Malware Analyst's Cookbook and DVD
Tools and Techniques for Fighting Malicious Code
767 kr
Order item. Ships within 5-8 business days. Free shipping on orders over 249 kr.
Description
A computer forensics "how-to" for fighting malicious code and analyzing incidents. With our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems posed by viruses, Trojan horses, worms, spyware, rootkits, adware, and other invasive software. Written by well-known malware experts, this guide reveals solutions to numerous problems and includes a DVD of custom programs and tools that illustrate the concepts, enhancing your skills.
- Security professionals face a constant battle against malicious software; this practical manual will improve your analytical capabilities and provide dozens of valuable and innovative solutions
- Covers classifying malware, packing and unpacking, dynamic malware analysis, decoding and decrypting, rootkit detection, memory forensics, open source malware research, and much more
- Includes generous amounts of source code in C, Python, and Perl to extend your favorite tools or build new ones, and custom programs on the DVD to demonstrate the solutions
Malware Analyst's Cookbook is indispensable to IT security administrators, incident responders, forensic analysts, and malware researchers.
Product information
- Brand: John Wiley & Sons Inc
- Publication date: 2010-10-27
- Dimensions: 188 x 234 x 46 mm
- Weight: 1 066 g
- Language: English
- Number of pages: 752
- Publisher: John Wiley & Sons Inc
- EAN: 9780470613030
More about the authors
Michael Hale Ligh is a malicious code analyst at Verisign iDefense and Chief of Special Projects at MNIN Security. Steven Adair is a member of the Shadowserver Foundation and frequently analyzes malware and tracks botnets. He also investigates cyber attacks of all kinds with an emphasis on those linked to cyber espionage. Blake Hartstein is the author of multiple security tools and a Rapid Response Engineer at Verisign iDefense, where he responds to malware incidents. Matthew Richard has authored numerous security tools and also ran a managed security service for banks and credit unions.
Table of contents
- Introduction (xv)
- On the Book's DVD (xxiii)
- Chapter 1: Anonymizing Your Activities (1)
  - Recipe 1-1: Anonymous Web Browsing with Tor (3)
  - Recipe 1-2: Wrapping Wget and Network Clients with Torsocks (5)
  - Recipe 1-3: Multi-platform Tor-enabled Downloader in Python (7)
  - Recipe 1-4: Forwarding Traffic through Open Proxies (12)
  - Recipe 1-5: Using SSH Tunnels to Proxy Connections (16)
  - Recipe 1-6: Privacy-enhanced Web Browsing with Privoxy (18)
  - Recipe 1-7: Anonymous Surfing with Anonymouse.org (20)
  - Recipe 1-8: Internet Access through Cellular Networks (21)
  - Recipe 1-9: Using VPNs with Anonymizer Universal (23)
- Chapter 2: Honeypots (27)
  - Recipe 2-1: Collecting Malware Samples with Nepenthes (29)
  - Recipe 2-2: Real-Time Attack Monitoring with IRC Logging (32)
  - Recipe 2-3: Accepting Nepenthes Submissions over HTTP with Python (34)
  - Recipe 2-4: Collecting Malware Samples with Dionaea (37)
  - Recipe 2-5: Accepting Dionaea Submissions over HTTP with Python (40)
  - Recipe 2-6: Real-time Event Notification and Binary Sharing with XMPP (41)
  - Recipe 2-7: Analyzing and Replaying Attacks Logged by Dionaea (43)
  - Recipe 2-8: Passive Identification of Remote Systems with p0f (44)
  - Recipe 2-9: Graphing Dionaea Attack Patterns with SQLite and Gnuplot (46)
- Chapter 3: Malware Classification (51)
  - Recipe 3-1: Examining Existing ClamAV Signatures (52)
  - Recipe 3-2: Creating a Custom ClamAV Database (54)
  - Recipe 3-3: Converting ClamAV Signatures to YARA (59)
  - Recipe 3-4: Identifying Packers with YARA and PEiD (61)
