Here is my book review of the Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard.
About the Book
The book is a huge compilation of short how-to articles called recipes on the “tools and techniques for fighting malicious code.” In addition, the book comes with a number of very useful custom written tools for automating or speeding up the process. The book is divided into several chapters which specialize on a specific topic. Some of the book’s topics include: Honeypots, Malware Classification, Malware Labs, Malware Forensics, Debugging Malware, Kernel Debugging, Memory Forensics (4 chapters of this)
Initial Impression
I had very high expectations for this book based on the fact that there aren’t many books out there on this subject and it’s something I’m particularly interested in. When I first received the book, I was pleasantly surprised at the literal size and the amount of content: this book is LOADED with information coming in at right close to 700 pages! A quick flip through the book told me that this book covers everything from very basic topics (e.g. using dig) to very advance topics (e.g. kernel debugging). I couldn’t wait to start the book!
The Audience/Skill Level
In the introductory part of the book, it has a small break down of “Who Should Read This Book.” Generally, I would sum it up as anyone and everyone that is interested in security would find this book interesting and entertaining. The book supports a wide range of skills levels from beginners to advanced. A basic knowledge of C/C++ and some Windows API’s is helpful but not required. Likewise, a basic knowledge of Python is not required but would help if you’d like to better understand the scripts that the book provides.
The Book
This isn’t your typical “take-a-seat-and-read” type book. Get your laptop, your desktop, and even some old machines and be prepared to dive right in.
The book focuses mainly on investigating Windows-based malware using tools mainly on Unix/Linux-based OS’es (Ubuntu, Mac OS X, etc) but there are some equivalent Windows based tools which the authors mention if available.
The recipe style of the book makes it very flexible to read and supports a wide range of audiences without confusing the newcomers and boring the advanced. Each recipe is self contained, well written, and easy to read. If you’re not interested in a specific recipe, you can never read it and you’ll have no problems following along in the rest of the book. Where applicable, a recipe provides links to additional information if you would like to take a deeper dive on the topic.
There are basically two approaches to reading this book.
- If you’re new to malware analysis, you can start from the beginning and progress to the end, skipping anything you already know or are not interested in, just like you would with any other book.
- The other approach would to be use the book as a shelf reference using the table of contents and index to search for what you’re trying to do. The progression of the book is from basic to advanced, so if you’re intermediate or advanced, you can easily skip to the later sections right from the beginning, although in my case I did find some new information, tips, and tools in the basic section that I wasn’t aware of so the basic sections may be worth a quick skim.
The included DVD does prove to be useful unlike other books, not just for following along and understanding a concept, but more importantly, it contains a number of custom Python scripts all geared towards improving and easing your malware analysis. You can easily add these scripts to your toolkits.
No book review would be complete without listing some of it’s downsides. Luckily for this book, there are very few downsides. The first downside is completely unrelated to the content and has to do with the actual book itself. The soft cover binding of the book is somewhat cheap and wears pretty quickly due to the size and weight of the book. A hardcover edition with a solid, strong binding would be a great enhancement. The other downside has to do with the content. While I think the authors make a great effort to minimize the specifics of a tool and focus more generally on the purpose of the tool, there are a few sections of the book which might get outdated quickly if a tool changes. However, I think this is the nature of the beast with technical books so it shouldn’t be something to worry about or prevent you from buying the book!
The Punchline
Whatever topic it is your looking for related to analyzing malware, with The Malware Analyst’s Cookbook: “There’s a recipe for that.”
Interested in analyzing the memory of a rootkit? There’s a recipe for that!
Interested in setting up a malware lab? There’s a recipe for that!
All in all, I would highly recommend this book to anyone interested in security as well as those who want to learn more about malware analysis. I’d also highly recommend this book to professionals in the security field - keep a copy of this book right next to your computer, I guarantee you’ll find it useful!