Friday, April 6, 2012

Practical Malware Analysis - A Review

Off and on over the last few weeks I've been reading Michael Sikorski & Andrew Honig's latest book "Practical Malware Analysis".

As you'd expect given the title, the book covers the art of malware reverse engineering and analysis from a malware investigator's perspective, providing extensive coverage of the techniques that need to be mastered by folks who intend to make a career of such technical work. The tome of some 766 pages can be thought of more as a textbook (complete with practical labs) than as the reference book that many other similarly themed practical malware analysis books aim to be.

A question I have when reading books such as this is "who's going to benefit from the book?". My first impression is that this book, while covering the spectrum of analysis techniques for an increasingly diverse array of threats, is probably most applicable to those folks just starting out in their IT security careers who are still exploring what they want to be when they grow up. I think this book would be an ideal text for a 200-level computer science course at college or university, and the included labs would sufficiently reinforce the learned material. It's likely that folks who have some working familiarity with the malware threat and have tinkered with incident response or basic malware forensics could use the book as a concise reference for malware analysis, but would end up quickly moving on to more specialized/focused books that target specific classes of threat (e.g. rootkits, packers, etc.).

Having employed and managed many malware analysts in the past for organizations such as X-Force, IBM and Damballa, my expectation is that the corpus of knowledge contained within Practical Malware Analysis would represent the first year of their career; that is, by mastering the content contained in this book, the reader would likely be equivalent to a junior analyst who had learned the basic "on the job" stuff at a typical anti-virus company (identify relevant features of the malware under study and develop signatures and clean-up scripts). Anyone beyond that level will need more specific books and material.

I like the fact that there's a broad spectrum of material covered in the book and that there are labs to reinforce the concepts. That said, I'd have preferred that the authors dove a little deeper into some of the automated techniques for handling armored malware, at the sacrifice of the helicopter chapters on shellcode analysis and IDA Pro.