  - Recipe 3-5: Detecting Malware Capabilities with YARA (63)
  - Recipe 3-6: File Type Identification and Hashing in Python (68)
  - Recipe 3-7: Writing a Multiple-AV Scanner in Python (70)
  - Recipe 3-8: Detecting Malicious PE Files in Python (75)
  - Recipe 3-9: Finding Similar Malware with ssdeep (79)
  - Recipe 3-10: Detecting Self-modifying Code with ssdeep (82)
  - Recipe 3-11: Comparing Binaries with IDA and BinDiff (83)
- Chapter 4: Sandboxes and Multi-AV Scanners (89)
  - Recipe 4-1: Scanning Files with VirusTotal (90)
  - Recipe 4-2: Scanning Files with Jotti (92)
  - Recipe 4-3: Scanning Files with NoVirusThanks (93)
  - Recipe 4-4: Database-Enabled Multi-AV Uploader in Python (96)
  - Recipe 4-5: Analyzing Malware with ThreatExpert (100)
  - Recipe 4-6: Analyzing Malware with CWSandbox (102)
  - Recipe 4-7: Analyzing Malware with Anubis (104)
  - Recipe 4-8: Writing AutoIT Scripts for Joebox (105)
  - Recipe 4-9: Defeating Path-dependent Malware with Joebox (107)
  - Recipe 4-10: Defeating Process-dependent DLLs with Joebox (109)
  - Recipe 4-11: Setting an Active HTTP Proxy with Joebox (111)
  - Recipe 4-12: Scanning for Artifacts with Sandbox Results (112)
- Chapter 5: Researching Domains and IP Addresses (119)
  - Recipe 5-1: Researching Domains with WHOIS (120)
  - Recipe 5-2: Resolving DNS Hostnames (125)
  - Recipe 5-3: Obtaining IP WHOIS Records (129)
  - Recipe 5-4: Querying Passive DNS with BFK (132)
  - Recipe 5-5: Checking DNS Records with Robtex (133)
  - Recipe 5-6: Performing a Reverse IP Search with DomainTools (134)
  - Recipe 5-7: Initiating Zone Transfers with dig (135)
  - Recipe 5-8: Brute-forcing Subdomains with dnsmap (137)
  - Recipe 5-9: Mapping IP Addresses to ASNs via Shadowserver (138)
  - Recipe 5-10: Checking IP Reputation with RBLs (140)
  - Recipe 5-11: Detecting Fast Flux with Passive DNS and TTLs (143)
  - Recipe 5-12: Tracking Fast Flux Domains (146)
  - Recipe 5-13: Static Maps with Maxmind, matplotlib, and pygeoip (148)
  - Recipe 5-14: Interactive Maps with Google Charts API (152)
- Chapter 6: Documents, Shellcode, and URLs (155)
  - Recipe 6-1: Analyzing JavaScript with Spidermonkey (156)
  - Recipe 6-2: Automatically Decoding JavaScript with Jsunpack (159)
  - Recipe 6-3: Optimizing Jsunpack-n Decodings for Speed and Completeness (162)
  - Recipe 6-4: Triggering Exploits by Emulating Browser DOM Elements (163)
  - Recipe 6-5: Extracting JavaScript from PDF Files with pdf.py (168)
  - Recipe 6-6: Triggering Exploits by Faking PDF Software Versions (172)
  - Recipe 6-7: Leveraging Didier Stevens's PDF Tools (175)
  - Recipe 6-8: Determining which Vulnerabilities a PDF File Exploits (178)
  - Recipe 6-9: Disassembling Shellcode with DiStorm (185)
  - Recipe 6-10: Emulating Shellcode with Libemu (190)
  - Recipe 6-11: Analyzing Microsoft Office Files with OfficeMalScanner (193)
  - Recipe 6-12: Debugging Office Shellcode with DisView and MalHost-setup (200)
  - Recipe 6-13: Extracting HTTP Files from Packet Captures with Jsunpack (204)
  - Recipe 6-14: Graphing URL Relationships with Jsunpack (206)
- Chapter 7: Malware Labs (211)
  - Recipe 7-1: Routing TCP/IP Connections in Your Lab (215)
  - Recipe 7-2: Capturing and Analyzing Network Traffic (217)
  - Recipe 7-3: Simulating the Internet with INetSim (221)
  - Recipe 7-4: Manipulating HTTP/HTTPS with Burp Suite (225)
  - Recipe 7-5: Using Joe Stewart's Truman (228)
  - Recipe 7-6: Preserving Physical Systems with Deep Freeze (229)
  - Recipe 7-7: Cloning and Imaging Disks with FOG (232)
  - Recipe 7-8: Automating FOG Tasks with the MySQL Database (236)
- Chapter 8: Automation (239)
  - Recipe 8-1: Automated Malware Analysis with VirtualBox (242)
