Malware Analysis Resources

Existing best practices and tools

This page inventories best practices, tools and documents which the Malware Analysis SIG identified and finds useful in its work. If you are aware of other helpful resources, please do submit them to ma-sig@first.org for consideration.

Best Practices

• Guide to Malware Incident Prevention and Handling for Desktop and Laptops (NIST)
• Reducing Risks associated with Destructive Malware (FS-ISAC)
• Lenny Zeltser - 5 Steps to Building a Malware Analysis Toolkit using Free Tools
• Patterns of a Cooperative Malware Analysis Workflow
  By Daniel Plohmann, Sebastian Eschweiler, Elmar Gerhards-Padilla

Analysis and detection techniques

• David Bianco - Hunting for Malware Critical Process Impersonation
• AMA: Static Code Analysis of Web Page for the Detection of Malicious Scripts
• Random Forest for Malware Classification
• Wavelet decomposition of software entropy reveals symptoms of malicious code

Malware Analysis Books

• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  By Michael Sikorski, Andrew Honig
  ISBN: 978-1593272906
• Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
  By Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard
  ISBN: 978-0470613030
• Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
  By Bruce Dang, Alexandre Gazet, Elias Bachaalany, Sebastien Josse
  ISBN: 978-1118787311
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux and Mac Memory
  By Michael Hale Ligh, Andrew Case
  ISBN: 978-1118787311
• The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler
  By Chris Eagle
  ISBN: 978-1593272890
• Reversing: Secrets of Reverse Engineering
  By Eldad Eilam
  ISBN: 978-0764574818
• Windows Internals 6, Part 1 and 2
  By Mark Russinovich, David Solomon, Alex Ionescu
  ISBN: 978-0735648739
  ISBN: 978-0735665873
• Crimeware: Understanding New Attacks and Defenses
  By Markus Jakobsson and Zulfikar Ramzan
  ISBN-10: 0321501950
  ISBN-13: 978-0321501950
• The Art of Computer Virus Research and Defense
  By Péter
  ISBN-10: 0321304543
  ISBN-13: 978-0321304544
• The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System 2nd Edition
  By Bill Blunden
  ISBN-10: 144962636X
  ISBN-13: 978-1449626365
• Rootkits: Subverting the Windows Kernel Paperback
  By Greg Hoglund and James Butler
  ISBN-10: 0321294319
  ISBN-13: 978-0321294319
• Reverse Engineering Code with IDA Pro
  By Justin Ferguson and Dan Kaminsky
  ISBN-10: 159749237X
  ISBN-13: 978-1597492379
• Rootkits, Spyware/Adware, Keyloggers and Backdoors: Detection and Neutralization
  By Oleg Zaytsev
  ISBN-10: 1931769591
  ISBN-13: 978-1931769594
• Professional Rootkits
  By Ric Vieler
  ISBN-10: 0470101547
  ISBN-13: 978-0470101544

Trainings and exercises

• VOpenSecurityTraining
• Reverse Engineering for Beginners
• ENISA Common framework for analysis
  • Building artefact handling and analysis environment
  • Processing and storing artefacts
  • Artefact analysis fundamentals
  • Advanced artefact handling
  • Introduction to advanced artefact analysis
  • Dynamic analysis of artefacts
  • Static analysis of artefacts

Tools

• Cuckoo Sandbox is a popular open-source sandbox to automate dynamic analysis.
• Limon is a sandbox for analyzing Linux malware.
• IDA Pro: an Interactive Disassembler and Debugger to support static analysis.
• A set of malware analysis tools:
  • procdot visualizes procmon and PCAP logfiles in a single graph
  • Minibis is a behavioral analysis automation framework
  • Densityscout aims to identify packed executables based on Bytehist
• Viper is a binary analysis and management framework, which can help organize samples of malware.
• Radare is a disassembly framework supporting many different architectures.
• The Microsoft SysInternals Suite helps assess the state and changes of a Windows system.
• The BFK passive DNS Logger allows execution of passive DNS queries on malicious domains.
• VirusTotal is a massive repository of malware, which allows investigations into samples, domains, detection rates and -names, etc. VirusTotal Intelligence is a commercial product which provides deeper levels of access to this information.
• Deepviz - Powerful online sandbox.
• Reverse.it - Powerful online sandbox based on VxStream. The free version has already a good level of customization, and it includes basic android static analysis.
• Aleph: an Open-Source Malware Analysis System.

• Malware Analysis SIG
  • Malware Analysis Framework
  • Malware Analysis Tools