#1
I just got this book in from Amazon:
Malware Analyst's Cookbook and DVD, and I have to say it is fantastic so far. The DVD alone is worth the price of the book, with many custom analyst tools. The book is meant for forensic analysis of malware rather than specifically for removal. But it covers setting up a malware lab with a honeypot and analysis techniques to classify and see the actions of specific malware. I've also been studying this book: Rootkits: Subverting the Windows Kernel, which I know has been mentioned on this forum before. I also highly recommend it. If we're going to stay at the top of our game in malware removal, we have to learn how malware works. It is constantly evolving, and written by some of the best coders out there. We can't rely on scanners to do the work for us, nor can we rest on our laurels in our tried and true techniques of manual removal. Would love to know if other folks have been using these books or any others to stay on top of malware? -Rance
#2
Nearly bought the second book as it is only £20, but as it was published in 2005, is it not out of date?
#3
It is and was even when it was released. The methods it covers are so fundamental and basic that they should be studied all the same, in my opinion. Even though new techniques have developed, the fundamentals are important to understand. And without these fundamentals under our belts, it is harder to follow the blogs, and websites that we can use to keep us up to date on the cutting edge malware.
How many of us can say we really understand how a rootkit works or what one is? I know there are some on here that do and can, but I bet they are the minority. That's not meant to be a troll or flame-inducing comment, but an honest assessment of our normal techniques as computer techs. -Rance
#4
I don't have anything like enough understanding hence me wanting to study this in a lot more detail. It is a skill I can hopefully take with me beyond the desktop operating system.
#5
Thanks, it looks like a good book.
#6
The malware cookbook is only £26 inc. delivery, and I can claim the tax back on that too.
Will order it tonight.
#7
So in terms of helping a tech in malware removal, what sort of things does it teach that we don't already do, i.e. checking common registry and file locations and using reporting tools like Autoruns, OTL, HJT and the common scanning tools?
#8
Mostly I'd say it teaches how the tools work and not just how to use them. You'll see a lot of how malware, rootkits especially, hide. Particularly how they can hide their registry and file entries using alternate data streams. Programs like GMER and such check for this kind of thing.
The Malware cookbook will show you how many of the viruses accomplish what they accomplish. I've already learned a few new techniques for manual removal that I had no clue of before. Mostly I think it's an issue of knowing why we're running a particular scan rather than just because it's a standard procedure. Or what we might miss in a purely manual removal. Most of all, how can you tell that the system is 100% absolutely clean? I find myself realizing how ignorant I am about how some of the tools I use work or just how sneaky some rootkits/malware really are.
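Added example for the alternate-data-stream point in the post above (Python; not code from either book or from anyone in this thread): a directory listing and Explorer show only a file's default stream, so anything a dropper tucks into a named NTFS stream is invisible unless you ask the Win32 FindFirstStreamW/FindNextStreamW API for the full stream list. The script enumerates the streams of one file on Windows and triages them; the sample stream listing, the "known benign" stream names and the executable-suffix list are constructed assumptions for illustration, not data from the books.

```python
"""Enumerate NTFS alternate data streams (ADS) on one file and triage them.

Added example; not from the thread or the books it discusses. The Win32
FindFirstStreamW / FindNextStreamW calls are the real API. SAMPLE_STREAMS,
KNOWN_BENIGN and EXECUTABLE_SUFFIXES are constructed assumptions.
"""
import ctypes
import sys
from ctypes import (POINTER, Structure, byref, c_int, c_longlong, c_uint,
                    c_void_p, c_wchar, c_wchar_p)

# Constructed sample of what the enumeration returns for a file carrying,
# besides its ordinary content, a browser "mark of the web" stream and a
# hidden executable (hypothetical, for illustration only).
SAMPLE_STREAMS = [
    ("::$DATA", 1_048_576),
    (":Zone.Identifier:$DATA", 26),
    (":svchost.exe:$DATA", 73_728),
]

# Assumption: named streams an analyst commonly sees on clean files.
KNOWN_BENIGN = {"Zone.Identifier", "SmartScreen", "encryptable"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".sys", ".bat", ".cmd", ".ps1", ".vbs")


def parse_stream_name(raw):
    """Split a Win32 stream name ':name:$TYPE' into (name, type).

    The default, unnamed data stream is reported as '::$DATA'.
    """
    if not raw.startswith(":") or raw.count(":") < 2:
        raise ValueError("not a Win32 stream name: %r" % raw)
    name, stream_type = raw[1:].rsplit(":", 1)
    return name, stream_type


def triage_streams(streams):
    """Label each (raw_name, size) pair; returns [(name, size, verdict), ...]."""
    findings = []
    for raw, size in streams:
        name, stream_type = parse_stream_name(raw)
        if stream_type != "$DATA":
            verdict = "non-data"
        elif name == "":
            verdict = "default"
        elif name.lower().endswith(EXECUTABLE_SUFFIXES):
            verdict = "suspicious-executable"
        elif name in KNOWN_BENIGN:
            verdict = "benign-known"
        else:
            verdict = "suspicious"
        findings.append((name, size, verdict))
    return findings


def suspicious_streams(streams):
    """Only the findings a tech should open up and look at."""
    return [f for f in triage_streams(streams) if f[2].startswith("suspicious")]


# --- Windows only: the real enumeration through kernel32 --------------------
class WIN32_FIND_STREAM_DATA(Structure):
    # LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", c_longlong), ("cStreamName", c_wchar * 296)]


FIND_STREAM_INFO_STANDARD = 0
INVALID_HANDLE_VALUE = c_void_p(-1).value
ERROR_HANDLE_EOF = 38


def enumerate_streams(path):
    """Return [(raw_name, size), ...] for every $DATA stream of `path`."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [c_wchar_p, c_int, POINTER(WIN32_FIND_STREAM_DATA), c_uint]
    k32.FindFirstStreamW.restype = c_void_p
    k32.FindNextStreamW.argtypes = [c_void_p, POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindNextStreamW.restype = c_int
    k32.FindClose.argtypes = [c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, byref(data), 0)
    if handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:      # no more streams
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


if __name__ == "__main__":
    # Usage on Windows: python ads_triage.py C:\path\to\file
    # Without a path (or off Windows) it triages the constructed sample.
    streams = enumerate_streams(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAMS
    for name, size, verdict in triage_streams(streams):
        print("%-22s %10d  %s" % (name or "(default)", size, verdict))
```

One caveat worth keeping in mind: this is still a user-mode view through the normal file-system API, so a kernel rootkit that filters directory and stream queries can hide a stream from this script just as it hides it from Explorer. That is why GMER-style tools compare what the API reports with what they read from the raw volume and flag the differences.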
#9
This is my favorite subject related to computer repair. I have read quite a lot on the topic and am very familiar with tools such as OTL, ComboFix, etc. I have also built some of my own manual diagnosis tools to help me do some stuff I wouldn't normally be able to do remotely.
However this looks like a great reference--I may give it a shot next!
__________________
-Steve
Born a technician, though always willing to learn and improve. :)
Managing Editor, DigitalChumps.com
Senior Editor, Notebookcheck
Owner/Sole Proprietor, Triple-S Computers
#10
Nice Steve,
I'd love to hear about some of the stuff you've done. I think that's my point here, long and rambling as it's been. I'd love to hear about things other people have done to learn more about virus removal from a technical standpoint. I'm working on getting my own honeypot and lab set up and can't wait to start catching some live ones from the wild. -Rance