  - Recipe 8-2: Working with VirtualBox Disk and Memory Images (248)
  - Recipe 8-3: Automated Malware Analysis with VMware (250)
  - Recipe 8-4: Capturing Packets with TShark via Python (254)
  - Recipe 8-5: Collecting Network Logs with INetSim via Python (256)
  - Recipe 8-6: Analyzing Memory Dumps with Volatility (258)
  - Recipe 8-7: Putting All the Sandbox Pieces Together (260)
  - Recipe 8-8: Automated Analysis with ZeroWine and QEMU (271)
  - Recipe 8-9: Automated Analysis with Sandboxie and Buster (276)
- Chapter 9: Dynamic Analysis (283)
  - Recipe 9-1: Logging API Calls with Process Monitor (286)
  - Recipe 9-2: Change Detection with Regshot (288)
  - Recipe 9-3: Receiving File System Change Notifications (290)
  - Recipe 9-4: Receiving Registry Change Notifications (294)
  - Recipe 9-5: Handle Table Diffing (295)
  - Recipe 9-6: Exploring Code Injection with HandleDiff (300)
  - Recipe 9-7: Watching BankpatchC Disable Windows File Protection (301)
  - Recipe 9-8: Building an API Monitor with Microsoft Detours (304)
  - Recipe 9-9: Following Child Processes with Your API Monitor (311)
  - Recipe 9-10: Capturing Process, Thread, and Image Load Events (314)
  - Recipe 9-11: Preventing Processes from Terminating (321)
  - Recipe 9-12: Preventing Malware from Deleting Files (324)
  - Recipe 9-13: Preventing Drivers from Loading (325)
  - Recipe 9-14: Using the Data Preservation Module (327)
  - Recipe 9-15: Creating a Custom Command Shell with ReactOS (330)
- Chapter 10: Malware Forensics (337)
  - Recipe 10-1: Discovering Alternate Data Streams with TSK (337)
  - Recipe 10-2: Detecting Hidden Files and Directories with TSK (341)
  - Recipe 10-3: Finding Hidden Registry Data with Microsoft's Offline API (349)
  - Recipe 10-4: Bypassing Poison Ivy's Locked Files (355)
  - Recipe 10-5: Bypassing Conficker's File System ACL Restrictions (359)
  - Recipe 10-6: Scanning for Rootkits with GMER (363)
  - Recipe 10-7: Detecting HTML Injection by Inspecting IE's DOM (367)
  - Recipe 10-8: Registry Forensics with RegRipper Plug-ins (377)
  - Recipe 10-9: Detecting Rogue-Installed PKI Certificates (384)
  - Recipe 10-10: Examining Malware that Leaks Data into the Registry (388)
- Chapter 11: Debugging Malware (395)
  - Recipe 11-1: Opening and Attaching to Processes (396)
  - Recipe 11-2: Configuring a JIT Debugger for Shellcode Analysis (398)
  - Recipe 11-3: Getting Familiar with the Debugger GUI (400)
  - Recipe 11-4: Exploring Process Memory and Resources (407)
  - Recipe 11-5: Controlling Program Execution (410)
  - Recipe 11-6: Setting and Catching Breakpoints (412)
  - Recipe 11-7: Using Conditional Log Breakpoints (415)
  - Recipe 11-8: Debugging with Python Scripts and PyCommands (418)
  - Recipe 11-9: Detecting Shellcode in Binary Files (421)
  - Recipe 11-10: Investigating Silentbanker's API Hooks (426)
  - Recipe 11-11: Manipulating Process Memory with WinAppDbg Tools (431)
  - Recipe 11-12: Designing a Python API Monitor with WinAppDbg (433)
- Chapter 12: De-Obfuscation (441)
  - Recipe 12-1: Reversing XOR Algorithms in Python (441)
  - Recipe 12-2: Detecting XOR Encoded Data with yaratize (446)
  - Recipe 12-3: Decoding Base64 with Special Alphabets (448)
  - Recipe 12-4: Isolating Encrypted Data in Packet Captures (452)
  - Recipe 12-5: Finding Crypto with SnD Reverser Tool, FindCrypt, and Kanal (454)
  - Recipe 12-6: Porting OpenSSL Symbols with Zynamics BinDiff (456)
  - Recipe 12-7: Decrypting Data in Python with PyCrypto (458)
  - Recipe 12-8: Finding OEP in Packed Malware (461)
  - Recipe 12-9: Dumping Process Memory with LordPE (465)
  - Recipe 12-10: Rebuilding Import Tables with ImpREC (467)
  - Recipe 12-11: Cracking Domain Generation Algorithms (476)
