Malware Analysts' Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
by Michael Hale Ligh, Steven Adair, Blake Hartstein and Matthew Richard

John Wiley & Sons 2011.
ISBN 978-0-470-61303-0. amazon.com USD37.79
Table of contents: http://media.wiley.com/product_data/excerpt/33/04706130/0470613033-1.pdf

Reviewed by  Richard Austin   November 10, 2010 

Battling malware has much in common with an arms race - defenders develop new defenses which forces adversaries to adapt and innovate to overcome those defenses, and the cycle repeats ad infinitum. Given this never-ending struggle and the wide prevalence of malware, malicious code analysis is becoming a more important component of the technical repertoire of information security professionals. For many years the classic starting point for aspiring malware analysts has been Peter Szor's The Art of Computer Virus Research and Defense (reviewed in the March, 2005 edition of Cipher by Bob Bruen) and the Malware Analyst's Cookbook provides a valuable update on the state of the art.

At 700+ pages (plus a DVD of tools), this book provides wide coverage of the tools and techniques used by the practicing malware analyst in a very hands-on fashion. The book is organized into 18 chapters made up of "recipes" that describe the purpose and use of a particular tool or technique. The recipes are clearly presented with illustrations and code snippets used to show the technique in action. The tools DVD uses the same chapter organization and clearly links its contents with the text (a pet peeve of mine is the companion CD/DVD which in nothing more than a blob of tools with no organization whatever). Many references are provided to aid in finding more details or additional information on a particular topic.

The focus is on Windows malware (not surprising since most malware targets that platform) but uses tools that run on Windows, Linux and even MacOS. Topic coverage is comprehensive and ranges from how to research malware anonymously using Tor or various proxies to the tried-and-true techniques for analyzing suspicious executables or DLL's to cutting-edge topics such as memory forensics.

The substantial value of the book is that it collects, in one place, accessible material on a plethora of useful tools whose documentation is scattered across a universe of project websites and archives. The recipes are much more than a regurgitation of "man" pages and show why a particular tool is useful and how it is applied in a particular situation. The authors gained many "credibility points" in the introduction when they identified and provided links to the compiler and driver kit required to modify their binary tools. By delving deep into the analysis of malware, the authors provide a master-course in how malware actually works and the devious techniques its creators use to subvert our systems to their purposes (confess, do you really know what an IAT-hook is?).

If there is a criticism of the book, and it is a mild one, it is that it is a cookbook. Reading it front-to-back will cause you to quickly become lost in contemplation of individual trees and while remaining blindo the forest. A quick skim with a detailed working-through of several interesting recipes will set the stage for when you later reach for this book in carrying out a particular task. If you are a technical professional with an interest in or responsibility for malware analysis, this book is a worthy companion to Szor's book and merits a place on your shelf. It will become a familiar reference in answering the question "I wonder how you ...".



Richard Austin MS, CISSP (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry holding positions ranging from software developer to security architect before becoming a semi-retired, part-time academic. He welcomes your thoughts and comments on this review at raustin2 at spsu dot edu.