PDA

View Full Version : Malware Analyst's Cookbook


blackburgpchelp
11-11-2010, 04:03 PM
I just got this book in from Amazon:
Malware Analyst's Cookbook and DVD (http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/ref=sr_1_1?ie=UTF8&s=books&qid=1289494502&sr=8-1) and I have to say it is fantastic so far. The DVD alone is worth the price of the book, with many custom analyst tools. The book is meant for forensic analysis of malware rather than specifically for removal. But it covers setting up a malware lab with honeypot and analysis techniques to classify and see the actions of specific malware.

I've also been studying this book: Rootkits: Subverting the Windows Kernel (http://www.amazon.com/Rootkits-Subverting-Windows-Kernel-ebook/dp/B000OZ0N76/ref=sr_1_3?s=books&ie=UTF8&qid=1289494737&sr=1-3) which I know has been mentioned on this forum before. I also highly recommend it.

If we're going to stay at the top of our game in malware removal, we have to learn how malware works. It is constantly evolving, and written by some of the best coders out there. We can't rely on scanners to do the work for us, nor can we rest on our laurels in our tried and true techniques of manual removal.

Would love to know if other folks have been using these books or any others to stay on top of malware?

-Rance

joydivision
11-11-2010, 06:30 PM
Nearly bought the second book as it is only 20 but as it was published in 2005 is not out of date?

blackburgpchelp
11-11-2010, 06:39 PM
It is and was even when it was released. The methods it covers are so fundamental and basic that they should be studied all the same, in my opinion. Even though new techniques have developed, the fundamentals are important to understand. And without these fundamentals under our belts, it is harder to follow the blogs, and websites that we can use to keep us up to date on the cutting edge malware.

How many of us can say we really understand how a rootkit works or what one is? I know there are some on here that do and can, but I bet they are the minority. That's not meant to be a troll or flame-inducing comment, but an honest assessment into our normal techniques as computer techs.

-Rance

joydivision
11-11-2010, 06:46 PM
I don't have anything like enough understanding hence me wanting to study this in a lot more detail. It is a skill I can hopefully take with me beyond the desktop operating system.

Martyn
11-11-2010, 06:49 PM
Thanks it looks a good book.

joydivision
11-11-2010, 06:59 PM
The malware cookbook is only 26 inc delivery and I can claim tax of that too :o Will order it tonight.

MobileTechie
11-12-2010, 07:27 AM
So in terms of helping a tech in malware removal, what sort of things does it teach that we don't already do - i.e. checking common reg and file locations and using reporting tools like autoruns, OTL, HJT and the common scanning tools?

blackburgpchelp
11-12-2010, 01:56 PM
Mostly I'd say it teaches how the tools work and not just how to use them. You'll see a lot of how malware, rootkits especially, hide. Particularly how they can hide their registry and file entries using alternate data streams. Programs like GMER and such check for this kind of thing.

The Malware cookbook will show you how many of the viruses accomplish what they accomplish. I've already learned a few new techniques for manual removal that I had no clue of before.

Mostly I think its an issue of knowing why we're running a particular scan rather than just because it's a standard procedure. Or what we might miss in a purely manual removal. Most of all, how can you tell that the system is 100% absolutely clean?

I find myself realizing how ignorant I am about how some of the tools I use work or just how sneaky some rootkits/malware really are.

othersteve
11-12-2010, 07:18 PM
This is my favorite subject related to computer repair. I have read quite a lot on the topic and am very familiar with tools such as OTL, ComboFix, etc. I have also built some of my own manual diagnosis tools to help me do some stuff I wouldn't normally be able to do remotely.

However this looks like a great reference--I may give it a shot next!

blackburgpchelp
11-12-2010, 07:59 PM
Nice Steve,

I'd love to hear about some of the stuff you've done. I think that's my point here, long and rambling as its been. I'd love to hear about things other people have done to learn more about virus removal from a technical standpoint.

I'm working on getting my own honeypot and lab set up and can't wait to start catching some live ones from the wild.

-Rance

ZenTree
11-13-2010, 07:41 AM
What are you thinking of using for the honeypot, any specific software?
There was a bit of software I looked at ages ago, I think it was called honeybot, that looked as though it had potential but then the internet distracted me with something else and I never went back :rolleyes:

blackburgpchelp
11-13-2010, 05:12 PM
The book covers using both Nepenthes and Dionaea, so I'll probably play around with both of those. Once I get my feet wet, I'll probably try some others.

ZenTree
11-13-2010, 07:18 PM
Thanks, I'll give them a look. That is until the internet distracts me again :D

MobileTechie
11-29-2010, 08:58 PM
I got this book but I'm not sure how much use it will be to me. It seems to aimed at the professional Malware Analyst that you might find working at a corporation or consultancy - the sort of person who needs to categorise malwares and track their geographical usage etc rather than a tech who mostly just wants to know how to spot and remove them.

It's pretty technical and has a lot of scripts and apps to write, mostly using Python but also in C and C++. It assumes a fairly high level of technical understanding.

It's interesting and I'm sure very good for its target audience. I'm just not sure I'm in that group.