Malware Analyst's Cookbook and DVD Tools and Techniques for Fighting Malicious Code

Steven Adair is a member of the Shadowserver Foundation and frequently analyzes malware and tracks botnets. He also investigates cyber attacks of all kinds with an emphasis on those linked to cyber espionage.

Blake Hartstein is the author of multiple security tools and a Rapid Response Engineer at Verisign iDefense, where he responds to malware incidents.

Matthew Richard has authored numerous security tools and also ran a managed security service for banks and credit unions.

On The Book's DVD.

1 Anonymizing Your Activities.

Recipe 1-1: Anonymous Web Browsing with Tor.

Recipe 1-2: Wrapping Wget and Network Clients with Torsocks.

Recipe 1-3: Multi-platform Tor-enabled Downloader in Python.

Recipe 1-4: Forwarding Traffic through Open Proxies.

Recipe 1-5: Using SSH Tunnels to Proxy Connections.

Recipe 1-6: Privacy-enhanced Web browsing with Privoxy.

Recipe 1-7: Anonymous Surfing with Anonymouse.org.

Recipe 1-8: Internet Access through Cellular Networks.

Recipe 1-9: Using VPNs with Anonymizer Universal.

2 Honeypots.

Recipe 2-1: Collecting Malware Samples with Nepenthes.

Recipe 2-2: Real-Time Attack Monitoring with IRC Logging.

Recipe 2-3: Accepting Nepenthes Submissions over HTTP with Python.

Recipe 2-4: Collecting Malware Samples with Dionaea.

Recipe 2-5: Accepting Dionaea Submissions over HTTP with Python.

Recipe 2-6: Real-time Event Notification and Binary Sharing with XMPP.

Recipe 2-7: Analyzing and Replaying Attacks Logged by Dionea.

Recipe 2-8: Passive Identification of Remote Systems with p0f.

Recipe 2-9: Graphing Dionaea Attack Patterns with SQLite and Gnuplot.

3 Malware Classification.

Recipe 3-1: Examining Existing ClamAV Signatures.

Recipe 3-2: Creating a Custom ClamAV Database.

Recipe 3-3: Converting ClamAV Signatures to YARA.

Recipe 3-4: Identifying Packers with YARA and PEiD.

Recipe 3-5: Detecting Malware Capabilities with YARA.

Recipe 3-6: File Type Identification and Hashing in Python.

Recipe 3-7: Writing a Multiple-AV Scanner in Python.

Recipe 3-8: Detecting Malicious PE Files in Python.

Recipe 3-9: Finding Similar Malware with ssdeep.

Recipe 3-10: Detecting Self-modifying Code with ssdeep.

Recipe 3-11: Comparing Binaries with IDA and BinDiff.

4 Sandboxes and Multi-AV Scanners.

Recipe 4-1: Scanning Files with VirusTotal.

Recipe 4-2: Scanning Files with Jotti.

Recipe 4-3: Scanning Files with NoVirusThanks.

Recipe 4-4: Database-Enabled Multi-AV Uploader in Python.

Recipe 4-5: Analyzing Malware with ThreatExpert.

Recipe 4-6: Analyzing Malware with CWSandbox.

Recipe 4-7: Analyzing Malware with Anubis.

Recipe 4-8: Writing AutoIT Scripts for Joebox.

Recipe 4-9: Defeating Path-dependent Malware with Joebox.

Recipe 4-10: Defeating Process-dependent DLLs with Joebox.

Recipe 4-11: Setting an Active HTTP Proxy with Joebox.

Recipe 4-12: Scanning for Artifacts with Sandbox Results.

5 Researching Domains and IP Addresses.

Recipe 5-1: Researching Domains with WHOIS.

Recipe 5-2: Resolving DNS Hostnames.

Recipe 5-3: Obtaining IP WHOIS Records.

Recipe 5-4: Querying Passive DNS with BFK.

Recipe 5-5: Checking DNS Records with Robtex.

Recipe 5-6: Performing a Reverse IP Search with DomainTools.

Recipe 5-7: Initiating Zone Transfers with dig.

Recipe 5-8: Brute-forcing Subdomains with dnsmap.

Recipe 5-9: Mapping IP Addresses to ASNs via Shadowserver.

Recipe 5-10: Checking IP Reputation with RBLs.

Recipe 5-11: Detecting Fast Flux with Passive DNS and TTLs.

Recipe 5-12: Tracking Fast Flux Domains.

Recipe 5-13: Static Maps with Maxmind, matplotlib, and pygeoip.

Recipe 5-14: Interactive Maps with Google Charts API.

6 Documents, Shellcode, and URLs.

Recipe 6-1: Analyzing JavaScript with Spidermonkey.

Recipe 6-2: Automatically Decoding JavaScript with Jsunpack.

