10 days in the desert – Black Hat and DEFCON bound

I’m excited for my annual 10-day trip to Las Vegas for these big security conferences. Andy and I have a lot of cool events, including the chance for you to WIN A FREE VIP DINNER, so read on:

1. Mandiant is sponsoring a FREE book signing on Wed & Thurs, July 25 & 26, from 1-2PM at Black Hat. It will take place in the Trevi Room, Caesars Palace (adjacent to the exhibit hall, Octavius Ballroom). First come, first served, so get there early: the books will go fast and we have a limited number.

2. WIN A FREE VIP DINNER at Bobby Flay’s Mesa Grill with Andy and me on Wednesday night by being one of the first 5 people in line at the book signing on Wednesday, July 25. Get there early, because this is going to be a fun time at a great restaurant. (Note: if you aren’t one of the first 5, you’ll still get a free book until they run out.)

3. Andy is releasing FakeNet 1.0 at the Black Hat Tool Arsenal from 11:45am-12:45pm on Wed and Thurs July 25 & 26. Stop by and check out the tool.

4. No Starch Press is holding a Defcon book signing for us on Friday July 27 at 4pm at the Rio. This will be at the No Starch Press booth, so bring your book or buy a discounted one at the NSP booth at the signing.

5. Mandiant is holding its always fun party at the Shadow Bar in Caesars Palace, starting at 7pm on Tuesday, 7/24. Make sure you register to attend. I’ll be hanging out at this party, so join me for a free drink.

6. I’ll be teaching a sold-out 4-day Malware Analysis class at Black Hat on Saturday through Tuesday (7/21-7/24).

We look forward to seeing you in Vegas!

Buster Sandbox Analyzer adds support for FakeNet

Good news: Buster Sandbox Analyzer (BSA) has just added support for FakeNet. For those of you not familiar with it, BSA is a tool that automatically analyzes the behavior of a process and the changes it makes to the system, and then evaluates whether they are malicious. This automates all of the basic dynamic analysis you would typically perform by hand. Full details and a download of BSA can be found here. BSA works with Sandboxie, a program that runs other programs in an isolated environment so they cannot make permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandboxing makes it useful for malware analysis as well. For example, you can use it to capture the filesystem and registry accesses of the program you are sandboxing. BSA interfaces with Sandboxie to turn that captured activity into automated analysis and reporting.

Book Signing at SOURCE Boston

I will be signing books at SOURCE Boston.  Mandiant has kindly agreed to sponsor the event.  The first 20 people to stop by the Mandiant table on Tuesday, April 17th from 4:00 to 4:30pm will receive a FREE copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.  If you don’t make it on Tuesday, don’t worry!  I’ll do it all over again on Wednesday, April 18th from 5:30 to 6:30pm.

Already own a copy? Stop by and say hello.  I would love to hear your feedback and I would be glad to answer any questions you may have.

Book Review: A Bug Hunter’s Diary

This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone I was already familiar with through his website, and we even reference his tool ScoopyNG in Chapter 17 of PMA.

For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you whether you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner: a couple of pages defining a buffer overflow or a type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!

Concealing Network Traffic via Google Translate

I recently encountered an interesting malware sample. Examining its network activity, I noticed that it was beaconing out to translate.google.com. It doesn’t really make sense for malware to need a webpage translated, so I took a closer look at what was going on. It turns out that the malware was using Google Translate (and other translation websites) to proxy access to its malicious websites. Using the translation pages allows the malware to communicate with its command and control servers without ever connecting to them directly: at the network level, the traffic shows only connections to Google Translate servers, and the real destination survives only inside the URL the malware asks Google to translate. The pages behind those URLs may contain commands or configuration that the malware downloads.
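The hiding technique above has a corresponding detection: the translator request still has to name the page it wants translated, so a proxy log that records full URLs gives away the real destination. The following is an added example, not code from the original post. It parses constructed proxy log lines, recovers the page behind each translation request, and reports clients that repeatedly reach the same non-translator host through a translation service. It assumes the translated page is carried in the `u` query parameter for translate.google.com and the `a` parameter for the Microsoft translator (the forms those services’ “translate this page” links used around the time of the post); the host/parameter table is illustrative and would be extended for any other translation site the sample uses.

```python
"""Recover the real destination behind translation-service requests in a proxy log.

Added example, not code from the original post.  SAMPLE_LOG is constructed, and
TRANSLATOR_PROXIES is an assumption about which query parameter each service
used to carry the page being translated.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log: timestamp, client IP, method, requested URL.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z 10.0.0.5 GET https://www.google.com/search?q=weather
2012-06-01T10:00:07Z 10.0.0.5 GET http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http://evil.example/cmd.txt
2012-06-01T10:05:07Z 10.0.0.5 GET http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fevil.example%2Fcfg.bin
2012-06-01T10:05:09Z 10.0.0.9 GET http://translate.google.com/translate?sl=de&tl=en&u=http://www.spiegel.de/
2012-06-01T10:10:07Z 10.0.0.5 GET http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http://evil.example/cmd.txt
"""

# Assumed: translator host -> query parameter holding the page to be fetched.
TRANSLATOR_PROXIES = {
    "translate.google.com": "u",
    "www.microsofttranslator.com": "a",
}


def proxied_target(url):
    """Return the URL a translation service was asked to fetch, or None if the
    request is not to a known translator (or carries no target page)."""
    parts = urlparse(url)
    param = TRANSLATOR_PROXIES.get(parts.netloc.lower())
    if param is None:
        return None
    # parse_qs percent-decodes, so an encoded target comes back as a plain URL.
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def find_relayed_beacons(log_text, min_hits=2):
    """Group translator-relayed requests by (client, target host) and return the
    groups where one client reached the same host at least min_hits times,
    which is the shape a beaconing sample produces.  Single translated pages
    (a user reading a foreign news site) fall below the threshold."""
    by_client_host = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at them
        _timestamp, client, _method, url = fields
        target = proxied_target(url)
        if target is None:
            continue
        host = urlparse(target).netloc.lower()
        by_client_host.setdefault((client, host), []).append(target)
    return {k: v for k, v in by_client_host.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for (client, host), targets in find_relayed_beacons(SAMPLE_LOG).items():
        print(f"{client} reached {host} via translation services {len(targets)} times:")
        for t in targets:
            print("   ", t)
```

On the sample log this singles out 10.0.0.5, which reaches evil.example three times across two different translation services, while 10.0.0.9 translating one news page once is left alone. Grouping by the decoded target host rather than by translator host is what makes the two services collapse into one finding.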

Welcome to Running the Gauntlet!

As part of the release of our book Practical Malware Analysis, we wanted to start a blog to connect with our readers and share security tips from our experiences analyzing malicious software. Topics will include malware analysis tips and tricks, analysis of interesting techniques from innovative malware, and responses to readers’ questions about our book. We’ll also use this as a platform for releasing malware analysis tools and scripts, both related to our book and separate from it. We welcome feedback and questions from readers of our book and blog; feel free to contact us with the feedback link on the navigation bar.