In my latest book review, I took on the topic of malware analysis, which is not often covered in security books or training centers. In 2018, Packt Publishing released “Learning Malware Analysis” by Monnappa KA. Monnappa works for Cisco Systems as an information security investigator focusing on threat intelligence and the investigation of advanced cyber-attacks; he is also a member of the Black Hat review board.
I found “Learning Malware Analysis” to be very informative and easy to read as well as follow; moreover, I found the examples in the book easy to replicate, which was priceless. Many times, the labs that accompany books never quite work out as stated and you are left trying to figure out what went wrong. When Monnappa introduced a concept, he would define it and follow it up with an example or analogy to help the reader obtain a stronger comprehension. In fact, throughout the whole book, he would end a paragraph, concept or idea with the term “for example” or “for instance”. This was something I appreciated very much, as some of the concepts can be uncharted territory even for the seasoned security practitioner.
Monnappa went to great lengths to explain why it was important to use a testing environment, how to create the testing environment, how to obtain the necessary tools and, lastly, how to obtain the malware to analyze. Another important aspect I would like to share is the diversity of the techniques he presented for analysis. Monnappa discussed a technique using the Linux command line, followed by using a software tool, and then he also showed how to replicate the analysis using Python code in multiple operating environments. This can be very valuable to the reader depending on their skill level, experience and comfort level on different platforms. In my opinion, to be successful in malware analysis, I would recommend being proficient in the Linux operating system as well as having some programming knowledge, as the later chapters drew from it and proved to be more challenging. As Monnappa stated, “To gain a deeper understanding of a malware’s inner workings and to understand the critical aspects of a malicious binary, code analysis needs to be performed.”
This book is definitely geared towards those in the incident response, cybersecurity investigation, malware analysis and forensic practitioner sector, but as an academic, I can see this text also serving well in academia as a lab resource to complement lectures in the program. I also see this text as an excellent resource for security practitioners looking to take a new direction in their career and learn or enhance their malware analysis skills.
The text consists of 11 chapters. The first 3 chapters provide an abundance of fundamental information and examples to get the reader started, while the remaining chapters draw from a basic understanding of programming and take the topic into greater depth. Below is a breakdown of each chapter.
Chapter 1 – Introduction to Malware Analysis: In this chapter, Monnappa introduced the reader to the concept of malware analysis as he discussed the different types of malware that exist. He then discussed the various types of malware analysis, such as static and dynamic, followed by a comprehensive set of instructions for setting up an isolated malware analysis lab environment.
Chapter 2 – Static Analysis: In this chapter, Monnappa explained and demonstrated the tools and techniques necessary to extract information from a malicious binary. In doing so, the reader is able to compare and classify malware samples as well as learn how to determine various aspects of the binary without executing it.
Chapter 3 – Dynamic Analysis: In this chapter, he showed the reader the tools and techniques needed to determine the behavior of the malware and its interaction with the system.
Chapter 4 – Assembly Language and Disassembly Primer: In this chapter, the author went into the basics of computer programming, assembly language and basic computer architecture. These are the skills required to perform code analysis in the later chapters.
Chapter 5 – Disassembly Using IDA: In this chapter, Monnappa covered the features of the IDA Pro disassembler and examined how to use IDA Pro to perform static code analysis (disassembly).
Chapter 6 – Debugging Malicious Binaries: In this chapter, Monnappa explained the technique of debugging a binary using x64dbg and the IDA Pro debugger. He also demonstrated how to use a debugger to control the execution of a program and to manipulate a program’s behavior.
Chapter 7 – Malware Functionalities and Persistence: In this chapter, Monnappa described various functionalities of malware using reverse engineering. He also covered the various persistence methods used by malicious programs.
Chapter 8 – Code Injection and Hooking: In this chapter, Monnappa discussed and demonstrated common code injection techniques used by malicious programs to execute malicious code within the context of a legitimate process. He also described the hooking techniques used by malware to redirect control to the malicious code in order to monitor, block, or filter an API’s output. The reader has the opportunity to analyze malicious programs that use code injection and hooking techniques.
Chapter 9 – Malware Obfuscation Techniques: In this chapter, the author discussed the encoding, encryption, and packing techniques used by malicious programs to conceal and hide information. The reader learns different strategies to decode/decrypt the data and unpack the malicious binary.
Chapter 10 – Hunting Malware Using Memory Forensics: In this chapter, the author demonstrated techniques to detect malicious components using memory forensics. The reader learns to use various Volatility plugins to detect and identify forensic artifacts in memory.
Chapter 11 – Detecting Advanced Malware Using Memory Forensics: In this chapter, Monnappa demonstrated the stealth techniques used by advanced malware to hide from forensic tools. The reader has the opportunity to learn how to investigate and detect user-mode and kernel-mode rootkit components.
Monnappa’s approach to “Learning Malware Analysis” was comprehensive, useful and timely, especially with the increase of malware entering our operational environments. Organizations are in need of specialized practitioners who understand these threats and can analyze them to aid in the defense of critical assets.
This book does serve those interested in venturing into malware analysis, but as stated, it is recommended that those venturing into the field have an understanding of computer architecture and computer programming concepts. In academia, this book can be useful in information security and/or computer science programs.
Monnappa’s book makes a valuable contribution to the information security community by providing information security practitioners with the knowledge and capability to obtain the rare ability to conduct malware analysis. I personally enjoyed chapters 1 – 6, because the information and examples were easy to comprehend and perform. While chapters 7 – 11 were more advanced and difficult, I never felt lost when following the examples and reading the text. I personally would recommend this book for those looking to enter the malware analysis field or even to enhance their current skills in this topic. From reading the text, I can deduce that Monnappa is very proficient in the topic and he does an excellent job of conveying his knowledge in writing.