VX Heaven


Slade's Virus Books Reviews

Robert Slade
July 2010


The Art of Computer Virus Research and Defense

"The Art of Computer Virus Research and Defense", Peter Szor, 2005, 0-321-30454-3


The preface states that the book is a compilation of research over a fifteen year period. While it is not explicitly stated, Szor seems to indicate that the primary audience for the work consists of those professionally engaged in the field of malware research and protection. (He also admits that his writing might be a little rough, which is true. While his text is generally clear enough, it is frequently disjointed, and often appears incomplete or jumpy. Illustrations are habitually less than helpful, although this can't be attributed to a lack of command of English.) Given the stature of people he lists in the acknowledgements one can hope for good quality in the technical information.

Part one deals with the strategies of the attacker. Chapter one describes games and studies of natural ecologies relevant to computer viruses, as well as the early history (and even pre-history) of these programs. I could cavil that he misses some points (such as the 1980-81 Apple virus programs at two universities in Texas), or glosses over some important events (such as Shoch and Hupp's worm experiments at Xerox PARC), but the background is much better and broader than that found in most chronicles. The beginnings of malicious code analysis are provided in chapter two, although it concentrates on a glossary of malware types (albeit incomplete and not always universally agreed) and the CARO (Computer Antivirus Research Organization) naming convention. The environment in which viruses operate, particularly hardware and operating system platform dependencies, is reviewed in chapter three. This material is much more detailed than that given in any other virus related text. (Dependencies missing from the list seem to be those that utilize protective software itself, such as the old virus that used a function of the Thunderbyte antivirus to spread, or the more recent Witty worm, targeted at the BlackIce firewall. Companion viruses utilizing precedence priorities would seem to be related to operating system functions, but are not included in that section.) Unfortunately, the content will not be of direct and immediate use, since it primarily points out issues and relies on the reader's background to understand how to deal with the problems, but nonetheless the material is fascinating and the inventory impressive. Chapter four outlines infection strategies and is likewise comprehensive. Memory use and infection strategies are described in chapter five. The issue of viral self-protection, that is, tactics to avoid detection and elimination, is covered in chapter six.
Chapter seven reviews variations on the theme of polymorphism, and also catalogues some of the virus generation kits. Payload types are enumerated in chapter eight. Oddly, botnets are mentioned neither here, nor in the material on worms, in chapter nine. (Szor's use of a modified Cohenesque definition of a virus as infecting files means that some of the items listed in this section are what would otherwise be called email viruses. His usage is not always consistent, as in the earlier mention of script viruses on page 81.) "Exploits," in chapter ten, covers a multitude of software vulnerabilities that might be used by a variety of malware categories for diverse purposes. This content is also some of the best that I've seen dealing with the matter of software vulnerabilities, and would be well recommended to those interested in building secure applications.

Part two moves into the area of defence. Chapter eleven describes the basic types of antiviral or antimalware programs, concentrating primarily on various forms of scanning, although change detection and activity monitoring/restriction are mentioned. It is often desirable to find and disable malware in memory. The means of doing so, particularly in the hiding-place riddled Win32 system, are described in chapter twelve. Means of blocking worm attacks are discussed in chapter thirteen, although most appear to be either forms of application proxy firewalling, or (somewhat ironically) activity monitoring. Chapter fourteen lists generic network protection mechanisms, such as firewalls and intrusion detection systems, although the section on the use of network sniffers to capture memory-only worms is intriguing to the researcher. Software analysis, and the tools for it, are covered in chapter fifteen, emphasizing functional aspects of the malware. Chapter sixteen concludes with a register of Websites for further study and reference.

For those involved in malware research, Szor's book is easily the best since Ferbrache's "A Pathology of Computer Viruses" (cf. BKPTHVIR.RVW). It contains a wealth of information found nowhere else in book form. On the other hand, it is demanding of the reader, both in terms of the often uneven writing style, and the background knowledge of computer internals and programming that is required. The text does not provide material that would be suitable for general protection of computer systems and networks. On the other hand, intelligent amateur students of malicious software will find much to reward their investigation of this book.

AVIEN Malware Defense Guide for the Enterprise

"AVIEN Malware Defense Guide for the Enterprise", David Harley et al, 2007, 978-1-59749-164-8


The preface and introduction stress that this work is a collaborative effort, combining the views of a number of AVIEN (Anti-Virus Information Exchange Network) and AVIEWS (Anti-Virus Information and Early Warning System) members, trying to avoid the blind spots that result from perspectives limited to one individual or company.

Chapter one outlines the history of AVIEN, noting the tensions between the (rather small) community that has concentrated on research about malware and protection against the various threats and the general user population. (The general user population includes, for various reasons, many of the producers and vendors of antivirus products.) It is noted (although not stressed) that AVIEN concentrates on protection of medium to large companies, and this point is important in regard to protective approaches. A brief, historically-oriented, look at malware and related issues, in chapter two, tries to eliminate common confusion and sets a groundwork for further discussion. The Web is now a major source of security vulnerabilities, but the malware literature has seldom considered the problem as a specific category, so chapter three's excellent overview of the related technologies and exploits is particularly welcome. Botnets are a major threat (or threats: they are used in a variety of ways), and there is a good examination of the major associated concepts in chapter four. Unfortunately, the material is somewhat loosely structured and may be confusing to some readers, and occasionally emphasizes specific (and sometimes dated) technologies rather than the basic ideas. Chapter five examines the often-asked question of who writes malware, bringing up a good deal of interesting material. The text itself may be of scant use to system administrators, although the points made in the summary do indicate trends of concern.

Chapter six turns to protective measures, covering not just the usual antiviral technologies, but advising on layered defence, with the attendant required planning and management. Outsourcing, of security functions in general, and antiviral protection in particular, is reviewed in chapter seven, with attention paid to both the dangers and the conditions, agreements, and other factors that might provide success. Chapter eight's look at security awareness training and user education seems to be intended to promote the idea, but is weaker in providing solutions than other areas of the book, concentrating primarily on the difficulties and failures.

A variety of tools that might be used in malware analysis, ranging from system information utilities through debuggers to online virus detectors, are listed in chapter nine. Chapter ten considers aspects of evaluating antiviral products, and makes a good, general guide.

Chapter eleven notes that the AVIEN organization is changing, and feels like a promotional item to get the reader to become involved, but the lack of detail of what the institution might become does not seem calculated to appeal to busy administrators.

The book contains a tremendous wealth of information and references to specific resources and studies. This is not surprising, given the background of the authors, and would, alone, make the text worthwhile. Overall this work provides a solid overview and compendium of advice on the current malware situation, and should be a required starting point for anyone protecting corporate assets in the current, highly threatening, environment.

Bigelow's Virus Troubleshooting Pocket Reference

"Bigelow's Virus Troubleshooting Pocket Reference", Ken Dunham, 2000, 0-07-212627-2


Apparently somewhat before Dunham started work on this volume, he also started a mailing list of virus information. This mailing list names a number of viruses, but provides no details, protective strategies, or understanding of the basic antiviral concepts. Much the same is true of the book. In the very first paragraph of the book proper, we are told that computer viruses were explored by many people in the 1960s and 1970s (although many such claims are made, I've never, in thirteen years of research, found documented evidence of any such research), and that Fred Cohen formally defined viruses in a security experiment in 1983 (so trivial a mention of his pioneering work being almost insulting). Subsequent sentences have unsupported dates, idiosyncratic definitions, and claims and opinion presented as fact.

Ironically, the most accurate part of the whole work might be the disclaimer, warning you that nobody is going to take any responsibility for the mistakes in the book. (Although what "ac and high voltage power sources" have to do with computer viruses is a mystery to me.) The preface claims that the book is comprehensive, which it certainly isn't, and concise, which is questionable as well.

Chapter one looks at something of the history of viruses. Where Dunham has been given competing or contradictory versions of a story or fact he simply puts down everything, without evidence of any analysis to find out the truth. Assertions are laid down in some vaguely chronological order, without any relation to each other (Q. What do the inclusion of an antivirus with DOS, the emergence of the WildList, and the fact that SatanBug was written by someone below the legal drinking age have to do with each other? A. Nothing.), and without any explanation of the implications of developments or trends. (I take it back: the book states that the invention of System 7 for the Macintosh eliminated compatibility with previous viruses, which isn't always true.)

Although entitled "Malware," chapter two has little material on malicious software other than viruses. It is a grab bag of random content, looking briefly at many topics without staying long enough to effectively cover anything. There are many lists in the work, but the substance is not always reliable. Table 2.2, for example, on virus characteristics lists Whale as an example of an armored virus (Whale is usually considered an example of limited polymorphism, and "armored" does not have a commonly agreed technical meaning in virus research), doesn't mention prepending or appending of file infectors, describes Lehigh as a "cavity" virus (possibly technically correct, but only because of the odd file format of COMMAND.COM), and tells us that a multipartite virus "is often very successful In the Wild but is rare In the Wild."

There has to be some irony in the number of errors in a chapter called "Myths and Hoaxes." For instance, the simple statement that the Scores virus was only released to a company intranet and therefore was not an issue in the wild ignores the fact that Scores was developed before there were intranets and that Scores *did* make it into the wild, as attested by the fact that one of its aliases (noted in the previous chapter) celebrates a government institution it infected: NASA. The first item on the list of ways to detect a virus hoax says that the source of the email is unknown to the user: most hoaxes get passed around from friend to friend. (The list of classic virus hoax messages also contains the Gullibility Virus, which is a satire on the phenomenon. There is a brief mention that it is a joke, but that fact is certainly not clear from the inclusion.)

"Detecting Malware," in chapter four, starts off with the usual list of virus symptoms, most of which appear in all sloppy virus books, and none of which are any kind of dependable indication that you have an infection. The look at antiviral software concentrates, of course, almost exclusively on scanning. Dunham does mention change detection, although not in any comprehensive way, and also mentions "behavioral analysis," which is described as a "bold and progressive approach" by a new company. Otherwise known as activity monitoring, this is, in fact, the approach used by the oldest antivirus program, Flu-Shot. The chapter ends with procedures for capturing viruses that would only work by accident, and wouldn't work at all against the most common current email viruses, as listed by the book's own prevalence chart.

Chapter five, on preventative measures, is a real mixed bag. Some points are good, such as the recommendations about verification of installation, the risk of a lack of security policy, a parent-child contract for computer use, and the warning against the use of FDISK as a disinfectant. Most of the rest of the chapter, however, is incomplete, contestable, or misleading. "Black market software" has very little connection with viruses. Incomplete removal of software is a danger, but how is the naive user to determine that disinfection is concluded? Screen saver passwords have nothing to do with viruses, and are weak, in any case. Microsoft Office protections against macro viruses are, as the book notes, not failproof, but the point is not made with adequate emphasis. Boot disks cannot be made for Windows 9x or NT systems (at least not as suggested) and are of little use with FAT32 and NTFS file systems. Changing file associations is more complex than the text suggests. (And the section on F-Prot makes almost no sense at all.) This is definitely a case where if you can tell good advice from bad advice you don't need any advice: non-specialists simply cannot be sure about the counsel they are getting from this volume.

It is rather odd that there is a separate chapter for antivirus software, since both preceding chapters have extensive (if not very credible) software sections. However, the intent seems to be to concentrate on evaluation of an antivirus. Unfortunately, the material is fragmentary and inconsistent. The section on certification and reviews fails to point out that all the certification sites mentioned only do "zoo" tests (measures of how many viruses are identified from a given set), that some charge companies for submitting software for testing, and that the VTC (Virus Test Center) is the only site with its full protocol available online and a zoo that even approximates the tens of thousands of viruses that exist. Mini-reviews are given, but only for Mac software. There is an evaluation form, but only a very few specialists would be able to fill it out in its entirety. (Microsoft is also listed as an antivirus software update site.)

Chapter seven, on removing malware, is very short, and half of it is dedicated to telling you why you might not be able to disinfect your system. Still, some of the points are worthwhile, and, if you are infected by an old boot sector or file infector, nothing in this chapter should do you any harm. (The discussion is not relevant to more current macro or email infections.)

Other than a reprint of the Good Times Virus Hoax FAQ the appendices are not particularly useful.

Overall, the text is a mass of trivia, interspersing fact, speculation, and inaccuracy in an unreliable and misleading mix. The content, as presented, betrays almost no knowledge of the fundamental technologies, either on the virus or the antivirus side. When details are provided, they are thrown at the reader in an undifferentiated and unanalyzed lump, which will annoy the specialist, and confuse the average computer user. The book is small, but hardly pocket sized, and the internal structure is nowhere near being organized enough to lay claim to the appellation of reference.

As with Schmauder's "Virus Proof" (cf. BKVRSPRF.RVW), this latest attempt to fill the long gap in virus literature has almost nothing to contribute to the field.

Computer Viruses and Data Protection

"Computer Viruses and Data Protection", Ralph Burger, 1991, 1-55755-123-5


A most telling quote is to be found on page 31 of this book. In answer to the question, "What do you think about the publication of information about computer viruses", Burger quotes a "highly knowledgeable" although "secret" source as saying:

"I feel that it's the people who know the least about it that talk the most. You tend to hear little from people who actually understand something about computer viruses. ... You don't have to include instructions on how to use computer viruses."

The quote is telling on three counts: 1) Burger tends to go on at great length (350 pages) without giving out much information, 2) there is little hard information in the book which would be of use to the average home or corporate user concerned about protection against viral programs, and 3) Burger's fancy for publishing viral source code seems to have no purpose except to build notoriety.

(Before all the virus-writer-wannabes rush out to order copies, let me state that he doesn't publish much, and what he publishes is not very good.)

Burger's propensity for publishing source code might be easier to take if the book itself was a valuable resource. It isn't. The writing style is disorganized and hard to follow, the information is untrustworthy and recommendations for security are weak, outlandish or aimed at problems unrelated to the current computer virus situation.

Even Burger's vocabulary bears little relation to the jargon of virus research. He invents the phrase "logical virus" in a section on viral-like programs. The definition makes little sense, and one suspects that Burger is simply confusing it with a "logic bomb". In another section the author confuses the aspect of the "von Neumann" computer architecture which means that the program and data share the same "storage" space with the "von Neumann bottleneck" having to do with limitations on processing speed.

One is left with the feeling that Burger has gathered a great volume of information, and is publishing it without truly understanding it. A section is devoted to the work of Fred Cohen. A subsection refers to "Cohen's Contradictory Virus". It seems to be related to Cohen's proof, by contradiction, that the problem of identification of any given program as "viral" or "non-viral" is undecidable. In Burger's book, however, there is no proof, little logic, and only patches of pseudo-code which really don't demonstrate anything.

In fact, a great deal of the book consists of statements which are made and never supported. I read my wife the section on "virus experts", and her immediate reaction was "doesn't he have to *prove* any of that?" (Among other things, the section seems to indicate that most virus research is being conducted in grave secrecy by governments and large corporations.) At the same time, Burger's closing statements and opinions are so weakly worded that one is reminded of the hapless TV reporter in "Doonesbury" who is never able to make a definitive proclamation on any subject, no matter how simple. (An amusing example of this: Chapter 3 is entitled "Computer Virus Dangers", Chapter 4 is "Is There a Danger?")

Burger's writing style is very difficult. Even with section headings and marginal annotations it is extremely difficult to follow the discussion. There is very little structure to the flow of arguments, and occasional bizarre changes of subject. At one point Burger reproduces a letter that he sent to various corporations, and then complains that the poor response he got indicates that the companies did not understand the gravity of the virus situation. While the one point that I can agree with Burger on is his repeated assertion that too few people are "virus literate", I can certainly sympathize with the companies. They probably couldn't understand his letter.

It is hard to understand why certain information was included, and other material was not. The chapter on specific viral programs spends five pages listing eight viral programs: it also spends five pages giving the names of thirty "trojan" programs, which presumably could be renamed at will. The "Lehigh" virus, generally thought to be almost extinct "in the wild", is described: "Stoned" and "Michelangelo" are quite notable by their absence. (While "Brain" is one of the viri described, the book nowhere deals with the functions of boot sector viral programs.) No Mac viri are described or listed although there is one example each from the Atari and Amiga environments.

The chapter on protection strategies, while it does have some useful points, also places heavy emphasis on such bizarre suggestions as writing custom software for all applications, or running everything from EPROMs. (It also suggests the use of CD-ROM for software media, apparently unaware of the fact that CD-ROMs have already been shipped with infected software.) A section on an "EDP High Security Complex" may prevent people from contaminating a keyboard with spilled coffee, but won't do much to prevent viral infections.

A specific recommendation is instructive. Burger twice suggests the use of the RENAME system proposed by A. G. Buchmeier. On an MS-DOS system, all .EXE files are to be renamed to .XXX extensions. These are then to be started with a simple START.BAT file which contains the instructions:

        ren %1.XXX %1.EXE
        ren %1.EXE %1.XXX

(To be fair, Burger does give a listing of a fuller START.BAT which deals with COM files as well.) While this system would be somewhat effective against most "direct action" viral programs, it would create great problems for the many systems today which rely on cooperation between programs which "call" each other at need. It would also be of no use against "resident" viral programs which infect on "file open": the programs would be infected as soon as they were renamed or run. (Interestingly, it would be rather effective against "system" or "FAT" viral programs.)

Errors are legion. Some mistakes are understandable and unimportant, such as referring to the "Jerusalem" virus as the "Israeli PC" and "TSR" virus (p. 68). Others might have more significance, such as the statement that the "Israeli PC" virus makes all infected files into TSRs (p. 68). In some places the book contradicts itself, warning against BBSes and shareware on page 129 and yet saying that the danger of receiving viri from data transfer is no higher than through other means on page 292. Still other statements are flatly impossible, such as the assertion that the DEFENDER trojan "[writes] to ROM BIOS" (p. 110). It would be pointless to try to list them all, but I would be willing to bet that there are not three consecutive pages in the book which do not contain errors of fact. Chapter 5 is supposed to give examples of viral programs. (In fact, most of the chapter is occupied by reprints of the McAfee VIRLIST.TXT and an early version of Jan Terpstra's virus signature list.) Of the virus description material that Burger wrote, the only entries which do not contain errors are those which don't contain any information.

(One of the errors that Burger makes is highly amusing. He examines Fred Cohen's calculations in support of the assertion that a virus could not appear spontaneously by a generation from random errors. "Correcting" Dr. Cohen's figures, and factoring in the increasing speed of computers, he comes up with a figure of ten to the 283rd power for the number of years before a virus is generated. He sees this as "slightly different" and indicative of the possibility of such a virus. He is obviously boggled by the large numbers: even given the most enthusiastic boosts for the increase in the number of computers and computing power, he still would come up with a figure that is not only longer than recorded history, but more than twenty five times greater than the entire age of the known universe.)

Burger's stated purpose in publishing the viral source (Preface, page viii) is to show how easy it is to write a virus. In this aim, he must be said to fail miserably. Although the assembly listings in the book will hold no terrors for those with a significant background in low-level programming in the MS-DOS environment, those people wouldn't need any direction on how to build a virus. A "batch" virus, which would be easily within the range of the intermediate user, turns out to use DEBUG in order to build some small but vital components, with completely unexplained parameters. Those who are familiar with the architecture know that building a virus is trivial: those who aren't will not find here a convincing demonstration of ease.

Another excuse for including the code (p. 315) is to "illustrate the weak points in your computer system". Again, this rationale is unconvincing. Few readers, outside of those familiar with assembly programming, would be either able or willing to compile and test the code provided. (Indeed, Burger, only five paragraphs beyond the previous statement, warns readers *not* to "proceed with risky tests of virus programs".) Certainly, the code itself proves nothing in terms of the strengths and weaknesses of any computer system. More extensive "case histories" of either viral infestations or specific viral programs would have been far more convincing.

Burger's attitude to this business of virus source code is strangely inconsistent. Although there is source code listed in the book, Burger specifically states that he will not publish the source for his VIRDEM.COM program. Although he doesn't publish the source, a copy of the VIRDEM program is supposed to be on the companion disk for the book. I didn't get one: the companion disk was not shipped with the book. I'm not hurt: VIRDEM is out in the wild anyway and I have a copy from another source.

The situation of the missing companion disk raises another point. The book advertises Burger's own "Virus Secure for Windows", as does a catalogue for other Abacus products bound into the back of the book. However, I have been informed by Abacus that "Virus Secure for Windows" is no longer available.

For all of its flaws, the book is a very complete overview of the topic in that it ranges over all possible related subjects. Although he often fails to distinguish between the "blue sky" possible and the "here and now" real, Burger's speculations do touch on a number of topics which are too often lost in the immediate concerns about current data security problems.

For those who are completely new to the field, this book is too untrustworthy to recommend as a primer. Neither will it be very useful to those looking for direction on protecting either home or corporate systems. For those with some serious study of viral programs or data security, the book raises interesting points for discussion, although the specifics asserted may have to be tested and challenged. For those who are interested in writing their own viral programs - fortunately, this book is *not* going to be a big help.

Compute!'s Computer Viruses

"Compute!'s Computer Viruses", Ralph Roberts, 1988, 0-87455-178-1


It might seem harsh to criticize the accuracy of a book written at that early stage of research into the computer virus problem. Still, the author did have assistance from such luminaries as Ross Greenberg, Pamela Kane, and Ray Glath - and apparently didn't take much advantage of it. (In fact it is amusing to compare the interviews and articles with the real researchers to earlier passages in the book. Spot the contradictions!)

The interviews are probably the most interesting part of the book at this late date. That, and the lists of "reviews" of software that doesn't exist anymore.

The Computer Virus Crisis

"The Computer Virus Crisis", 2nd edition, Fites, Johnston, Kratz, 1992, 0-442-00649-7


For its professional appearance and impressive credentials, this work is an unfortunately sloppy and undisciplined approach to the problem. The looseness of the book starts with the definition of a virus: it really doesn't have one. There is a section of the introduction entitled "What is a computer virus", but, having stated that they prefer the Cohen or Adleman definitions (without quoting them), quoting the Podell/Abrams definition, and meandering around the related terms such as worms and trojans, no definition is ever finalized.

The book tends to read in a schizoid fashion. It often contradicts itself, again starting with the definition, where a "buggy" program which submitted jobs to the queue too frequently is first used as an example of a virus, and then is said to contradict the definition of a virus. Page ten gets points for stating that downloaded software is probably safe; page sixty loses them all again by stating that "bulletin boards present the greatest exposure to computer viruses"; and the very next sentence on page sixty states that bulletin boards are less risky than other means of obtaining software. Page 62 mentions the rumour that a virus was spread via email, dismisses CHRISTMA and the Internet Worm as non-viral, and then pooh-poohs the concept.

A mainframe, and corporate, bias is quite evident in the work. Mainframe professionals are said to know what viral programs are, and to be "ethical". (The more corporate of the computer and data processing associations are also given credit for the lack of mainframe viri.) However, this bias seems to preclude an accurate knowledge of personal and microcomputers. DOS (obviously referring to MS-DOS) is said to have "completely overwhelmed CP/M is the late 1970's" in spite of the fact that the PC wasn't marketed until 1981. Apple Corporation is credited with the invention of the "GUI" (and the Mac Toolbox is credited with the success of Mac viri, in spite of the fact that the Toolbox is primarily concerned with the user interface).

A number of myths are presented as fact. The recommended procedure for virus cleanup is a low-level format of the disk. "Physical damage" is listed as one of the symptoms of a virus. A very odd list of non-viral computer attacks contains the "salami scam" (siphon off fractions of a penny) urban legend.

As with the Feudo book, almost half of the pages in this work are a reprint of the Hoffman Summary List (in this case "dated" January, 1991, but "copyright" 1990). Graphics are used to take up additional space: a number of the figures are used several times over, without ever really adding anything to the understanding of the subject under discussion at the time.

It is very hard to find anything to recommend in this book. At best, the naive reader will be confused by the meandering nature of the text and the self-contradictions contained in it. For every positive statement (such as the fact that computer retail and repair shops are a source of infections), there is nonsense such as the statement that when you discover the identity of the author of malicious software, you have a legal basis for action. (As a counter example, the AIDS trojan is thoroughly covered in this book, and we have recently learned that Popp's case was dismissed in Britain, although he was found guilty, in absentia, in Italy.)

Computer Viruses for Dummies

"Computer Viruses for Dummies", Peter Gregory, 2004, 0-7645-7418-3


This book isn't really about computer viruses. The introduction contains an awkwardly worded paragraph in which Gregory refuses to define computer viruses, but makes it clear that he intends, in common with Humpty-Dumpty, to use the term "virus" in whichever way he chooses. Mostly he chooses to use it to mean "lots of things that can be annoying to your computing, including malware, spam, and other circumstances." To the non-specialist this might seem to be an advantage. After all, who cares what you call the problem as long as you're protected from it? Unfortunately, the different types of Bad Things out there work in different ways. So why tell the reader to use a firewall, and avoid getting their addresses on spam lists, when neither technology has anything to do with protecting you against viruses?

Part one is supposed to allow you to evaluate your virus situation. Chapter one, which purports to give you the information necessary to understand virus risks, contains a lot of generally irrelevant material, such as the various versions of Windows. (It is ironic that the most meager entry given is that for Windows XP, since XP was actually an important increase in virus risk. The internal structure of the operating system makes it harder to clean and protect - DCOM is more difficult to shut off, and System Restore makes it harder to get rid of risky utilities - and the increased wealth of hiding places makes disinfection much more problematic.) The symptoms listed in chapter two are not reliable indicators of the presence; or absence; of a virus. The section that repeats much of the content of chapter one is peculiar. The book is intended for, err ..., average to novice computer users, so having a chapter telling you how to find out if your computer actually has antiviral software already installed is possibly a good thing. But chapter three spends an awful lot of time telling you things about icons, and not as much time on how you might determine the version or signature update status.

Part two is concerned with actually protecting yourself. Chapter four suggests a reasonable process for installing new antiviral software once you have it. First, however, there is some questionable advice in regard to choosing said software. "Reputable" is not an easily quantifiable term: the ordinary user is going to have a hard time distinguishing between "is highly functional" and "costs a lot and has the biggest, brightest boxes and ads." In addition, Gregory strongly promotes the idea of bundled packages, without noting that such applications seldom have the "best of breed" in all categories, or that a failure in one component can often turn off the whole suite. Again, since this book is aimed at the typical user, chapter five's review of configuration options is not altogether useful: it does not always point out the dangers of certain actions. Chapter six, on scanning your computer and email, has very little helpful material. Dealing with infections, in chapter seven, is somewhat better. The content regarding interpretation of warning messages is worthwhile. But the terse accounts of modifying the Registry and restoring or reinstalling files may lead readers into difficulty.

Part three deals with maintenance of protection. Chapter eight, regarding updating of signatures, does not seem to have much value, and nine, on patching, really only has a couple of useful pages, and those only for Windows and Office. Firewalls and anti-spyware programs are important, but chapter ten fails to note how much you need to know about network traffic in order to effectively use a firewall, and that anti-spyware scanners don't detect viruses and vice versa. Some reasonable guidance on protecting your PDA (Personal Digital Assistant) is given in chapter eleven. Chapter twelve suggests making backups of your data, and has a few other points that might make you a bit safer. (I'd propose that telling people not to open attachments and avoid P2P/file sharing systems would result in better safety.)

Part four is supposed to tell us more about what viruses are. Chapter thirteen is a not-terribly-reliable history. (BRAIN was not the first, Concept was not a polymorph [and came later, anyway], and during the heyday of BBSes the dominant viruses were boot sector infectors - which couldn't be spread by BBSes. Also, it is highly ironic that Gregory seems to imply that the Norton product was the first antivirus - since Peter Norton spent over a year telling people that viruses were a myth and computer users should not foolishly give their money to those antivirus-product-selling scammers.) (I agree with Gregory on the virus writers, though.) Other types of malware and scams are briefly discussed in chapter fourteen. Chapter fifteen has a little (and old) information on virus operations, and some other miscellaneous stuff.

Part five is the usual "Part of Tens," this time giving us nine myths and an actual situation (there are way more than ten myths), and minimal information about ten antivirals.

This book is addressed to people who aren't interested in viruses, and wouldn't want to read a book about viruses. (Which makes for an interesting marketing challenge.) It is difficult to say that nobody would ever benefit from reading this text. But it is much harder to envisage a situation in which this circumscribed data would save the day, and really easy to imagine situations in which the little information in this tome could be a very dangerous thing.

Crimeware: Understanding New Attacks and Defenses

"Crimeware: Understanding New Attacks and Defenses", Markus Jakobsson/Zulfikar Ramzan, 2008, 978-0-321-50195-0


The preface notes the change in incentive, for the production of malware, from intellectual curiosity to the profit motive. It also states that the book is intended for anyone with an interest in crimeware or computer security, including those with a background in education or public policy rather than technology.

Although chapter one promises, at various points, a structured and taxonomic overview of crimeware, it is little more than a grab bag of points possibly related to malware and information security, and, as such, is more confusing than educational. Gary McGraw's seven-point taxonomy of coding errors is given in chapter two. It's an excellent list, but has limited relevance to crimeware. Chapter three consists of two very distinct items: an interesting report on the spread of malware through peer-to-peer (P2P) file-sharing networks, and an account of one specific chain-mail hoax. Malware implementations in small devices, such as USB (Universal Serial Bus) and RFID (Radio Frequency IDentification), are explored in chapter four, which material does, at least, discuss how these technologies could be used for criminal activity. Although entitled "Crimeware in Firmware," most of chapter five is concerned with wireless LAN security, and is highly speculative. A few pieces of crimeware that run in Web browsers are described in chapter six. Chapter seven contains a reasonable, though superficial, overview of botnets. A number of calls used by specific rootkit packages are described in chapter eight. Fraud in online gaming is examined in chapter nine, although, oddly, the issue of theft of game goods for "real world" sale is not mentioned. Chapter ten covers politics and malicious online activity, but is primarily concerned with Web defacements and online defamation. Fraud, generally related to Web advertising, is in chapter eleven. "Crimeware Business Models," in chapter twelve, are confined to only a few types, although the section on adware is particularly good. Advice on how not to do education is provided in chapter thirteen. Chapter fourteen outlines a few US laws possibly relevant to crimeware. The activities of the Trusted Computing Group (TCG), particularly with regard to Digital Rights Management, are promoted in chapter fifteen. 
A simplistic look at a few defensive technologies is provided in chapter sixteen. Chapter seventeen provides a vague closing to the book.

The level of the writing and the technology varies from chapter to chapter, since the book has a wide variety of authors. Unfortunately, very little of the content is directly relevant to crimeware as such: most of the material is merely general information about malware. Some of the text is interesting, but much of it is vague, and little is new. The work is a fairly reasonable introduction to malware threats and protection, but does not add much to the existing literature.

Computer Viruses and Other Malicious Software

"Computer Viruses and Other Malicious Software", Organization for Economic Co-operation and Development, 2009, 978-92-64-05650-3


The executive summary doesn't tell us much except that malware is bad, and that this report is seen as a first step in addressing the issue in a global, comprehensive manner.

Part one, entitled "The Scope of Malware," is intended to provide background to the problem. Chapter one, as an overview, is a random collection of technical issues, with poor explanations. Although it is good to see that the malware situation is defined in terms that are more up-to-date than that of all too many security texts, the lack of any foundation will necessarily limit the perception of the issue for those readers who have not put in serious research themselves. Various stories of attacks and payloads (not all related to malware) are listed in an equally disjointed manner in chapter two. There are numerous errors, including in simple aspects like arithmetic. (20 million is not "5 times" one million.) The explanation of why we should be concerned, in chapter three, boils down to the fact that the net is important, and malware imposes costs.

Part two turns to the economics of malware. Chapter four, while it promises to deal with cybersecurity and economic incentives, just states that security is hard. Chapter five does deal with economic factors influencing decisions of key players on the Internet, but does so only on the basis of an opinion survey, rather than any measured costs or benefits. Descriptions of different types of economic situations are given in chapter six, but a final set of "findings" doesn't seem to have much background support.

Part three is supposed to contain recommendations about actions to take, or policies to follow, to address the malware issue.

Unfortunately, this work does not have sufficient technical depth on areas of malware to contribute to the literature. The idea of addressing the economic aspects is interesting, but is not sufficiently fulfilled. Overall, this text does not add to the existing information on the subject.

Robert Slade's Guide to Computer Viruses

"Robert Slade's Guide to Computer Viruses", Robert M. Slade, 1996, 0-387-94663-2

Please note that the following is a completely fair and unbiased review. I strive at all times to be even-handed in my reviewing. My vested interest in this work in no way can be said to influence my judgement. I mean, to say that just because I spent three solid years writing it means I might have a biased opinion about it is a prejudiced opinion on your part, isn't it? :-)

This is the most FANTASTIC virus book EVER WRITTEN! This is the most FANTASTIC virus book that EVER WILL BE WRITTEN!! The day this book was released the ENTIRE VIRUS WRITING COMMUNITY committed suicide from depression over the fact that no one would EVER BE HURT BY A VIRUS AGAIN!

Book stores are advised to have LARGE STOCKS of the book on hand, prominently displayed, and probably to hire extra staff for the crush of buyers. Grown men have been known to pull their own liver out when told that they could not buy the book! (And that was before it was PUBLISHED!)

When we sent the books to reviewers, they typically danced in the streets for joy for several days. However, we reprint here some of the less effusive comments:

"Mr. Slade's lists are more interesting than the NYC phone book." - Dr. Fred Cohen

"Obviously some johnny-come-lately upstart." - Harold Joseph Highland

"Is this guy some kind of comedian?" - William Murray

"i think its cute and i like the title but i have a few questions ..." - sara gordon

"Wonderful! It certainly cured my insomnia!" - Dorothy Denning

"A mantlepiece!" - Terry Jones

"I only have a hundred new samples that came in this week, and then I'll read it. Promise." - Fridrik Skulason

"Should have had more sample code." - Ralph Burger

"" - John McAfee (forwarded by Aryeh Goretsky)

"Vrooooom, vrooooom!" - Padgett Peterson

"Too long." - Ross Greenberg

"Still doesn't reliably detect MtE." - Vesselin Bontchev

"[A bruised read]" - PGN

"Should be powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." - Eugene H. Spafford

"Where's my baseball bat?" - Edwin Cleton

"Is this legal?" - Paul Ferguson

"I don't think this is funny." - Brad Templeton

"We're the federal government. We don't do that." - James Earl Jones

"Let me diagram that on a Turing machine for you ..." - Yaron Goland

"A great virus book. No, I meant a great antivirus book. No, I meant a great virus book. No ..." - John Buchanan

"Cool." - Ray Kaplan

"My title was better than his." - Cliff Stoll

"I elisted this book, and I have the password. Therefore I am now the author." - Gene Paris

"We probably shouldn't be publicising stuff like this." - J. B. Condat

"It sounds amusing. Is it Alive?" - Suzana Stojakovic Celustka

Cecil B. DeMille, Alfred Hitchcock, John Ford, John Huston and Federico Fellini are working on a co-production of the movie version. Casting is not yet complete, but rumours indicate that Tom Hanks will play frisk, Arnold Schwarzenegger will portray Padgett Peterson and Mark Ludwig will be Stoned. The part of Vesselin Bontchev will be played by a Cray YMP.

Top ten reasons why "Robert Slade's Guide to Computer Viruses" is better than Brand X:

  1. RSGCV is written in a single voice
  2. Chapter two, the "Beginner's Panic Guide"
  3. RSGCV is not limited to MS-DOS
  4. The disk with RSGCV contains software for both MS-DOS and Mac
  5. The disk with RSGCV contains software independently judged to be the best of its kind, and from five different vendors.
  6. Two words: more contacts.
  7. Not just a title list, but full reviews of almost all the books in the field.
  8. Author not beholden to any group or company.
  9. Antiviral Protection Checklist.

And the number one reason why RSGCV is better:

  1. Jeff Richards' "Laws of Data Security"

[For those who think that it is just a wee bit too self-indulgent for me to review my own book, here is an alternative voice. Howard Wood is the author/editor of "The Scanner" antiviral newsletter. Note that this is a review of the first edition - rms]

Mr. Slade takes the beginner and walks him through the mystical world of viruses unveiling the mystery. Chapter One and Two are to get the reader past the myths and misconceptions of viruses. He explains what they are and how they work. While this is at the basic level, the reader is not bombarded with "techno babble" and lost in the shuffle. His easy manner and "on the same level" approach allows the reader to gain the basics of viruses at ease.

From that point on the reader is taken into the basics of virus operations and how they work on various systems. The basics of polymorphism, tunneling, and stealth as well as payloads and triggers are explored.

Chapters Five and Six get into anti-viral procedures and techniques and follow up with AV Software evaluations.

The "appendices are longer than the book" to quote Mr. Slade, however they are very informative. FAQs about viruses, quick reference antiviral review chart, vendors and contacts listing and a bookshelf review are well written and very well catalogued. The glossary is very helpful to the beginner trying to understand the terminology in AV.

Mr. Slade did a wonderful job bringing an otherwise complicated subject matter down to the grass roots level to where the everyday user can get a basic education in anti-virus prevention and techniques. I highly recommend this book to any beginner who is serious about learning all they can about computer viruses and protecting their systems.


Defense and Detection Strategies Against Internet Worms

"Defense and Detection Strategies Against Internet Worms", Jose Nazario, 2004, 1-58053-537-2


The preface states that the book is intended for security professionals, security researchers, and academics in the field of computer science. It is obvious that the author has attempted to write the material in a scholastic tone, but the necessary rigour and structure of thought is missing.

Chapter one, an introduction of sorts, provides random information of questionable utility, such as the table listing the discovery of vulnerabilities compared against the time that elapsed before those loopholes were first released in active worms: no particular pattern seems to be indicated.

Part one is supposed to be a background and taxonomy. Chapter two provides us with a definition. Nazario has obviously taken the Cohenesque definition of viruses (as attaching to files) and then assumed that a worm is any self-replicating program that does not so bind. The definition therefore appears to include almost all current viruses, and yet the author also attempts to ascribe certain characteristics to worms, such as control and construction of a network, and communication with other worm nodes. His later examples of worms, however, include a number that do not contain any of these aspects. He lists a number of components of worms, and yet the communications, command, and intelligence elements are not inherently part of much of modern malware, usually existing simply as specialized payloads. A simplistic growth pattern (and the fact that worms can generate network traffic) is presented in chapter three, but the actual traffic patterns examined do not fully correspond to the projected graph. The history and taxonomy given in chapter four has numerous errors: even the fictional representative, the tapeworm from Brunner's "The Shockwave Rider," is introduced erroneously, since it didn't shut down the network in the book, but rather opened it. Workstations affected by the infamous Xerox PARC worm could be restarted, and a vaccine was not needed or produced. The Morris Worm was an enormous nuisance, but it hardly "crashed the Internet." (And Loveletter did the rounds in 2000, not 2001.) There is a quick precis of a number of lesser known worms, and this may be helpful as a reference, but the analysis is very limited. The construction of a worm is described in chapter five, but the outline is often at odds with that given in chapter two.

Part two reviews worm trends. Chapter six reworks some of the material from five in a facile listing of infection patterns (and presents an artificial "Shockwave Rider" pattern that does not seem to have any correspondence to reality). "Targets of attack," in chapter seven, simply enumerates network connected devices. Nazario does attempt to bring in abstract concepts related to network topologies, but these have little practical bearing on worms in reality. The possible futures for worms, as expressed in chapter eight, deals mostly with existing and already used technologies. There is some effort made to model effects, but these are not fully analyzed.

Part three turns to detection. Chapter nine looks at traffic analysis, but only in terms of network based intrusion detection with rudimentary appraisal. Honeypots and "dark networks" (ranges of unused IP addresses) are said to be ways to detect and trap worms, but the explanation and dissection of the topic in chapter ten is very narrow. Signature based detection, in chapter eleven, revisits network based intrusion detection, and adds a brief mention of file scanning.

Part four looks at defences. Chapter twelve's review of host based defence deals primarily with system hardening, antivirus scanners, and the concept of throttling. Nazario seems very loath, in his discussion of firewalls in chapter thirteen, to admit that this is simply another type of signature. The use of scanning within application level proxies is examined in chapter fourteen, although there seems to be some confusion with circuit level proxies at points. Chapter fifteen, entitled "Attacking the Worm Network," outlines a number of active measures: except for the idea of "sticky" tarpits (after the LaBrea program model) all of them require extensive specific knowledge of individual worms. A concluding chapter is provided in sixteen.

Nazario's work does address the often neglected topic of worms, and he does break away from the mass of virus books that are locked into the traditional "file and boot infectors" model. His examples are drawn from more recent events, and he does attempt to analyze network effects and complications, rather than simply looking at systems in isolation. While he is to be commended for all this, his definition is too broad to provide for serious new modelling of the problem, and his analysis fails to provide a basis for future work. Still, for those who need a more complete picture of the malware threat, this work should be considered. It does provide new information, and does attempt to address the difference between worms, viruses, and other forms of malware. In this regard, it is a significant improvement over such lackluster spacefillers as Skoudis' "Malware" (cf. BKMLWFMC.RVW), the "E-mail Virus Protection Handbook" (cf. BKEMLVRS.RVW), Dunham's "Bigelow's Virus Troubleshooting Pocket Reference" (cf. BKBVRTPR.RVW), Schmauder's "Virus Proof" (cf. BKVRSPRF.RVW), and even Grimes' somewhat better "Malicious Mobile Code" (cf. BKMLMBCD.RVW).

Digital Contagions: A Media Archaeology of Computer Viruses

"Digital Contagions: A Media Archaeology of Computer Viruses", Jussi Parikka, 2007, 978-0-8204-8837-0


Buried in the mass of verbiage that makes up the introduction there is an indication (far from clear) that the intent of the book is to examine the topic of computer viruses from a cultural, rather than a technical perspective. Further, the material Parikka proposes to use is not related to actual events or activities, but to reports, essays, and even fiction. (Hence the reference to "media archaeology" in the subtitle. The "contagion" of the title is intended, by the author, to refer not only to the reproductive spread of viral programs, but also the new ideas prompted by the existence of these reproductive applications.) The idea of examining what people think computer viruses do (instead of what they actually do) and how the programs are perceived (rather than how they actually operate) could possibly lead to some interesting observations. (I recall, in early seminars on computer viruses and discussions with the general public, how frequently I had to explain that viruses were programs and had authors, and correct the misperception that the applications had just evolved out of the general computer environment.) Unfortunately the introduction also indicates that while Parikka has done extensive research, he probably hasn't understood it all. There are a number of mistakes even in this early listing of events, including an extremely simplistic definition of viruses and worms themselves, and therefore the results of his analysis are suspect right from the start.

(In response to the draft of this review, the author stated that "the point exactly was to question [as the intro says quite clearly] who is able and allowed to produce knowledge concerning viruses, what is acknowledged as a "truth" in this context, what kind of alternative approaches one might be able to come up with. So beyond any ideas of relativism, it proposes an approach of relationalism: how viruses are part of broader structures of producing knowledge concerning digital culture [always in relations, that is.]" Again, I would have to say that this is a potentially fascinating study, but that it isn't articulated clearly, and that the resulting opinions are severely limited in value due to a lack of distinction between perception and technical reality.)

In chapter one, the author states that viruses have created fear in computer users. Unfortunately, he gives computer users too much credit in terms of their understanding of the processes involved, as well as overstating the concern felt by the majority of information security professionals. It is only in the past two years that surveys have started to show the overarching magnitude of the situation, and only in the past year that "endpoint security" has become a product selling point. His background analysis is also slipshod: insects didn't get into the Mark II because of lights at night, but due to (humanly inaccessible) windows that had to be left open for ventilation. (The use of this particular example in Parikka's work is rather fascinating, since the Mark II used Harvard Architecture, and would have been immune to viruses without a major shift in the underlying operational model.) The use of the term "bugs" for errors in Morse code was more likely due to the use of the term "bug" for the telegraph key: it was the user interface. (A similar term exists in the computer world to describe errors: pebkac, or "problem exists between keyboard and chair.") Parikka has not sufficiently understood the culture of the technical communities he is studying. In subsequent discussions, the author fails to appreciate the importance of the distinction between independent malware, and the more directly utilized blackhat programs such as network mappers and rootkits, as well as the distinction between malware activity and computer intruders. The historical overview seems to end rather abruptly circa 1995.

Although there are occasional mentions of, and references to, computer viral programs in chapter two, in general Parikka seems to turn away from the topic in order to explore cultural ideas of the body, biological viruses, AIDS, the face, and immunity. He does finish off with a section exploring the idea of virus writers as psychologically abnormal, but even here much of the content falls prey to the all-too-common confusion between virus writers and other blackhat groups.

Chapter three discusses ideas of artificial organisms and ecologies. Again, while viruses are remarked on, they are not central to the deliberation. It is, however, interesting to note Fred Cohen's comment that the Morris worm was possibly "the most powerful high-speed computation event" up to that date, particularly in light of estimates that the Storm botnet was, at one point, potentially the second most powerful supercomputer in existence.

A "Conclusion" is entitled "Media Archaeology as Ecology." The point seems to be that writings not only record what people have thought about certain events and conditions, but what they will think in the future.

Parikka seems to go out of his way to use abstruse words that are seldom used, and therefore probably poorly understood. The text is heavily larded with esoteric cultural references and unusual (and frequently poorly defined) terms or constructions. One gets the feeling that the author is possibly unsure of his own propositions, and is attempting to convince the reader by a kind of verbal hand-waving. The bibliography, and extensive footnotes, is impressive and even intimidating. A couple of my own works are cited frequently. Because of that, I know that statements and passages supposedly from, or supported by, those references sometimes are not buttressed by the credential in question. In any case, there are definitely errors of fact even in the "Timeline of Computer Viruses." No version of the Dellinger Apple virus of 1981 spread via the "Congo" game, although one variant interfered with it.

Another point that the author made in response to the draft of this review is that he is writing from a perspective in social science, and that what I dismiss as verbiage would make sense to his colleagues. Unfortunately, I have to believe that this attitude betrays the obligation a writer has to his readers, not all of whom may be from a specialized field. A creator of technical literature (aside from documentation or textbooks crafted specifically for a limited audience) has to be prepared to explain, in basic language, the intent and major concepts being presented. This requirement is as applicable to social science as it is to computer science, and Parikka has not addressed it sufficiently. If he is, indeed, to make a contribution in this field, presumably he has to be able to make his points clearly to us dummies in the malware research community, too.

Parikka's aim, in examining the influence of computer viruses on popular culture, as well as the prejudices that popular culture might impose upon attitudes toward viruses, is a good one, and could have resulted in some interesting insights. While other authors (despite the exaggerated claim by at least one reviewer) have addressed the history and development of viral programs, I cannot think of another work so dedicated to the "people" side of the problem. Unfortunately, the lack of rigour in Parikka's research and analysis (possibly exacerbated by his limited understanding of the underlying technologies) restricts the confidence one can have in his conclusions.

Dr. Solomon's Virus Encyclopedia

"Dr. Solomon's Virus Encyclopedia", Alan Solomon, 1995, 1-897661-00-2


Resources for details and reliable information on operations of the thousands of MS-DOS viral programs are rare. The virus listing chapter of "Dr. Solomon's Anti-Virus Toolkit" has often been recommended as a resource for such data. It has now been published separately from the program documentation and is available from the company.

The general discussion of viral programs is accurate, but fairly terse. There is a quick overview of what a virus is (which contains a very useful list of common false alarms), as well as definitions of the most common terminology. There is a very short history from 1986 to 1994. Technical details are abundant, particularly in the extended discussion of stealth techniques.

The bulk of the book lies in the listings of almost nine hundred viral programs and variants. A very useful and helpful reference, with both a high degree of accuracy and wide coverage of the known viral strains.

For those dealing with MS-DOS viral programs, this should likely be a standard bookshelf fixture.

Be cautious in obtaining the book from sources other than directly from S&S: the ISBN is the same as for the 1992 edition.

The Computer Virus Desk Reference

The Computer Virus Desk Reference, Chris Feudo, 1992


I must make one thing perfectly plain from the start, here. You are going to have to determine for yourself whether I am biased in favour of this book because it reprints a fair amount of my own writing, or whether I am biased against the book because I am not being paid for any of it.

The title is definitely correct. This is far too large a tome to be a handbook or a "quick" reference. Of the 556 pages in the book, more than 400 come from other sources. Patty Hoffman has contributed about 250 in the form of three sections from the Virus Summary list; Chris McDonald and myself are represented by about 50 pages of antiviral software reviews each. Jim Wright's list of antiviral archive sites is included, as is a copy of the "Dirty Dozen" list of "malware" sightings.

The structure of the work is as a small "book" with a lot of large appendices. The "book" part, unfortunately, is somewhat confused. On the one hand there are items which, if they are not perhaps in outright error, definitely mislead the naive reader. For example, the definitions at the beginning of the book tell us that a trojan horse "can easily implant itself in any normal program". The absolute distinction between a trojan horse and a viral program may not always be clear. A program infected with a virus may be seen as a type of trojan horse since it carries an undesired "payload". However, most researchers would agree that a trojan horse is the combination of carrier and payload, and that the distinction between a trojan and a virus is that the trojan does *not* have the ability to "implant itself" in another program. Reproduction is the domain of the viral program.

Feudo also makes reference, on page 34, to "replacement" viral programs. These he describes as programs which "recode" (and, presumably, recompile) other programs to include themselves. While this kind of activity is occasionally discussed by the research community, no such viral programs have ever been seen. The closest is "p1" in the fictional work "The Adolescence of P1" by Thomas J. Ryan.

It is difficult to see why other parts of the book, while interesting, are included in a computer virus reference. For example, there are three pages dedicated to the technology and vendors of wireless LANs. While the network spread of viral programs is a concern, there is no distinction at all between wired or wireless LANs in this regard.

The structure of the book overall is somewhat undisciplined. Chapter 2, entitled "Viral Attacks", turns very quickly into an extremely technical overview of the disk and program structure of MS-DOS computers. It then goes on to give a number of "case studies" of Mac-specific viral programs. Two of these are repeated in chapter 4, "Viral Program Analysis", in which most of the MS-DOS case studies are done.

As previously mentioned, most of the "contributed" material is in appendices. This is not, however, the case with the bulk of the Hoffman Virus Summary List, which is chapter 5 of the book itself. (Interestingly, although the VTC/CARO Computer Virus Catalog is mentioned in the Acknowledgments, it is not reproduced in the book at all.)

The contributed reference material may be very helpful to those who have no access to computer network archives and sources. However, it should be noted that much of this is very "dated". Although the book has a copyright date of 1992, and I received a copy early in 1993, the Hoffman Summary List is dated August of 1991. If I recall correctly, the last of the reviews I sent to Chris Feudo were slightly before that. The contact info listed for me is even older: so old that all of the email addresses listed were invalid by the summer of 1991.

Aside from the dating of the material, there is much here that is not available in other printed works, or to those who do not have net access. However, this is primarily a reference work, and should be supplemented by more accurate conceptual material on viral operations and prevention. This is particularly true for beginning computer users, since much of the work is either highly technical, or requires additional background material as an aid to understanding.

Computer Virus Handbook

Computer Virus Handbook, Harold Joseph Highland, 1990, 0-946395-46-2


When Dr. Highland first offered to send me a copy of this work, late in 1992, he indicated that it was outdated. In some respects this is true. Some of the precautions suggested in a few of the essays which Dr. Highland did not write tend to sound quaint. As one example, with the advantage of hindsight, Jon David's ten page antiviral review checklist contains items of little use, and has a number of important gaps. However, for the "general", rather than "specialist" audience, this work has much to recommend it. The coverage is both broad and practical, and the information, although not quite up to date, is complete and accurate as far as it goes.

The book starts with, as the title has it, "Basic Definitions and Other Fundamentals". Dr. Highland has collected definitions from a number of sources here, which makes a refreshing change from some of the dogmatic assertions in other works. The fact that the reader is left to make his own final decision as to a working definition might be frustrating to some, but is likely reasonable given that the argument over the definition of a virus is still raging to this day. With the changes that are still taking place in terms of new "forms" of viral programs, it is unlikely that this debate will be settled any time soon.

Chapter one also contains important background information on the operation of the PC and the structure of MS-DOS format disks. The one shortcoming might be that so much of the book deals with MS-DOS machines that readers dealing with other systems may fail to note the generic concepts contained therein.

Chapter two is a concise but encompassing overview of the viral situation by William Hugh Murray. Using epidemiology as a model, he covers the broad outline of viral functions within a computing "environment", and examines some theoretical guidelines to direct the building of policy and procedures for prevention of viral infection. The article is broadly helpful without ever pushing the relation between computer viral and human epidemiology too far.

Chapter three deals with history and examples of specific viral programs. This section is an extremely valuable resource. While other works reviewed have contained similar sections, the quality of this segment in Highland's tome is impressive. Mention must be made of the reports by Bill Kenny of Digital Dispatch who provides detailed and accurate descriptions of the operations of a number of viral programs which are, unfortunately, all still too common. (Chapter four is similar, containing three reports of viral programs from other sources.)

Large sections of the handbook deal with the evaluation and review of antiviral software. (I must say that I had great sympathy with that part of the preface which dealt with some experiences encountered when trying to test various packages.) Chapter five gives an evaluation protocol and test methodology. The detail here may lead some to skip over it, but it is helpful to those who wish to determine how thoroughly the testing was conducted. Chapter six, an article by Jon David as mentioned earlier, is a suggested procedure and checklist for testing antiviral software. This chapter is unfortunately weak, and although there is some valuable direction, one comes away with the impression that the important thing to test is whether the program runs on a VGA monitor and has a bound manual. One must, of course, realize that antiviral testing was then in its infancy, and Mr. David's article reflects the general tone of those times. Chapter seven is concerned with specific product evaluations, and, as most lists of its type do, shows its age. Of the twenty products listed, I recognize only seven as still being in existence; of those that still do exist, four have changed substantially in the intervening three years.

Chapter eight is an essay by Harry de Maio entitled "Viruses - A Management Issue", and it must be considered one of the "forgotten gems" of virus literature. It debunks a number of myths, and raises a number of issues seldom discussed in corporate security and virus management. Chapter nine is similar, being Dr. Highland's suggested procedures for reducing the risk of computer virus infection.

Chapter ten is a collection of essays on theoretical aspects of computer virus research and defence. Fred Cohen is heavily represented here, of course, but not as singularly as in, for example, Hoffman's "Rogue Programs".

Dated as the book may be in some respects, it is still a valuable overview for those wishing to study viral programs or the defence against them, particularly in a corporate environment. While some may find the book to be "academic" in tone, it never launches into "blue sky" speculations: all of the material here is realistic. The "aging" of the product reviews makes it difficult to consider it still a reference "handbook" or a "how to" resource, but Dr. Highland's work is by no means to be discarded yet.

E-mail Virus Protection Handbook

"E-mail Virus Protection Handbook", Brian Bagnall/Chris O. Broomes/Ryan Russell, 2000, 1-928994-23-7


In the introduction, the technical editor for the book tells the story of how he sent off his Visa number to an email address, and subsequently had fraudulent charges made against it. He then supposes that the reader will, at that point, have lost faith in him. In my case this was quite wrong. We all give out credit card information very freely, in many situations that are less secure than the one described. No, I lost faith in him two paragraphs down, where he states that he now knows "today's cutting edge technologies" that ensure against such a thing happening. He then mentions SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), packet sniffing, and encryption, which have little relation to online credit card fraud, and no connection at all to viruses.

Chapter one describes, rather tersely, a range of components and factors involved in email, some recent email viruses or worms, and a bit of virus terminology. There is also a little material on technologies loosely related to email security. However, there are also great gaping holes in the coverage, and a great many confidently stated errors. Servers aren't always "one to a box," viruses don't always have a payload (and trojans always do), and Melissa wasn't the first email worm to spread between users.

Chapters two and three list some security weaknesses, and possible provisions, in Outlook 2000, Outlook Express 5, and Eudora 4.3. The PGP (Pretty Good Privacy) program is also recommended, and some points are made about its operation and use. The chapters are not well organized, and quite unclear in places. The advice is not always useful: chapter two states that the recommendation that you not open any attachment you haven't requested has no merit, but suggests that you not open any attachment that hasn't been encrypted with PGP. Since fewer people use PGP than use email, requesting and confirming is easier than checking PGP signatures.

Some of the risks of using Web based email are discussed in chapter four, but the material concentrates on packet sniffing and other esoteric attacks and only peripherally notes that your email resides on someone else's machine (and is therefore subject to any security problems that they have). The installation processes for the McAfee, Norton, and PC-cillin antivirus programs are listed in chapter five. The overview of active content in chapter six is incomplete, contains numerous errors in the risk analysis, and is not clear about protection methods. Chapter seven superficially describes some commercial versions of the security grab bags known as personal firewalls.

Chapters eight to ten look at email server software, respectively discussing Windows 2000 Advanced Server and Red Hat Linux 6, MS Exchange 5.5, and Sendmail. Chapter nine is the most detailed and useful, the others basically suggesting that you shut everything down. Some content filters are briefly described in chapter eleven.

Very little in the book relates to viruses as such, and even less to email viruses specifically. On the other hand, the text is not sufficiently comprehensive to be considered as a general work on email security. For those who are managing email systems and have given no thought to security, this work may point out some initial actions to take, provided you are using these specific programs and versions.

The Enterprise Anti-Virus Book

"The Enterprise Anti-Virus Book", Robert S. Vibert, 2000, 0-9687464-0-3


It is very difficult to know what to say about this book. For one thing, it isn't really a book. It seems to be printed on a "one-off" basis on each request, and is in a constant state of modification. (It is printed on standard letter sized sheets, and "bound" in a 3-ring binder.) To the specific points that I raise in this review, the most common response from Segura was that the item would be addressed in a future edition.

For another, the title, while not exactly wrong, needs some explanation. The introduction indicates (without really ever so stating) that this is a guide to buying antiviral software. It is similar to my own antivirus evaluation FAQ, although much more lengthy. More lengthy and much, much more complicated. There are 300 criteria on the checklist provided, and for each the user has to provide his or her own scoring and weighting system.

Chapter one describes yardsticks for measuring antiviral vendors, and makes a very strong promotional push for an expectation of support from vendors and VARs (Value Added Resellers). Since Vibert has most recently worked as a reseller of antivirus software, this should come as little surprise. (Segura Solutions, in response to the draft of this review, were most upset that this statement might suggest that he or they have any commercial ties to resellers.) More important, however, is that while the book lists a great many appropriate questions to ask, there is very little content that would allow non-specialists to intelligently analyze the answers they might receive. Users should ask what kind of training resale agents have received, but what standard training is available? Again, users should ask whether the vendor provides up to date virus information, but there is no gauge of the quality of that information. Yes, the queries are apposite; they are, in fact, very similar to the questions I ask as I am doing reviews of antiviral software, but I've got many years of experience in determining what the answers mean, and how important they are in the overall context of both an antiviral system, and a given work environment. Readers of Vibert's book are left not only to puzzle out what answers might be "correct," but how compliant different answers are in relation to each other (and some absolute standard), and how important each question might be to the company or enterprise they are trying to protect. Some very vague and general discussions touch on a few of the points, but many questions are simply listed with no discussion whatsoever.

The second chapter deals with general antiviral aspects. The discussion of antiviral actions and functions does cover a wide range, but explanatory information is very limited. It is interesting that the introduction makes the point that all enterprises are different, but the text implies that one antiviral will fit all users, and places an extremely heavy emphasis on real time (on-access) scanners. In a similar way, the statement is made that all certification tests should use at least 100 versions of every polymorphic virus. The number isn't justified in any way, and this assertion ignores the fact that polymorphs vary greatly: Whale has only thirty variations while Tremor has almost six billion. Much space is occupied by material copied from certification company Web sites. There is also some confusing contradiction: ICSA is first promoted, but two pages later is not listed as a reputable tester. No mention is made of the fact that ICSA charges vendors for certification, or the implications that fact might have.

Chapter three states a concentration on desktop, or non-server, considerations, but duplicates much of the relevant material from chapter two. Again, the emphasis on certain subjects is odd: there is a large section on DOS TSRs (Terminate and Stay Resident programs) and only a terse mention of email. Chapter four then turns to server factors, but extraordinarily briefly.

The section on antivirus deployment and maintenance has the largest checklist in the book. There is a great deal of duplication, at least in terms of the concepts touched on. There is not much organization. Once again, there are many questions, but little content to help the reader analyze answers.

Email gets another mention in a chapter only four and a half pages long. The explanation of email operations is poor, and there is no discussion of the problem of "streaming" filtering at all. Chapter seven, on groupware, is really just a replay of a subset of email considerations. The last chapter, on firewalls, provides no background at all on firewall technology or types.

For those who have some background knowledge of viruses and antiviral technology, this book will provide you with a checklist to ensure that you don't forget any points. It does, however, seem a rather expensive checklist, and you will still be left with the problem of how to weight and evaluate the mass of data you collect. For those without a conceptual foundation, this work is as likely to confuse as to assist.

Rogue Programs: Viruses, Worms and Trojan Horses

Rogue Programs: Viruses, Worms and Trojan Horses, Ed. Lance J. Hoffman, 1990, 0-442-00454-0


Reading the list of contributors to this work was rather like "old home week" at VIRUS-L. The introduction states that the book arose from Hoffman's frustration over the lack of a suitable text for a virus seminar and that the seminar participants compiled the material from available sources. Even one of the seminar participants, Chris Feudo, has recently released a computer virus handbook (see BKFEUDO.RVW).

Hoffman's "big iron" bias shows through occasionally in his lack of distinction between "network" and "micro" viral programs (someone with a $1000 computer "within days can be writing viruses that attempt to break into world-wide networks") and insists upon destructive and "service denial" capabilities when defining a virus. Overall, however, he tries to present a balanced and realistic view of the virus situation.

The essays contained in the book are grouped into five sections. The distinctions between the sections are somewhat clearer than with Denning's "Computers Under Attack". The overall design of the book makes a lot of sense as a textbook (its primary purpose, after all), but may be less lucid to the home or business user looking for specific direction on protection of their system.

The first section contains papers that attempt to look at the broad overview of viral type programs. Although this book is primarily intended as a text in computer security courses (presumably at the university level), one still feels the lack of an initial concise and clear statement of what viral programs are today. This desire may be unrealistic: the majority of the works contained in the book were prepared, at least in initial form, prior to 1990. By the time the book was published, however, a larger view of the virus situation should have been possible. Still, as introduction and background material within the context of a virus related course, these papers are all of significant value.

The second part relates to social and legal topics. The current state of (American) law figures heavily in this section. The discussion of ethics is quite limited. Karen Forcht's article on the subject is very terse, seemingly being only a report of various surveys. (The most interesting point I found in it was the contention, by CEOs, that ethics should be taught in the classroom, rather than on the job, which displays either a surprising confidence in the school system, or a definite unwillingness to face the issue themselves.)

Parts three and four separate the study of viral programs into the realms of personal (micro) computers and "network" situations. This distinction is important, and it is heartening to see it made here. The opening essay in the micro section, by Hoffman and Brad Stubbs, attempts to walk the line between giving information to the user who needs it without giving too much assistance to virus-writer-wannabes. In my own view it falls somewhat short in this, being perhaps more technical than an introductory article warrants. However, it is a good compilation of the technical background to viral programs in the MS-DOS environment. (The micro section closes on a slightly worse note, with the PC Magazine reviews that are starting to become somewhat infamous in the virus research community.)

The network virus section contains the two major "dissections" of the Internet Worm. Surprisingly, however, none of the other major network incidents, such as the CHRISTMA EXEC and the "WANK" worm, are mentioned. Some of the other papers in this section might have more general application to the virus problem overall, such as studies into cryptographic authentication. Others, such as an exploration of viral programs in "electronic warfare", seem to be "blue sky" excursions with very little relation to reality.

The final section is entitled "Emerging Theory of Computer Viruses". It contains two articles by Fred Cohen, and one by Leonard Ableman reporting Fred's findings. With all due respect to Dr. Cohen, there might be room for works by other theoreticians here.

As a textbook, this tome contains a diverse range of material well suited to a seminar on viral programs. While some of the material is becoming dated, and some of the points of view are oversimplified, I have not yet found another book as well suited for raising topics for discussion. The one major flaw is the lack of balance and opposition to some of the wilder flights of fancy. It would be well to have someone point out that the human immune system cannot fully be used as an analogy of computer virus defence, or to point out the difficulties involved in transmitting a virus from a radio to a fighter aircraft to a military command centre. In the classroom, of course, this job belongs to the instructor.

Those looking for a reference for protection against viral programs may find this book to be unsuitable. It does, however, have a place as background material for those large firms in the process of planning overall corporate data security strategy. Again, it should be used to generate discussion on some issues which other "how to" books do not yet address.

(Post scriptum: Lance Hoffman, in responding to the initial draft of this review, has been most gracious. He has also acknowledged the shortcomings of the current version of the book. There are plans for a new version, which may be released some time in 1994. Hopefully the few gaps in the current work will be covered in that.)

Rid me of this Virus

"Rid me of this Virus", Bruce Hodge


At fifty-nine pages (including the glossary and a five page "chapter 1" which describes it) this seems to be more of a pamphlet than a book. Finding out that the author works in technical support at a university seems to explain it. The work seems to be a very brief, "off the top" overview of the virus problem, and some suggestions of how to avoid infection.

It is very brief. A list of antiviral software is just that: a list of the titles of thirteen programs, with no discussion of utility, price - or even contact information. This terseness is a little odd, especially in view of the fact that six of the names are repeated three times, since there are actually three lists: one for detection, one for prevention and one for removal.

The informal tone of the book is certainly a change from some of the more weighty tomes in this area, and the "down to basics" style is much more useful for those who do not want to become virus experts, but simply want to protect their own machines. That said, there are some problems even in this area. The book is illustrated with cartoons. Some are amusing (I particularly liked the one about a software store "stocked" with viri), some are irrelevant, and some are downright confusing. Also, while the limitation on the topics is good, the coverage is very uneven.

The advice is a bit uneven as well. Page seven gets full marks for noting that the common advice to completely isolate a computer renders the computer almost useless. However, page twenty states that you should "never let anyone else use your computer", dubious advice at best in the usual office environment. (This same point uses "disk-swapping" as an example of "use by others": dangerous, yes, but most people would not see the connection.)

Except for the price, this might be a handy pamphlet to give to large groups of users (such as in a university or corporate environment) who do not need to be "virus literate", but should have some understanding of the subject. However, those in support positions should be well aware of the shortcomings of the book. It might better be used as a handout and discussion piece for a virus seminar for staff.

Computer Viruses and Anti-Virus Warfare

"Computer Viruses and Anti-Virus Warfare", Jan Hruska, 0-13-036377-4


Given the relationship between Hruska, Sophos, and Virus Bulletin, the similarity of material which also appears in "The Survivor's Guide to Computer Viruses" is not terribly surprising. We have the identical Virus Bulletin virus reports (frequency of total reports), the same interest in the AIDS Information diskette scam, the same vendor list (also without product information), the same insistence on calling the virus everyone else knows as Stoned by the term "New Zealand", and the same MS-DOS only emphasis.

There is no statement as to the intended audience for the book, but it seems to be directed at that very small segment of the population who are interested in computer virus research. Unfortunately, and very oddly, much of the material in this book is of as much use to the virus writer as to the antiviral researcher. There are no full virus samples in the book, but there are handy snippets such as a simple encryption scheme, a master boot record extractor and a chunk of the dBASE virus, with full instructions for turning it into a disk killer.

Those lowly souls who wish merely to protect their own systems may not be lost by this book, but will very probably be bemused by it all. There is a short but helpful (to the virus writer) section on disassembly of a virus. Two paragraphs are devoted to explaining how to use the DEBUG program to write your own code to extract the master boot record for examination. There follows the off-hand comment that the same thing can be done with common utility programs. The hygiene rules for reducing the risk of virus infection include the usual lame points regarding BBSes, shareware, and public domain programs. Recommended is a setup to "quarantine" a workgroup from outside disks (surprise, surprise: Sophos makes software to support this) and change detection antiviral software (surprise, surprise: Sophos makes such a program).

The book is good at the basic technical explanations. How viral programs function, and how antiviral programs function, are clearly set forth in basic terms. Most of the illustrations and figures are helpful, although some are extremely puzzling. (The inclusion of the full text of a virus source code opening comment seems to have no justification, nor does the highlighting of portions thereof.) An examination of Novell operations and testing against viral programs is probably a useful inclusion. As long as Hruska sticks with technical details, he's fine.

Given the names mentioned in the acknowledgements, parts of the commentary are very odd in their departure from general understanding within the research community. Hruska speaks of the recent rise of "network aware" viral programs. (I can recall, and he gives as an example, only one.) There is mention of a media sensation over the BRAIN virus in 1986; I don't recall any such thing. Early viral programs from 1987 are contrasted with more recent, destructive, viral programs; both Lehigh and Jerusalem caused erasure of materials. The ABC News report of the mythical Desert Storm/Iraqi printer virus is mentioned as barely believable, even though the story had been utterly debunked months before the book was written.

Chapter five, Who Writes Viruses, is astonishing. Hackers are defined as being "analogous to drug addicts". Then there are freaks, who have "serious social adjustment problems". University students are linked to software piracy. Employees are mentioned, even though employee "attacks" usually utilize insider knowledge which viral programs don't need. Computer clubs are mentioned (I get the impression Hruska is *not* a joiner) as are terrorist organizations. All of these profiles are caricatures, if not outright fabrications. Ultimately, this entire section is not only useless, but promotes misunderstanding of the situation by fostering false images. Virus writers tend to be self-important and irresponsible - but they aren't freaks (and they generally grow out of it).

For those with antiviral policies and procedures already in place, this work has a position in ongoing study and development.

It's Alive!

"It's Alive!", Fred Cohen, 1994, 0-471-00860-5


Other popular works have attempted to address the issue of artificial life and "living" computer programs. None, however, have had the technical depth and background that Cohen brings to this book. The originator of formal computer virus research, he has also been a strong proponent of the use of viral techniques for powerful solutions to common systems problems.

Much of the book deals with the difficulty of defining "life". It is remarkably troublesome to try and build a formula which includes all "living" things, but excludes entities such as crystals, fire, and mud. (A similar difficulty is experienced by those attempting to define computer viral programs as opposed to utilities and copy programs.) However, like the Creationists who point to gaps in the fossil record and a lack of proof that "special creation" didn't happen, Cohen tends to use the definition problem as a negative proof of the vitality of computer programs; we can't prove they aren't alive. Chapters two, three, eight and nine are all, basically, variations on this theme. Interesting, thoughtful, and well-written, but remarkably similar, nonetheless.

Chapter one introduces the book overall, and chapter four introduces the formalities necessary for defining viral programs. Chapters five, six and seven deal with real contenders for "living" programs. Conway's "Game of Life" is a repetitive, rule-based pattern generator, best explored with computer automation and graphics. Core Wars (or Corewar as Cohen refers to it) is a venerable programmers' sport of pitting programs against each other to see which can "survive" the longest. (A disk is included with the book, but the text indicates that neither a version of "Life" nor "Core Wars" is included. These programs can be found at various program archive sites on the nets.) Chapter six explores "living programs"; UNIX shell utilities which Cohen avoids calling viruses - but which might not be defined as viral, in any case.

While the book is both easy to read and technically solid, the one flaw it has is a lack of breadth. It would have been interesting and, likely, edifying to have examined work in genetic programming, neural network research, or a number of other topics. This work is very good, as far as it goes, but it could have been significantly stronger.

A provoking book. I hope there are subsequent expanded editions. I hope Cohen puts more work into his contention that viruses can be used safely. (And I hope he includes an MS-DOS formatted disk, next time. I can't see my father-in-law giving me permission to extract these files on his computer.)

PC Security and Virus Protection Handbook

"PC Security and Virus Protection Handbook", Kane, 1994, 1-55851-390-6


Kane's book is an attractive and easily readable overview of the virus situation in the MS-DOS world. The text is friendly and aimed at a non-technical audience, while the content is accurate and helpful.

Chapter one defines not only what a computer virus is, but much of the current related jargon. A brief history of some infections is given in chapter two, with myths exposed in chapter three (including Sara Gordon's interview with the legendary Dark Avenger.) Chapters four through eight are discussions of general security assessment, hardware risks, software risks, privacy, and so forth. The overview of a computer's inner workings in chapter nine may not seem to be strictly related to security, but it is a nice introduction for those who want to delve deeper. Chapter eleven covers the various types of antiviral software, and chapter twelve looks at some of the dangers of "expert" advice.

Given that Kane, with Andy Hopkins, runs Panda Systems, it is not surprising that almost no other antiviral software is specifically mentioned. The Panda Pro change detection activity monitoring and operation restricting software is included with the book. Chapter thirteen is documentation for these utilities. The only other program mentioned is Microsoft's Anti-Virus, whose shortcomings are exposed in chapter ten, as well as in the excellent and detailed analysis by Yisrael Radai in appendix B.

Almost half of the book is taken up with the VIRUS-L Frequently Asked Questions (FAQ) list and the MS-DOS section of the Virus Catalog from the Virus Test Center of the University of Hamburg. This isn't quite the "A to Z catalog of all known viruses" promised by the cover, but it is certainly the most accurate in what it does cover.

For those working in the MS-DOS environment, this is an easy and helpful resource for protection.

The Computer Virus Handbook

The Computer Virus Handbook, Richard Levin, 1990, 0-07-881647-5


Unlike Highland's work by the same name (and, interestingly, the same year), this "Computer Virus Handbook" isn't really worthy of the name. The material is quite confused, and quite inconsistent in quality. Although there are some good points, they are lost in masses of verbiage which too often are mere handwaving and speculation.

The confusion starts even before the book does. Alfred Glossbrenner's foreword mentions two examples of viral situations - one of which is a trojan and the other a logic bomb. This lack of precision with nomenclature continues throughout the book, until one wonders whether it is really about viral programs at all. A number of rather spurious definitions are given at times. A "chameleon", as defined, sounds no different than a trojan, but the example given is for the "salami" (fractional pennies) scam urban legend. "Rabbit" programs are those which use up memory or disk space. There is a specific confusion of the boot sector with the master boot record. Some of the other terminology is recognizable, but quite different from that used generally: "multipurpose" for multipartite, "insertion" for overwriting, "redirectors" for system viri and "viral shell" for stealth.

(Levin also must be counted as one with those who include virus source code. Fortunately the "batch" language virus which he includes is an extremely crude virus. "Infectious", in a sense, but easily detected and more messy than destructive.)

Levin seems at once very optimistic and pessimistic. He states that local virus experts are widely available and easily found. (I suppose I would have to accept this as true - with the proviso that I, personally, would trust very few local "experts" to know what they are doing.) At the same time, he issues what seems to amount to a blanket condemnation of all antiviral software. Excepting his own: the book "Contains Money-Saving Coupons for [his] Outstanding Antivirus Utilities". If they are so outstanding I must admit to a failing in the CONTACTS.LST: until I reviewed this book I had never heard of them.

The book does contain some worthwhile material. He does, somewhat, debunk the "commercial software as protection" myth, and mentions that retail and repair outlets can be sources for infection. Chapter six, "Implementing an Effective Antivirus Policy", generally contains very reasonable and effective guidelines. In particular, he pays attention to the fact that too strict a policy will drive staff to find ways to circumvent it. Some weaknesses: he suggests the use of the "read only" attribute as protection, and recommends "low level formatting" for disinfection.

Levin's writing actually comprises less than a third of the volume. Part Three of the book gives us the C source code for four small utility programs, plus printed documentation for Flu-Shot, SCAN, CLEANUP and Levin's own CHECKUP. The "Appendices" contain an article on software law, a compilation of all the virus related newswire stories that appeared in "Compuserve Magazine" from 1987 to 1989, and a copy of the Hoffman Summary List from February of 1990.

There is unfortunately little here to interest or assist the reader. While the policy guidelines may be helpful, the remaining material is either too vague or error prone to provide more than additional background to a more authoritative work. While I would not recommend against it, this should not have much priority in the antivirus library.

The Little Black Book of Computer Viruses

The Little Black Book of Computer Viruses, Mark Ludwig


Let us make it clear, from the very beginning, that this is not a book which is going to help you to protect your computer against viral programs. This book is not really even, as stated in the Introduction, about viral programs. This book is written to help the person who wants to write a computer virus under MS-DOS.

Excerpt from the cover letter received with the review copy of the book:

"Please note that most of the official reviews of the book have been either negative or controversial ... It seems that for the most part, the computer press is all too ready to take their cues from the self-styled anti-virus experts, who hate the book because it gives away their secrets. This is a classic case of an insider's group trying to control people for their own benefit.

"I would really like to see a review that was more than just another whitewash - a real attempt to see what people who read the book think of it. Find out why the Writer's Foundation of America named this the best computer book of 1992!"

Well, Mark, you get your wish. This review certainly isn't going to be any whitewash ... at least, not of you.

It is very difficult to know where to begin this review. What do you say about a book which has a very important message ... and says it so very, very badly?

As you can see from the excerpt above, Mark Ludwig might be considered just a tad paranoid. One suspects that he has reason. There are a considerable number of people to whom the very thought of the writing of viral programs is anathema. The one positive contribution of the book is the challenge to consider the possibilities of the benefits of viral programming.

Viral programs have a potential for extraordinary power. The famous Xerox Worm was, after all, an experiment directed at using the otherwise wasted resources of networked machines. The ability of viral programs to reproduce is as great a jump as the ability of parallel processing machines to overcome the von Neumann bottleneck. In addition, although many viral programs are either hostile or a nuisance, it is not automatically true that self-reproduction must be evil.

However, the potential "merits" of viral programs have been argued before. Others, notably Dr. Fred Cohen, have put significant work into the field. (Substantially more, it should be noted, than Ludwig demonstrates.) Viral programs would appear to have many possible uses, particularly in a "distributed" computing environment.

It has not yet been conclusively demonstrated, though, that viral programs can be safely used in an uncontrolled environment. Viral programs must change the computing environment in some way. It is inherently impossible to determine in advance what will be "safe" and what won't. It might be stated that a certain program, whether viral or not, can be safely used in a "standard" computing environment, but anyone who has had anything to do with software development knows that the phrase is meaningless. As only one example, it is "well known" that MS-DOS is a "single tasking" operating system. I am writing this on a very old MS-DOS machine. There are currently two different TSR programs running, I have "shelled" out of a third "disk manager" in order to use the word processor, and I occasionally "shell" out of the editor in order to look up reference material.

The major problem with Ludwig's book, however, is not the difficulty of defending his premise that viral programs should be accessible. Both his defence, and his book, have major shortcomings.

The volume received is labelled as volume one of three. However, although more than two years have passed since it was published, volumes two and three are conspicuous by their absence. This is a pity. Volume two, supposedly a discussion of "artificial life", looks particularly interesting in the blurb it is given in the Introduction to this book. However, given the general quality of volume one, it might be a bit beyond Ludwig's scope.

In the Introduction, Ludwig attempts to justify his promulgation of viral code. First he states that viral programs are not necessarily destructive. Then he says that viral programs can be used to fight against the elite upper classes. Needless to say, his arguments are not very persuasive.

Most importantly (and probably fortunately so) Ludwig's information just is not that accurate. This is not someone who has been in the mainstream of virus research. (This may account for the frustration of his diatribes against "anti-virus experts".) Even his vocabulary seems a bit odd, using the word "extent" to refer to what everyone else calls filename extensions, and a definition of "worm" which is almost diametrically opposite to that of the mainstream.

There are nuggets of information in the book. There are even some premises which, at first glance, seem to have some merit in explaining viral operation. Ultimately, though, one finds that the valuable data is available in many other sources and that the explanations are only superficial. In the words of one particularly cruel editor, the book is both good and original, although the parts that are good aren't original, and the parts that are original aren't good.

The book does not cover any material that is not relevant to MS-DOS. There is no mention of any other operating system, and really no discussion of the general principles of viral operation. That material which is of value is related to MS-DOS program structure but, interestingly, stops short of a full explanation many times, with reference to other well-known MS-DOS programming texts.

To give credit where due, it must be said that the few commented assemblies listed in the book are far superior to those included in Ralph Burger's book. Not only is the code fully and completely commented, but many parts are used as examples in the general discussions. Unfortunately, Ludwig also gives "hex dump" listings of the programs. It is difficult to see the justification for this, as no skill or understanding is required in order to turn these listings into working viral code (although the typing involved might be tedious).

In the end, though, it appears that Ludwig's book, although controversial, has made little difference to the viral arena. The viral programs he lists cannot be said to be successful. In more than two years, none of them have become widespread "in the wild". It may be that everyone who has purchased the book has been responsible for ensuring that the code never "escaped". Since the likelihood of this is very slight, one is forced to the conclusion that the viral code isn't very good.

Virus!: the secret world of computer invaders that breed and destroy

Virus!: the secret world of computer invaders that breed and destroy, Allen Lundell, 1989


My initial reaction to "Virus!" was that it was another "gee-whiz!" virus book, long on enthusiasm and informality, and short on facts. However, trying to set that feeling aside, I did find a wealth of research had been done. Given the date of the book (most of it seems to have been written in the fall of 1988, with the final drafting done in early 1989) there is a lot of valuable information contained in it.

The reaction of the knowledgeable reader will likely depend upon the level of expectation. Those expecting accurate facts and astute analysis will be disappointed by the many errors and the lack of balance. Those expecting little may be pleasantly surprised by the easy readability and smorgasbord of details and gossip.

Neophyte readers will find Lundell's writing easy to follow, and will likely come away with quite a reasonable set of background information on computer viral programs. The journalistic and "storybook" style will make spending the two or three hours needed to read it all a very small challenge. This is in sharp contrast to numerous other works reviewed.

However, the book does have serious problems, and cannot be recommended as the "final word" by any means. Alongside of the valuable factual information, there is a great deal of error, myth, or misinterpretation. For example, while the coverage of the Internet Worm is generally clear and thorough, Lundell seems to have only the most tenuous grasp of the mechanics of the Worm itself. (This in spite of having obvious access to both the Eichin/Rochlis and Spafford papers.) His distinction between a virus and a worm, in the same chapter, is both lucid and accurate, and yet other parts of the book lump bugs, trojans, pranks and even games together under the viral heading. (Appendix B, a "software bestiary", includes a "Virus Hall of Flame": the only two entries are variations on the mythical "monitor exploding" virus.)

A more serious, and insidious, flaw, though, is the credulous nature of the work. Many times we get only one side of a given story. The theory that Bob Morris Senior was a party to RTM's actions is presented almost as an accomplished fact. A conversation on the highway with John McAfee is presented as golden insight. (To be fair, Lundell does eventually admit that McAfee's attempt to be the evaluation standard for antiviral software might pose a conflict of interest.) Transcripts of conversations (one hesitates to call them interviews) with hackers are reprinted with almost no critical analysis. (Although the BRAIN virus, and the Alvi brothers, are covered in depth, it is unclear whether Lundell actually spoke to any virus writers.)

The extensive digging Lundell has done is sometimes overshadowed by his almost blind acceptance of what he has been told. The careful reader, even without background knowledge, can pick out some of the flaws. Early in the book the discussion of the MacMag/Peace/Brandow virus points out that the standard injunction against shareware and BBSs is rendered almost meaningless in the face of contaminated "shrink-wrapped" commercial software. Yet that same "buy only commercial" advice is repeated as gospel later in the book.

(The interviews and research also seem to have a regional bias. Many of Lundell's contacts seem to have been obtained from VIRUS-L contributors: definitely a good source. However, John McAfee is given a great deal of ink, while Ross Greenberg, at the time much more visible and respected on the Net, is not even mentioned. Might this be because John lives in California, while Ross is on the East Coast?)

Despite the numerous flaws, I find it somewhat odd that the book should have been so hard to find, given its readability, information and precedence. While a good dose of skepticism and a more accurate fact base is needed as an adjunct, it still has a place as one of the few books that a "naive" user could read and still get something out of.

Computer Viruses, Worms, Data Diddlers, Killer Programs ...

Computer Viruses, Worms, Data Diddlers, Killer Programs and Other Threats to Your System: what they are, how they work and how to defend your PC, Mac or mainframe, John McAfee and Colin Hayes, 1989, 0-312-02889-X


If you buy only one book to learn about computer viral programs - this is not the one to get. As a part of a library of other materials it may raise some interesting questions, but it is too full of errors to serve as a "single source" reference.

I began to have my doubts about the validity of this book in the foreword, written by no less a virus researcher than John C. Dvorak. He states that what we need, in order to stem the virus problem, is a

"... Lotus 1-2-3 of virus code. Something that is so skillfully [sic] designed and marvelously [sic] elegant that all other virus programs will be subject to ridicule and scorn."

(Aside from a rather naive view of human nature, this was obviously written before his more recent PC Magazine editorial in which he states that virus writers are the most skilful programmers we have.)

The prologue seems to be a paean of praise to one John McAfee, frequently identified as Chairman of the Computer Virus Industry Association. He is also identified as head of Interpath Corporation. Intriguingly, there is no mention of McAfee Associates or the VIRUSCAN/SCAN suite of programs. Given that the "chronology" of computer viral programs ends after 1988, the present company may not have been a formal entity at the time.

The first six chapters give the impression of being a loose and somewhat disorganized collection of newspaper articles decrying "hackers". Some stories, such as that of the Morris/Internet Worm, are replayed over and over again in an unnecessary and redundant manner, repetitively rehashing the same topic without bringing any new information forward. (Those having trouble with the preceding sentence will have some idea of the style of the book.)

Chapters seven to thirteen begin to show a bit more structure. The definition of terms, some examples, recovery, prevention, reviewing antivirals and the future are covered. There are also appendices: the aforementioned chronology, some statistics, a glossary, and interestingly, a piece on how to write antiviral software.

Given what is covered in the book, am I being too hard on it in terms of accuracy? Well, let's let the book itself speak at this point. The errors in the book seem to fall into four main types. The least important is simple confusion. The Chaos Computer Club of Europe are stated to be "arch virus spreaders" (p. 13). The Xerox Worm gets confused with the Core Wars game (p. 25). The PDP-11 "cookie" prank program is referred to as "Cookie Monster", and is said to have been inspired by Sesame Street.

At another level, there is the "little knowledge is a dangerous thing" inaccuracies. These might be the understandable result of a journalist trying to "flesh out" limited information. The Internet Worm is said to have used a "trapdoor", an interesting description of the sendmail "debug" feature (p. 12). ("Trapdoor" is obviously an all-encompassing term. The "Joshua" program in the movie "Wargames" is also so described on page 78.) Conway's "Game of LIFE" is defined as a virus, obviously confusing the self-reproducing nature of "artificial life" and not understanding the boundaries of the programming involved, nor the conceptual nature of Conway's proposal (p. 25). Mac users will be interested to learn that "through much of 1988" they were spreading the MacMag virus, even though it was identified so early that few, if any, ever reached the "target date" of March 2, 1988, and that none would have survived thereafter (p. 30).

Some of the information is simply wild speculation, such as the contention that terrorists could use microcomputers to spread viral software to mainframes (p. 12). Did you know that because of the Jerusalem virus, some computer users now think it wiser to switch the computer off and go fishing on Friday the 13th (p. 30)? Or that rival MS-DOS and Mac users use viral programs to attack each other's systems (p. 43)? That the days of public bulletin boards and shareware are numbered, and that by the early 1990s, only 7000 BBSes will remain, with greatly reduced activity (p. 43)? Chapter thirteen purports to deal with the possible future outcomes of viral programs, but should be recognizable to anyone as, at best, pulp fiction.

Some of the information is just flat out wrong. Page 75, "... worms do not contain instructions to replicate ..." Or, on page 95, a diagram of the operations of the BRAIN virus, showing it infecting the hard disk.

We won't delve too deeply into the statements about the CVIA and Interpath Corporation. It is interesting to note, though, that of the antiviral software "reviewed", only one product still remains in anything like the same form. Flu-Shot, at the time the most widely used antiviral software, is not reviewed (although it is mentioned later in the book - in a very negative sense).

In a sense I am being too hard on the book. It does contain nuggets of good information, and even some interesting speculation. However, the sheer weight of "dross" makes it extremely difficult to recommend it. If you are not familiar with the real situation with regard to viral programs, this book can give you a lot of unhelpful, and potentially even harmful, information. If you are familiar with the reality, why bother with it?

Malicious Cryptography

"Malicious Cryptography: Exposing Cryptovirology", Adam L. Young/Moti Yung, 2004, 0-7645-4975-8


Both the foreword and the introduction are turgid, and bloated with excessive verbiage, while never giving a clear indication of what the book is actually about. Does it have to do with viruses at all? Is it about the use of cryptography in any kind of criminal or unethical endeavour? The initial material does not make this clear. Occasionally the text becomes so flowery that sentences have no meaning at all.

The lack of clarity is not assisted by the creation of new and idiosyncratic terms, or the use of existing jargon in non-standard ways. In chapter one, a fictional and glacially slow trip through the mind of a virus writer, we are told that self-checking modules that some programs use to detect modification in their own code are "beneficial Trojans" or "battleprogs." The term multipartite is defined in such a way that merely copying the program into RAM (Random Access Memory) qualifies: that would make every virus ever written, and every program, for that matter, multipartite. "Kleptogram" is used throughout the book, but only defined (and not very clearly) in the last chapter. Releasing any virus is seen as having something to do with "information warfare," which would agree with many sensationalistic journalists who have written on the subject, but would probably surprise legitimate experts such as Dorothy Denning. "Virology" itself (and the more specialized "cryptovirology") is an excellent term for computer virus research - it just isn't used very widely. There is a glossary: it defines commonly known terms and does not define the specialized jargon that the authors have used.

The confusion is not limited to terminology. There is no technical sense to the statement (on page twenty-five) that a certain layer of the network stack is "high enough to facilitate rapid software development" (compilers don't care where their software ends up) but low enough to escape detection (files, processes, and network packets are all visible). A disk locking program, as described, would have no effect on the operations of a remote access trojan. And, of course, our fictional protagonist is constantly creating new versions of the mythical "undetectable" virus, without there being any indication of how this might be done.

(The fictional aspects of the book are not limited to chapter one. Throughout the work, examples are taken from fiction: it certainly feels like more illustrations come from works like "Shockwave Rider" and "Alien" than from real life.)

Chapter two starts to get a bit better. The authors introduce the idea of using asymmetric cryptography in order to create a virus (or other piece of malware) that, rather than merely destroying data, provides for a reversible denial of access to data, and therefore the possibility of extortion. The idea is academically interesting, but there might be a few practical details to be worked out.

Chapter three seems to move further into the academic realm, with an interesting overview of issues in regard to the generation of random, or pseudorandom, numbers. There is also an initial exploration of anonymity, with an insufficient description of "mix networks" (onion routing being one example). A little more discussion of anonymity starts off chapter four, which then moves on to another use of asymmetric cryptography in malware: the "deniable" recovery of stolen information, via distribution over public channels. Cryptocounters, which could be used to store generational or other information about the spread of a virus, without such data being accessible to virus researchers, are discussed in chapter five. Chapter six looks at aspects of searching for, and retrieving, information without disclosing the fact that an exploration is occurring. However, much of the material appears to be some highly abstract solutions rather desperately in search of problems. Varying the extortion scenario, chapter seven proposes a viral network that could retaliate for disinfection of any node by threatening disclosure of sensitive information. While the analysis of the structure of the attack is sound, the assumptions of payoffs, coercion, and undetectability leave something to be desired.

Chapter eight examines the standard antiviral processes (signature scanning, activity monitoring, and change detection) with some miscellaneous explorations, although the discussion is prejudiced by the assumption that we are dealing with traditional (and no longer widely used) file infectors. Trojan horse programs are not terribly well defined in chapter nine. (I was amused at the disclaimer given when the issue of "salami" scams was raised: I have found reliable evidence for only one, extremely minor, instance of the device.) Subliminal channels are means of passing information via cryptographic keys, but chapter ten is not very clear in regard to their use. SETUPs (Secretly Embedded Trapdoor with Universal Protection) are discussed in chapter eleven, although the authors appear to admit that this is only an academic exercise: there are easier attacks. Another form is discussed in chapter twelve.

Does this book fulfill its function? That rather depends on what the intent of the work was, which is far from clear. Was the text intended to be a reference for some interesting topics in cryptography? The verbiage and lack of structure would be a difficulty for those seeking to use it so. Is the publication directed at the general public? The audience of those who read number-theoretical manuscripts for fun might be a bit limited. (I've got to say that "Algebraic Aspects of Cryptography" [cf. BKALASCR.RVW] was an easier read, and it makes no pretence of being other than a scholastic paper.)

Is the volume supposed to be a serious warning against new forms of malware? The inclusion of a great deal of extraneous content and the lack of clear explanations or examples of some basic concepts limit the value of the work in this regard. In addition, much of the material concentrates on building more malign malware, rather than dealing with defence against it. (I'm not too worried about vxers getting ideas from Young and Yung: implementing crypto properly is a painstaking task, and from almost twenty years experience of studying blackhat products and authors, I'm fairly sure there'd be lots of bugs in what might be released. On the other hand, somebody in a government office might be working on Magic Lantern version 3.01 ...)

For those seriously involved in the study of viruses and malware this book has some interesting points that should be examined, but little of practical use. For ardent students of cryptography, the work notes some interesting areas of work. For those seeking examples of writing styles to emulate, please look elsewhere.

Malicious Mobile Code

"Malicious Mobile Code", Roger A. Grimes, 2001, 1-56592-682-X


I have to admit to a very definite bias. My co-authors and I have just finished a book that attempts to provide up to date virus protection information to sysadmins. As I understand it, ours will be printed about three weeks after this one.

I also have a problem with the title. Grimes appears to be trying to carve himself out a niche by promoting a term that nobody else is currently using. And the subtitle should more properly be, "Risk Mitigation for Microsoft Software." However, if you are using Windows, there is a good deal of information in this book that, with some diligence and additional work on your part, can help improve your security.

Grimes starts off the book by listing some fallacies that we have always believed. "You can't get a virus by simply reading an email." (OK, Microsoft has amply demonstrated that they've added virus capabilities to their mail software.) "Malicious code can't harm hardware." (Well, quibbles about terminology aside, it usually can't.) "A virus can't hide from a booted write-protected diskette." (Ummm, I'm not sure that sentence even means anything.)

Melissa and the Love Bug were serious nuisances, and even worse, but is it really accurate to say that they shut down tens of thousands of networks?

This book is intended for intermediate and advanced users and system administrators, and addresses only the Microsoft Windows operating systems. While I would agree that Windows is the system most in need of virus protection and help, this focus does limit the audience. Grimes also tries to avoid the virus/worm/replicating trojan argument with the use of the term malicious mobile code, and states that the book does not deal with attacks and security holes, but the coverage of trojans, RATs (Remote Access/Administration Trojans/Tools), and browser attacks seems to contradict that position. (In fact, the more detailed description of "malicious mobile code," and the MMC acronym that Grimes creates, seems to be amply covered under the more commonly used term malware.)

Chapter one provides a very brief outline of some malware related concepts. Most of the chapter concentrates on the virus writing community, although only in a superficial way. Grimes obviously feels sympathetic towards virus writers, and presents their own stories without criticism or analysis. Some details of the MS-DOS operating system, as well as basic virus technologies, are given in chapter two. The programming particulars, and a bit of virus source code, are likely to be of more help to budding virus writers than to the defending sysadmins. There are copious errors in the information listed about specific viruses. Sometimes the material is careless, such as the assertion that Michelangelo formats hard drives (the original version overwrites sections of the disk, and only the disk booted from on the trigger date). In other places the wording is slipshod, such as the implication that a seldom seen screen artifact of the Jerusalem virus is somehow responsible for file deletion. (Oddly, while Grimes does not appear to have done serious research he has obviously read my stuff at some point: one of the examples is taken almost word for word from my writings. Other passages originating in my work are recognizable, although not quite as blatant.) The recovery advice is also suspect: he reiterates the rather dangerous suggestions to format the disk or use FDISK /MBR.

Some very useful information about Windows, particularly the 9x, NT, and higher versions, is presented in chapter three. The material does not often deal with malware as such, and, in a number of cases, details are either too particular or not specific enough. A few "native" Windows viruses are described in chapter four, along with some useful general security and recovery tips. Unfortunately, the virus detection and recovery tips are derivative, vague, and not always comprehensive. Chapter five has explanations of the VBA (Visual Basic for Applications) macro system in Microsoft Office applications, and lists some common macro viruses.

Chapter six lumps trojans, worms, backdoors, and DDoS (Distributed Denial of Service) packages together in a somewhat confusing manner. One useful inclusion in the material is a list of RAT utilized port numbers. The invention of real-time conferencing, or instant messaging, appears to be credited to AOL, in chapter seven, although various forms existed long before AOL's existence. All forms of chat or messaging seem to be lumped together in the chapter, although it concentrates on the technology and examples from IRC (Internet Relay Chat).

Chapter eight contains a reasonable overview of Web browser technologies, although Grimes makes the usual mistakes, such as confusing Secure HyperText Transfer Protocol (S-HTTP) with the https protocol specifier actually used by Secure Sockets Layer (SSL). A number of old program bugs and exploits are described in chapter nine. Most relate to browsers, although some depend on HTML enabled mail clients. The preventive measures listed, however, deal strictly with the settings on recent versions of Microsoft's Internet Explorer, and do not mention other browsers at all. Since Java applet bugs and exploits have been confined to implementation errors, it is difficult to understand why chapter ten was included in the book. Again, some older exploits are described, and there is a bit of confusion in the text between the applet sandbox model and the full Java security model. Chapter eleven examines the possibility of the malicious misuses of the ActiveX system, but first it spends a lot of time and space presenting the one security aspect of ActiveX: digital signatures. By doing so, Grimes is giving Microsoft way more than the benefit of the doubt. The text does, eventually, get around to pointing out some of the flaws in the Authenticode system, but the structure of the chapter works to downplay the dangers.

In chapter twelve, the Microsoft chauvinism that has been evident in prior sections ramps up to full throttle. Grimes states that it isn't just Outlook that can be exploited for email viruses, any mail client could be so abused. (He later has to tacitly admit that almost no other email client has been so utilized, and none to the same extent.) There is even a paean of praise to Windows Script Host, the application that made the Love Bug possible. The material on virus hoaxes, in chapter thirteen, is a bit of a mix, but does have a good list of signs to watch for. Defence consists mainly of a generic security planning process and a reasonable, though brief, outline of the types of antiviral software, in chapter fourteen. Chapter fifteen finishes off with the usual look to the future.

Overall, the content is wide-ranging, but not complete. There is coverage of a broader range of topics than was the case with other recent books, such as Dunham (cf. BKBVRTPR.RVW) and Schmauder (cf. BKVRSPRF.RVW). However, depth of research and understanding of the problem is not in evidence. The material is very questionable in view of the number of errors Grimes makes in his retailing of details of specific viruses.

While some support and background content is included, the book is written in a very field independent style: at the end of the chapter you are simply supposed to do what Grimes tells you to, and believe what he says.

There is virus code in the book. Not extensively, perhaps, but it is there. Grimes justifies its presence by saying that it is not code for an entire virus, and that he has made changes to disable it in any case. Unfortunately, it is real code, for some important sections of viruses, and the missing and changed bits aren't all that hard to spot. While it would not allow wannabe vxers to compile a complete virus right off the page, it would help any semi-competent code dweeb write a more functional virus. And, all protestations notwithstanding, it doesn't provide any help to the user or network manager.

Aside from problems with the content, Grimes' organization and writing is careless and difficult to understand. The chapters address individual topics, and have a standard structure, but the structure is only a template. Within each topic the flow of sections and even paragraphs does not always course logically. The illustrations and figures are not very informative.

This is not a good book on viruses or malware. The breadth of coverage and detailed content on macro and email virus technology does save it from being really awful: up to the summer of 2001 no other book has dealt with those topics in sufficient depth. And the MS-centrism does have one very positive advantage. If you absolutely must use Microsoft software and applications, the prevention sections of the various chapters do contain a lot of detail that will be useful in reducing the risk that you face.

Malware: Fighting Malicious Code

"Malware: Fighting Malicious Code", Ed Skoudis, 2004, 0-13-101405-6


Chapter one introduces, but also mixes up, all kinds of malware, attack tools, and attacks. It does eventually provide a table of types of malware, but the definitions are not very clear or explicit. Chapter two has wide ranging, but careless, information about viruses. The strictly Cohenesque definition eliminates boot sector infectors from consideration, which is rather ironic given the prominence that they are given in the chapter. There is a confused outline of infection mechanisms. Many of the assertions made are based on questionable analysis: Strange Brew is stated to be potentially dangerous because of platform independence, but there is no mention of the fact that it fails as an applet, which is the most mobile form of Java code. Random thoughts on worms are in chapter three, with defence measures seemingly a vague afterthought. Malicious mobile code is limited to active content for Web pages in chapter four. Chapter five confuses maintenance hooks and rootkits, but mostly describes remote access trojans. Trojans, or trojan horse programs, are the broadest class of malicious software, so it is not surprising that chapter six is an unfocused grab bag: what is odd is that there is so much content that is a repeat of earlier material. Chapter seven deals with "user-mode" rootkits, providing lengthy examples which are nonetheless vague on concepts. "Kernel-mode" rootkits, in chapter eight, goes into excruciating operating system internals detail about how such software can be inserted into the system. Both chapters concentrate heavily on UNIX, with only limited mention of Windows, and both are primarily concerned about how to attack, with little attention paid to defence. ("Harden systems and apply patches.") Chapter nine theorizes about BIOS (Basic Input/Output System) and microcode malware, managing to confuse not only the two concepts with each other, but also with standard rootkits. 
A number of fictional attacks are outlined in chapter ten, although the "mistakes" pointed out do suggest some protective measures that might be of use. Chapter eleven lists hardware and software for building a setup to analyze malware. The book concludes with some opining in chapter twelve.

The text is much more verbose than it really needs to be, and sensational rather than precise. There is a lot of specific detail in some areas, particularly for those interested in UNIX system internals, but the material on malware itself tends to be careless, and the author is obviously much keener on attacking than defending. This work does not offer much help to those who want to fight malicious code.

Managing Computer Viruses

"Managing Computer Viruses", Eric Louw/Neil Duffy, 1992, 0-19-853974-6


Chapter one is a vague outline of the problem of computer viruses, interspersed with other, semi-related issues. There is a broad background and history, in chapter two, but the authors do not appear to have fully understood their own research, confusing, for example, the Xerox PARC worm with the game of core wars. There are basic frameworks presented from the works of other researchers, but these are given in a muddled structure. Chapter three spends a lot of time drawing analogies between computer and biological viruses, while simultaneously warning that you shouldn't do this. Protection against viruses, in chapter four, presents a generic security plan with a few details related to malware. An opinion survey of sorts is tendered in chapter five. Policy formation, in chapter six, is another section lifted from a general security text. Chapter seven is a precis of the book.

Yes, the book is outdated, but it didn't have much to say in the first place.

Naissance d'un virus

"Naissance d'un virus", Ludwig translated by Condat


I have previously reviewed Ludwig's original book (cf BKLUDWIG.RVW) and, basically, everything applies to this as well. I have only two brief comments to make on the translation.

I am rather surprised that a publishing house with the stature of Addison-Wesley took this on. I note that the promotional material which came with the book states that the original was banned for export from the United States. Even allowing for marketing hyperbole, they must have known that it would give rise to some kind of difficulties. As, indeed, it did: a recent court challenge has attempted to ban distribution of the book. I haven't yet heard the outcome. (I also note that the book is supposed to help you choose antiviral software: didn't they even read it first?)

The second addresses the issue of the educational value of the book. As previously noted, the text sections leave a great deal to be desired in terms of pedagogy. The viral code, however, is intact, and unchanged. All the comments are still in English.

(I am very amused to note that the French translation of "computer virus" - What? No, of course not. Don't be naive. - is CPA, standing for either "codes sources autopropageables" or "codes parasites autopropageables". This side of the pond CPA means a different sort of parasite.)

Inside the Norton Antivirus

"Inside the Norton Antivirus", Norton/Nielsen, 1992, 0-13-473463-7


Peter Norton has written a virus book! To most, this would be unsurprising. Longtime virus researchers, however, take gleeful delight in this tacit admission that his diatribes against the "urban legend" of computer viral programs were mistaken. Unfortunately, there isn't much more joy in this book.

This, like the "Michelangelo Special Edition" of the Norton AntiVirus, is an obvious attempt to make hay from the Michelangelo scare of 1992. Guess what virus gets mentioned twice in the first thirteen pages alone! (Ironically, sixteen pages later, the book takes the media to task for all the hype.) And, unfortunately, it shows the same concern for accuracy and protection that the MSENAV did. The introductory chapter brings in a fair amount of interesting material from a breadth of sources - but little depth of analysis. The reference to "Seventh Son" in one virus must, according to the book, refer to a novel by Orson Scott Card - ignoring the fact that the seventh son of the seventh son has been a reference in western myth, legend and superstition for more than a thousand years. The generally disregarded theory that the Jerusalem virus was politically motivated is presented as established fact.

As far as protection goes, the list of viral myths is surprisingly good. Chapter three, "Strategies for Safe Computing," exhorts you to keep the system clean and off the floor. Useful advice, no doubt, but the most they have to say about viral programs is that it would be best if you didn't get infected. Thanks heaps, guys.

The bulk of the book is, of course, a reprise of the Norton 2.0 documentation. Not many surprises or tips here.

PC Viruses: Detection, Analysis and Cure

"PC Viruses: Detection, Analysis and Cure", Solomon, 1991


Alan Solomon's "Dr. Solomon's Anti-Virus Toolkit" holds a justifiable place in the first rank of antiviral software and protection. While not as well known as some other products which commit more money to marketing than to development, his software is recognized by anyone who really knows the field. There is, between Alan Solomon and Fridrik Skulason, a friendly rivalry as to whose program most accurately detects more viri and disinfects them. (The fact of the "friendly" alone is a refreshing change in the virus research world.)

I say this to put in context the impression one gets, from the beginning of the book, that the author is very confident of his own capabilities. Alan Solomon is not very humble, but then, he doesn't have an awful lot to be humble about.

This is not to say that there are no flaws in the work. "Dr. Solomon's Anti-Virus Toolkit", despite the "medicine show" sounding name, is a product which is aimed at the technically literate user, and makes little concession to the novice. So, too, in "PC Viruses" the material moves briskly, and the non-technical or even intermediate reader will likely need to read and re-read sections in order to make the necessary connections. Also, while knowledgeable researchers will be pleased with the overall quality of the factual material, certain opinions are stated with a force that makes them seem like gospel truth.

By and large, those opinions have a weight of justification behind them. The book has a very realistic view of the virus situation. It is neither alarmist, nor dismissive of the problem. Suggested actions take into account not only the technicalities of the issue, but also human nature and corporate climates as well.

Chapter one is an introduction - to an overview of the field, and also to the author. His statement that he is most familiar with his own software will raise an alert, in the discriminating reader, to watch for bias, although it is not a very formal warning. Still, it is very nice to see at least an acknowledgement of a vested interest, as opposed to so many authors who try to maintain a facade of impartiality while lauding their own product and savaging their competitors'.

As mentioned, however, the text maintains a very fast "pace", and a reader who is new to the field may have some difficulty extracting the concepts from the text. (Very interesting text it is, too.) Moreover, the content is not very disciplined. Chapter one is an introduction, and presents an overview of the virus situation, but viral programs are not defined until chapter two.

The second chapter does describe what a virus is, and isn't, quite well. It suffers, though, from the same abandon as does the first. After having talked of bugs, trojans and worms, there is only one paragraph devoted to a definition of a virus before the book is off into the esoterica of stealth, memory residence, interrupts, and self-encryption. Chapter two goes on to discuss the detection and identification of viral programs. While we have been warned that the author will be referring to his own software, the references to it are quite casual, as if these tools were a part of DOS. The chapter concludes with an excellent section on various malfunctions which are not viral in nature but generate "false alarms".

Chapter three is a brief summary of viral operation as far as infection is concerned. The digressions of chapters one and two about payloads and detection avoidance are completely absent here. This makes chapter three much better organized. The material is accurate, but readers should be warned of a somewhat iconoclastic terminology.

Chapter four is the virus description list, which makes the "Dr. Solomon's Anti-Virus Toolkit" a good buy even if you don't use the program. Even this 1991 list is excellent. Some of the more recently important viri are not mentioned, but the most common programs are still the older ones, and most of what you need to know is here. (If you want an update, then buy the program - if only for the documentation.) A couple of problems: the list is not in alphabetical, or any other discernible, order. Also, the listings, while highly accurate, are not entirely free of errors, or at least potential misinterpretations. Solomon repeats the oft-quoted line about Stoned displaying its message "every eighth infective boot-up". Stoned shows the message based upon a calculation which has one chance in eight of triggering. It is quite easy to boot more than eight times in succession without the message being displayed. As well, the message only displays when booting from a floppy disk. (This is, perhaps, what is meant by "infective boot-up".)

Chapters five and six discuss procedures for dealing with viral infections and some policies for reducing the level of risk of infection and increasing the chance of detection. Chapter five, on recovery, is quite good, although short; chapter six, on protection, may be a bit too short.

The book is quite short altogether. There are only 288 pages in total; less than seventy of these cover viral definitions, overview, history, cure and prevention. Most of the rest is made up of the virus listings.

There is a lot to recommend this work. It is much more accurate than most. It is practical. The virus list is a very valuable resource, and even if this book is not your primary reference on protection, it should have a place as a reference for specific infectors. Although the book is dated by time, the material is covered in a manner which avoids, as far as possible, those aspects which go out of date quickly.

On the negative side, the book, as the title indicates, is concerned strictly with MS-DOS. There is little or no "theoretical" background. The list of references to other material or sources is very short, and not necessarily of the best quality. Finally, there is the technical nature of the content, very demanding either of background or attention from the reader. In addition there is, if not disorganization exactly, at least the meandering nature of the text, which puts non-technical readers at an even greater disadvantage.

Still, in comparison to many of the works on the market, this is a refreshingly accurate change.

The PC Virus Control Handbook

"The PC Virus Control Handbook", Jacobson, 1990, 0-87930-194-5


As well as being dated, this is a very uneven book. Significant portions are concerned primarily with promoting certain products; others seem to have been added quickly in order to round out the text. Still, it does have some good points, even today.

Chapter one is a purported overview of virus technology. Starting with a definition that includes only file infecting viral programs, it then launches into a very lengthy, and very technical, discussion of the boot process, boot sector and partition boot record. There are indications that the material for this second edition wasn't edited very carefully when it was updated from the first. An example is the promise to define four types of viral programs - followed by outlines of *five* types. Chapter two is basically a listing of viral programs, but the identification checklists, based upon symptom, may be helpful. Again, there are indications that International Security Technologies (IST) was primarily concerned with file infectors and added the boot sector material as an afterthought. (Having denigrated virus naming conventions in favour of the IST numbering scheme earlier in the book, the boot sector virus IDs seem to be listed in a remarkably "alphabetical" order.)

Chapter three is probably the best part of the book. This is a step-by-step guide for investigating and disinfecting a suspected virus infection. It relies very heavily on the Virus-Pro and McAfee programs, but, if you can understand the generic types of these specific programs, the guide is very detailed and useful. It is, however, amusing to note that the book makes much of "stealth" viral technology, but fails to use the "self-cleaning" feature of such programs.

Chapter four is a sample policy and procedures document. Unfortunately, without additional discussion and background, readers may not be able to make the necessary modifications to fit their own situation. A closing bibliography is sadly out of date (and heavily biased).

While the price may seem a bit high, for the sake of one chapter, the detailed disinfection procedure in chapter three may be worth it. Certainly, those with a major responsibility for corporate protection may wish to use it in building their own guides.

A Pathology of Computer Viruses

"A Pathology of Computer Viruses", Ferbrache, 1992, 0-387-19610-2


This book is a broadly based and technical compendium of research and information relevant to computer virus research on a number of platforms. For those seriously interested in the study of viral programs, this is an excellent introduction.

Chapter two is a linear chronology of viral and related research, events and activities from the 1960's up through 1990. Chapter three is an introduction to the major research and theory. Chapters four through eight cover technical items and functions of viral programs on PCs, Macs, mainframes (particularly UNIX) and networks.

A series of appendices give background information on the boot sequence, record and file structure, disk structure and other related technical details for PCs, Macs and UNIX. As well, there are contact lists and references for further research and information.

This book is not for the home user, or even for the IT manager for a small business. The material will require some dedicated study. However, the cross-platform references and the serious security perspectives on policy and procedures will be of considerable value to the larger corporation as well as the serious virus researcher.

Rx PC: The Anti-Virus Handbook

"Rx PC: The Anti-Virus Handbook", Janet Endrijonas, 1993, 0-8306-4202-1


Endrijonas is a writer and reporter, so I had relatively low expectations for the book. In fact, though, the contributions of Ross Greenberg and Aryeh Goretsky as advisors must have had considerable influence, since there are a number of reasons to prefer this book over the virus books by non-specialists.

Although there is enough bad information to make the book unreliable, there is also a good deal of good information. In addition, the author looked at more than one or two antiviral programs when reviewing. (The reviews themselves are, unfortunately, little more than reproductions of the documentation. The discussion of ViruCide, which immediately follows that of VirusScan, does not note that both programs are functionally identical, being based on the scanning engine and database of McAfee Associates.) It is also interesting to note that the disk included with the book contains, as well as the ubiquitous Scan, the superlative Integrity Master program. (For some reason the author is coy about this, mentioning it only in an appendix.)

Ultimately, this book is dated and contains too many errors and contradictions to recommend as a sole virus text. For its time and type, however, it was a very good effort.

Survivor's Guide to Computer Viruses

"Survivor's Guide to Computer Viruses", 1993, 0-9522114-0-8


A book by the staff of the Virus Bulletin would seem to hold the high ground in many ways. Not only do they have the corporate resources of both Sophos and the Virus Bulletin behind them, but they also have the publishing expertise, files, stories, writers and, not least, technical expertise of those who have written for, and been associated with, either VB or the annual conferences. Coming, as it does, while I am, myself, in negotiation with a publisher for my own book, I looked forward to this with both enthusiasm and trepidation.

I think I will finish my book after all.

Overall, the book is a reasonable introduction to the topic ... of PC viruses. Aside from some review materials of OS/2 programs (which identify DOS virals) there is no attempt to look at other operating systems. Even in this limited context, the book is still somewhat restricted.

Chapter one is a history. More accurately, it is a vaguely chronological series of short anecdotes about various viral, and related, happenings. There is much of interest here, but also a most disturbing lack of accuracy. Names are misspelled, events are presented out of order, and some very important occurrences are glossed over while other, relatively trivial, happenings are presented at length. There are annoying technical errors. The book insists on calling Stoned "New Zealand", waits until 1990 to discuss it, and states that it was "the first virus to infect the DOS Boot Sector of the hard drive." A UK-centric, as opposed to US-centric, view of the situation is interesting, but shows the same parochialism. (Those who say that this sounds strange coming from an American will be boiled alive in maple syrup.)

Chapter two is an overview of viral operations, risk factors and protective measures. Thankfully, it is more technically accurate than the first. However, it is still very iconoclastic. Most researchers would speak of two distinct types of viral programs, boot sector and file infecting. (This distinction is technically somewhat arbitrary, but important in terms of the user's perception of a "blank" disk as being safe.) The book insists on five. The additional three result from the breakdown of file infectors into parasitic, companion, and system or FAT virals (which the "Survivor's Guide" calls "link"); the fifth is multi-partite, which is simply a combination infector which will attack either boot sectors or files. There are also postulates of such things as an "unscannable" virus, which is interesting in view of the repeated references to Mark Washburn who tried, and failed, to produce such a thing. The risk factors and protective measures are the same we have seen before, with warnings against bulletin boards, and recommendations for diskless workstations.

Chapter three, although short, is a solid and reasonably thorough introduction to antiviral procedures. Certain sections could use more details; for example, the use of a "quarantine" PC is recommended but there is no discussion of the problems such a setup can cause; but all of the major points are at least opened for discussion. The heavy emphasis on the use of the FORMAT command for recovery is somewhat questionable, but other options are raised as well.

Dr. Keith Jackson's general advice on evaluating products and reviews, which starts chapter four, is very much to the point and raises issues too often ignored. Too bad the book does not follow its own advice more closely. There follow two "ratings" articles, one for DOS and one for OS/2, plus a quick overview of some NLM products.

The choice of viral programs in the chapter on "dissections" is rather odd. The simplistic and relatively rare Batman virus is included, but there is no entry for the ubiquitous Jerusalem which is not only widespread, but also the "template" used for a number of variants and mutations. It is also interesting to see that original headlines have been kept. Joshi is subtitled "Spreading Like a Forest Fire" even though the original reports of its infectiousness are now known to have been mostly hype.

It is difficult to say whether the remaining materials are chapters or appendices. There is a decent article on virus toolkits by Tim Twaits, a set of rather limited statistics of numbers of reported viri from 1991 to mid-1993, a list of vendors (with no indication of product), a rather limited listing of "further information," and a glossary. There is also a "Who's Who." It is amusing to note the introductory quote of Oscar Wilde's, "There is only one thing in the world worse than being talked about, and that is not being talked about," given those who are not being talked about. There is no David Chess, no Edwin Cleton, no Paul Ferguson, no Lance Hoffman, no John Norstrad, no Padgett Peterson, no Gene Spafford, no Wolfgang Stiller, no Franz Veldman, no Ken van Wyk (for crying out loud!) ... and probably no future for me if I carry on long enough to indicate that I might think I have a complete list.

The Virus Bulletin logo appears prominently on the front and back covers. Not only there, but on copies of the magazine itself on the cover illustrations of offices full of happy, smiling people and presumably virus free computers. Some of the people look remarkably like, say, Richard Ford and Jan Hruska. Nothing succeeds like excess, eh? Still, the attempts to use the book to sell the Virus Bulletin seem reasonably contained to the "ends" of the work.

Viewed objectively against other virus works, this does provide the corporate manager with valuable background information and resources. It is, all the same, somewhat disappointing.

A Short Course on Computer Viruses

"A Short Course on Computer Viruses", Cohen, 1994, 0-471-00768-4


This book is fun. I mean, it starts out with the statement, "I would like to start with a formal definition," followed by about a paragraph's worth of symbolic logic, followed by, "So, much for that!" I assume that the surface joke is accessible to all: for those who know of the troubles Dr. Cohen has had over the years with those who insist on an informal translation of his work, it is doubly funny. From that beginning right through to Appendix A (a joke) the light tone is maintained throughout, and it makes for a thoroughly enjoyable read.

Besides being fun, though, the book is solid material. Possibly one could raise quibbles over certain terms or minor details, but almost nothing of substance. The only halfway controversial point in the book is Dr. Cohen's continued crusade on behalf of "benevolent" viral programs. While I agree that the concept is worth further study, Dr. Cohen has not yet applied the rigour of his earlier work to proofs that such programming can be guaranteed safe or that benevolent viral programs are the best way to accomplish the examples used.

The material in the book will be accessible to any intelligent reader, regardless of the level of computer knowledge. The most benefit, however, will be to those planning data security or antiviral policies and procedures. They will find here a thoughtful, provoking and insightful analysis.

Securing the Network from Malicious Code

"Securing the Network from Malicious Code", Douglas Schweitzer, 2002, 0-7645-4958-8


While there is some basic information about viruses and trojans in this work, it isn't clear, good, particularly helpful, or easy to extract from the surrounding verbiage. What content is related to networks has very little to do with securing or protecting them from malware.

Part one looks at threat analysis. Chapter one lists various types of problems that might possibly arise from the presence of malware. Generic statements about virus writers, with little judgment or backing, are made in chapter two. Programs related to malware are described in chapter three, although the examples and explanation are limited. Chapter four is a poorly structured and disorganized list of viruses, rife with artificial distinctions. (Two of the classifications are said to be "UNIX viruses" and "Linux viruses"). There are some examples, but with poor analysis and interpretation.

Part two talks about defence. "Fundamentals Needed for Digital Security," as chapter five is entitled, contains a random assortment of semi-technical topics which does not have enough detail or definition to be of much use in establishing protection. Haphazard net topics are reviewed in chapter six. Chapter seven lists various network applications, threats (such as stalking) that are not related to malware, and a list of ports used by trojans - but the directions on how to determine whether those ports are in use on your machine do not appear until the following chapter, along with some generic advice on policies and awareness training. Firewalls, antivirus software, and backups are outlined in chapter nine, but with terse and poor explanations. Server and application vulnerabilities are briefly discussed in chapter ten.

Part three is supposed to look ahead. Chapter eleven has an unfocussed and sensationalist commentary on cyberterrorism. A grab bag of security topics is in chapter twelve.

The text has numerous errors, but they are neither excessively abundant (in comparison to some of the other horrible examples extant) nor especially egregious. Saying that this work is "less bad" than the worst, though, is hardly a recommendation. The book is indifferent and slipshod (many of the entries in the glossary are very careless) and does not contribute to the body of malware literature.

Using McAfee Associates Software for Safe Computing

"Using McAfee Associates Software for Safe Computing", Jacobsen, 1990


There are many books which are aimed at helping you use specific commercial programs. Usually, however, such books are either targeted at "dummies" or purport to reveal secret or undocumented features. The title here seems to suggest both a generic goal, safe computing, and a specific means. Those "in the know" of course, realize that safety here is being limited to protection against viral programs.

Certain other works have been associated with the company named here, and have resulted in rather unfortunate products. In the Foreword and Preface we see the same "rah, rah" chauvinism. It is, therefore, a rather pleasant surprise to find that chapter one, in defining viral programs, doesn't do a bad job. A computer virus is said to execute with other programs, but that explanation is immediately extended with a lucid and factual account of the boot sequence on MS-DOS computers. It even distinguishes between the boot sector and the master boot record (although Jacobson loses points for referring to the MBR as the partition table.)
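The terminology slip noted above (and the boot-process material in the Jacobson Handbook review, and the boot-sector versus file-infector distinction in the Survivor's Guide review) turns on a layout detail that is easy to check. The following is an added example, not code from the book or from McAfee's tools: it builds a constructed 512-byte master boot record, parses it, and shows that the partition table is a 64-byte table embedded in the MBR, distinct from the boot code in the first 446 bytes that a boot sector infector overwrites. The offsets and entry format are the standard IBM PC MBR layout; the loader bytes and partition contents are made up for the demonstration.

```python
"""Master boot record versus partition table (added example).

Standard MBR layout: 446 bytes of boot code, four 16-byte partition
entries at 0x1BE, and the 0x55 0xAA signature at 0x1FE. The sample
loader bytes and the partition below are constructed for illustration.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0x000-0x1BD: loader code (and its data)
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIG_OFF = 0x1FE              # boot signature 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def pack_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition entry; CHS fields are left zero since LBA is what is parsed."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a full 512-byte MBR from loader code and up to four partition entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partition entries")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\0")
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\0")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot code, raw partition table, and decoded partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIG_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:           # type 0 marks an unused slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partition_table": sector[PART_TABLE_OFF:SIG_OFF],
            "partitions": partitions}


def classify_change(baseline: bytes, current: bytes) -> str:
    """Compare a saved copy of the MBR against the one read back from disk.
    A boot sector infector typically replaces the code and leaves the table alone."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    code_same = a["boot_code"] == b["boot_code"]
    table_same = a["partition_table"] == b["partition_table"]
    if code_same and table_same:
        return "unchanged"
    if table_same:
        return "boot code replaced, partition table intact"
    if code_same:
        return "partition table changed, boot code intact"
    return "both changed"


# Constructed sample: a stub loader and one bootable FAT16 (type 0x06) partition at LBA 63.
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 40      # made-up loader bytes
CLEAN_MBR = build_mbr(CLEAN_CODE, [pack_entry(True, 0x06, 63, 2048)])
# Same partition table, different code in the first 446 bytes.
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\xCC" * 100, [pack_entry(True, 0x06, 63, 2048)])

if __name__ == "__main__":
    info = parse_mbr(CLEAN_MBR)
    print("partitions:", info["partitions"])
    print("clean vs clean:   ", classify_change(CLEAN_MBR, CLEAN_MBR))
    print("clean vs infected:", classify_change(CLEAN_MBR, INFECTED_MBR))
```

The point for a disinfection guide is that "the partition table is intact" says nothing about whether the loader code in the same sector has been replaced; an integrity check has to cover the first 446 bytes as well, and the DOS boot sector of each partition is a separate sector again.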

The rigorous will find errors in the first chapter. Program infection is shown strictly in terms of an appending virus. Although FAT or system viri (referred to as "cluster-point") are described, companion viri are not. The statement is made that "viruses may include a Trojan Horse": the definition is that of a trojan, the examples are clearly logic bombs.

Chapter two is entitled "Planning a Virus Control Program". This would seem to be concerned with establishing the level of risk for a company and producing policy and procedures for virus protection. Unfortunately, the detail included here is very sparse. Some extremely broad guidelines are given, but the reader is literally left with more questions than answers after reading this chapter. Eventually a companion volume by the same author is mentioned as dealing with the details.

At the beginning of chapter two one is told that chapter three, "Virus Prevention Techniques", gives the answers for protecting a single computer. Rule one: write protect everything. Rule two: Buy SCAN. Rule three: buy more SCAN. Rule four: have extra copies of SCAN around (be sure to buy extra licences.)

Chapters four to seven are basically reworkings of the documentation for VSHIELD, SCAN, CLEAN and the network uses thereof. One immediately asks, of course, which version was used. One is not immediately answered: chapter eight indicates, and nine supports, the presumption that version 85 was used. In the mailing with my review copy I received a letter indicating that update files are produced. The files, USINGxxx.ZIP, where xxx is the version number, are stated to be available on the McAfee BBS and the McAfee forum on Compuserve. Apparently the updating is not constant: the "current" version of the McAfee products, as this was received, was 106, and had been for some time. According to the letter, the "current" version was USING102 and USING106 was due out shortly.

Chapters eight and nine tell you how to get technical support, first, and a copy of the program, second. The answers are to call the McAfee BBS, the McAfee Compuserve forum, or call McAfee Associates and buy it. An order form for the McAfee products is bound into the back of the book: it will surprise no one that the publisher of the book is a McAfee agent.

Chapter ten is entitled "The Ten Most Common Viruses". Those familiar with the sometimes unfortunate accuracy of the VSUM lists will recognize the entries. In a listing at the end of the chapter, BRAIN and Stoned are included in a list of "stealth" viri which can cause "catastrophic damage" or "cause all files to become infected during the scanning process".

Essentially, what you have here is printed (and dated) documentation for the McAfee programs. Since the functions of the programs change less frequently than the scan strings, most of the material is still relevant. Problems can be checked against the current McAfee documentation. As such, this may be a useful book, fairly reasonably priced considering the cost of the programs themselves. One shortcoming is that the network section still relies on the combination of stand-alone software: the NLM versions are not mentioned. In contrast to most "third party" books, though, there is little here that will either change the performance or ease the use of the product under discussion.

Virus Detection and Elimination

"Virus Detection and Elimination", Rune Skardhamar, 1996, 0-12-647690-X


Plagiarism is the sincerest form of flattery, so I should, perhaps, be gratified to find that almost the first thing I saw was references to material that I have provided. (I might be forgiven for being less pleased to find sentences copied almost verbatim.) There are a number of common mistakes which Skardhamar does not make, and that's good. However ...

Although he credits some of my writings ("History of Viral Programs By Robert M. Slade Available on computer."), he hasn't read them carefully enough. He gets names, sequences and technical details wrong. (CMOS RAM is not "just normal RAM", the boot sector is not a file, Michelangelo does not "format" the disk, and it's Lehigh University and virus, not "Leigh".) Almost every page contains factual errors, some more important than others. He contradicts himself in many places, often within the same paragraph. (Perhaps the author would like to blame this last on his command of English: there are numerous grammatical errors, and a trick is a ruse, not a "rouge".)

My main objection, though, is that Skardhamar, under the "information wants to be free" banner, is distributing virus code. He states that people with the right kind of information make it a policy not to share their knowledge. (This might come as a surprise to Cohen, Denning, Ferbrache, Feudo, Highland, Hoffman, Kane, Solomon and the whole VIRUS-L FAQ team.) Of course he considers the "right kind of information" to be virus code, in spite of the fact (which he even tacitly acknowledges) that for most users such code would do more harm than good. His language, postures (and technical accuracy) are all strongly reminiscent of the vx (virus exchange) groups and publications.

(To be fair to both the author and Academic Press Professional, I suspect that the code provided would not assemble as it is. On the one hand, I'm glad he isn't spreading working code. On the other, it's too bad he's even trying to fool his vx buddies.)

A disk is included with some snippets of uncommented assembly code which is supposed to help you disinfect a virus. Few average users would have the resources to produce working code from it. Even fewer would have the time to work through it and make sure that the programs weren't malicious.

In sum, this work is badly written, technically inconsistent and, if it can be relied upon at all, more likely to contribute to virus production and spread than detection and elimination.

Virus Proof: The Ultimate Guide to Protecting Your PC

"Virus Proof: The Ultimate Guide to Protecting Your PC", Phil Schmauder, 2000, 0-7615-2747-8


On the very first page of this book we are told that viruses are written to steal or destroy "information that resides on your disk." (Viruses are written to reproduce.) The text then contradicts itself by saying that viruses may just print a message. Then we are told that you should never run programs downloaded from the Internet (downloading infected program files has always been a relatively trivial vector). Along the way we are told such vital information as that viruses must get into your computer's RAM in order to do damage (everything has to get into your computer's RAM in order to do anything) and that viruses are exchanged on disks or transferred files (that pretty much covers the field of data transport, wouldn't you say?)

Welcome to "Virus Proof," a collection of mistaken, valid, useless, and repetitive information. Sharp-eyed readers will have noted the inclusion of "valid" in that list. Unfortunately, you will have to be much more acute to pick out the true facts from the volume under discussion. As the old saying goes, if you can tell good advice from bad advice, you don't need any advice.

Some of the errors in the book simply show that the author has not done his homework. (There is no evidence to suggest that the Michelangelo virus was written to "commemorate" the birth of Michelangelo the artist. The researcher who first reported the existence of the virus learned that the target date of March 6 was Michelangelo's birthday, and so used that name as a convenient label.) Some of the errors in the book are more seriously misleading. (The Michelangelo virus did not "occur" on March 6, 1992. It was, fortunately, discovered long before, possibly existed before March of 1991, and still results in regular computer erasures every March 6th to this date.)

The author does keep telling the reader not to use any data file, or run any program, until it has been scanned for viruses. That is good advice, as far as it goes. Unfortunately, it isn't very useful advice, and the constant repetition of that single injunction is likely going to dull the reader to the necessary finer points.

The directive to scan everything isn't the only thing that gets repeated in the book. The first chapter manages to tell us once per page that computer programs are lists of instructions. Now, that statement is true: programs are sets of commands. But that bald assertion provides the normal computer user with no insight that could help with virus protection. One would think that the space dedicated to this piece of trivia could more helpfully be employed in presenting an accurate definition of viruses, or a list of the ways that you are more likely to get a virus these days.

In only four pages, chapter two presents serious misinformation. A boot sector does not show up on a list of files on a disk. Boot sector infectors can infect non-bootable, and even "blank" disks. Trojan horse (or just "trojan") programs do not reproduce. A file infecting virus is not referred to as a "Trojan Horse virus." The definition given for a worm (if you are making a distinction the term "worm virus" makes no sense) clearly contradicts the declaration that a worm could also be a file infector. Most macro languages are not capable of supporting a successful virus: to date, only those written for Microsoft applications have presented any danger.

And so it goes. Virus writers don't need your password, and system security breakers (who dearly love the confusion of the term "hacker") don't bother with viruses. Being the first on your block to upgrade to new versions of programs can have drastic security risks itself. If you are not supposed to run anything you download from the Web, why are you supposed to upgrade your software over the Internet? Since viruses are appearing at the rate of hundreds per month, keeping up with the few that make it into [large AV corporation]'s press releases is unlikely to be very useful. Mailing lists and newsgroups are recommended without any analysis. Most recent email viruses and worms harvest addresses for regular correspondents, so the direction to avoid email attachments from someone you don't know is almost worthless. Firewalls have nothing to do with viruses. If a virus infects a system file, knowing what programs are running on your computer is useless. Many loopholes have been found in the security of ActiveX controls: restricting operation to signed controls provides very little protection. Backups will help you recover if hit, but provide no inherent virus protection. Knowing how to break into systems will not protect you from viruses, nor will seven pages of C source code for a variant of the Crack program. (For those script kiddies eager to learn how to break into systems, save your money. It doesn't tell you that, either.) Phone phreaking isn't that easy, trying the stuff in the book can get you arrested, and it has nothing to do with viruses. (And John Draper's own account, given on the site illustrated, contradicts the story in the book.) Chernobyl is a variant of CIH, and not the other way around. Backing up the Registry provides no inherent virus protection. Anonymizers for email and Web browsing have nothing to do with viruses. Cookies have nothing to do with viruses. (Many of the points made about cookies are incorrect as well.) 
Happy99 used Usenet news, as well as email. Spam has almost nothing to do with viruses (and most of the recommended actions are not only useless, but will annoy people who have better things to do). The material on virus hoaxes is limited, physically hard to read (small print), and has no real analysis. Chat has nothing to do with viruses. Denial of service attacks have little to do with viruses, chapter sixteen has nothing to do with viruses, and neither do six pages of SYNattack source code. Privacy has nothing to do with viruses (and chapter seventeen has little to do with privacy). Email encryption has nothing to do with viruses. The Melissa virus was not polymorphic. Polymorphic viruses do not change their payloads. Virus "families" result from virus writers taking a given virus and making very minor changes to it. Digital signatures have little to do with viruses, and chapter nineteen does not discuss key management at all. JavaScript is not a "cut down" version of Java, and does not have Java's security model. E-commerce does not have anything to do with viruses. Y2K does not have anything to do with viruses. And, fortunately, the code presented in chapter twenty five is nowhere near sufficient to create a working virus. (It is enough to create serious problems for the person who tries to use it.)

Now, of course, a number of the items mentioned do have something to do with general security. Unfortunately, the level of detail given in the book is far from sufficient to protect the user against these threats. Indeed, the threats themselves are not described particularly well, and I could go through a very similar exercise in pointing out the weaknesses in the general security material.

Given the total size of the book it really isn't a work on viruses. It throws together a random assortment of information (and misinformation) about a variety of security related topics. Nothing is covered in depth, and nothing is covered completely accurately. Approximately half of the book is occupied with screenshots of miscellaneous Web sites, not always to do with the topic under discussion (and a number of which are repeated at random through the work) so this detracts even more from the material that could have been provided.

A pamphlet on viruses surrounded by some opining on security issues buried within a lot of careless research.

Viruses Revealed: Understanding and Counter Malicious Software

"Viruses Revealed: Understanding and Counter Malicious Software", Robert M. Slade/David Harley/Urs Gattiker, 2001, 0-07-213090-3


The International Institute for Fashion and Other Really Nasty Things today announced the winner of the 2001 Award for the World's Ugliest Book Cover. "Normally, we wouldn't announce a winner until next spring some time," said Frederick Krueger, the Institute's president, "but with the release of `Viruses Revealed,' there really isn't room for any competition."

Spokespeople for Osborne/McGraw-Hill would not speak for attribution, but one did admit that they were pleased with the award. "We said we were going for `bold' and `eye-catching,' but our real target was to produce that sick-to-your-stomach flu feeling, to give people a real virus queasiness. It's nice to know we succeeded."

Security specialists were equally quick to comment on the contents of the work. "What a thick book!" said David Chess.

"Da- I mean, darn it, where are the taxonomies?" said Winn Schwartau, author of "Internet and Computer Ethics for Kids." He also promised to give us his real reaction "as soon as I get rid of the best of these rugrats."

"I think more time should go by between Slade's books." - Larry Bridwell

"How come my work didn't get mentioned?" - sarah gordon

"read it" - A. Padgett Peterson

"Should be `reviled'." - PGN

"A mythic work! No, sorry, that should be `mythical'." - Jeff Crume

"Why are these guys misusing my name?" - Gene Spafford

"Makes a great doorstop." - Tom Sheldon

"Oooh, a foreword from spaf!" - David Chess (no relation)

"Fills an unneeded gap." - Fred Cohen

Computers Under Attack: intruders, worms and viruses

"Computers Under Attack: intruders, worms and viruses", Peter J. Denning, ed., ACM Press, 1990, 0-201-53067-8


This book is a very readable, enjoyable and valuable resource for anyone interested in "the computer world".

That said, I must admit that I am still not sure what the central theme of this book is. Denning has brought together a collection of very high quality essays from experts in various fields, and at one point refers to it as a "forum". That it is, and with a very distinguished panel of speakers, but it is difficult to pin down the topic of the forum. Not all of the fields are in data security, nor even closely related to it. (Some of the works, early in the book, relating to what we now generally term "the Internet", do contain background useful in understanding later works regarding "cracking" intrusions and worm programs.)

All, however, are interesting and sometimes seminal works. Some are classics, such as Ken Thompson's "Reflections on Trusting Trust" and Shoch and Hupp's "The Worm Programs". Others are less well known but just as good, such as the excellent computer virus primer by Spafford, Heaphy and Ferbrache.

(Please do not consider my confusion over the subject to be a criticism, either. I do want to recommend the book. I just find myself wondering to whom to recommend it. Also, in fairness, I must say that Peter Denning, who has had a chance to respond to the first draft of this review as usual, doesn't consider it a review. Which, I suppose, makes us even :-)

The book is divided into six sections. The first two deal with networks and network intrusions, the next two with worms and viral programs, and the last two with cultural, ethical and legal issues. While all of the topics have connections to data security, there are some significant "absences". (There is, for example, no discussion of the protection of data against "operational" damage, as in accidental deletions and failure to lock records under multiple access.)

In addition to shortages of certain fields of study within data security, the treatment of individual topics shows imbalances as well. The division on worm programs contains seven essays. Six of these deal with the Internet/Morris worm. The seventh is the unquestionably important Shoch and Hupp work, but it is odd that there is so much material on the Internet/Morris worm and nothing on, say, the CHRISTMA EXEC.

Sad to say, the essays are not all of equal calibre. This is only to be expected: not all technical experts have equal facility with language. However, in spite of the noted gaps, and the occasional "bumps" in the articles, most of the articles can be read by the "intelligent innocent" as well as the "power user". At the same time, there is much here that can be of use to the data security expert. At the very least, the book raises a number of ongoing issues that are, as yet, unresolved.

What, then, is the book? It is not a data security manual: the technical details are not sufficient to be of direct help to someone who is responsible for securing a system. At the same time, a number of the essays raise points which would undoubtedly lead the average system administrator to consider security loopholes which could otherwise go unnoticed.

Is it a textbook? While it would be a valuable resource for any data security course, the "missing" topics make it unsuitable as the sole reference for a course. The breadth of scope, and the quality of the compositions make it very appealing, as does the inclusion of the large social component.

While the book won't have the popular appeal of a "Cuckoo's Egg", it is nevertheless a "good read" even for the non-technical reader. The section on international networks is particularly appropriate as society is becoming more interested in both email and "cyberspace". The overview it gives on related issues would benefit a great many writers who seem to have a lot of "profile" but little understanding.

My initial reason for reviewing the book was primarily as a resource for those seeking an understanding of computer viral programs. As such, there are definite shortcomings in the coverage, although what is there is of very high quality. The additional topics, far from detracting from the viral field or clouding the issue, contribute to a fuller understanding of the place of viral programs in the scheme of computers and technology as a whole. Therefore, while it would be difficult to recommend this work as a "how to" for keeping a company (or home) safe from viral programs, it should be required reading for anyone seriously interested in studying the field.

One point is raised by the inclusion of the cultural, social and legal essays within the book. It was with a trepidation growing almost to a sense of despair that I read the last two sections. Here we see again the same hackneyed phrases, and the same unmodified positions that have been a part of every discussion of computer ethics for the last twenty years. (Or more.) This is by no means to be held against Denning: on the contrary, it is the fact that he has selected from the best in the business that is so disheartening. Do we really have no more options than are listed here? Can we really come to no better conclusions?

One illustration that is repeatedly used is that of credit reporting agencies. We feel that such entities must be watched. We note that the computer systems which they depend upon must be checked for anomalies, such as bad data or "key fields" which cross link bad data with good people. Still and all, we see them as a necessary evil. Breaking into such systems, however, is an invasion of privacy, and therefore wrong. Carried to its logical conclusion, this attitude states that "free" access to such semi-private information is wrong, but that it is "right" for companies to make money by "selling" such information.

Of course the situation is not quite that simple. (It never is, is it?) After all, a large corporation needs the goodwill of the public for its continued existence. The corporation, therefore, has more of a vested interest in safeguarding confidential information than any random individual with a PC and a modem. This belief in the "enlightened self interest" of corporations, however, would seem to more properly belong to an earlier age: one in which corporations didn't go bankrupt and banks didn't fall like dominoes. After all, it used to be that companies kept employees on for forty years before giving them the gold watch. Now even the most stable might lay off forty thousand in one year.

A single thread runs through almost all sixteen articles, four statements and ten letters in the final two sections. It is a call, sometimes clarion, sometimes despairing, for "computer ethics". Not once is there proposed what such an animal might be. Even the NSF (National Science Foundation) and CPSR (Computer Professionals for Social Responsibility) statements only hint at some legalistic definitions, but never try to look at what a foundation for such "ethics" might be. With our society discarding moral bases as fast as possible, the most useful statement might be Dorothy Denning's, when, in conversation with Frank Drake, she states that, "The survival of humanity is going to demand a much greater level of caring for our fellow human beings ... than we have demonstrated so far."

Still, even the disappointments of this final part of the book are important. "Computers Under Attack" is a realistic overview of the current state of thinking in information technology, and the problems facing society as a whole. Far from the "gee whiz" of the futurist, and equally distanced from the sometimes dangerous "CH3CK 1T 0UT, D00DZ!" of the cyberpunk, Denning's collection of essays is important not only for the concerned computer user, but also for anyone concerned with the future of our increasingly technically driven society.