Recipe 6-3: Optimizing Jsunpack-n Decodings for Speed and Completeness.

Recipe 6-4: Triggering exploits by Emulating Browser DOM Elements.

Recipe 6-5: Extracting JavaScript from PDF Files with pdf.py.

Recipe 6-6: Triggering Exploits by Faking PDF Software Versions.

Recipe 6-7: Leveraging Didier Stevens's PDF Tools.

Recipe 6-8: Determining which Vulnerabilities a PDF File Exploits.

Recipe 6-9: Disassembling Shellcode with DiStorm.

Recipe 6-10: Emulating Shellcode with Libemu.

Recipe 6-11: Analyzing Microsoft Office Files with OfficeMalScanner.

Recipe 6-12: Debugging Office Shellcode with DisView and MalHost-setup.

Recipe 6-13: Extracting HTTP Files from Packet Captures with Jsunpack.

Recipe 6-14: Graphing URL Relationships with Jsunpack.

7 Malware Labs.

Recipe 7-1: Routing TCP/IP Connections in Your Lab.

Recipe 7-2: Capturing and Analyzing Network Traffic.

Recipe 7-3: Simulating the Internet with INetSim.

Recipe 7-4: Manipulating HTTP/HTTPS with Burp Suite.

Recipe 7-5: Using Joe Stewart's Truman.

Recipe 7-6: Preserving Physical Systems with Deep Freeze.

Recipe 7-7: Cloning and Imaging Disks with FOG.

Recipe 7-8: Automating FOG Tasks with the MySQL Database.

8 Automation.

Recipe 8-1: Automated Malware Analysis with VirtualBox.

Recipe 8-2: Working with VirtualBox Disk and Memory Images.

Recipe 8-3: Automated Malware Analysis with VMware.

Recipe 8-4: Capturing Packets with TShark via Python.

Recipe 8-5: Collecting Network Logs with INetSim via Python.

Recipe 8-6: Analyzing Memory Dumps with Volatility.

Recipe 8-7: Putting all the Sandbox Pieces Together.

Recipe 8-8: Automated Analysis with ZeroWine and QEMU.

Recipe 8-9: Automated Analysis with Sandboxie and Buster.

9 Dynamic Analysis.

Recipe 9-1: Logging API calls with Process Monitor.

Recipe 9-2: Change Detection with Regshot.

Recipe 9-3: Receiving File System Change Notifications.

Recipe 9-4: Receiving Registry Change Notifications.

Recipe 9-5: Handle Table Diffing.

Recipe 9-6: Exploring Code Injection with HandleDiff.

Recipe 9-7: Watching Bankpatch.C Disable Windows File Protection.

Recipe 9-8: Building an API Monitor with Microsoft Detours.

Recipe 9-9: Following Child Processes with Your API Monitor.

Recipe 9-10: Capturing Process, Thread, and Image Load Events.

Recipe 9-11: Preventing Processes from Terminating.

Recipe 9-12: Preventing Malware from Deleting Files.

Recipe 9-13: Preventing Drivers from Loading.

Recipe 9-14: Using the Data Preservation Module.

Recipe 9-15: Creating a Custom Command Shell with ReactOS.

10 Malware Forensics.

Recipe 10-1: Discovering Alternate Data Streams with TSK.

Recipe 10-2: Detecting Hidden Files and Directories with TSK.

Recipe 10-3: Finding Hidden Registry Data with Microsoft's Offline API.

Recipe 10-4: Bypassing Poison Ivy's Locked Files.

Recipe 10-5: Bypassing Conficker's File System ACL Restrictions.

Recipe 10-6: Scanning for Rootkits with GMER.

Recipe 10-7: Detecting HTML Injection by Inspecting IE's DOM.

Recipe 10-8: Registry Forensics with RegRipper Plug-ins.

Recipe 10-9: Detecting Rogue-Installed PKI Certificates.

Recipe 10-10: Examining Malware that Leaks Data into the Registry.

11 Debugging Malware.

Recipe 11-1: Opening and Attaching to Processes.

Recipe 11-2: Configuring a JIT Debugger for Shellcode Analysis.

Recipe 11-3: Getting Familiar with the Debugger GUI.

Recipe 11-4: Exploring Process Memory and Resources.

Recipe 11-5: Controlling Program Execution.

Recipe 11-6: Setting and Catching Breakpoints.

Recipe 11-7: Using Conditional Log Breakpoints.

Recipe 11-8: Debugging with Python Scripts and PyCommands.

Recipe 11-9: Detecting Shellcode in Binary Files.

Recipe 11-10: Investigating Silentbanker's API Hooks.

Recipe 11-11: Manipulating Process Memory with WinAppDbg Tools.

Recipe 11-12: Designing a Python API Monitor with WinAppDbg.

12 De-Obfuscation.

Recipe 12-1: Reversing XOR Algorithms in Python.

