MNIN Security

Malware Cookbook DVD Tools Online

mhl — Wed, 30 Mar 2011 15:37:34 +0000

For all the folks who bought DVD-less Kindle versions of the cookbook, all the folks who received a DVD with their paper copy but want updates to the tools, and even for folks who just want to experiment with the tools without buying the book, please feel free to download with an SVN client here:

http://code.google.com/p/malwarecookbook/

In order by Chapter, here’s a quick description of what’s on the DVD. It also includes malware.py, the set of Volatility plugins for the upcoming 1.4 release, a bunch of sample memory dumps from malware infected systems, and full color images for screen shots in the book.

* torwget.py: Multi-platform TOR-enabled URL
* wwwhoney.tgz: CGI scripts to accept submissions from nepenthes and dionaea honeypots
* clamav_to_yara.py: Convert ClamAV antivirus signatures to YARA rules
* peid_to_yara.py: Convert PEiD packer signatures to YARA rules
* av_multiscan.py: Script to implement your own antivirus multi-scanner
* pescanner.py: Detect malicious PE file attributes
* ssdeep_procs.py: Detect self-mutating code on live Windows systems using ssdeep
* avsubmit.py: Command-line interface to VirusTotal, ThreatExpert, Jotti, and NoVirusThanks
* dbmgr.py: Malware artifacts database manager
* artifactscanner.py: Application to scan live Windows systems for artifacts (files, Registry keys, mutexes) left by malware
* mapper.py: Create static PNG images of IP addresses plotted on a map using GeoIP
* googlegeoip.py: Create dynamic/interactive geographical maps of IP addresses using Google charts
* sc_distorm.py: Script to produce disassemblies (via DiStorm) of shellcode and optionally apply an XOR mask
* vmauto.py: Python class for automating malware execution in VirtualBox and VMware guests
* mybox.py: Sample automation script for VirtualBox based on vmauto.py
* myvmware.py: Sample automation script for VMware based on vmauto.py
* analysis.py: Python class for building sandboxes with support for analyzing network traffic, packet captures, and memory
* RegFsNotify.exe: Tool to detect changes to the Registry and file system in real time (from user mode without API hooks)
* HandleDiff.exe: Tool to detect changes to the handle tables of all processes on a system (useful to analyze the side-effects of code injecting malware)
* Preservation.zip: Kernel driver for monitoring notification routines, preventing processes from terminating, preventing files from being deleted, and preventing other drivers from loading
* cmd.exe: Custom command shell (cmd.exe) for logging malware activity and backdoor activity
* tsk-xview.exe: Cross-view based rootkit detection tool based on The Sleuth Kit API and Microsoft’s Offline Registry API
* HTMLInjection Detector.exe: Detect HTML injection attacks on banking and financial websites
* routes.pl: RegRipper plug-in for printing a computer’s routing table
* pendingdelete.pl: RegRipper plug-in for printing files that are pending deletion
* disallowrun.pl: RegRipper plug-in for printing processes that malware prevents from running
* shellexecutehooks.pl: RegRipper plug-in for printing ShellExecute hooks (a method of DLL injection)
* dumpcerts.pl: Parse::Win32Registry module to extract and examine cryptography certificates stored in Registry hives
* somethingelse.pl: Parse::Win32Registry module for finding hidden binary data in the Registry
* scloader.exe: Executable wrapper for launching shell code in a debugger
* scd.py: Immunity Debugger PyCommand for finding shellcode in arbitrary binary files
* findhooks.py: Immunity Debugger PyCommand for finding Inline-style user mode API hooks
* pymon.py: WinAppDbg plug-in for monitoring API calls, alerting on suspicious flags/parameters and producing an HTML report
* xortools.py: Python library for encoding/decoding XOR, including brute force methods and automated YARA signature generation
* trickimprec.py: Immunity Debugger PyCommand for assistance when rebuilding import tables with Import REconstructor
* kraken.py: Immunity Debugger PyCommand for cracking Kraken’s Domain Generation Algorithm (DGA)
* sbstrings.py: Immunity Debugger PyCommand for decrypting Silent Banker strings
* rundll32ex.exe: Extended version of rundll32.exe that allows you to run DLLs in other processes, call exported functions, and pass parameters
* install_svc.bat: Batch script for installing a service DLL (for dynamic analysis of the DLL)
* install_svc.py: Python script for installing a service DLL and supplying optional arguments to the service
* dll2exe.py: Python script for converting a DLL into a standalone executable
* DriverEntryFinder: Kernel driver to find the correct address in kernel memory to set breakpoints for catching new drivers as they load
* windbg_to_ida.py: Python script to convert WinDbg output into data that can be imported into IDA
* WinDbgNotify.txt: WinDbg script for identifying malicious notification routines

Reviews, News, and Errata

mhl — Sat, 20 Nov 2010 20:55:31 +0000

Reviews

We’ve very excited about the 5-star reviews on Amazon, which you can read about here. Thank you to the readers who took the time to let others know their thoughts. There are a few other reviews available as well:

