The Art Of Computer Virus Research and Defense
by Peter Szor
Addison-Wesley 2005.
ISBN 0-321-30454-3. 713 pages, $49.99, Index and End of chapter references.
Reviewed by Robert Bruen March 14, 2005
This book appears to be one of the best resources for virus information. Peter Szor has added greatly to the field of viruses and more generally to malware understanding with The Art of Computer Virus Research and Defense. He treats viruses as the general category, everything else a subset including worms, which he terms network viruses. The distinction between code that needs help getting from one place to another and code that can move itself has been with us for a while. As usual, the media does not really know or care about the distinction, blurring the boundaries of the terms. Szor has helped by organizing the concepts and definitions in a thoughtful manner. The main focus is self-replicating malware, however this is accomplished.
The book is aimed at the professional and well-grounded individual, not the casual reader, so assembly is required. The author skips through assembler, VB, Perl, C and other languages with no obvious difficulty. It does mean the reader needs to be able to follow, however, or important information can be lost. For example, if you are not a Visual Basic coder, you most likely will be unfamiliar with all the calls available, such as shutting off the visibility of the VB editor. It is a simple statement, setting a variable to false, not difficult code, but if you are unfamiliar with it then it would look like magic.
The author happily states he is in the camp of the anti-virus (AV) world which takes the position that there is no value in teaching others how to write virus code. He believes that defenders need to know how to defend, and, moreover, the required expertise is within this book. Therefore, he claims, there is no exploit code in the book and you cannot glean enough information from it to write viruses. I am not so sure. He has done a wonderful, detailed job of describing the evolution of viruses and the techniques of both the attacker and the defender. Lots of code snippets appear throughout the book demonstrating techniques. This is not intended to be a criticism, but it is my opinion that the more you know about the attacker (and attacks) the easier it is to set up defenses.
If you are a virus writer, or just a wannabe, reading this book will help in many ways. The number of approaches described will certainly help in the design, as will the many defensive techniques. Of course, you will have to be an expert in areas such as operating systems and assembly language to be really good.
There are a number of books on viruses going back to Fred Cohen's original work, but this one is highly recommended based on the quality and quantity of useful information, the excellent lists of references and the overall organization. If you want and/or need a real book on viruses, this is it.