The phone rings, and the networking guys tell you that you’ve been hacked and that your customers’ sensitive information is being stolen from your network. You begin your investigation by checking your logs to identify the hosts involved. You scan the hosts with antivirus software to find the malicious program, and catch a lucky break when it detects a trojan horse named TROJ.snapAK. You delete the file in an attempt to clean things up, and you use network capture to create an intrusion detection system (IDS) signature to make sure no other machines are infected. Then you patch the hole that you think the attackers used to break in to ensure that it doesn’t happen again.
Then, several days later, the networking guys are back, telling you that sensitive data is being stolen from your network. It seems like the same attack, but you have no idea what to do. Clearly, your IDS signature failed, because more machines are infected, and your antivirus software isn’t providing enough protection to isolate the threat. Now upper management demands an explanation of what happened, and all you can tell them about the malware is that it was TROJ.snapAK. You don’t have the answers to the most important questions, and you’re looking kind of lame. How do you determine exactly what TROJ.snapAK does so you can eliminate the threat? How do you write a more effective network signature? How can you find out if any other machines are infected with this malware? How can you make sure you’ve deleted the entire malware package and not just one part of it? How can you answer management’s questions about what the malicious program does?
All you can do is tell your boss that you need to hire expensive outside consultants because you can’t protect your own network. That’s not really the best way to keep your job secure.
Ah, but fortunately, you were smart enough to pick up a copy of Practical Malware Analysis. The skills you’ll learn in this book will teach you how to answer those hard questions and show you how to protect your network from malware.
Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring.
For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you'll be able to safely analyze, debug, and disassemble any malicious software that comes your way.
You'll learn how to:
Set up a safe virtual environment to analyze malware
Quickly extract network signatures and host-based indicators
Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
Use your newfound knowledge of Windows internals for malware analysis
Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
Analyze special cases of malware with shellcode, C++, and 64-bit code
Hands-on labs throughout the book challenge you to practice and synthesize your skills as you dissect real malware samples, and pages of detailed dissections offer an over-the-shoulder look at how the pros do it. You'll learn how to crack open malware to see how it really works, determine what damage it has done, thoroughly clean your network, and ensure that the malware never comes back.
Malware analysis is a cat-and-mouse game with rules that are constantly changing, so make sure you have the fundamentals. Whether you're tasked with securing one network or a thousand networks, or you're making a living as a malware analyst, you'll find what you need to succeed in Practical Malware Analysis.