* Netsec Redditors discuss and share comments about the book

* Harlan Carvey explains how to install pescanner.py on Windows

* Book Review: Malware Analyst’s Cookbook by Harlan Carvey

* A view on the Malware Analysis Cookbook by wishi

* Lenny Zeltser’s How to Get Started With Malware Analysis

* Review by Richard Austin at ieee-security.org

* Blog post by David Sharpe from Sharpe Security

* Book of the Month Nov 2010 on SecurityXploded.com

* Book Review by Dustin Schultz on TheXploit Security Blog

* RCE Endeavors calls MACB “very thorough and up-to-date”

* SpiderLabs calls MACB “a great book”

Analysis using Tools in MACB:

* Lenny Zeltser’s REMnux includes pescanner.py and xortools.py

* Undead Security uses pescanner.py to analyze Windows executables

* Malware Analysis with ClamAV and YARA @ Infosec Institute by Mourad Ben Lakhoua. This article was heavily based on Chapter 3 of MACB – thanks for the reference Mourad!

* Debugging Fundamentals for Exploit Development @ Infosec Institute by Steven Bradshaw. There’s no reference in this one, but you can tell the introduction was based on Chapter 11 of MACB.

News

If you purchased a Kindle version of the book from Amazon and didn’t receive the companion DVD, send us an email: malwarecookbook at gmail dot com. Neither Wiley nor Amazon have a way to distribute CDs or DVDs with electronic books.

Stefan from Joebox Security has updated the online version of Joebox reports (version 2.6.0) with static PE file analysis, inspired by the PEScanner module in Chapter 3 of Malware Analyst’s Cookbook. You can see a sample report here.

We received notification from the publisher that the book will be soon be translated into Korean.

Warnings

We’ve heard reports of people stealing DVDs from books off of bookstore shelves. Before you buy, make sure the DVD is in tact.

Also, there are a ton of warez sites advertising electronic copies of the book. They started making those claims 6 months before we even finished writing it. I do not even have a PDF copy of the book, do you really believe that someone else has one and is going to give it to you for free? Update: OK, I’m wrong, someone has successfully created a ripped PDF copy of the book and distributed it on multiple warez sites. However, it doesn’t include the DVD and most of the images are unreadable.

As an example, there have been some tweets lately pointing to rapidsharedownloads.com. When you click, you’ll see the listing below:

Looks pretty exciting, huh? When you choose an item to download, you’ll be presented with a popup window that looks like a prompt for downloading an executable.

Clicking open or save brings you to the page where you enter personal information, choose to pay $36.95 one-time fee or that one time fee plus 0.33/month and $4.95 extra. Considering the book is only $37.79 brand new on Amazon, why would you buy it from rapidsharedownloads.com? Oh, don’t forget, they don’t actually have a copy to sell.

Errata

We will update the following table with fixes as they are discovered. If you see any spelling mistakes, code mistakes, or disagree with any statements, feel free to let us know so we can disperse that information to other readers.

Page	Description
43	The text “Analyzing and Replaying Attacks Logged by Dionea” should read “…by Dionaea”
57	The text “0000000C jmp 0xc” should be “0000000C jmp $+0xc” – thanks to Matthieu Suiche for pointing this out.
64	The capabilities.yara file on the DVD has a typo. In particular, the condition for the encoding rule should be “(all of ($zlib)) or (all of ($ssl))” Note: this is only incorrect on the DVD file, it is correct in the book’s text.
119	The text “The domains and IP addresses that malware uses can you tell you a lot” should read “The domains and IP addresses that malware uses can tell you a lot”
194	The text “OfficeMalScaner” should read “OfficeMalScanner”
304-305	Step 1 should state “Download, install, and build Detours” instead of just “Download and install Detours.” If you don’t build Detours, then the detours.lib won’t be available when you reach Step 4. For instructions on how to build Detours, see the documentation that comes with Detours.
306-307	The 2nd parameter to DetourAttach and DetourDetach should be HookDeleteFileA instead of DeleteFileA. Note: the corresponding source file on the DVD contains the correct parameters – we must have made an error when copy/pasting the code into the book.
442	In table 12-2 the header should read “(X ^ Y) ^ Y” and not “(X ^ Y) ^ X”
451	The two instances of “decoded = base64.b64encode” should read “decoded = base64.b64decode”
483	“areguments” should be “arguments”
529	Matthieu Suiche sent us an optimized version of the WinDbg command that doesn’t rely on hard-coded offsets (thus you can use it on any platform). Here is the command: !list “-t nt!_EPROCESS.ActiveProcessLinks.Flink -e -x \”dt nt!_EPROCESS ImageFileName\”(poi(nt!PsActiveProcessHead)-@@c++(#FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks)))”

Happy reading, everyone!

