The Art of Computer Virus Research and Defense (Paperback)
Peter Szor
- 出版商: Addison Wesley
- 出版日期: 2005-02-03
- 售價: $2,020
- 貴賓價: 9.5 折 $1,919
- 語言: 英文
- 頁數: 742
- 裝訂: Paperback
- ISBN: 0321304543
- ISBN-13: 9780321304544
-
相關分類:
資訊安全、駭客 Hack
無法訂購
買這商品的人也買了...
-
$970Introduction to Algorithms, 2/e
-
$650$553 -
$590$466 -
$820$804 -
$560$504 -
$2,340$2,223 -
$750$593 -
$490$382 -
$990$782 -
$890$703 -
$650$507 -
$520$406 -
$620$527 -
$1,300$1,235 -
$750$593 -
$560$437 -
$880$748 -
$580$522 -
$620$490 -
$680$646 -
$880$581 -
$550$468 -
$580$493 -
$890$757 -
$650$507
相關主題
商品描述
Description:
"Of all the computer-related books I've read recently, this one influenced my thoughts about security the most. There is very little trustworthy information about computer viruses. Peter Szor is one of the best virus analysts in the world and has the perfect credentials to write this book."
—Halvar Flake, Reverse Engineer, SABRE Security GmbH
Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.
Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.
Szor also offers the most thorough and practical primer on virus analysis ever published—addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes
Discovering how malicious code attacks on a variety of platforms
Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
Mastering empirical methods for analyzing malicious code—and what to do with what you learn
Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
Using worm blocking, host-based intrusion prevention, and network-level defense strategies
Table of Contents:
About the Author.
Preface.
Acknowledgments.
I. STRATEGIES OF THE ATTACKER.
1. Introduction to the Games of Nature.
Early Models of Self-Replicating Structures
John von Neumann: Theory of Self-Reproducing Automata
Fredkin: Reproducing Structures
Conway: Game of Life
Core War: The Fighting Programs
Genesis of Computer Viruses
Automated Replicating Code: The Theory and Definition of Computer Viruses
References
2. The Fascination of Malicious Code Analysis.
Common Patterns of Virus Research
Antivirus Defense Development
Terminology of Malicious Programs
Viruses
Worms
Logic Bombs
Trojan Horses
Germs
Exploits
Downloaders
Dialers
Droppers
Injectors
Auto-Rooters
Kits (Virus Generators)
Spammer Programs
Flooders
Keyloggers
Rootkits
Other Categories
Joke Programs
Hoaxes: Chain Letters
Other Pests: Adware and Spyware
Computer Malware Naming Scheme
<family_name>
<malware_type>://
<platform>/
.<group_name>
<infective_length>
<variant>
[<devolution>]
