Fistandantilus

Malware Analyst's Cookbook & DVD (2011)


Malware Analyst’s Cookbook is a collection of solutions and tutorials designed to
enhance the skill set and analytical capabilities of anyone who works with, or
against, malware. Whether you’re performing a forensic investigation, responding to an
incident, or reverse-engineering malware for fun or as a profession, this book teaches you
creative ways to accomplish your goals. The material for this book was designed with several
objectives in mind. The first is that we wanted to convey our many years of experience
in dealing with malicious code in a manner friendly enough for non-technical readers to
understand, but complex enough so that technical readers won’t fall asleep. That being
said, malware analysis requires a well-balanced combination of many different skills. We
expect that our readers have at least a general familiarity with the following topics:
• Networking and TCP/IP
• Operating system internals (Windows and Unix)
• Computer security
• Forensics and incident response
• Programming (C, C++, Python, and Perl)
• Reverse-engineering
• Vulnerability research
• Malware basics
Our second objective is to teach you how various tools work, rather than just how to use
the tools. If you understand what goes on when you click a button (or type a command)
as opposed to just knowing which button to click, you’ll be better equipped to perform an
analysis on the tool’s output instead of just collecting the output. We realize that not everyone
can or wants to program, so we’ve included over 50 tools on the DVD that accompanies
the book; and we discuss hundreds of others throughout the text. One thing we tried to
avoid is providing links to every tool under the sun. We limit our discussions to tools that
we’re familiar with, and—as much as possible—tools that are freely available.
Lastly, this book is not a comprehensive guide to all tasks you should perform during
examination of a malware sample or during a forensic investigation. We tried to include
solutions to problems that are common enough to be most beneficial to you, but rare enough
to not be covered in other books or websites. Furthermore, although malware can target
many platforms such as Windows, Linux, Mac OS X, mobile devices, and hardware/firmware
components, our book focuses primarily on analyzing Windows malware.

Who Should Read This Book
If you want to learn about malware, you should read this book. We expect our readers to
be forensic investigators, incident responders, system administrators, security engineers,
penetration testers, malware analysts (of course), vulnerability researchers, and anyone
looking to be more involved in security. If you find yourself in any of the following situations,
then you are within our target audience:
• You’re a member of your organization’s incident handling, incident response, or
forensics team and want to learn some new tools and techniques for dealing with
malware.
• You work as a systems, security, or network administrator and want to understand
how you can protect end users more effectively.
• You’re a member of your country’s Computer Emergency Response Team (CERT)
and need to identify and investigate malware intrusions.
• You work at an antivirus or research company and need practical examples of analyzing
and reporting on modern malware.
• You’re an aspiring student hoping to learn techniques that colleges and universities
just don’t teach.
• You work in the IT field and have recently become bored, so you’re looking for a
new specialty to complement your technical knowledge.


