A computer forensics "how-to" for fighting malicious code and
analyzing incidents

With our ever-increasing reliance on computers comes an
ever-growing risk of malware. Security professionals will find
plenty of solutions in this book to the problems posed by viruses,
Trojan horses, worms, spyware, rootkits, adware, and other invasive
software. Written by well-known malware experts, this guide reveals
solutions to numerous problems and includes a DVD of custom
programs and tools that illustrate the concepts, enhancing your
skills.

* Security professionals face a constant battle against malicious
software; this practical manual will improve your analytical
capabilities and provide dozens of valuable and innovative
solutions

* Covers classifying malware, packing and unpacking, dynamic
malware analysis, decoding and decrypting, rootkit detection,
memory forensics, open source malware research, and much more

* Includes generous amounts of source code in C, Python, and Perl
to extend your favorite tools or build new ones, and custom
programs on the DVD to demonstrate the solutions

Malware Analyst's Cookbook is indispensable to IT
security administrators, incident responders, forensic analysts,
and malware researchers.



About the authors

Michael Hale Ligh is a malicious code analyst at Verisign
iDefense and Chief of Special Projects at MNIN Security.

Steven Adair is a member of the Shadowserver Foundation
and frequently analyzes malware and tracks botnets. He also
investigates cyber attacks of all kinds with an emphasis on those
linked to cyber espionage.

Blake Hartstein is the author of multiple security tools
and a Rapid Response Engineer at Verisign iDefense, where he
responds to malware incidents.

Matthew Richard has authored numerous security tools and
also ran a managed security service for banks and credit
unions.





Contents

Introduction xv
On The Book's DVD xxiii

1 Anonymizing Your Activities 1
Recipe 1-1: Anonymous Web Browsing with Tor 3
Recipe 1-2: Wrapping Wget and Network Clients with Torsocks 5
Recipe 1-3: Multi-platform Tor-enabled Downloader in Python 7
Recipe 1-4: Forwarding Traffic through Open Proxies 12
Recipe 1-5: Using SSH Tunnels to Proxy Connections 16
Recipe 1-6: Privacy-enhanced Web Browsing with Privoxy 18
Recipe 1-7: Anonymous Surfing with Anonymouse.org 20
Recipe 1-8: Internet Access through Cellular Networks 21
Recipe 1-9: Using VPNs with Anonymizer Universal 23

2 Honeypots 27
Recipe 2-1: Collecting Malware Samples with Nepenthes 29
Recipe 2-2: Real-Time Attack Monitoring with IRC Logging 32
Recipe 2-3: Accepting Nepenthes Submissions over HTTP with Python 34
Recipe 2-4: Collecting Malware Samples with Dionaea 37
Recipe 2-5: Accepting Dionaea Submissions over HTTP with Python 40
Recipe 2-6: Real-time Event Notification and Binary Sharing with XMPP 41
Recipe 2-7: Analyzing and Replaying Attacks Logged by Dionaea 43
Recipe 2-8: Passive Identification of Remote Systems with p0f 44
Recipe 2-9: Graphing Dionaea Attack Patterns with SQLite and Gnuplot 46

3 Malware Classification 51
Recipe 3-1: Examining Existing ClamAV Signatures 52
Recipe 3-2: Creating a Custom ClamAV Database 54
Recipe 3-3: Converting ClamAV Signatures to YARA 59
Recipe 3-4: Identifying Packers with YARA and PEiD 61
Recipe 3-5: Detecting Malware Capabilities with YARA 63
Recipe 3-6: File Type Identification and Hashing in Python 68
Recipe 3-7: Writing a Multiple-AV Scanner in Python 70
Recipe 3-8: Detecting Malicious PE Files in Python 75
Recipe 3-9: Finding Similar Malware with ssdeep 79
Recipe 3-10: Detecting Self-modifying Code with ssdeep 82
Recipe 3-11: Comparing Binaries with IDA and BinDiff 83

4 Sandboxes and Multi-AV Scanners 89
Recipe 4-1: Scanning Files with VirusTotal 90
Recipe 4-2: Scanning Files with Jotti 92
Recipe 4-3: Scanning Files with NoVirusThanks 93
Recipe 4-4: Database-Enabled Multi-AV Uploader in Python 96
Recipe 4-5: Analyzing Malware with ThreatExpert 100
Recipe 4-6: Analyzing Malware with CWSandbox 102
Recipe 4-7: Analyzing Malware with Anubis 104
Recipe 4-8: Writing AutoIT Scripts for Joebox 105
Recipe 4-9: Defeating Path-dependent Malware with Joebox 107
Recipe 4-10: Defeating Process-dependent DLLs with Joebox 109
Recipe 4-11: Setting an Active HTTP Proxy with Joebox 111
Recipe 4-12: Scanning for Artifacts with Sandbox Results 112

5 Researching Domains and IP Addresses 119
Recipe 5-1: Researching Domains with WHOIS 120
Recipe 5-2: Resolving DNS Hostnames 125
Recipe 5-3: Obtaining IP WHOIS Records 129
Recipe 5-4: Querying Passive DNS with BFK 132
Recipe 5-5: Checking DNS Records with Robtex 133
Recipe 5-6: Performing a Reverse IP Search with DomainTools 134
Recipe 5-7: Initiating Zone Transfers with dig 135
Recipe 5-8: Brute-forcing Subdomains with dnsmap 137
Recipe 5-9: Mapping IP Addresses to ASNs via Shadowserver 138
Recipe 5-10: Checking IP Reputation with RBLs 140
Recipe 5-11: Detecting Fast Flux with Passive DNS and TTLs 143
Recipe 5-12: Tracking Fast Flux Domains 146
Recipe 5-13: Static Maps with Maxmind, matplotlib, and pygeoip 148
Recipe 5-14: Interactive Maps with Google Charts API 152

6 Documents, Shellcode, and URLs 155
Recipe 6-1: Analyzing JavaScript with Spidermonkey 156
Recipe 6-2: Automatically Decoding JavaScript with Jsunpack 159
Recipe 6-3: Optimizing Jsunpack-n Decodings for Speed and Completeness 162
Recipe 6-4: Triggering Exploits by Emulating Browser DOM Elements 163
Recipe 6-5: Extracting JavaScript from PDF Files with ...

Title
Malware Analyst's Cookbook and DVD
Subtitle
Tools and Techniques for Fighting Malicious Code
EAN
9781118003367
ISBN
978-1-118-00336-7
Format
E-book (PDF)
Manufacturer
Publisher
Publication date
29.09.2010
Digital copy protection
Adobe DRM
File size
18.93 MB
Number of pages
792
Year
2010
Language
English