To become a great malware analyst, do I need to know how to read assembly language or actually know how to program in assembly language. Kind of the same question for C++ as well ?

Cool so would you say this book is good for someone who has never done any malware analysis ?

At the risk of being laughed off these boards...if you're a true beginner, some of the Head First books are pretty good. I've used a couple of them and have been generally satisfied. They cover the very basics, in some cases introducing the reader to variables, loops, conditional statements, etc. Plus they give you more or less real world exercises to do. Again, not for the experienced programmer but pretty good for the beginner.

Looks good but sadly seem to be USA only offer you guys get all the good stuff

What kind of knowledge would you need to have to fully understand most subjects in the book?

Breezed through the Primer and First chapter. The Primer provides a basic introduction, but not sure about the message its trying to provide with the following:
"Knowing the type of malware helps speed up the analysis, then lists down the types of malware and immediately follows it with caveat stating that one should not get too caught up with classifying the type of malware."


The first chapter talks about basic static analysis, with strings and reading the PE header.

Need to continue reading the book.

Do you seriously think that whitehat security researchers are leading the curve here? There may be pockets of genius that generate additional risk due to teaching blackhats techniques they did not know about, but by and large we are playing catchup. The bad guys have enormous resources to deploy here, far more than we can hope to match. Just because we don't know about that cool new antiforensic technique does not mean that it is not being utilized already. It just means we are blind to its usage. It's not like the bad guys share all their tips and tricks in some secret club. They are monetizing these attacks and just like any corporate IP, it's often a trade secret. Sometimes you see them bundled in exploit packs and sold to other criminal groups, but the really juicy stuff is kept closely guarded from what I've seen. What you are suggesting is highly dangerous and would be a huge step backwards in the progress we have been fighting for years with regards to information sharing.

I will agree that providing fixes along with what is broken provides significant value, but raising awareness that something is broken may help someone else devise a solution on the back of the breaker's research or help organizations avoid unnecessarily insecure implementations of the flawed technology in upcoming projects. If I don't know something is possible (like anti-forensics) I will make flawed assumptions about what is happening on my network. What if I did not know about the latest cool antiforensic technique and I made a rapid judgement based on faulty information that cost some poor shlub his job, or sent him to jail? I just might be able to compensate for these failures if I have enough information to understand how the attack is carried out or at least be able to educate management so we don't jump to conclusions. Maybe that malware evasion technique could be detected in other ways not previously thought of, maybe I could write a Snort signature to detect it. But if as a security researcher I don't know about the evasion technique, how would I even know where to start my research or even understand it was necessary? Burying your head in the sand does not further our collective knowledge. Understanding of real world techniques does. This whole thread comes off like a huge troll. I am truly astounded, do we really need to have this discussion in 2012?

</rant>

Why are you under the impression that there are no ethics in security research? From my perspective, it seems like most people try to adhere to responsible disclosure procedures. Maybe you're not hearing about those because they're not major news (i.e. quietly being credited in a patch report). Irresponsible disclosure seems like a surefire way to burn bridges in the industry, and most professionals are looking to further their career, not sink it. Some people may only be after notoriety, but I do not think they are the majority.

I think it's foolish to assume that no one else knows of a vulnerability. Like Ziggy said, if a vulnerability exists, it's a vulnerability regardless of how many people know about it. I know people that discover dozens by just letting fuzzers run in the background. If there are hundreds or thousands of others doing that as well, more than one person will stumble upon the same vulnerability sooner or later.

Maybe you only identify it as a DoS vulnerability while someone else has nearly completed a stable exploit for it. Is it ethical to withhold information until a vulnerability is being widely exploited? What if the vulnerability is being exploited in targeted attacks and isn't shown as "active in the wild?"

If the vendor can't/won't patch it in a timely manner, it's still beneficial to notify AV, IPS, and similar vendors that can compensate by beefing up other security controls. Likewise, administrators may be able to take steps to protect themselves as well (i.e. disabling a non-essential service that has a critical remotely-exploitable vulnerability).

I'd rather know about it before the bad guys find out so that I can defend proactively.

If there weren't "whitehat" researchers out there doing research and publicly disclosing it, we would only be able to reactively defend our networks. You get into the same type of rat race that AV vendors are in with signature based detection. You can't detect until you have a sample. When you collect a sample, you're already owned and you will continue to be owned up until the point when the AV vendor gets a signature out.

Also, how do you determine what other people know and don't know? When a researcher states that he/she doesn't think that their discovered vulnerability isn't being exploited in the wild, that's conjecture on their part. It also doesn't take into account whether or not some "blackhat" researcher isn't on the verge of making the same discovery.

If you are a security researcher and you keep your research to yourself, no one knows about the attack or how to detect it. In releasing information about the attack you are creating awareness of the attack which in turn creates awareness of how to detect/prevent the attack.

I'm sure there are a number of times when a "whitehat" researcher provided valuable, previously unknown attack information to "blackhats." But I think more often than not, the "whitehat" is providing the general public information about attacks that are already going on.

Regarding your definition of a vulnerability being a known weakness, I would argue with that. You are vulnerable whether you know about it or not.