How This Book Is Organized
This book is organized as a set of recipes that solve specific problems, present new tools, or
discuss how to detect and analyze malware in interesting ways. Some of the recipes are standalone,
meaning the problem, discussion, and solution are presented in the same recipe. Other
recipes flow together and describe a sequence of actions that you can use to solve a larger
problem. The book covers a large array of topics and becomes continually more advanced
and specialized as it goes on. Here is a preview of what you can find in each chapter:
• Chapter 1, Anonymizing Your Activities: Describes how you conduct online investigations
without exposing your own identity. You’ll use this knowledge to stay safe
when following along with exercises in the book and when conducting research
in the future.
• Chapter 2, Honeypots: Describes how you can use honeypots to collect the malware
being distributed by bots and worms. Using these techniques, you can grab
new variants of malware families from the wild, share them in real time with other researchers, analyze attack patterns, or build a workflow to automatically analyze
the samples.
• Chapter 3, Malware Classification: Shows you how to identify, classify, and organize
malware. You’ll learn how to detect malicious files using custom antivirus
signatures, determine the relationship between samples, and figure out exactly what
functionality attackers may have introduced into a new variant.
• Chapter 4, Sandboxes and Multi-AV Scanners: Describes how you can leverage
online virus scanners and public sandboxes. You’ll learn how to use scripts to control
the behavior of your sample in the target sandbox, how to submit samples on
command line with Python scripts, how to store results to a database, and how to
scan for malicious artifacts based on sandbox results.
• Chapter 5, Researching Domains and IP Addresses: Shows you how to identify and
correlate information regarding domains, hostnames, and IP addresses. You’ll learn
how to track fast flux domains, determine the alleged owner of a domain, locate
other systems owned by the same group of attackers, and create static or interactive
maps based on the geographical location of IP addresses.
• Chapter 6, Documents, Shellcode, and URLs: In this chapter, you’ll learn to analyze
JavaScript, PDFs, Office documents, and packet captures for signs of malicious
activity. We discuss how to extract shellcode from exploits and analyze it within a
debugger or in an emulated environment.
• Chapter 7, Malware Labs: Shows how to build a safe, flexible, and inexpensive lab
in which to execute and monitor malicious code. We discuss solutions involving
virtual or physical machines and using real or simulated Internet.
• Chapter 8, Automation: Describes how you can automate the execution of malware
in VMware or VirtualBox virtual machines. The chapter introduces several Python
scripts to create custom reports about the malware’s behavior, including network
traffic logs and artifacts created in physical memory.
• Chapter 9, Dynamic Analysis: One of the best ways to understand malware behavior
is to execute it and watch what it does. In this chapter, we cover how to build your
own API monitor, how to prevent certain evidence from being destroyed, how to log
file system and Registry activity in real time without using hooks, how to compare
changes to a process’s handle table, and how to log commands that attackers send
through backdoors.
• Chapter 10, Malware Forensics: Focuses on ways to detect rootkits and stealth
malware using forensic tools. We show you how to scan the file system and Registry
for hidden data, how to bypass locked file restrictions and remove stubborn malware,
how to detect HTML injection and how to investigate a new form of Registry
“slack” space.
• Chapter 11, Debugging Malware: Shows how you can use a debugger to analyze,
control, and manipulate a malware sample’s behaviors. You’ll learn how to script
debugging sessions with Python and how to create debugger plug-ins that monitor
API calls, output HTML behavior reports, and automatically highlight suspicious
activity.
• Chapter 12, De-obfuscation: Describes how you can decode, decrypt, and unpack
data that attackers intentionally try to hide from you. We walk you through the
process of reverse-engineering a malware sample that encrypts its network traffic
so you can recover stolen data. In this chapter, you also learn techniques to crack
domain generation algorithms.
• Chapter 13, Working with DLLs: Describes how to analyze malware distributed
as Dynamic Link Libraries (DLLs). You’ll learn how to enumerate and examine a
DLL’s exported functions, how to run the DLL in a process of your choice (and
bypass host process restrictions), how to execute DLLs as a Windows service, and
how to convert DLLs to standalone executables.
• Chapter 14, Kernel Debugging: Some of the most malicious malware operates only
in kernel mode. This chapter covers how to debug the kernel of a virtual machine
infected with malware to understand its low-level functionality. You learn how to
create scripts for WinDbg, unpack kernel drivers, and to leverage IDA Pro’s debugger
plug-ins.
• Chapter 15, Memory Forensics with Volatility: Shows how to acquire memory
samples from physical and virtual machines, how to install the Volatility advanced
memory forensics platform and associated plug-ins, and how to begin your analysis
by detecting process context tricks and DKOM attacks.
• Chapter 16, Memory Forensics: Code Injection and Extraction: Describes how you
can detect and extract code (unlinked DLLs, shellcode, and so on) hiding in process
memory. You’ll learn to rebuild binaries, including user mode programs and kernel
drivers, from memory samples and how to rebuild the import address tables (IAT)
of packed malware based on information in the memory dump.
• Chapter 17, Memory Forensics: Rootkits: Describes how to detect various forms
of rootkit activity, including the presence of IAT, EAT, Inline, driver IRP, IDT, and
SSDT hooks on a system. You’ll learn how to identify malware that hides in kernel
memory without a loaded driver, how to locate system-wide notification routines,
and how to detect attempts to hide running Windows services.
• Chapter 18, Network and Registry: Shows how to explore the artifacts created on
a system due to a malware sample’s network activity. You’ll learn to detect active
connections, listening sockets, and the use of raw sockets and promiscuous mode
network cards. This chapter also covers how to extract volatile Registry keys and
values from memory.

malware_analysts_cookbook_and_dvd_tools_and_techniques_for_fighting_malicious_code.pdf

[hide] For the DVD, send me a PM; every system flags it as a virus because of various regexes. I bought the book myself as part of a book bundle on a well-known site, and the DVD is required for the exercises it contains. [/hide]