  - Recipe 12-12: Decoding Strings with x86emu and Python (481)
- Chapter 13: Working with DLLs (487)
  - Recipe 13-1: Enumerating DLL Exports (488)
  - Recipe 13-2: Executing DLLs with rundll32.exe (491)
  - Recipe 13-3: Bypassing Host Process Restrictions (493)
  - Recipe 13-4: Calling DLL Exports Remotely with rundll32ex (495)
  - Recipe 13-5: Debugging DLLs with LOADDLL.EXE (499)
  - Recipe 13-6: Catching Breakpoints on DLL Entry Points (501)
  - Recipe 13-7: Executing DLLs as a Windows Service (502)
  - Recipe 13-8: Converting DLLs to Standalone Executables (507)
- Chapter 14: Kernel Debugging (511)
  - Recipe 14-1: Local Debugging with LiveKd (513)
  - Recipe 14-2: Enabling the Kernel's Debug Boot Switch (514)
  - Recipe 14-3: Debug a VMware Workstation Guest (on Windows) (517)
  - Recipe 14-4: Debug a Parallels Guest (on Mac OS X) (519)
  - Recipe 14-5: Introduction to WinDbg Commands and Controls (521)
  - Recipe 14-6: Exploring Processes and Process Contexts (528)
  - Recipe 14-7: Exploring Kernel Memory (534)
  - Recipe 14-8: Catching Breakpoints on Driver Load (540)
  - Recipe 14-9: Unpacking Drivers to OEP (548)
  - Recipe 14-10: Dumping and Rebuilding Drivers (555)
  - Recipe 14-11: Detecting Rootkits with WinDbg Scripts (561)
  - Recipe 14-12: Kernel Debugging with IDA Pro (566)
- Chapter 15: Memory Forensics with Volatility (571)
  - Recipe 15-1: Dumping Memory with MoonSols Windows Memory Toolkit (572)
  - Recipe 15-2: Remote, Read-only Memory Acquisition with F-Response (575)
  - Recipe 15-3: Accessing Virtual Machine Memory Files (576)
  - Recipe 15-4: Volatility in a Nutshell (578)
  - Recipe 15-5: Investigating Processes in Memory Dumps (581)
  - Recipe 15-6: Detecting DKOM Attacks with psscan (588)
  - Recipe 15-7: Exploring csrss.exe's Alternate Process Listings (591)
  - Recipe 15-8: Recognizing Process Context Tricks (593)
- Chapter 16: Memory Forensics: Code Injection and Extraction (601)
  - Recipe 16-1: Hunting Suspicious Loaded DLLs (603)
  - Recipe 16-2: Detecting Unlinked DLLs with ldr_modules (605)
  - Recipe 16-3: Exploring Virtual Address Descriptors (VAD) (610)
  - Recipe 16-4: Translating Page Protections (614)
  - Recipe 16-5: Finding Artifacts in Process Memory (617)
  - Recipe 16-6: Identifying Injected Code with Malfind and YARA (619)
  - Recipe 16-7: Rebuilding Executable Images from Memory (627)
  - Recipe 16-8: Scanning for Imported Functions with impscan (629)
  - Recipe 16-9: Dumping Suspicious Kernel Modules (633)
- Chapter 17: Memory Forensics: Rootkits (637)
  - Recipe 17-1: Detecting IAT Hooks (637)
  - Recipe 17-2: Detecting EAT Hooks (639)
  - Recipe 17-3: Detecting Inline API Hooks (641)
  - Recipe 17-4: Detecting Interrupt Descriptor Table (IDT) Hooks (644)
  - Recipe 17-5: Detecting Driver IRP Hooks (646)
  - Recipe 17-6: Detecting SSDT Hooks (650)
  - Recipe 17-7: Automating Damn Near Everything with ssdt_ex (654)
  - Recipe 17-8: Finding Rootkits with Detached Kernel Threads (655)
  - Recipe 17-9: Identifying System-Wide Notification Routines (658)
  - Recipe 17-10: Locating Rogue Service Processes with svcscan (661)
  - Recipe 17-11: Scanning for Mutex Objects with mutantscan (669)
- Chapter 18: Memory Forensics: Network and Registry (673)
  - Recipe 18-1: Exploring Socket and Connection Objects (673)
  - Recipe 18-2: Analyzing Network Artifacts Left by Zeus (678)
  - Recipe 18-3: Detecting Attempts to Hide TCP/IP Activity (680)
  - Recipe 18-4: Detecting Raw Sockets and Promiscuous NICs (682)
  - Recipe 18-5: Analyzing Registry Artifacts with Memory Registry Tools (685)
  - Recipe 18-6: Sorting Keys by Last Written Timestamp (689)
  - Recipe 18-7: Using Volatility with RegRipper (692)
- Index (695)