<modifiers>
:<locale_specifier>
#<packer>
@m or @mm
!<vendor-specific_comment>
Annotated List of Officially Recognized Platform Names
References
3. Malicious Code Environments.
Computer Architecture Dependency
CPU Dependency
Operating System Dependency
Operating System Version Dependency
File System Dependency
Cluster Viruses
NTFS Stream Viruses
NTFS Compression Viruses
ISO Image Infection
File Format Dependency
COM Viruses on DOS
EXE Viruses on DOS
NE (New Executable) Viruses on 16-bit Windows and OS/2
LX Viruses on OS/2
PE (Portable Executable) Viruses on 32-bit Windows
ELF (Executable and Linking Format) Viruses on UNIX
Device Driver Viruses
Object Code and LIB Viruses
Interpreted Environment Dependency
Macro Viruses in Microsoft Products
REXX Viruses on IBM Systems
DCL (DEC Command Language) Viruses on DEC/VMS
Shell Scripts on UNIX (csh, ksh, and bash)
VBScript (Visual Basic Script) Viruses on Windows Systems
BATCH Viruses
Instant Messaging Viruses in mIRC, PIRCH scripts
SuperLogo Viruses
JScript Viruses
Perl Viruses
WebTV Worms in JellyScript Embedded in HTML Mail
Python Viruses
VIM Viruses
EMACS Viruses
TCL Viruses
PHP Viruses
MapInfo Viruses
ABAP Viruses on SAP
Help File Viruses on Windows–When You Press F1…
JScript Threats in Adobe PDF
AppleScript Dependency
ANSI Dependency
Macromedia Flash ActionScript Threats
HyperTalk Script Threats
AutoLisp Script Viruses
Registry Dependency
PIF and LNK Dependency
Lotus Word Pro Macro Viruses
AmiPro Document Viruses
Corel Script Viruses
Lotus 1-2-3 Macro Dependency
Windows Installation Script Dependency
AUTORUN.INF and Windows INI File Dependency
HTML (Hypertext Markup Language) Dependency
Vulnerability Dependency
Date and Time Dependency
JIT Dependency: Microsoft .NET Viruses
Archive Format Dependency
File Format Dependency Based on Extension
Network Protocol Dependency
Source Code Dependency
Source Code Trojans
Resource Dependency on Mac and Palm Platforms
Host Size Dependency
Debugger Dependency
Intended Threats that Rely on a Debugger
Compiler and Linker Dependency
Device Translator Layer Dependency
Embedded Object Insertion Dependency
Self-Contained Environment Dependency
Multipartite Viruses
Conclusion
References
4. Classification of Infection Strategies.
Boot Viruses
Master Boot Record (MBR) Infection Techniques
DOS BOOT Record (DBR) - Infection Techniques
Boot Viruses That Work While Windows 95 Is Active
Possible Boot Image Attacks in Network Environments
File Infection Techniques
Overwriting Viruses
Random Overwriting Viruses
Appending Viruses
Prepending Viruses
Classic Parasitic Viruses
Cavity Viruses
Fractionated Cavity Viruses
Compressing Viruses
Amoeba Infection Technique
Embedded Decryptor Technique
Embedded Decryptor and Virus Body Technique
Obfuscated Tricky Jump Technique
Entry-Point Obscuring (EPO) Viruses
Possible Future Infection Techniques: Code Builders
An In-Depth Look at Win32 Viruses
The Win32 API and Platforms That Support It
Infection Techniques on 32-Bit Windows
Win32 and Win64 Viruses: Designed for Microsoft Windows?
Conclusion
References
5. Classification of In-Memory Strategies.
Direct-Action Viruses
Memory-Resident Viruses
Interrupt Handling and Hooking
Hook Routines on INT 13h (Boot Viruses)
Hook Routines on INT 21h (File Viruses)
Common Memory Installation Techniques Under DOS
Stealth Viruses
Disk Cache and System Buffer Infection
Temporary Memory-Resident Viruses
Swapping Viruses
Viruses in Processes (in User Mode)
Viruses in Kernel Mode (Windows 9x/Me)
Viruses in Kernel Mode (Windows NT/2000/XP)
In-Memory Injectors over Networks
References
6. Basic Self-Protection Strategies.
Tunneling Viruses
Memory Scanning for Original Handler
Tracing with Debug Interfaces
Code Emulation—Based Tunneling
Accessing the Disk Using Port I/O
Using Undocumented Functions
Armored Viruses
Antidisassembly
Encrypted Data
Code Confusion to Avoid Analysis
Opcode Mixing—Based Code Confusion
Using Checksum
Compressed, Obfuscated Code
Antidebugging
Antiheuristics
Antiemulation Techniques
Antigoat Viruses
Aggressive Retroviruses
References
7. Advanced Code Evolution Techniques and Computer Virus Generator Kits.
Introduction
Evolution of Code
Encrypted Viruses
Oligomorphic Viruses
Polymorphic Viruses
The 1260 Virus
The Dark Avenger Mutation Engine (MtE)
32-Bit Polymorphic Viruses
Metamorphic Viruses
What Is a Metamorphic Virus?
Simple Metamorphic Viruses
More Complex Metamorphic Viruses and Permutation Techniques
Mutating Other Applications: The Ultimate Virus Generator?
