Book Review: Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig
By Stephen Northcutt
I have been carrying this book around for three weeks and I have only made it to page 604, which is deep in the appendices, but I wanted to jot down some thoughts. The book tries to be self-contained, in that as little prior knowledge as possible is assumed. They begin by talking about static (not actually executing the code) and dynamic analysis, followed by a malware taxonomy. By page 10 the authors show you something very useful: how to run MD5 on a Windows system. We also learn about packing, which is very important in the analysis of malware, and we are introduced to PEiD, which unfortunately has been discontinued; version 0.95 is the last, but it still works fine. Next is PEview, to look at the PE sections. All of that is Chapter One; my point is that anyone with a Windows system and an interest can use these tools and learn a lot about what goes on in a Windows system.
The next topic is virtual systems, which is hugely important since you don't want to experiment with malware on your work laptop; no good can come of that. Chapter 3 requires the reader to be slightly technical, but it is all great stuff: Process Monitor and Process Explorer, and looking at strings and dependencies. I do not see how anyone who has hands-on responsibility for the security of Windows systems can rationalize not being familiar with these tools.
Chapter 4 is where they start the deep dive: registers and opcodes, the fundamentals of disassembly and, of course, we can't get anywhere without IDA Pro, so that comes right up. I can't remember a time this was not the tool of choice, and I found one web page that suggests it was released in 1997; that is a long time at the top. Speaking of tools that have been around for a while, I was surprised that OllyDbg is still a major debugger; good on you, Mr. Yuschuk. After this, the book starts to move past my technical depth. I did learn some things, I just could not follow everything, but here are a few facts I am glad I learned:
- Most malware uses Berkeley-style sockets, just like Unix
- I really enjoyed the explanation on how to look at the Poison Ivy trojan with OllyDbg
- The explanation on how to use Netcat to create a reverse shell
- How to use Pwdump and Pass-The-Hash
- The whole concept of anti-debugging, and especially using code checksums to detect that a debugger is being used
Don't miss Appendix B: they have taken many of the tools discussed in the text and put them in one place with a handy paragraph explanation for each one.