Title: The Art of Computer Virus Research and Defense
Category: Security
Edition: not listed
Authors: Peter Szor
Series: not listed
ISBN: 0321304543, 9780321304544
Publisher: Addison-Wesley
Year of publication: 2005
Number of pages: 0 (as listed)
Language: English
File format: CHM (converted to PDF, EPUB or AZW3 on request)
File size: 13 MB
Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state of the art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats. Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process.

This book's coverage includes:
- Discovering how malicious code attacks on a variety of platforms
- Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
- Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
- Mastering empirical methods for analyzing malicious code, and what to do with what you learn
- Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
- Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
- Using worm blocking, host-based intrusion prevention, and network-level defense strategies
Table of Contents

About the Author
Preface
Acknowledgments

Part I. Strategies of the Attacker

Chapter 1. Introduction to the Games of Nature
- Early Models of Self-Replicating Structures
  - John von Neumann: Theory of Self-Reproducing Automata
  - Fredkin: Reproducing Structures
  - Conway: Game of Life
  - Core War: The Fighting Programs
- Genesis of Computer Viruses
- Automated Replicating Code: The Theory and Definition of Computer Viruses
- References

Chapter 2. The Fascination of Malicious Code Analysis
- Common Patterns of Virus Research
- Antivirus Defense Development
- Terminology of Malicious Programs
  - Viruses; Worms; Logic Bombs; Trojan Horses; Germs; Exploits; Downloaders; Dialers; Droppers; Injectors; Auto-Rooters; Kits (Virus Generators); Spammer Programs; Flooders; Keyloggers; Rootkits
  - Other Categories: Joke Programs; Hoaxes: Chain Letters; Other Pests: Adware and Spyware
- Computer Malware Naming Scheme (field delimiters as listed: ://, /, ., [], :, #, @m or @mm, !)
- Annotated List of Officially Recognized Platform Names
- References

Chapter 3. Malicious Code Environments
- Computer Architecture Dependency
- CPU Dependency
- Operating System Dependency
- Operating System Version Dependency
- File System Dependency
  - Cluster Viruses; NTFS Stream Viruses; NTFS Compression Viruses; ISO Image Infection
- File Format Dependency
  - COM Viruses on DOS; EXE Viruses on DOS; NE (New Executable) Viruses on 16-bit Windows and OS/2; LX Viruses on OS/2; PE (Portable Executable) Viruses on 32-bit Windows; ELF (Executable and Linking Format) Viruses on UNIX; Device Driver Viruses; Object Code and LIB Viruses
- Interpreted Environment Dependency
  - Macro Viruses in Microsoft Products; REXX Viruses on IBM Systems; DCL (DEC Command Language) Viruses on DEC/VMS; Shell Scripts on UNIX (csh, ksh, and bash); VBScript (Visual Basic Script) Viruses on Windows Systems; BATCH Viruses; Instant Messaging Viruses in mIRC, PIRCH scripts; SuperLogo Viruses; JScript Viruses; Perl Viruses; WebTV Worms in JellyScript Embedded in HTML Mail; Python Viruses; VIM Viruses; EMACS Viruses; TCL Viruses; PHP Viruses; MapInfo Viruses; ABAP Viruses on SAP; Help File Viruses on Windows: When You Press F1...; JScript Threats in Adobe PDF
- AppleScript Dependency
- ANSI Dependency
- Macromedia Flash ActionScript Threats
- HyperTalk Script Threats
- AutoLisp Script Viruses
- Registry Dependency
- PIF and LNK Dependency
- Lotus Word Pro Macro Viruses
- AmiPro Document Viruses
- Corel Script Viruses
- Lotus 1-2-3 Macro Dependency
- Windows Installation Script Dependency
- AUTORUN.INF and Windows INI File Dependency
- HTML (Hypertext Markup Language) Dependency
- Vulnerability Dependency
- Date and Time Dependency
- JIT Dependency: Microsoft .NET Viruses
- Archive Format Dependency
- File Format Dependency Based on Extension
- Network Protocol Dependency
- Source Code Dependency
  - Source Code Trojans
- Resource Dependency on Mac and Palm Platforms
- Host Size Dependency
- Debugger Dependency
  - Intended Threats that Rely on a Debugger
- Compiler and Linker Dependency
- Device Translator Layer Dependency
- Embedded Object Insertion Dependency
- Self-Contained Environment Dependency
- Multipartite Viruses
- Conclusion
- References

