Practical Malware Analysis - A Book Review and Curmudgeonly Rant on the State of Reverse Engineering
Submitted by dannyquist on Mon, 2012-02-27 12:33. Malware
Recently I was asked to review a pre-publication copy of Mike Sikorski and Andrew Honig's book "Practical Malware Analysis" from No Starch Press. I gave it an enthusiastic review, and I strongly believe it will become the de facto text for learning malware analysis. What follows is a review of that book and a short rant on reverse engineering.
Before getting into Practical Malware Analysis, I hope you will indulge me in a rant about the other books on reverse engineering: they are not pretty. If you have taken one of my classes, you know I recommend a few books for learning reversing, but the steep mountain of prerequisite material you have to climb before you can become even somewhat proficient is daunting. The books I recommended were each based on the author's own personal style of reverse engineering, using the tools that were available at the time. The field has since become far more accessible thanks to the excellent tools from companies like Hex-Rays and Zynamics.
Practical Malware Analysis does a good job of tying together the methods of modern malware analysis. While most previous texts presented the state of the art at their time, PMA surveys many of the tools in use today. Part 1 starts with basic static techniques, how to set up a virtual environment, and basic dynamic analysis. These initial steps are the basis of any good reversing setup, and what is nice is that they are not dwelled on for an entire book.
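To make the "basic static techniques" of Part 1 concrete, here is an added Python example (mine, not code from the book or its authors) that does the first-pass triage the book opens with: hash the file, pull printable ASCII and UTF-16LE strings, flag imports that are red flags on their own, and use byte entropy as a packing heuristic. The sample bytes are constructed inline; the host name, registry path and the list of suspicious APIs are illustrative assumptions, not taken from any real sample.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample (not a real malware file): a plaintext region with the kind of
# strings an unpacked dropper leaks, followed by a pseudo-random blob standing in for
# a packed section. Hypothetical host name and registry path, for illustration only.
PLAIN_PART = (
    b"This program cannot be run in DOS mode.\x00"
    b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    b"http://example.invalid/gate.php\x00\x00"  # double NUL so the wide string starts cleanly
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
)
# Deterministic high-entropy bytes: SHA-256 digests of a counter (4 KiB total).
PACKED_PART = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE = PLAIN_PART + PACKED_PART

# Imports that are a classic red flag on their own (process injection, downloaders).
# Illustrative list, not exhaustive.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetWindowsHookExA", "URLDownloadToFileA", "WinExec",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 for looking the sample up in a corpus or online service."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_strings, wide_strings), roughly what `strings` and `strings -el` give."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.decode("ascii") for m in ascii_re.findall(data)]
    wide_strings = [m.decode("utf-16-le") for m in wide_re.findall(data)]
    return ascii_strings, wide_strings


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Packed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 1024) -> float:
    """Highest entropy over fixed-size windows; catches a packed region inside a mostly plain file."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def triage(data: bytes) -> dict:
    """Basic static triage: hashes, strings, suspicious imports, packing heuristic."""
    ascii_strings, wide_strings = extract_strings(data)
    report = file_hashes(data)
    report["ascii_strings"] = ascii_strings
    report["wide_strings"] = wide_strings
    report["suspicious_apis"] = sorted(set(ascii_strings) & SUSPICIOUS_APIS)
    report["entropy"] = shannon_entropy(data)
    report["max_window_entropy"] = max_window_entropy(data)
    # 7.0 bits/byte is the usual rule-of-thumb threshold for "probably packed".
    report["likely_packed"] = report["max_window_entropy"] > 7.0
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("sha256:", r["sha256"])
    print("suspicious imports:", r["suspicious_apis"])
    print("entropy: %.2f (max window %.2f), likely packed: %s"
          % (r["entropy"], r["max_window_entropy"], r["likely_packed"]))
    print("wide strings:", r["wide_strings"])
```

To run it against a real file, replace SAMPLE with `open(path, "rb").read()`. Two caveats a practitioner should keep in mind: an embedded compressed resource (a zipped payload, a PNG) trips the entropy heuristic just as a packer does, so treat it as a reason to look closer, not a verdict; and strings only shows what the author left readable, which is exactly what packers and string obfuscation exist to hide, so an empty-looking strings output is itself a finding.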
Part 2 covers how the Intel architecture, IDA Pro, modern compilers, and the Windows operating system relate to reverse engineering. Understanding these as they apply to the reversing process is extremely important. Short of implementing a compiler, learning the fundamentals of the architecture is the most important thing a reverser can do to understand the field. The difference between an adequate reverser and a great one lies in understanding how these system pieces interact.
The rest of the book moves on to the advanced topics: Parts 3 and 4 cover advanced dynamic analysis (debugging) and malware functionality. Part 5 deals with all the ways malware authors can make your life miserable, from anti-disassembly and anti-debugging to anti-virtual-machine tricks and packers. Part 6, "Special Topics," covers shellcode analysis, C++ specifics, and the ever-looming threat of 64-bit malware. I suspect there will be a second edition once 64-bit malware comes into vogue.
Overall the book is excellent for those who are new to the field. Experts love to grumble that nothing is new anymore, that everything sucks, and to pine for the good old days of reverse engineering with some wire-wrap, a lead pencil, a 9-volt Duracell, and a single LED. If you consider yourself one of these people, reading this book is going to feel a lot like wearing someone else's underwear. If, on the other hand, you read it and put aside your natural skepticism of all things new, you might learn something.
I really do like this book.
Edit 3/4/2012: I have no financial interest in the book. The only thing I received was a reviewer's copy. This was not sponsored or paid for in any way by the authors or publishers.
Edit 2/13/2013: There is a Serbo-Croatian translation of this review by Joanna Milutinovich.
I'm looking for a sample of the rogue known as navashield. I would prefer to have it in a .zip file for security reasons, but any other method would be just fine. I'm pretty sure someone has posted a download link on the forum at some point or other.
Can someone please make koobface available?
I need it to run on my sandbox.
Source code for Fragus Crimepack - a recent variant of the crimepack sold for $800 USD... The archive has everything you need to build it!
RAR Password: "infected" (without quotes)
Just need a sample of this one : TR/Crypt.XPACK.Gen2
I downloaded a Rustock family rootkit and attempted to infect the system with that malware, except it seems to crash before it can infect my environment. I ran it under the debugger, set a breakpoint at the entry point and attempted to walk through execution, but I still crash at a certain point. Before I investigate that, I thought I would check whether I am making any obvious mistake (I am new to looking at malware downloaded from here).
I work for a research organization, and I'm looking into the ability to use machine learning techniques to learn safe vs. malicious PDF documents. In order to do this, I need massive quantities of both. I've been able to find 32 malicious PDFs on this website, and was able to crawl the web for 1600 likely safe PDF documents. Does anyone know of some good sources for such things? Thank you.
I'm looking for archives of malware, preferably 50mb to 2gb in size.
I am trying to record botnet network data in a controlled environment for my thesis research. I really should have all of the main types of botnet (IRC, HTTP, P2P); I haven't been able to find a P2P one.
Does anyone have the source for any P2P botnets? Any documentation for setup/operation would be helpful too.
Also I wouldn't mind having any other botnet source that you have for a more thorough sample.
Last week I gave a talk at the CAST forum about hunting malware with Volatility 2.0. In 40 slides I introduce the main features of this powerful forensic framework. All memory dumps discussed are snapshots from machines infected with modern malware and rootkits.