Monday, December 13, 2010

Book Review: Malware Analyst's Cookbook

Michael Hale Ligh was kind enough to provide me with a review copy of a book he recently co-authored along with Steven Adair, Blake Hartstein, and Matthew Richard, titled Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code. The book was an excellent read, and is an extremely valuable resource for any analyst in this industry.

First off, I am not a malware reverse engineer. Yes, I do have some experience working with malware, but not to the level that reverse engineers (REs) such as the authors tend to operate. I work with some really smart folks who do malware reverse engineering all the time, and they're very, very good at it. As such, during IR or digital forensics analysis, I tend to exchange information with the RE folks, providing what I've found and then taking what they find, and performing iterative analysis. I've found over time that this approach provides a much more in-depth analysis than the sum of its parts.

That being said, weighing in at a hefty 18 chapters, the Cookbook covers a wide range of topics specific to reverse engineering and analyzing malware, from anonymizing your research activities to honeypots to malware classification and automated analysis and beyond. Throughout the book, the authors present "recipes" for using various tools (many of which are open-source) to solve specific problems. For example, chapter 3 includes several recipes involving YARA, an open-source tool (written in C, with Python bindings) for identifying and classifying malware by pattern-matching rules. Many other popular tools are also used, including ssdeep, Didier Stevens's PDF tools, and even RegRipper. Chapter 15 discusses effectively using Volatility for memory analysis. Many of the examples provided in the book are based on the real-world experiences of the authors, lending considerable credence and value to the demonstrated skills and information imparted.

Chapter 10 is near and dear to my heart, not only due to the discussion of alternate data streams (ADSs), but also due to the fact that the authors wrote their own RegRipper plugins! That's right! These guys found some things of value with RegRipper and wrote their own plugins. It brings a tear to my eye to think that my little tool is all grow'd up!

Some of the truly powerful aspects of the book include clear, thorough explanations of the presented topics, as well as easy-to-follow examples that allow the reader to follow along and learn by doing (I tend to learn more by doing than by reading). Whether you're an aspiring reverse engineer, incident responder, or forensic analyst, this book will be an extremely valuable resource to you. For example, some of the explanations of how systems get infected with malware (malicious JavaScript, infectable document formats, HTML injection, etc.), as well as the artifacts that indicate a malware infection, will prove extremely valuable to IR/DF folks. Heck, even if you're a somewhat-seasoned malware reverse engineer, it's likely that this Cookbook will show you some things that you haven't seen before, or show you some ways of looking at malware that you haven't thought of before.

Much of what's in the Cookbook goes beyond commercially available applications and clearly demonstrates the use of Python- (or Perl-) based open source tools that accomplish specific objectives. The cookbook even goes so far as to explain and demonstrate how different malware-related activities are performed, as well as how they can be detected.

I have to say that reading through the Cookbook gave me a new appreciation for what malware reverse engineers do. I also walk away from the book with a better understanding, not only of how to look for malware during IR/DF activities, but also of how to better provide information and data to our reverse engineer once I've found it. I also walk away from it knowing that I'll be back. With more study and practice, I'm sure I can do some modicum of malware analysis beyond what I already do, and while I know that I'll never be at the level of the authors, I thank them for a truly exemplary and valuable resource. If I didn't already have it, this Cookbook would be on my Christmas list, at the very top!


David Sharpe said...

I think this book is a rare value. As I already outlined at, I believe this book gives you much of the content of the former $3500 Verisign iDefense Advanced Malware class. Having taken the similarly priced but inferior MANDIANT Advanced Malware Analysis class at Black Hat 2010, I feel this book is by far a better value at less than $40 USD on currently. This book plus Chris Eagle's "The IDA Pro Book" give you the bulk of what you would get in those two $7000 USD training courses and much more.

H. Carvey said...

Great comments, thanks!

Ken Pryor said...

I'm still in the middle of this book, having had to temporarily put it down for a bit to make time for something else. Anyway, I am so impressed with the book, not just with the information it contains, but also very much in the way it's presented.

I'm not a reverse engineer by any means, but enjoy learning about malware. I'm not proficient in any programming language, so some of the book is a tad over my head. That being said, the book is written in such a user-friendly style, you can't help but enjoy and learn from it. I think they really nailed it with the idea to put things in "recipes" to walk you through the material. I've been working on setting up a home lab to try many of the things I've read about already.