Chapter 4. Classification of Infection Strategies
- Boot Viruses
  - Master Boot Record (MBR) Infection Techniques; DOS BOOT Record (DBR) Infection Techniques; Boot Viruses That Work While Windows 95 Is Active; Possible Boot Image Attacks in Network Environments
- File Infection Techniques
  - Overwriting Viruses; Random Overwriting Viruses; Appending Viruses; Prepending Viruses; Classic Parasitic Viruses; Cavity Viruses; Fractionated Cavity Viruses; Compressing Viruses; Amoeba Infection Technique; Embedded Decryptor Technique; Embedded Decryptor and Virus Body Technique; Obfuscated Tricky Jump Technique; Entry-Point Obscuring (EPO) Viruses; Possible Future Infection Techniques: Code Builders
- An In-Depth Look at Win32 Viruses
  - The Win32 API and Platforms That Support It; Infection Techniques on 32-Bit Windows; Win32 and Win64 Viruses: Designed for Microsoft Windows?
- Conclusion
- References

Chapter 5. Classification of In-Memory Strategies
- Direct-Action Viruses
- Memory-Resident Viruses
  - Interrupt Handling and Hooking; Hook Routines on INT 13h (Boot Viruses); Hook Routines on INT 21h (File Viruses); Common Memory Installation Techniques Under DOS; Stealth Viruses; Disk Cache and System Buffer Infection
- Temporary Memory-Resident Viruses
- Swapping Viruses
- Viruses in Processes (in User Mode)
- Viruses in Kernel Mode (Windows 9x/Me)
- Viruses in Kernel Mode (Windows NT/2000/XP)
- In-Memory Injectors over Networks
- References

Chapter 6. Basic Self-Protection Strategies
- Tunneling Viruses
  - Memory Scanning for Original Handler; Tracing with Debug Interfaces; Code Emulation-Based Tunneling; Accessing the Disk Using Port I/O; Using Undocumented Functions
- Armored Viruses
  - Antidisassembly; Encrypted Data; Code Confusion to Avoid Analysis; Opcode Mixing-Based Code Confusion; Using Checksum; Compressed, Obfuscated Code; Antidebugging; Antiheuristics; Antiemulation Techniques; Antigoat Viruses
- Aggressive Retroviruses
- References

Chapter 7. Advanced Code Evolution Techniques and Computer Virus Generator Kits
- Introduction
- Evolution of Code
  - Encrypted Viruses; Oligomorphic Viruses
  - Polymorphic Viruses: The 1260 Virus; The Dark Avenger Mutation Engine (MtE); 32-Bit Polymorphic Viruses
  - Metamorphic Viruses: What Is a Metamorphic Virus?; Simple Metamorphic Viruses; More Complex Metamorphic Viruses and Permutation Techniques; Mutating Other Applications: The Ultimate Virus Generator?; Advanced Metamorphic Viruses: Zmist; {W32, Linux}/Simile: A Metamorphic Engine Across Systems; The Dark Future: MSIL Metamorphic Viruses
- Virus Construction Kits
  - VCS (Virus Construction Set); GenVir; VCL (Virus Creation Laboratory); PS-MPC (Phalcon-Skism Mass-Produced Code Generator); NGVCK (Next Generation Virus Creation Kit); Other Kits and Mutators; How to Test a Virus Construction Tool?
- References

Chapter 8. Classification According to Payload
- No-Payload
- Accidentally Destructive Payload
- Nondestructive Payload
- Somewhat Destructive Payload
- Highly Destructive Payload
  - Viruses That Overwrite Data; Data Diddlers; Viruses That Encrypt Data: The "Good," the Bad, and the Ugly; Hardware Destroyers
- DoS (Denial of Service) Attacks
- Data Stealers: Making Money with Viruses
  - Phishing Attacks; Backdoor Features
- Conclusion
- References

