Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

Book Description

A computer forensics "how-to" for fighting malicious code and analyzing incidents

With our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems posed by viruses, Trojan horses, worms, spyware, rootkits, adware, and other invasive software. Written by well-known malware experts, this guide reveals solutions to numerous problems and includes a DVD of custom programs and tools that illustrate the concepts, enhancing your skills.

  • Security professionals face a constant battle against malicious software; this practical manual will improve your analytical capabilities and provide dozens of valuable and innovative solutions

  • Covers classifying malware, packing and unpacking, dynamic malware analysis, decoding and decrypting, rootkit detection, memory forensics, open source malware research, and much more

  • Includes generous amounts of source code in C, Python, and Perl to extend your favorite tools or build new ones, and custom programs on the DVD to demonstrate the solutions

Malware Analyst's Cookbook is indispensable to IT security administrators, incident responders, forensic analysts, and malware researchers.

Table of Contents

  Copyright
  Credits
  About the Authors
  Acknowledgments
  Introduction
    Who Should Read This Book
    How This Book Is Organized
    Setting Up Your Environment
    Conventions
  On The Book's DVD
  1. Anonymizing Your Activities
    1.1. The Onion Router (Tor)
    1.2. Malware Research with Tor
    1.3. Tor Pitfalls
      1.3.1. Speed
      1.3.2. Untrustworthy Tor Operators
      1.3.3. Tor Block Lists
    1.4. Proxy Servers and Protocols
      1.4.1. HTTP
      1.4.2. SOCKS4
      1.4.3. SOCKS5
    1.5. Web-Based Anonymizers
    1.6. Alternate Ways to Stay Anonymous
    1.7. Cellular Internet Connections
    1.8. Virtual Private Networks
    1.9. Being Unique and Not Getting Busted
  2. Honeypots
    2.1. Nepenthes Honeypots
    2.2. Working with Dionaea Honeypots
  3. Malware Classification
    3.1. Classification with ClamAV
    3.2. Classification with YARA
    3.3. Putting It All Together
  4. Sandboxes and Multi-AV Scanners
    4.1. Public Antivirus Scanners
    4.2. Multi-Antivirus Scanner Comparison
    4.3. Public Sandbox Analysis
  5. Researching Domains and IP Addresses
    5.1. Researching Suspicious Domains
      5.1.1. WHOIS on Linux and Mac OS X
      5.1.2. Cygwin on Windows
      5.1.3. WHOIS with Sysinternals on Windows
      5.1.4. Additional Tools for Windows
      5.1.5. Web Tools
      5.1.6. The Host Command (Unix only)
      5.1.7. The Dig Command (Unix only)
      5.1.8. The nslookup Command
      5.1.9. The Ping Command
      5.1.10. Web-Based Tools
    5.2. Researching IP Addresses
    5.3. Researching with Passive DNS and Other Tools
      5.3.1. Querying ASNs with Shadowserver
      5.3.2. Querying ASNs with Netcat
      5.3.3. The Anti-Abuse Project
    5.4. Fast Flux Domains
      5.4.1. Detecting Fast Flux with TTLs
      5.4.2. Using Passive DNS for Detecting Fast Flux
    5.5. Geo-Mapping IP Addresses
  6. Documents, Shellcode, and URLs
    6.1. Analyzing JavaScript
    6.2. Analyzing PDF Documents
    6.3. Analyzing Malicious Office Documents
    6.4. Analyzing Network Traffic
  7. Malware Labs
    7.1. Networking
    7.2. Physical Targets
  8. Automation
    8.1. The Analysis Cycle
    8.2. Automation with Python
    8.3. Adding Analysis Modules
    8.4. Miscellaneous Systems
  9. Dynamic Analysis
    9.1. API Monitoring/Hooking
    9.2. Data Preservation
  10. Malware Forensics
    10.1. The Sleuth Kit (TSK)
    10.2. Forensic/Incident Response Grab Bag
    10.3. Registry Analysis
  11. Debugging Malware
    11.1. Working with Debuggers
    11.2. Immunity Debugger's Python API
    11.3. WinAppDbg Python Debugger
  12. De-obfuscation
    12.1. Decoding Common Algorithms
    12.2. Decryption
    12.3. Unpacking Malware
    12.4. Unpacking Resources
    12.5. Debugger Scripting
  13. Working with DLLs
  14. Kernel Debugging
    14.1. Remote Kernel Debugging
    14.2. Local Kernel Debugging
    14.3. Software Requirements
  15. Memory Forensics with Volatility
    15.1. Memory Acquisition
    15.2. Preparing a Volatility Install
      15.2.1. Visualizations with psscan
  16. Memory Forensics: Code Injection and Extraction
    16.1. Investigating DLLs
      16.1.1. Code Injection and the VAD
      16.1.2. Adding YARA to malfind
    16.2. Reconstructing Binaries
  17. Memory Forensics: Rootkits
  18. Memory Forensics: Network and Registry
    18.1. Registry Analysis