Advanced Metamorphic Viruses: Zmist
{W32, Linux}/Simile: A Metamorphic Engine Across Systems
The Dark Future–MSIL Metamorphic Viruses
Virus Construction Kits
VCS (Virus Construction Set)
GenVir
VCL (Virus Creation Laboratory)
PS-MPC (Phalcon-Skism Mass-Produced Code Generator)
NGVCK (Next Generation Virus Creation Kit)
Other Kits and Mutators
How to Test a Virus Construction Tool?
References
8. Classification According to Payload.
No-Payload
Accidentally Destructive Payload
Nondestructive Payload
Somewhat Destructive Payload
Highly Destructive Payload
Viruses That Overwrite Data
Data Diddlers
Viruses That Encrypt Data: The “Good,” the Bad, and the Ugly
Hardware Destroyers
DoS (Denial of Service) Attacks
Data Stealers: Making Money with Viruses
Phishing Attacks
Backdoor Features
Conclusion
References
9. Strategies of Computer Worms.
Introduction
The Generic Structure of Computer Worms
Target Locator
Infection Propagator
Remote Control and Update Interface
Life-Cycle Manager
Payload
Self-Tracking
Target Locator
E-Mail Address Harvesting
Network Share Enumeration Attacks
Network Scanning and Target Fingerprinting
Infection Propagators
Attacking Backdoor-Compromised Systems
Peer-to-Peer Network Attacks
Instant Messaging Attacks
E-Mail Worm Attacks and Deception Techniques
E-Mail Attachment Inserters
SMTP Proxy—Based Attacks
SMTP Attacks
SMTP Propagation on Steroids Using MX Queries
NNTP (Network News Transfer Protocol) Attacks
Common Worm Code Transfer and Execution Techniques
Executable Code—Based Attacks
Links to Web Sites or Web Proxies
HTML-Based Mail
Remote Login-Based Attacks
Code Injection Attacks
Shell Code—Based Attacks
Update Strategies of Computer Worms
Authenticated Updates on the Web or Newsgroups
Backdoor-Based Updates
Remote Control via Signaling
Peer-to-Peer Network Control
Intentional and Accidental Interactions
Cooperation
Competition
The Future: A Simple Worm Communication Protocol?
Wireless Mobile Worms
References
10. Exploits, Vulnerabilities, and Buffer Overflow Attacks.
Introduction
Definition of Blended Attack
The Threat
Background
Types of Vulnerabilities
Buffer Overflows
First-Generation Attacks
Second-Generation Attacks
Third-Generation Attacks
Current and Previous Threats
The Morris Internet Worm, 1988 (Stack Overflow to Run
- Shellcode)
Linux/ADM, 1998 (“Copycatting” the Morris Worm)
The CodeRed Outbreak, 2001 (The Code Injection Attack)
Linux/Slapper Worm, 2002 (A Heap Overflow Example)
W32/Slammer Worm, January 2003 (The Mini Worm)
Blaster Worm, August 2003 (Shellcode-Based Attack on Win32)