Chapter 9. Strategies of Computer Worms
- Introduction
- The Generic Structure of Computer Worms
  - Target Locator; Infection Propagator; Remote Control and Update Interface; Life-Cycle Manager; Payload; Self-Tracking
- Target Locator
  - E-Mail Address Harvesting; Network Share Enumeration Attacks; Network Scanning and Target Fingerprinting
- Infection Propagators
  - Attacking Backdoor-Compromised Systems; Peer-to-Peer Network Attacks; Instant Messaging Attacks; E-Mail Worm Attacks and Deception Techniques; E-Mail Attachment Inserters; SMTP Proxy-Based Attacks; SMTP Attacks; SMTP Propagation on Steroids Using MX Queries; NNTP (Network News Transfer Protocol) Attacks
- Common Worm Code Transfer and Execution Techniques
  - Executable Code-Based Attacks; Links to Web Sites or Web Proxies; HTML-Based Mail; Remote Login-Based Attacks; Code Injection Attacks; Shell Code-Based Attacks
- Update Strategies of Computer Worms
  - Authenticated Updates on the Web or Newsgroups; Backdoor-Based Updates
- Remote Control via Signaling
  - Peer-to-Peer Network Control
- Intentional and Accidental Interactions
  - Cooperation; Competition; The Future: A Simple Worm Communication Protocol?
- Wireless Mobile Worms
- References

Chapter 10. Exploits, Vulnerabilities, and Buffer Overflow Attacks
- Introduction
  - Definition of Blended Attack; The Threat
- Background
- Types of Vulnerabilities
  - Buffer Overflows; First-Generation Attacks; Second-Generation Attacks; Third-Generation Attacks
- Current and Previous Threats
  - The Morris Internet Worm, 1988 (Stack Overflow to Run Shellcode); Linux/ADM, 1998 ("Copycatting" the Morris Worm); The CodeRed Outbreak, 2001 (The Code Injection Attack); Linux/Slapper Worm, 2002 (A Heap Overflow Example); W32/Slammer Worm, January 2003 (The Mini Worm); Blaster Worm, August 2003 (Shellcode-Based Attack on Win32); Generic Buffer Overflow Usage in Computer Viruses; Description of W32/Badtrans.B@mm; Exploits in W32/Nimda.A@mm; Description of W32/Bolzano; Description of VBS/Bubbleboy; Description of W32/Blebla
- Summary
- References

Part II. Strategies of the Defender

Chapter 11. Antivirus Defense Techniques
- First-Generation Scanners
  - String Scanning; Wildcards; Mismatches; Generic Detection; Hashing; Bookmarks; Top-and-Tail Scanning; Entry-Point and Fixed-Point Scanning; Hyperfast Disk Access
- Second-Generation Scanners
  - Smart Scanning; Skeleton Detection; Nearly Exact Identification; Exact Identification
- Algorithmic Scanning Methods
  - Filtering; Static Decryptor Detection; The X-RAY Method
- Code Emulation
  - Encrypted and Polymorphic Virus Detection Using Emulation; Dynamic Decryptor Detection
- Metamorphic Virus Detection Examples
  - Geometric Detection; Disassembling Techniques; Using Emulators for Tracing
- Heuristic Analysis of 32-Bit Windows Viruses
  - Code Execution Starts in the Last Section; Suspicious Section Characteristics; Virtual Size Is Incorrect in PE Header; Possible "Gap" Between Sections; Suspicious Code Redirection; Suspicious Code Section Name; Possible Header Infection; Suspicious Imports from KERNEL32.DLL by Ordinal; Import Address Table Is Patched; Multiple PE Headers; Multiple Windows Headers and Suspicious KERNEL32.DLL Imports; Suspicious Relocations; Kernel Look-Up; Kernel Inconsistency; Loading a Section into the VMM Address Space; Incorrect Size of Code in Header; Examples of Suspicious Flag Combinations
- Heuristic Analysis Using Neural Networks
- Regular and Generic Disinfection Methods
  - Standard Disinfection; Generic Decryptors; How Does a Generic Disinfector Work?; How Can the Disinfector Be Sure That the File Is Infected?; Where Is the Original End of the Host File?; How Many Virus Types Can We Handle This Way?; Examples of Heuristics for Generic Repair; Generic Disinfection Examples
- Inoculation
- Access Control Systems
- Integrity Checking
  - False Positives; Clean Initial State; Speed; Special Objects; Necessity of Changed Objects; Possible Solutions
- Behavior Blocking
- Sand-Boxing
- Conclusion
- References

