The art of computer virus research and defense 0321304543, 9780321304544
Peter Szor takes you behind the scenes of anti-virus research, showing howthey are analyzed, how they spread, and--most
253 12 8MB
English Pages xxvii, 713 s.: illustrations [745] Year 2005
Table of contents :
Cover......Page 1
TABLE OF CONTENTS......Page 8
ABOUT THE AUTHOR......Page 22
PREFACE......Page 23
ACKNOWLEDGMENTS......Page 26
PART I: Strategies of the Attacker......Page 30
1 INTRODUCTION TO THE GAMES OF NATURE......Page 32
1.1 Early Models of Self-Replicating Structures......Page 33
1.2 Genesis of Computer Viruses......Page 46
1.3 Automated Replicating Code: The Theory and Definition of Computer Viruses......Page 47
References......Page 49
2 THE FASCINATION OF MALICIOUS CODE ANALYSIS......Page 52
2.1 Common Patterns of Virus Research......Page 55
2.2 Antivirus Defense Development......Page 56
2.3 Terminology of Malicious Programs......Page 57
2.4 Other Categories......Page 65
2.5 Computer Malware Naming Scheme......Page 67
2.6 Annotated List of Officially Recognized Platform Names......Page 71
References......Page 75
3 MALICIOUS CODE ENVIRONMENTS......Page 78
3.1 Computer Architecture Dependency......Page 81
3.2 CPU Dependency......Page 82
3.4 Operating System Version Dependency......Page 84
3.5 File System Dependency......Page 85
3.6 File Format Dependency......Page 88
3.7 Interpreted Environment Dependency......Page 95
3.9 Date and Time Dependency......Page 127
3.10 JIT Dependency: Microsoft .NET Viruses......Page 128
3.11 Archive Format Dependency......Page 129
3.12 File Format Dependency Based on Extension......Page 130
3.14 Source Code Dependency......Page 131
3.15 Resource Dependency on Mac and Palm Platforms......Page 133
3.16 Host Size Dependency......Page 134
3.17 Debugger Dependency......Page 135
3.18 Compiler and Linker Dependency......Page 137
3.19 Device Translator Layer Dependency......Page 138
3.20 Embedded Object Insertion Dependency......Page 141
3.21 Self-Contained Environment Dependency......Page 142
3.22 Multipartite Viruses......Page 144
3.23 Conclusion......Page 145
References......Page 146
4 CLASSIFICATION OF INFECTION STRATEGIES......Page 150
4.1 Boot Viruses......Page 151
4.2 File Infection Techniques......Page 158
4.3 An In-Depth Look at Win32 Viruses......Page 186
4.4 Conclusion......Page 212
References......Page 213
5 CLASSIFICATION OF IN-MEMORY STRATEGIES......Page 214
5.2 Memory-Resident Viruses......Page 215
5.3 Temporary Memory-Resident Viruses......Page 239
5.5 Viruses in Processes (in User Mode)......Page 240
5.6 Viruses in Kernel Mode (Windows 9x/Me)......Page 241
5.7 Viruses in Kernel Mode (Windows NT/2000/XP)......Page 242
5.8 In-Memory Injectors over Networks......Page 244
References......Page 245
6 BASIC SELF-PROTECTION STRATEGIES......Page 246
6.1 Tunneling Viruses......Page 247
6.2 Armored Viruses......Page 249
6.3 Aggressive Retroviruses......Page 276
References......Page 279
7 ADVANCED CODE EVOLUTION TECHNIQUES AND COMPUTER VIRUS GENERATOR KITS......Page 280
7.2 Evolution of Code......Page 281
7.3 Encrypted Viruses......Page 282
7.4 Oligomorphic Viruses......Page 288
7.5 Polymorphic Viruses......Page 290
7.6 Metamorphic Viruses......Page 298
7.7 Virus Construction Kits......Page 317
References......Page 322
8 CLASSIFICATION ACCORDING TO PAYLOAD......Page 324
8.1 No-Payload......Page 325
8.3 Nondestructive Payload......Page 326
8.4 Somewhat Destructive Payload......Page 329
8.5 Highly Destructive Payload......Page 330
8.6 DoS (Denial of Service) Attacks......Page 335
8.7 Data Stealers: Making Money with Viruses......Page 337
References......Page 341
9 STRATEGIES OF COMPUTER WORMS......Page 342
9.1 Introduction......Page 343
9.2 The Generic Structure of Computer Worms......Page 344