Generic Buffer Overflow Usage in Computer Viruses
Description of W32/Badtrans.B@mm
Exploits in W32/Nimda.A@mm
Description of W32/Bolzano
Description of VBS/Bubbleboy
Description of W32/Blebla
Summary
References
II. STRATEGIES OF THE DEFENDER.
11. Antivirus Defense Techniques.
First-Generation Scanners
String Scanning
Wildcards
Mismatches
Generic Detection
Hashing
Bookmarks
Top-and-Tail Scanning
Entry-Point and Fixed-Point Scanning
Hyperfast Disk Access
Second-Generation Scanners
Smart Scanning
Skeleton Detection
Nearly Exact Identification
Exact Identification
Algorithmic Scanning Methods
Filtering
Static Decryptor Detection
The X-RAY Method
Code Emulation
Encrypted and Polymorphic Virus Detection Using Emulation
Dynamic Decryptor Detection
Metamorphic Virus Detection Examples
Geometric Detection
Disassembling Techniques
Using Emulators for Tracing
Heuristic Analysis of 32-Bit Windows Viruses
Code Execution Starts in the Last Section
Suspicious Section Characteristics
Virtual Size Is Incorrect in PE Header
Possible “Gap” Between Sections
Suspicious Code Redirection
Suspicious Code Section Name
Possible Header Infection
Suspicious Imports from KERNEL32.DLL by Ordinal
Import Address Table Is Patched
Multiple PE Headers
Multiple Windows Headers and Suspicious KERNEL32.DLL Imports
Suspicious Relocations
Kernel Look-Up
Kernel Inconsistency
Loading a Section into the VMM Address Space
Incorrect Size of Code in Header
Examples of Suspicious Flag Combinations
Heuristic Analysis Using Neural Networks
Regular and Generic Disinfection Methods
Standard Disinfection
Generic Decryptors
How Does a Generic Disinfector Work?
How Can the Disinfector Be Sure That the File Is Infected?
Where Is the Original End of the Host File?
How Many Virus Types Can We Handle This Way?
Examples of Heuristics for Generic Repair
Generic Disinfection Examples
Inoculation
Access Control Systems
Integrity Checking
False Positives
Clean Initial State
Speed
Special Objects
Necessity of Changed Objects
Possible Solutions
Behavior Blocking
Sand-Boxing
Conclusion
References
12. Memory Scanning and Disinfection.
Introduction
The Windows NT Virtual Memory System
Virtual Address Spaces
Memory Scanning in User Mode
The Secrets of NtQuerySystemInform-ation()
商品描述(中文翻譯)
描述:
這本書是關於當代病毒威脅、防禦技術和分析工具的權威指南,由Symantec的首席防病毒研究員Peter Szor撰寫。與大多數關於電腦病毒的書籍不同,《電腦病毒研究與防禦的藝術》是一本專為白帽子(IT和安全專業人員)撰寫的參考書籍,他們負責保護組織免受惡意軟體的侵害。Peter Szor系統地介紹了您需要了解的一切,包括病毒行為和分類、保護策略、防病毒和防蠕蟲技術等等。Szor提供了關於惡意軟體和防護的最新技術細節,為專業人士處理日益複雜的攻擊提供了全面的技術支持。在此過程中,他還提供了關於代碼變形和其他新興技術的廣泛信息,以便您能夠預見和應對未來的威脅。
Szor還提供了有關病毒分析的最全面和實用的入門指南,包括從建立個人實驗室到自動化分析過程的一切。本書的內容包括:
- 發現惡意代碼對各種平台的攻擊方式
- 對感染、內存操作、自我保護、載荷傳遞、利用等惡意軟體策略進行分類
- 識別和應對代碼混淆威脅:加密、多態和變形
- 掌握分析惡意代碼的實證方法,以及如何應對所學到的知識
- 使用反編譯器、調試器、仿真器和虛擬機器進行惡意代碼逆向工程
- 實施技術防禦:掃描、代碼仿真、消毒、接種、完整性檢查、沙盒、誘餌系統、行為阻斷等等
- 使用阻擋蠕蟲、基於主機的入侵預防和網絡層防禦策略目錄:
- 作者簡介
- 前言
- 致謝
- 第一部分:攻擊者的策略
- 第1章:自然界的遊戲介紹類似商品
- VIP 95折
Malware: Fighting Malicious Code (Paperback)$2,050$1,948- 60折
$792Windows Internet Security- 27折
$399Trojans, Worms, and Spyware : A Computer Security Professional's Guide to Malicious Code (Paperback) Foundations of Computer Security$1,400$1,372- VIP 90折
Malicious Mobile Code: Virus Protection for Windows$1,411$1,337- 80折
$1,584Mobile Malware Attacks and Defense- 50折
$680Buffer Overflow Attacks- VIP 95折
Aggressive Network Self-defense$2,150$2,043- VIP 95折
Exploiting Software : How to Break Code (Paperback)$2,275$2,161- VIP 95折
Best Free Antivirus Software: 2015 Edition$890$846