Address Space
How Can You Deactivate a Filter Driver Virus?
Dealing with Read-Only Kernel Memory
Kernel-Mode Memory Scanning on 64-Bit Platforms
Possible Attacks Against Memory Scanning
Conclusion and Future Work
References
13. Worm-Blocking Techniques and Host-Based Intrusion Prevention.
Introduction
Script Blocking and SMTP Worm Blocking
New Attacks to Block: CodeRed, Slammer
Techniques to Block Buffer Overflow Attacks
Code Reviews
Compiler-Level Solutions
Operating System-Level Solutions and Run-Time Extensions
Subsystem Extensions–Libsafe
Kernel Mode Extensions
Program Shepherding
Worm-Blocking Techniques
Injected Code Detection
Send Blocking: An Example of Blocking Self-Sending Code
Exception Handler Validation
Other Return-to-LIBC Attack Mitigation Techniques
“GOT” and “IAT” Page Attributes
High Number of Connections and Connection Errors
Possible Future Worm Attacks
A Possible Increase of Retroworms
“Slow” Worms Below the Radar
Polymorphic and Metamorphic Worms
Largescale Damage
Automated Exploit Discovery–Learning from the Environment
Conclusion
References
14. Network-Level Defense Strategies.
Introduction
Using Router Access Lists
Firewall Protection
Network-Intrusion Detection Systems
Honeypot Systems
Counterattacks
Early Warning Systems
Worm Behavior Patterns on the Network
Capturing the Blaster Worm
Capturing the Linux/Slapper Worm
Capturing the W32/Sasser.D Worm
Capturing the Ping Requests of the W32/Welchia Worm
Detecting W32/Slammer and Related Exploits
Conclusion
References
15. Malicious Code Analysis Techniques.
Your Personal Virus Analysis Laboratory
How to Get the Software?
Information, Information, Information
Architecture Guides
Knowledge Base
Dedicated Virus Analysis on VMWARE
The Process of Computer Virus Analysis
Preparation
Unpacking
Disassembling and Decryption
Dynamic Analysis Techniques
Maintaining a Malicious Code Collection
Automated Analysis: The Digital Immune System
References
16. Conclusion.
Further Reading
Information on Security and Early Warnings
Security Updates
Computer Worm Outbreak Statistics
Computer Virus Research Papers
Contact Information for Antivirus Vendors
Antivirus Testers and Related Sites
Index.