9.3 Target Locator......Page 348
9.4 Infection Propagators......Page 360
9.5 Common Worm Code Transfer and Execution Techniques......Page 367
9.6 Update Strategies of Computer Worms......Page 374
9.7 Remote Control via Signaling......Page 380
9.8 Intentional and Accidental Interactions......Page 383
9.9 Wireless Mobile Worms......Page 388
References......Page 390
10 EXPLOITS, VULNERABILITIES, AND BUFFER OVERFLOW ATTACKS......Page 394
10.1 Introduction......Page 395
10.2 Background......Page 396
10.3 Types of Vulnerabilities......Page 397
10.4 Current and Previous Threats......Page 423
10.5 Summary......Page 448
References......Page 449
Part II: STRATEGIES OF THE DEFENDER......Page 452
11 ANTIVIRUS DEFENSE TECHNIQUES......Page 454
11.1 First-Generation Scanners......Page 457
11.2 Second-Generation Scanners......Page 466
11.3 Algorithmic Scanning Methods......Page 470
11.4 Code Emulation......Page 480
11.5 Metamorphic Virus Detection Examples......Page 490
11.6 Heuristic Analysis of 32-Bit Windows Viruses......Page 496
11.7 Heuristic Analysis Using Neural Networks......Page 501
11.8 Regular and Generic Disinfection Methods......Page 503
11.9 Inoculation......Page 510
11.10 Access Control Systems......Page 511
11.11 Integrity Checking......Page 513
11.12 Behavior Blocking......Page 516
11.13 Sand-Boxing......Page 518
References......Page 520
12 MEMORY SCANNING AND DISINFECTION......Page 524
12.1 Introduction......Page 526
12.2 The Windows NT Virtual Memory System......Page 528
12.3 Virtual Address Spaces......Page 530
12.4 Memory Scanning in User Mode......Page 534
12.5 Memory Scanning and Paging......Page 544
12.6 Memory Disinfection......Page 546
12.7 Memory Scanning in Kernel Mode......Page 552
12.8 Possible Attacks Against Memory Scanning......Page 561
12.9 Conclusion and Future Work......Page 563
References......Page 564
13 WORM-BLOCKING TECHNIQUES AND HOST-BASED INTRUSION PREVENTION......Page 566
13.1 Introduction......Page 567
13.2 Techniques to Block Buffer Overflow Attacks......Page 572
13.3 Worm-Blocking Techniques......Page 586
13.4 Possible Future Worm Attacks......Page 604
13.5 Conclusion......Page 607
References......Page 609
14 NETWORK-LEVEL DEFENSE STRATEGIES......Page 612
14.1 Introduction......Page 613
14.2 Using Router Access Lists......Page 614
14.3 Firewall Protection......Page 617
14.4 Network-Intrusion Detection Systems......Page 620
14.5 Honeypot Systems......Page 622
14.6 Counterattacks......Page 625
14.8 Worm Behavior Patterns on the Network......Page 627
References......Page 638
15 MALICIOUS CODE ANALYSIS TECHNIQUES......Page 640
15.1 Your Personal Virus Analysis Laboratory......Page 641
15.2 Information, Information, Information......Page 644
15.3 Dedicated Virus Analysis on VMWARE......Page 645
15.4 The Process of Computer Virus Analysis......Page 647
15.6 Automated Analysis: The Digital Immune System......Page 690
References......Page 694
16 CONCLUSION......Page 696
Further Reading......Page 698
A......Page 704
B......Page 707
C......Page 709
D......Page 711
E......Page 713
F......Page 715
G......Page 716
H......Page 717
I......Page 718
K......Page 720
M......Page 721
N......Page 724
O......Page 725
P......Page 726
R......Page 728
S......Page 729
T......Page 733
V......Page 734
W......Page 736
Z......Page 742
Cover......Page 1
TABLE OF CONTENTS......Page 8
ABOUT THE AUTHOR......Page 22
PREFACE......Page 23
ACKNOWLEDGMENTS......Page 26
PART I: Strategies of the Attacker......Page 30
1 INTRODUCTION TO THE GAMES OF NATURE......Page 32
1.1 Early Models of Self-Replicating Structures......Page 33
1.2 Genesis of Computer Viruses......Page 46
1.3 Automated Replicating Code: The Theory and Definition of Computer Viruses......Page 47
References......Page 49
2 THE FASCINATION OF MALICIOUS CODE ANALYSIS......Page 52