Chapter 12. Memory Scanning and Disinfection
- Introduction
- The Windows NT Virtual Memory System
  - Virtual Address Spaces
- Memory Scanning in User Mode
  - The Secrets of NtQuerySystemInformation(); Common Processes and Special System Rights; Viruses in the Win32 Subsystem; Win32 Viruses That Allocate Private Pages; Native Windows NT Service Viruses; Win32 Viruses That Use a Hidden Window Procedure; Win32 Viruses That Are Part of the Executed Image Itself; Memory Scanning and Paging; Enumerating Processes and Scanning File Images
- Memory Disinfection
  - Terminating a Particular Process That Contains Virus Code; Detecting and Terminating Virus Threads; Patching the Virus Code in the Active Pages; How to Disinfect Loaded DLLs and Running Applications
- Memory Scanning in Kernel Mode
  - Scanning the User Address Space of Processes; Determining NT Service API Entry Points; Important NT Functions for Kernel-Mode Memory Scanning; Process Context; Scanning the Upper 2GB of Address Space; How Can You Deactivate a Filter Driver Virus?; Dealing with Read-Only Kernel Memory; Kernel-Mode Memory Scanning on 64-Bit Platforms
- Possible Attacks Against Memory Scanning
- Conclusion and Future Work
- References

Chapter 13. Worm-Blocking Techniques and Host-Based Intrusion Prevention
- Introduction
  - Script Blocking and SMTP Worm Blocking; New Attacks to Block: CodeRed, Slammer
- Techniques to Block Buffer Overflow Attacks
  - Code Reviews; Compiler-Level Solutions; Operating System-Level Solutions and Run-Time Extensions; Subsystem Extensions: Libsafe; Kernel Mode Extensions; Program Shepherding
- Worm-Blocking Techniques
  - Injected Code Detection; Send Blocking: An Example of Blocking Self-Sending Code; Exception Handler Validation; Other Return-to-LIBC Attack Mitigation Techniques; "GOT" and "IAT" Page Attributes; High Number of Connections and Connection Errors
- Possible Future Worm Attacks
  - A Possible Increase of Retroworms; "Slow" Worms Below the Radar; Polymorphic and Metamorphic Worms; Largescale Damage; Automated Exploit Discovery: Learning from the Environment
- Conclusion
- References

Chapter 14. Network-Level Defense Strategies
- Introduction
- Using Router Access Lists
- Firewall Protection
- Network-Intrusion Detection Systems
- Honeypot Systems
- Counterattacks
- Early Warning Systems
- Worm Behavior Patterns on the Network
  - Capturing the Blaster Worm; Capturing the Linux/Slapper Worm; Capturing the W32/Sasser.D Worm; Capturing the Ping Requests of the W32/Welchia Worm; Detecting W32/Slammer and Related Exploits
- Conclusion
- References

Chapter 15. Malicious Code Analysis Techniques
- Your Personal Virus Analysis Laboratory
  - How to Get the Software?; Information, Information, Information (Architecture Guides; Knowledge Base); Dedicated Virus Analysis on VMWARE
- The Process of Computer Virus Analysis
  - Preparation; Unpacking; Disassembling and Decryption; Dynamic Analysis Techniques
- Maintaining a Malicious Code Collection
- Automated Analysis: The Digital Immune System
- References

Chapter 16. Conclusion
- Further Reading
  - Information on Security and Early Warnings; Security Updates; Computer Worm Outbreak Statistics; Computer Virus Research Papers; Contact Information for Antivirus Vendors; Antivirus Testers and Related Sites

Index