Contents

Foreword

Acknowledgments

Introduction

Part I  Malware Blueprint

Chapter 1  Malware Analysis 101

Malware Analysis

Malware Analysis and Reverse Engineering

Types of Malware Analysis

Purpose of Malware Analysis

Limitations of Malware Analysis

The Malware Analysis Process

The Effective Malware Analyst

Familiarization with Malware

Familiarization with Analysis Tools

Patience

Recap

Chapter 2  Malware Taxonomy

Malware Classes

Infectors

Network Worms

Trojan Horse

Backdoors

Remote-Access Trojan

Information Stealers

Ransomware

Scareware

Fakeware

Greyware

Recap

Chapter 3  Malware Deployment

Malware Infection Vectors

Speed

Stealth

Coverage

Shelf Life

Types of Malware Infection Vectors

Physical Media

E-mails

Instant Messaging and Chat

Social Networking

URL Links

File Shares

Software Vulnerabilities

Potential Infection Vectors

Recap

Chapter 4  Protective Mechanisms

The Two States of Malware

Static Malware

Dynamic Malware

Protective Mechanisms

Static Malware Protective Mechanisms

Dynamic Malware Protective Mechanisms

Recap

Chapter 5  Malware Dependencies

Dependency Types

Environment Dependencies

Program Dependencies

Timing Dependencies

Event Dependencies

User Dependencies

File Dependencies

Recap

Part II  Malware Research Lab

Chapter 6  Malware Collection

Your Own Backyard

Scan for Malicious Files

Look for Active Rootkits

Inspect Startup Programs

Inspect Running Processes

Extract Suspicious Files

Free Sources

Contagio

KernelMode.info

MalShare.com

Malware.lu

Malware Blacklist

Malwarebytes Forum

Malekal’s Forum

Open Malware

Tuts4You

VirusShare.com

VX Heaven

Malware Trackers

Research Mailing Lists

Sample Exchange

Commercial Sources

Honeypots

Dionaea

Recap

Tools

Chapter 7  Static Analysis Lab

The Static Analysis Lab

Host File Inspection Tools

Mitigate Possible Infection

Mitigate Becoming a Malware Staging Point

Anonymous Communication

Setting Up the Lab

Choose the Hardware

Install the Operating System

Harden the Lab

Anonymize the Lab

Isolate the Lab

The Virtualized Static Analysis Lab

Backing Up and Restoring

Recap

Tools

Chapter 8  Dynamic Analysis Lab

Setting Up the Lab

Choose the Hardware

Install the Operating System

Make the Lab Malware Friendly

Anonymize the Lab

Isolate the Lab

Restoring to a Clean State

Virtualized Environment Clean State Restoration

Bare-Metal Environment Clean State Restoration

Backing Up and Restoring

The Golden Image

Host OS

Other Systems Supporting the Lab

Recap

Tools

Part III  Malware Inspection

Chapter 9  The Portable Executable File

The Windows Portable Executable File

The PE File Format

Relative Virtual Address

PE Import Functions

PE Export Functions

64-Bit PE File Format

Recap

Tools

Chapter 10  The Proper Way to Handle Files

File’s Analysis Life Cycle

Transfer

Analysis

Storage

Recap

Tools

Chapter 11  Inspecting Static Malware

Static Analysis Techniques

ID Assignment

File Type Identification

Antivirus Detection

Protective Mechanisms Identification

PE Structure Verification

Strings Analysis

Recap

Tools

Chapter 12  Inspecting Dynamic Malware

Virtual vs. Bare Metal

Dynamic Analysis

Analyzing Host Behavior

Analyzing Network Behavior

Dynamic Analysis Limitations

Recap

Tools

Chapter 13  Tools of the Trade

Malware Analysis Use Cases

Malware Analyst Toolbox

Tools of the Trade

Sysinternals Suite

Yara

Cygwin

Debuggers

Disassemblers

Memory Dumpers

PE Viewers

PE Reconstructors

Malcode Analyst Pack

Rootkit Tools

Network Capturing Tools

Automated Sandboxes

Free Online Automated Sandbox Services

Recap

Tools

Part IV  Appendixes

Appendix A  Tools List

Appendix B  List of Laboratories

Appendix C  Volatility Framework Basic Plug-ins

Index