2.1 Common Patterns of Virus Research......Page 55
2.2 Antivirus Defense Development......Page 56
2.3 Terminology of Malicious Programs......Page 57
2.4 Other Categories......Page 65
2.5 Computer Malware Naming Scheme......Page 67
2.6 Annotated List of Officially Recognized Platform Names......Page 71
References......Page 75
3 MALICIOUS CODE ENVIRONMENTS......Page 78
3.1 Computer Architecture Dependency......Page 81
3.2 CPU Dependency......Page 82
3.4 Operating System Version Dependency......Page 84
3.5 File System Dependency......Page 85
3.6 File Format Dependency......Page 88
3.7 Interpreted Environment Dependency......Page 95
3.9 Date and Time Dependency......Page 127
3.10 JIT Dependency: Microsoft .NET Viruses......Page 128
3.11 Archive Format Dependency......Page 129
3.12 File Format Dependency Based on Extension......Page 130
3.14 Source Code Dependency......Page 131
3.15 Resource Dependency on Mac and Palm Platforms......Page 133
3.16 Host Size Dependency......Page 134
3.17 Debugger Dependency......Page 135
3.18 Compiler and Linker Dependency......Page 137
3.19 Device Translator Layer Dependency......Page 138
3.20 Embedded Object Insertion Dependency......Page 141
3.21 Self-Contained Environment Dependency......Page 142
3.22 Multipartite Viruses......Page 144
3.23 Conclusion......Page 145
References......Page 146
4 CLASSIFICATION OF INFECTION STRATEGIES......Page 150
4.1 Boot Viruses......Page 151
4.2 File Infection Techniques......Page 158
4.3 An In-Depth Look at Win32 Viruses......Page 186
4.4 Conclusion......Page 212
References......Page 213
5 CLASSIFICATION OF IN-MEMORY STRATEGIES......Page 214
5.2 Memory-Resident Viruses......Page 215
5.3 Temporary Memory-Resident Viruses......Page 239
5.5 Viruses in Processes (in User Mode)......Page 240
5.6 Viruses in Kernel Mode (Windows 9x/Me)......Page 241
5.7 Viruses in Kernel Mode (Windows NT/2000/XP)......Page 242
5.8 In-Memory Injectors over Networks......Page 244
References......Page 245
6 BASIC SELF-PROTECTION STRATEGIES......Page 246
6.1 Tunneling Viruses......Page 247
6.2 Armored Viruses......Page 249
6.3 Aggressive Retroviruses......Page 276
References......Page 279
7 ADVANCED CODE EVOLUTION TECHNIQUES AND COMPUTER VIRUS GENERATOR KITS......Page 280
7.2 Evolution of Code......Page 281
7.3 Encrypted Viruses......Page 282
7.4 Oligomorphic Viruses......Page 288
7.5 Polymorphic Viruses......Page 290
7.6 Metamorphic Viruses......Page 298
7.7 Virus Construction Kits......Page 317
References......Page 322
8 CLASSIFICATION ACCORDING TO PAYLOAD......Page 324
8.1 No-Payload......Page 325
8.3 Nondestructive Payload......Page 326
8.4 Somewhat Destructive Payload......Page 329
8.5 Highly Destructive Payload......Page 330
8.6 DoS (Denial of Service) Attacks......Page 335
8.7 Data Stealers: Making Money with Viruses......Page 337
References......Page 341
9 STRATEGIES OF COMPUTER WORMS......Page 342
9.1 Introduction......Page 343
9.2 The Generic Structure of Computer Worms......Page 344
9.3 Target Locator......Page 348
9.4 Infection Propagators......Page 360
9.5 Common Worm Code Transfer and Execution Techniques......Page 367
9.6 Update Strategies of Computer Worms......Page 374
9.7 Remote Control via Signaling......Page 380
9.8 Intentional and Accidental Interactions......Page 383
9.9 Wireless Mobile Worms......Page 388
References......Page 390
10 EXPLOITS, VULNERABILITIES, AND BUFFER OVERFLOW ATTACKS......Page 394
10.1 Introduction......Page 395
10.2 Background......Page 396
10.3 Types of Vulnerabilities......Page 397
10.4 Current and Previous Threats......Page 423
10.5 Summary......Page 448
References......Page 449
Part II: STRATEGIES OF THE DEFENDER......Page 452
11 ANTIVIRUS DEFENSE TECHNIQUES......Page 454
11.1 First-Generation Scanners......Page 457