Recipe 12-2: Detecting XOR Encoded Data with yaratize.

Recipe 12-3: Decoding Base64 with Special Alphabets.

Recipe 12-4: Isolating Encrypted Data in Packet Captures.

Recipe 12-5: Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal.

Recipe 12-6: Porting OpenSSL Symbols with Zynamics BinDiff.

Recipe 12-7: Decrypting Data in Python with PyCrypto.

Recipe 12-8: Finding OEP in Packed Malware.

Recipe 12-9: Dumping Process Memory with LordPE.

Recipe 12-10: Rebuilding Import Tables with ImpREC.

Recipe 12-11: Cracking Domain Generation Algorithms.

Recipe 12-12: Decoding Strings with x86emu and Python.

13 Working with DLLs.

Recipe 13-1: Enumerating DLL Exports.

Recipe 13-2: Executing DLLs with rundll32.exe

Recipe 13-3: Bypassing Host Process Restrictions.

Recipe 13-4: Calling DLL Exports Remotely with rundll32ex.

Recipe 13-5: Debugging DLLs with LOADDLL.EXE.

Recipe 13-6: Catching Breakpoints on DLL Entry Points.

Recipe 13-7: Executing DLLs as a Windows Service.

Recipe 13-8: Converting DLLs to Standalone Executables.

14 Kernel Debugging.

Recipe 14-1: Local Debugging with LiveKd.

Recipe 14-2: Enabling the Kernel’s Debug Boot Switch.

Recipe 14-3: Debug a VMware Workstation Guest (on Windows).

Recipe 14-4: Debug a Parallels Guest (on Mac OS X).

Recipe 14-5: Introduction to WinDbg Commands And Controls.

Recipe 14-6: Exploring Processes and Process Contexts.

Recipe 14-7: Exploring Kernel Memory.

Recipe 14-8: Catching Breakpoints on Driver Load.

Recipe 14-9: Unpacking Drivers to OEP.

Recipe 14-10: Dumping and Rebuilding Drivers.

Recipe 14-11: Detecting Rootkits with WinDbg Scripts.

Recipe 14-12: Kernel Debugging with IDA Pro.

15 Memory Forensics with Volatility.

Recipe 15-1: Dumping Memory with MoonSols Windows Memory Toolkit.

Recipe 15-2: Remote, Read-only Memory Acquisition with F-Response.

Recipe 15-3: Accessing Virtual Machine Memory Files.

Recipe 15-4: Volatility in a Nutshell.

Recipe 15-5: Investigating processes in Memory Dumps.

Recipe 15-6: Detecting DKOM Attacks with psscan.

Recipe 15-7: Exploring csrss.exe’s Alternate Process Listings.

Recipe 15-8: Recognizing Process Context Tricks.

16 Memory Forensics: Code Injection and Extraction.

Recipe 16-1: Hunting Suspicious Loaded DLLs.

Recipe 16-2: Detecting Unlinked DLLs with ldr_modules.

Recipe 16-3: Exploring Virtual Address Descriptors (VAD).

Recipe 16-4: Translating Page Protections.

Recipe 16-5: Finding Artifacts in Process Memory.

Recipe 16-6: Identifying Injected Code with Malfind and YARA.

Recipe 16-7: Rebuilding Executable Images from Memory.

Recipe 16-8: Scanning for Imported Functions with impscan.

Recipe 16-9: Dumping Suspicious Kernel Modules.

17 Memory Forensics: Rootkits.

Recipe 17-1: Detecting IAT Hooks.

Recipe 17-2: Detecting EAT Hooks.

Recipe 17-3: Detecting Inline API Hooks.

Recipe 17-4: Detecting Interrupt Descriptor Table (IDT) Hooks.

Recipe 17-5: Detecting Driver IRP Hooks.

Recipe 17-6: Detecting SSDT Hooks.

Recipe 17-7: Automating Damn Near Everything with ssdt_ex.

Recipe 17-8: Finding Rootkits with Detached Kernel Threads.

Recipe 17-9: Identifying System-Wide Notification Routines.

Recipe 17-10: Locating Rogue Service Processes with svcscan.

Recipe 17-11: Scanning for Mutex Objects with mutantscan.

18 Memory Forensics: Network and Registry.

Recipe 18-1: Exploring Socket and Connection Objects.

Recipe 18-2: Analyzing Network Artifacts Left by Zeus.

Recipe 18-3: Detecting Attempts to Hide TCP/IP Activity.

Recipe 18-4: Detecting Raw Sockets and Promiscuous NICs.

Recipe 18-5: Analyzing Registry Artifacts with Memory Registry Tools.

Recipe 18-6: Sorting Keys by Last Written Timestamp.

Recipe 18-7: Using Volatility with RegRipper.

Index.

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.