This topic has 24 replies, 8 voices, and was last updated 8 years, 10 months ago by Triban.
-
February 6, 2012 at 5:42 pm #7327
Triban
This book has popped up on a few posts around here, looks like Mandiant is doing a Fresh Prints webinar featuring info about the book from the authors as well as a 40% off code to purchase it and a free chapter for review. They will also be featuring a new free tool called FakeNet, which I assume is a sort of Sandboxing environment.
https://cc.readytalk.com/cc/s/showReg?udc=cdpyhqsbocld
In case you want to sign up, I signed up but it is going on during RSA so not sure how that will go.
-
March 7, 2012 at 5:22 pm #45768
Triban
So quick review of the book so far… I like it. It is very informative and it is pretty easy to follow. I am not that far into it but it does a good job covering some of the preliminary stuff. The book did not come with the DVD but if you were listening to the Webinar, they did make the labs available on their site:
http://www.practicalmalwareanalysis.com/labs
Also on the Webinar, they went over using their new tool FakeNet. You can load it on a standard XP install and run it similar to WebGoat. It will load a dummy site as well as respond to DNS requests and even serve up requests for files if the malware is looking for such things. The DNS works similarly to FakeDNS or ApateDNS.
To view the archived webinar and the FakeNet demo you can go to:
http://www.mandiant.com/presentations/fresh_prints_of_mal-ware_practical_malware_analysis/
Enjoy!
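The DNS half of what the post describes, as an added example that is not FakeNet's or the poster's code: a minimal FakeDNS/ApateDNS-style responder that answers every A query with one sink-hole address so a sandboxed sample resolves its hostnames to the analysis host. The sink address 192.0.2.10, the bind port and the sample query are assumptions made for the example.

```python
import socket
import struct

# Added example, not FakeNet's own code: every A/IN question gets one answer
# pointing at the analysis host, so the sandboxed sample talks to us instead
# of its real infrastructure. SINK_IP is an assumption (TEST-NET-1 range).
SINK_IP = "192.0.2.10"


def parse_qname(data, offset):
    """Decode an uncompressed DNS name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_fake_response(query, sink_ip=SINK_IP, ttl=60):
    """Build the reply for one DNS query; return (queried name, response bytes).
    A/IN questions get one answer; any other type gets NOERROR with no answers."""
    tid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, end = parse_qname(query, 12)  # question section follows the 12-byte header
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # NAME as a pointer to offset 12 (0xC00C), TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    # QR=1, keep opcode and RD from the query, set AA and RA, RCODE=0
    rflags = 0x8000 | (flags & 0x7900) | 0x0480
    header = struct.pack("!HHHHHH", tid, rflags, 1, ancount, 0, 0)
    return qname, header + question + answer


def serve(bind_addr="0.0.0.0", port=53):
    """Answer every UDP query on the sandbox interface (port 53 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        qname, resp = build_fake_response(data)
        print(f"{peer[0]} asked for {qname} -> {SINK_IP}")  # the log line the analyst reads
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

The printed log is the useful part: the list of names the sample tried to resolve, without the sample ever reaching the Internet.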
-
March 7, 2012 at 8:01 pm #45769
YuckTheFankees
Do you have to know programming pretty well to understand most of the topics covered in this book?
-
March 7, 2012 at 11:18 pm #45770
Triban
Knowing a bit about programming can always help you but it is not a requirement. If you know programming concepts, it should be enough. You do get a primer on Assembly. The deeper you go into the analysis, the more assembly you will need to sort through, then if you get to a higher level of reverse engineering, you are doing much more disassembly than before.
-
March 8, 2012 at 12:40 am #45771
Anonymous
Cool so would you say this book is good for someone who has never done any malware analysis?
-
March 8, 2012 at 2:11 am #45772
YuckTheFankees
I just bought the book. It will be here on Saturday ;D
-
March 8, 2012 at 2:13 am #45773
Eleven
@Jamie.R wrote:
Cool so would you say this book is good for someone who has never done any malware analysis?
I’ve been reading about malware analysis for a while, but this is the first time I’m actually putting it to use. The book starts off easy and gets more technical. I’m on chapter 17 and have done a few labs and so far it is easy to understand, except for chapter 15 on anti-disassembly. That was tough for me.
I’d say it’s a good book to start off with, but it can’t teach you everything about malware analysis. You will probably need to supplement it with Google searches, questions on forums, and by reading other malware books.
The previous reading I’ve done on assembly has definitely helped me understand this book.
-
March 8, 2012 at 2:46 am #45774
YuckTheFankees
If you need help learning assembly, SecurityTube has some good assembly primer videos.
-
March 8, 2012 at 6:08 pm #45775
Triban
It worked out for me since I had some HBGary Responder Pro training 2 weeks ago before RSA. So I was already through an Assembly primer. Malware analysis comes in a few levels. Your analysis for Incident Response will cover the first 2 levels, the What’s and Where’s of the analysis. Here is the suspicious file, here is what happened after the file appeared and where it might be hanging out. Then there is the deeper dive, what mutexes it left behind, what system processes were involved and what other files did it drop. Then full on reverse engineering to write stronger signatures for IPS and AV. First two levels are the fastest to process in order to respond quickly. The rest require much more time and effort but are the long term fixes to prevent future outbreaks and even do some forensics on the malicious items to determine where they may have originated from and who might have created them.
-
March 18, 2012 at 9:31 pm #45776
YuckTheFankees
To become a great malware analyst, do I need to know how to read assembly language or actually know how to program in assembly language? Kind of the same question for C++ as well.
-
March 19, 2012 at 1:34 pm #45777
Triban
I would say to become that level 4 reverse engineer, you would need to have a very strong understanding of Assembly. But I wouldn’t make it your focus. You can get a lot from malicious software when you toss it into a sandbox for behavioral analysis. If the malware has VM awareness, you will then need to perform a deeper analysis using more advanced tools that will certainly involve looking at the assembly. I am currently finishing off the System Security section of eCPPT (the reason why I haven’t gone deeper into the book). And the last 3 modules of that section have involved assembly. The reason being that you take advantage of the calls in the Windows DLLs (kernel32.dll) to initiate your shellcodes. So tossing a file into a disassembler and looking for certain process calls or data moves is key to writing a decent piece of shellcode. It’s also how you determine where an exploit might be possible. In the reverse, it is how you can determine what a decent piece of malware is doing to the system if it is exploiting an unknown Windows flaw or taking advantage of a process that Office is calling. Pretty much all those “Remote Code Execution” flaws we see in the Microsoft Security updates.
Once I get through eCPPT, I will probably try to keep fresh on the assembly and go through the primers. The more you work with it the better you can get. I’m certainly not going to try and write an OS but being able to tear down malware to the assembly level will be a handy skill when I am researching from my forest retreat staring out over the mountains 😀 ok that is wishful thinking about the mountains and such.
I think the more coding you know when dealing with malware, the better reverse engineer you can become, if that is your goal. It is a great skill to have and probably rewarding if you are in that tier 3 or 4 level of reverse engineering.
-
March 19, 2012 at 2:06 pm #45778
hayabusa
@3xban wrote:
I’m certainly not going to try and write an OS but being able to tear down malware to the assembly level will be a handy skill when I am researching from my forest retreat staring out over the mountains 😀 ok that is wishful thinking about the mountains and such.
++1 8)
-
March 19, 2012 at 3:55 pm #45779
sil
@YuckTheFankees wrote:
To become a great malware analyst, do I need to know how to read assembly language or actually know how to program in assembly language? Kind of the same question for C++ as well.
It all boils down to what you want to do at the end of the day. Understanding Assembly helps and you WILL NEED to understand enough for performing static analysis however, the reality is… Unless you’re doing it at the hobbyist level, most of the times you wouldn’t need to go that far and I will explain why…
When malware infects an environment, the goal is often containment, eradication and analysis. For the most part, containment and eradication come first followed by analysis. In many arenas, you won’t need to go that far in depth into analyzing from a reversed perspective. When you DO need to go this route, it is usually because something was specifically targeting you. Reversing on this scale is EXTREMELY time consuming.
Large companies and many in the gov/mil space use tools like Norman Sandbox, FireEye, etc., this drastically reduces the amount of time an analyst will spend on these things. You need to remember, time is ALWAYS money at the end of the day. So unless you can beat a machine, you’re up poop’s creek trying to race some of these sandboxes.
Most of the things I do when reversing come from a hybrid analysis perspective. Meaning I am performing both static and dynamic analyses and comparing the differences. It’s rare that I will go as far as dumping something in IDA Pro as it is not going to yield me anything I couldn’t obtain otherwise. I am not making an AV/AntiMalware signature, so little is to be gained from reversing where I can simply throw a memory dump into strings and find the same data.
So, to answer your question… You should learn Assembly for the sake of understanding as much as you can since it obviously helps however, you DO NOT NEED to learn Assembly from a programmer’s perspective to be a good malware analyst most times. (NOTE THE WORDS MOST TIMES) It all boils down to your environment.
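The "hybrid" comparison sil describes, as an added example that is not sil's code or any particular tool: run a strings pass over the file on disk and over a memory dump, and keep only what appears in memory, which is what the sample decoded or unpacked at run time. Both blobs are constructed for the example, and the XOR key, URL, mutex name and Run key are placeholders, not indicators from any real sample.

```python
import re

# Added example (not from the post or any specific tool). The two "images"
# below are constructed: on disk the C2 URL is XOR-encoded, so a strings
# pass only sees the imports and the mutex; in memory the sample has
# decoded the URL and built its persistence key. All values are placeholders.
XOR_KEY = 0xB7                                   # high bit set: encoded bytes are never printable
C2_URL = b"http://c2.example.test/gate.php"
MUTEX = "Global\\pma-sample-mutex".encode("utf-16-le")   # Windows wide string
RUN_KEY = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
PAD = b"\x00" * 4                                # keeps adjacent strings from running together

COMMON = b"MZ\x90\x00" + PAD + b"kernel32.dll" + PAD + b"GetProcAddress" + PAD + MUTEX + PAD
DISK_IMAGE = COMMON + bytes(c ^ XOR_KEY for c in C2_URL) + PAD
MEMORY_DUMP = COMMON + C2_URL + PAD + RUN_KEY + PAD


def extract_strings(blob, min_len=6):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, like strings -a/-el."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(blob)}
    return sorted(found)


def memory_only(disk_blob, mem_blob, min_len=6):
    """Strings present in the memory dump but absent from the on-disk file."""
    return sorted(set(extract_strings(mem_blob, min_len)) - set(extract_strings(disk_blob, min_len)))


if __name__ == "__main__":
    for s in memory_only(DISK_IMAGE, MEMORY_DUMP):
        print("only in memory:", s)
```

The mutex and imports fall out of the diff because static analysis already showed them; the URL and the Run key are what the dynamic side adds.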
-
March 19, 2012 at 8:04 pm #45780
Eleven
@YuckTheFankees wrote:
To become a great malware analyst, do I need to know how to read assembly language or actually know how to program in assembly language? Kind of the same question for C++ as well.
I’m sure to be great you would have to understand assembly. When you’re analyzing malware the assembly is already there so you don’t really have to know how to write assembly, just read it. However, to be great in malware analysis, or security in general, you would have to know how to program in high-level languages like C++, Python, etc.
-
March 20, 2012 at 1:44 pm #45781
YuckTheFankees
Thank you to everyone who replied and gave their input.
I’m going to take the next month or so to learn the main concepts of ASM and C++, just to make sure I get the most out of this book.
I hope to take the GREM by the end of the year ;D
-
April 14, 2012 at 11:10 pm #45782
Eleven
If anyone has taken GREM and read The Malware Analyst’s Cookbook and Practical Malware Analysis, how well would someone do on the exam just by reading those two books and practicing what they learned?
-
April 15, 2012 at 1:28 pm #45783
sil
It’s better to get the content from SANS since questions can be centered around what you saw/learned in the course, not the Practical Malware Analysis book. There are quite a few tools covered in SANS that are not even mentioned in the Practical book. I have the Practical book and while it’s ok, there are certain subjects that are covered in depth during the course (SANS) but only brushed up on in the Practical book.
-
April 15, 2012 at 4:44 pm #45784
Eleven
@sil wrote:
It’s better to get the content from SANS since questions can be centered around what you saw/learned in the course, not the Practical Malware Analysis book. There are quite a few tools covered in SANS that are not even mentioned in the Practical book. I have the Practical book and while it’s ok, there are certain subjects that are covered in depth during the course (SANS) but only brushed up on in the Practical book.
The Malware Analyst’s Cookbook covers some document analysis that is in GREM and Practical Malware Analysis doesn’t really cover. I’m sure SANS is better. However, I just can’t justify ~$4000 on SANS when those two books may not cover all the stuff GREM does, but they come close and do it for ~$70.
-
April 15, 2012 at 7:13 pm #45785
sil
You’re missing the point here. SANS’ exam is whatever they want it to be, not what another book places inside of it. You asked a specific question and got a specific answer. I have both books, Malware Analyst’s Cookbook and Practical Malware Analysis, and while there is SOME content SIMILAR to what is on the GREM exam, the questions on the GREM exam are SPECIFIC to what is in SANS’ content, NOT the two other books. Can you pass it with just those two books? NO. Does this mean you can’t learn from those books? NO. You WILL learn from those books but it will NOT be enough to do the GREM exam, especially when during GREM training they use CONCEPTS, applications and approaches that differ from what is covered in those two books.
-
April 15, 2012 at 8:31 pm #45786
Eleven
Yeah, I understand that. However, I’m pretty sure some people here have passed SANS exams (GPEN for example) without taking the SANS class or reading the SANS books… just by reading other books, online material and practicing. I know it would be easier by taking the class, and probably just by reading those two books you would fail, but I’m wondering how relevant those books are to SANS.
They may differ, but I think they would have a lot in common with GREM and so it may be worth it to do it the hard way without official books if it’s possible to save $4000.
-
April 16, 2012 at 1:39 pm #45787
dynamik
I can’t speak for this exam specifically, but it’s definitely possible to pass SANS/GIAC exams without taking the corresponding course. You’ll get two practice exams with a challenge attempt. While the difficulty may be less than the actual exam, the practice exams are still very useful for identifying gaps in knowledge. You’ll undoubtedly be exposed to new tools, techniques, etc., and then you can go do some independent research. Also be sure to review the day-by-day breakdown on the course page and research all those items.
-
April 17, 2012 at 1:56 pm #45788
Triban
I would consider the books a good place to start if you have an interest in Reverse Engineering malware but I would agree with sil that passing a GIAC course only using those books may be a waste of your 850 bucks. The SANS classes are expensive, but the material covered is pretty good and does match up with the GIAC exam. Not to mention you get the course materials which can be used during the exam since they are Open Book. So get the sticky notes and crib sheets ready.
-
April 23, 2012 at 8:51 pm #45789
idr0p
Good books for this cert:
Malware: Fighting Malicious Code – made by course writer Lenny Z. and other SANS instructor Ed S.
Malware Analyst’s Cookbook
and this book, and you will be all set.
-
April 30, 2012 at 2:59 pm #45790
sil
This is probably on par with the best free material you can find on malware from a realistic perspective (meaning, what really occurs when analyzing malware).
http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html
-
April 30, 2012 at 3:13 pm #45791
Triban
Nice, thanks!