The Art of Computer Virus Research and Defense (Symantec Press) [Englisch] [Taschenbuch]

Peter Szor's 'The Art of Computer Virus Research and Defense' (TAOCVRAD) is one of the best technical books I've ever read, and I've reviewed over 150 security and networking books during the past 5 years. This book so thoroughly owns the subject of computer viruses that I recommend any authors seeking to write their own virus book find a new topic. Every technical computing professional needs to read this book, fast.

I read this book from cover to cover. The author does not lie when he says acquiring the same amount of information requires digging in obscure virus journals and analyzing malicious code. TAOCVRAD's single most powerful aspect is the author's persistence in naming one or more sample viruses that exemplify whatever concept he is discussing. In other words, all of his theory is backed by, or builds on, real-life examples. Each chapter contains moderate end-notes that provide pointers for additional research.

A truly great book has the power to change deeply-entrenched opinions, or make readers look at old problems in a new light. In my case, I altered my perception of the virus problem and ways to fight it. First, I changed my concept of viruses and worms. Peter builds on Fred Cohen's virus definition to say 'a computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.' He calls worms a 'subclass of computer viruses.' I used to disagree with Peter; I believed a virus infects files and requires user interaction, and a worm spreads by itself via the network. Now I agree with Peter's viewpoint: 'worms are network viruses, primarily replicating on networks... If the primary vector of the virus is the network, it should be classified as a worm.' The distinction is subtle, but it makes sense to consider worms a subclass of viruses given Peter's extensive analysis of both types of malware.

Second, I recognized I held an opinion Peter considers unfortunate: 'some computer security people do not seem to consider computer viruses as a serious aspect of security, or they ignore the relationship between computer security and computer viruses.' I was guilty as charged. I used to positively detest viruses because they seemed like mindless automated code that did little but replicate. After reading about scores of real viruses, I have a profound appreciation for virus technology. Viruses introduced techniques for obfuscation, stealth, and exploitation a decade earlier, in some cases, than the single-shot exploit code we see today.

Third, Peter put a human face on the problems associated with closed-source operating systems like Microsoft Windows. Many so-called Native API calls are undocumented, and as such make life difficult for anti-virus developers. (Virus writers tend to know them.) With Microsoft entering the anti-virus market, will it leverage these secrets to outperform competitors lacking this internal knowledge?

Readers of Ed Skoudis' 'Malware' or Jose Nazario's 'Defense and Detection Strategies against Internet Worms' will find this new book greatly complements those two works. Those wishing to get the most value from TAOCVRAD should have Intel assembly coding skills and several years of hands-on security experience.

I had almost no issues with this book, which is striking given it is nearly 700 pages long. In a few places I found the language a little rough, but not enough to bother me. I believe a code listing on p. 372 should show a '<=' instead of '=', but I may be wrong. Although the author works for Symantec, I did not see an undue amount of Symantec-centric material. Chapter 13 is somewhat of an exception, but I do not fault the author. I felt the network section (ch 14) could have been stronger, since advice to block all IP fragments or ICMP at border routers isn't necessarily wise. I can't personally vouch for all of the author's virus analysis as his skill level exceeds mine by an order of magnitude.

TAOCVRAD is the must-buy security book of 2005. You could spend weeks learning from this book. Readers should be thankful Peter decided to share so much of his knowledge with us in an accessible and educational format.

If the phase "a bible of malware" weren't a cliché, I would have used it to describe this book without hesitation. I read a lot of security (and specifically, malware) titles, but I have never seen a book that comprehensive and detailed, period.

The author appears to know _everything_ that was going on in the malicious software space since the 80s (for example, who knew that there were viruses written in DEC's DCL language)... A lot of effort is spent classifying various infection, in-memory, self-protection, payload and other virus strategies. I loved the section on malware self-protection, such as anti-debugging and anti-disassembly tactics and even self-brute-forcing virus code (I never knew there are sooo many of those tricks). Nowhere else I saw the detailed explanation of oligomorphic, polymorphic and metamorphic viruses... Note that while the book does cover the fun historical viruses, its coverage extends all the way to phishing attacks of the 2004-2005.

My other favorite part is the chapter on worms. "Vanilla" viruses often feel like the creatures of the past, and the worms steal all the glory. The other holds a view that worms are just a type of viruses that he justifies fairly well. Indeed, there is no accepted definition of a "worm".

The book is obviously aimed towards virus defense, although both sides are covered in [at times] excruciating detail. The entire part is dedicated to history and technology of virus scanning. Personally, I never saw it covered with that level of detail. Finally, I had a chance to learn what `heuristic detection' means. On the defense side, the book also covers behavior blocking and host intrusion prevention, which has a chance of emerging as the main approaches of virus fighting, supplanting pure signature-based scanning. Similarly fun was a section on network-level defense strategies (such as using ACLs, firewalls, etc).

A surprisingly small chapter covers malicious code analysis techniques. I would have appreciated a more detailed info on using VMware for malware analysis.

Overall, the book is very technical, but (if need be) can be read without diving too deeply into PDP11 assembly  , just to get familiar with all the malware classifications, infection methods and other tricks. Highly recommended for technical security professionals, might also benefit others in IT and beyond. I think it will also fit the textbook profile for an advanced computer security course.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org

If you are interested in historical details about viruses/malware, if you are searching for details about various techniques getting used by malicious software and if you are interested how people in the AV industry work... This book is definatly THE reference. Peter, a very competent virus researcher, who is known through his various articles in the Virus Bulletin magazine shows you all the techniques you need to analyse, to detect and to remove malicious software. His technical overview includes the entire history of computer viruses and is written in a very impressive and entertaining style. While I have read many books and articles about exploiting software, he also serves the most understandable definition of exploiting techniques like the classical stack overflow etc. I must say that his style impressed me so much that I read through the book in one day, something normally happening to me when reading thrillers of James Patterson. But this book is so well written, that you can rarely lay it out of your hands. You just want to know where Peter leds to, the next step in the voyage through the malicious world of computer viruses and malware. This book is geared through everybody trying to understanding what's happening in the malicious code polluting the Internet. For me well worth the money I spent on it.