The Art of Computer Virus Research and Defense


Peter Szor

Language: English

Pages: 744

ISBN: 0321304543

Format: PDF / Kindle (mobi) / ePub


Peter Szor takes you behind the scenes of anti-virus research, showing how they are analyzed, how they spread, and--most importantly--how to effectively defend against them. This book offers an encyclopedic treatment of the computer virus, including: a history of computer viruses, virus behavior, classification, protection strategies, anti-virus and worm-blocking techniques, and how to conduct an accurate threat analysis. The Art of Computer Virus Research and Defense entertains readers with its look at anti-virus research, but more importantly it truly arms them in the fight against computer viruses. As one of the lead researchers behind Norton AntiVirus, the most popular antivirus program in the industry, Peter Szor studies viruses every day. By showing how viruses really work, this book will help security professionals and students protect against them, recognize them, and analyze and limit the damage they can do.

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

The Rise of the American Corporate Security State: Six Reasons to Be Afraid

Governing Security: The Hidden Origins of American Security Agencies

Biosecurity and Bioterrorism: Containing and Preventing Biological Threats (Butterworth-Heinemann Homeland Security Series)

Hacking Exposed Unified Communications & VoIP Security Secrets & Solutions (2nd Edition)

Crime Signals: How to Spot a Criminal Before You Become a Victim


Attacker wants

11. For simplicity, the following explanations will assume an Intel CPU architecture, but the concepts can be applied to other processor designs.

10.3.2 First-Generation Attacks

First-generation buffer overflows involve overflowing a buffer that is located on the stack.

10.3.2.1 Overflowing a Stack Buffer

Listing 10.1 declares a buffer that is 256 bytes long. However, the program attempts to fill it with 512 bytes of the letter A (0x41). Listing 10.1. A.

(IBM researcher Dave Chess coined the term "in the wild" to describe computer viruses that were encountered on production systems. Not all viruses are in the wild. The viruses that only collectors or researchers have seen are named zoo viruses.) People welcomed the help, and I was happy because I wanted to assist them and learn more about virus hunting. I started to collect viruses from friends and wrote disinfection programs for them. Viruses such as Cascade, Vacsina, Yankee_Doodle, Vienna, ...

Unnatural at first glance, but it is really “generated” by the strange interaction of the metamorphic engine routines. VAT can open several applications in parallel and run emulation instances multithreaded. This is very useful because after each emulated and decrypted instance, individual copies of the virus bodies can be compared to each other using VAT commands. This can highlight the similar code in the virus body in the different instances and greatly help to obtain exact identification.

address space
  memory scanning, 527
  user address space of processes (scanning), 523
  virtual address spaces (Windows NT), 501–505
addresses
  GOT/IAT page attributes, 574
  virtual, translation of, 500
AddressOfEntryPoint field (PE header), 164
Adleman, Leonard, 18
ADM (worm), avoiding buffer overflow attacks, 413
administration
  memory, 498–499
  Virtual Memory Manager, 503
Admiral Bailey (virus writer), IVP (Instant Virus Production Kit), 292

... files using regular direct-action techniques.

• Alternatively, the virus loads before the original host program; it does not create any threads but infects files before the execution of its host. Usually the host is created as a temporary file on the disk and executed in its own process by passing command-line parameters of the original program. This is a very primitive but fairly common approach.

• The virus also can run as its own process in user mode.

• Furthermore, the virus ...