11.2 Second-Generation Scanners......Page 466
11.3 Algorithmic Scanning Methods......Page 470
11.4 Code Emulation......Page 480
11.5 Metamorphic Virus Detection Examples......Page 490
11.6 Heuristic Analysis of 32-Bit Windows Viruses......Page 496
11.7 Heuristic Analysis Using Neural Networks......Page 501
11.8 Regular and Generic Disinfection Methods......Page 503
11.9 Inoculation......Page 510
11.10 Access Control Systems......Page 511
11.11 Integrity Checking......Page 513
11.12 Behavior Blocking......Page 516
11.13 Sand-Boxing......Page 518
References......Page 520
12 MEMORY SCANNING AND DISINFECTION......Page 524
12.1 Introduction......Page 526
12.2 The Windows NT Virtual Memory System......Page 528
12.3 Virtual Address Spaces......Page 530
12.4 Memory Scanning in User Mode......Page 534
12.5 Memory Scanning and Paging......Page 544
12.6 Memory Disinfection......Page 546
12.7 Memory Scanning in Kernel Mode......Page 552
12.8 Possible Attacks Against Memory Scanning......Page 561
12.9 Conclusion and Future Work......Page 563
References......Page 564
13 WORM-BLOCKING TECHNIQUES AND HOST-BASED INTRUSION PREVENTION......Page 566
13.1 Introduction......Page 567
13.2 Techniques to Block Buffer Overflow Attacks......Page 572
13.3 Worm-Blocking Techniques......Page 586
13.4 Possible Future Worm Attacks......Page 604
13.5 Conclusion......Page 607
References......Page 609
14 NETWORK-LEVEL DEFENSE STRATEGIES......Page 612
14.1 Introduction......Page 613
14.2 Using Router Access Lists......Page 614
14.3 Firewall Protection......Page 617
14.4 Network-Intrusion Detection Systems......Page 620
14.5 Honeypot Systems......Page 622
14.6 Counterattacks......Page 625
14.8 Worm Behavior Patterns on the Network......Page 627
References......Page 638
15 MALICIOUS CODE ANALYSIS TECHNIQUES......Page 640
15.1 Your Personal Virus Analysis Laboratory......Page 641
15.2 Information, Information, Information......Page 644
15.3 Dedicated Virus Analysis on VMWARE......Page 645
15.4 The Process of Computer Virus Analysis......Page 647
15.6 Automated Analysis: The Digital Immune System......Page 690
References......Page 694
16 CONCLUSION......Page 696
Further Reading......Page 698
A......Page 704
B......Page 707
C......Page 709
D......Page 711
E......Page 713
F......Page 715
G......Page 716
H......Page 717
I......Page 718
K......Page 720
M......Page 721
N......Page 724
O......Page 725
P......Page 726
R......Page 728
S......Page 729
T......Page 733
V......Page 734
W......Page 736
Z......Page 742
![Brain-Computer Interface Research: A State-of-the-Art Summary 10 [1 ed.]
3030792862, 9783030792862](https://ebin.pub/img/200x200/brain-computer-interface-research-a-state-of-the-art-summary-10-1nbsped-3030792862-9783030792862.jpg)
![Brain–Computer Interface Research: A State-of-the-Art Summary 8 [1st ed.]
9783030495824, 9783030495831](https://ebin.pub/img/200x200/braincomputer-interface-research-a-state-of-the-art-summary-8-1st-ed-9783030495824-9783030495831.jpg)
![Brain-Computer Interface Research: A State-of-the-Art Summary 10 [1 ed.]
3030792862, 9783030792862](https://ebin.pub/img/200x200/brain-computer-interface-research-a-state-of-the-art-summary-10-1nbsped-3030792862-9783030792862-p-2575480.jpg)
![Zika Virus Biology, Transmission, and Pathways: Volume 1: The Neuroscience of Zika Virus [1]
0128202688, 9780128202685](https://ebin.pub/img/200x200/zika-virus-biology-transmission-and-pathways-volume-1-the-neuroscience-of-zika-virus-1-0128202688-9780128202685.jpg)
![Cybercrime: The Investigation, Prosecution and Defense of a Computer-Related Crime [3 ed.]
1594608539, 9781594608537](https://ebin.pub/img/200x200/cybercrime-the-investigation-prosecution-and-defense-of-a-computer-related-crime-3nbsped-1594608539-9781594608537.jpg)