Malware Analysis Books

mhl — Tue, 26 Oct 2010 01:27:42 +0000

Sunbelt Software posted a blog today about books related to malware analysis, which reminded me that I also wanted to do something similar. Unfortunately, due to competition issues, some publishers don’t allow authors to cite other publishers’ books. Thus, although I really wanted to cite some of my favorite books in Malware Analyst’s Cookbook, we weren’t permitted to do so. Instead, I’ll list them here. The following is a list of resources that I find to be either required or extremely useful for malware analysis.

Assembly Language for Intel-Based Computers by Kip R. Irvine. A good reference book for learning about the CPU, registers, and assembly language.
The IDA Pro Book by Chris Eagle. A guide to using IDA Pro and learning how to perform static analysis.
Gray Hat Python by Justin Seitz. Learn how to use Python for various debugging, hooking, and fuzzing tasks.
Secrets of Reverse Engineering by Eldad Eilam. A nice summary of many reversing techniques and tools.
Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser. Learn what malware is, where it comes from, what it does, and how to get rid of it (includes Windows and Unix).
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System by Bill Blunden. Contains in-depth descriptions of user- and kernel-mode rootkits, including a ton of code examples in C (the book is nearly 900 pages).
Rootkits: Subverting the Windows Kernel by Greg Hoglund and Jamie Butler. A book that focuses on Windows rootkits – essential reading for both sides of the fence (offensive and defensive).
Windows Forensic Analysis DVD Toolkit 2nd Edition by Harlan Carvey. Generous amounts of practical forensics knowledge, custom tools written by Harlan, and lots of hands-on examples – required for anyone who needs to protect or investigate computer intrusions.
Advanced Windows Debugging by Mario Hewardt and Daniel Pravat. Learn to use the Microsoft debuggers to hunt down the sources of resource leaks, memory corruption, and security issues (not about malware, but obviously you can use the knowledge to debug malware).
Practical Crypography by Niels Ferguson and Bruce Schneier. A good summary of encryption algorithms that anyone in the security field should check out.
Forensic Discovery by Dan Farmer and Wietse Venema. This is one of the first forensic books I ever read. Its a bit old now, but some of the concepts will never be outdated. I’d still recommend it in the year 2030.
Malware Forensics: Investigating and Analyzing Malicious Code by Cameron H. Malin, Eoghan Casey, and James M. Aquilina. A tool-centric, very enjoyable read for anyone interested in malware.
The Shellcoder’s Handbook by Jack Koziol et. al and The Shellcoder’s Handbook 2nd Edition by Chris Anley et. al. Great books for learning to read and write shell code, analyze vulnerabilities exploited by malware, or just gain an overall better understanding of assembly language to use with static analysis.
File System Forensic Analysis by Brian Carrier. An invaluable book for learning how to investigate file systems with The Sleuth Kit and Autopsy. I personally used it to learn how to hunt malware based on MFT data, NTFS streams, and things of that nature, but it includes info on many other file systems.
The Art of Computer Virus Research and Defense by Peter Szor. A great mix of technical and non-technical knowledge about malware works and how you can detect it.
Windows NT/2000 Native API Reference by Gary Nebbett. This book is like MSDN for the API functions that Microsoft didn’t document. It comes in handy when programming tools that need to use the Native API or when reversing malware that uses the Native API.
Windows Internals: Including Windows Server 2003 and Windows Vista, 5th Edition by Mark Russinovich, David A. Solomon, and Alex Ionescu. Lots of technical knowledge and is required for understanding how Windows works.
Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. Learn how to investigate intrusions on Unix and Windows based machines through practical examples (the DVD contains evidence files).
Windows via C/C++ by Jeffrey M. Richter and Christophe Nasarre. I would compare this book to Windows Internals, but instead of just explaining how things work, it shows how to program using the Windows API. Of course, its not a replacement for Windows Internals, but you’ll come out ahead by reading them both.

Malware Analyst’s Cookbook

mhl — Tue, 17 Aug 2010 18:37:10 +0000

Malware Analyst’s Cookbook is written by Michael Ligh, Steven Adair, Blake Harstein, and Matt Richard. It is scheduled for release in September 2010. The nearly 200 recipes (you can think of them as 3-5 page blogs) aim to solve common problems that you’ll encounter while analyzing, reverse-engineering, and investigating malware. The DVD includes full size color images of all figures in the book, evidence files (memory samples, registry hives, etc.) and about 50 custom tools in C/C++, Python and Perl – many of which we’ll also publish on this website after some time. If you have questions, comments, bug fixes, or tool extensions, feel free to drop us a line at malwarecookbook at gmail dot com.

Here’s a list of the chapters you can expect to find in the book:

1.   Anonymizing Your Activities
2.   Honeypots
3. Malware Classification
4. Sandboxes and Multi-AV Scanners
5. Domains and IP Addresses
6. Malicious Documents and URLs
7. Malware Labs
8. Automation
9.   Dynamic Analysis
10. Malware Forensics
11. Debugging Malware
12. De-Obfuscation
13. Working with DLLs
14. Kernel Debugging
15. Memory Forensics with Volatility
16. Memory Forensics: Code Injection & Extraction
17. Memory Forensics: Rootkits
18. Memory Forensics: Network and Registry