Practical Malware Analysis: Book review

How do you keep your PC safe from malware? Install decent antivirus software, don't do anything careless when you browse the web and install software, and keep your security updates current. How do you keep a company full of PCs, servers and associated systems free from malware? You can't rely on anti-malware software, security updates and firewall rules — and you certainly can't rely on users being careful.

Whether users are careless, deliberately tricked by a hacker or just finding a way to get their job done, sooner or later malicious software is going to turn up on a PC or a server. A PC you can reimage, but protecting your systems against attack means understanding the way you're being attacked. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software may be the definitive book on the subject at the moment, at least for Windows. It's comprehensive, practical and extremely well written.

Unlike many advanced security books, Practical Malware Analysis doesn't assume that you already know a lot about the field and the relevant tools, or even about the basics of the way executable files are compiled on Windows. You can start at the beginning and quickly get up to speed on static analysis of the code in malware samples, setting up virtual machines where you can safely run dynamic analyses of what malware actually does when it's running. Key tools from sandboxes to Process Monitor and Process Explorer, to network tools like Wireshark and INetSim, to disassemblers like IDA Pro and debuggers like WinDbg and OllyDbg are gathered into a useful annotated appendix.

Disassembling malware in order to understand what it's doing requires you to understand how Windows applications and processes work — from code, memory and the heap down to assembler, x86 instructions and the stack, and up to APIs and COM by way of the file system, registry and network stack. This is an excellent introduction to the Windows internals that will give you a clear understanding of what's going on inside Windows and how to think about security issues and protections in the operating system.

There's a much shorter section on 64-bit processing in the advanced topics at the end of the book — there are few examples of 64-bit malware, and as this is a practical approach we can't complain. However, security improvements in the Windows 8 kernel and memory management are likely to drive malware authors to the 64-bit world once Windows XP becomes less common, and when that happens we hope there will be a second edition covering this. For the PCs and the infections you'll be facing today and for the next year, concentrating on x86 and Windows XP makes perfect sense.

Simply reading through examples and instructions doesn't guarantee that you've understood the explanation, or that you can put that understanding into practice. Consequently, every chapter has three accompanying labs with practical exercises, questions and tips. These are graded into an analysis everyone should be able to manage, one that will stretch you slightly, and a third level that you'll have to work hard at and consult the solutions for — unless you're already an expert.

You get access to simulated malware samples so you can practice your techniques without compromising your system. However, there are plenty of details about real-world threats like the Poison Ivy backdoor, as well as an extensive survey of malware behaviour from hash dumping to grab security credentials to crack later, to hijacking legitimate DLLs by modifying the KnownDLLs key in the registry, to intercepting system messages to applications.

Increasingly, malware is encrypted, packed or otherwise encoded. There's a chapter on analysing and decrypting protected malware, but that's not the only way to tackle it. Often, encrypted malware uses a command-and-control network to make an infected system part of a botnet, and you can detect encrypted traffic and take countermeasures without necessarily decrypting all of the malware.

Working with malware that's designed to report back to the attacker means you run the risk of warning them that you're analysing their code. The book's useful suggestions about how to avoid that lead into dealing with malware that's designed to be hard to disassemble or debug, or that behaves differently when it detects it's running in a VM.

In general, this book does exactly what it promises on the cover; it's crammed with detail and has an intensely practical approach, but it's well organised enough that you can keep it around as handy reference. The explanations and solutions to the lab exercises make up a third of the book, and they're the next best thing to going to a security conference like BlackHat or Defcon and taking a workshop with a malware analyst. Even if understanding malware is only a small part of your job, this is the book to give you a solid grounding in the issues and techniques.

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
By Michael Sikorski and Andrew Honig
No Starch Press
800 pages
ISBN: 978-1593272906
$59.95