Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
by Michael Sikorski and Andrew Honig
No Starch Press 2012.
ISBN 978-1-59327-290-6. Amazon.com USD 35.97. Table of Contents: http://nostarch.com/malware#toc
Reviewed by Richard Austin, May 27, 2012
Malware analysis was once pretty much the exclusive province of malware authors and anti-malware vendors but, as the authors point out (p. xxviii), in the days of "advanced persistent threats" and other forms of targeted digital malice, it is becoming critical to be able to answer tough analytical questions. What exactly did the malware do, how can it be detected in the future, how can the scope of the infection be determined, and how can one be really sure that it has been removed?
The authors' articulate, well-designed presentation goes a long way toward making the practice of malware analysis a standard part of the technical security professionals' repertoire. The book has several unique features that enhance its value for self-study:
Do note that the book is Windows-focused (Windows is still the largest malware target though other platforms are rising fast) and that it is a very technical book. Managerially-focused professionals will find anything past the first few chapters very tough sledding. This is also not a book you casually read on a rainy Sunday afternoon; working through at least some of the labs that follow each chapter is required to garner the maximum benefit from the book.
The authors organize their presentation into three parts dealing with analysis (basic analysis, advanced static analysis and advanced dynamic analysis), a fourth part dealing with malware functionality (what malware actually has to do in order to carry out its mission), a particularly fascinating fifth part that covers how malware authors harden their creations to resist detection and analysis, and a final part that deals with those interesting topics (such as shellcode analysis and 64-bit malware) that don't really fit in the earlier sections.
The presentation is focused on practical application rather than theory, and it is peppered with timely warnings regarding paralysis-of-analysis and knowing when to say your analysis is sufficiently complete. Though all the chapters have their virtues, chapter 14, "Malware-Focused Network Signatures", is of particular note for its application of the results of malware analysis to detecting the malware (or artifacts of its operation) in network traffic using Snort.
A wide variety of tools are introduced (some Open Source, some free and some commercial) and their use illustrated (and practiced in the labs). Appendix B provides a consolidated list and the reader will want to spend the hour or so downloading them before adventuring much past the second chapter. While some might criticize the publisher for not providing the tools on DVD with the book, actually visiting the sites to get the tools is a good exercise and exposes the reader to additional documentation and other tools that might be useful. Do be aware that some anti-malware programs will take grave exception to some of these tools; it would be wise to exclude your download directory from their purview.
As you probably suspect by now, readers will be exposed to a lot of assembler code. The authors provide an excellent introductory chapter on x86 disassembly and another chapter on recognizing source constructs in the disassembled code. When code snippets appear in the text (and they frequently do), the authors provide clear explanations rather than leaving such matters as "an exercise for the student". If you find yourself (like me) needing some additional background, Intel's instruction set documentation is freely available at http://www.intel.com/content/dam/doc/manual/64-ia-32-architectures-software-developer-vol-1-2a-2b-3a-3b-manual.pdf.
In summary, this is an awesome book on a very topical subject written by knowledgeable authors who possess the rare gift of being able to communicate their knowledge through the written word. Before starting, set aside the time required to set up the virtual infrastructure, download the tools and work through the labs. Your investment of time and effort will pay great dividends the first time you're faced with explaining what a piece of malware did and why you're sure it was completely eradicated.