In 2013, Paul Rascagnères (aka "@r00tbsd") wrote a book titled "Malware: Identification, analyse et éradication". Paul being a friend but, above all, a renowned security researcher in the field of malware analysis and incident investigations, I bought the first edition of his book, which was a very good introduction to malware. This field changes so quickly, with new technologies and techniques adopted by malware writers as well as by researchers, that a second edition was needed. I received a copy from Paul's publisher and, of course, read it carefully. Here is my short review.
This second edition keeps the same format and layout: five chapters, but with 30 extra pages.
The most important point for my international readers: as the title shows, the book is written in French and, as far as I know, no English translation is planned. For people who find it hard to read technical books in English, this is a great opportunity to learn a lot of useful details about malware. French translations of technical books are often rather approximate; in this case, Paul wrote the book in his mother tongue. Thanks to the way the chapters are organized, the reader gets a good overview of the malware landscape, of the techniques used to detect malware and, perhaps most importantly, of how to protect against it.
The first chapter describes the different families of malware. This new edition now covers ransomware (not yet widespread in 2013!) and new techniques for communicating with C&C ("Command & Control") servers. Other new techniques covered: fileless malware and UAC bypasses.
The second chapter covers the analysis of malicious files: PDF, Adobe Flash, Java, Microsoft Office, PowerShell and PE (Windows executables). Here again, new tools such as Viper are described. Back in 2013, some ways of spreading malicious code, such as VBA macros in Microsoft Office documents, were not common.
The third chapter, on reverse engineering, is perhaps the one that changed the least. The x86 assembly part is the same, but there is now a section on x64 malware and, again, new tools such as Radare2.
The next chapter is dedicated to obfuscation techniques. This is certainly the area where most changes occurred: more and more malware implement techniques to detect whether they are running in a sandbox (such as Cuckoo) or under a debugger (anti-VM and anti-reverse-engineering tricks).
Finally, the last chapter covers tools and techniques to detect and eradicate malware. Tools such as YARA and ssdeep are reviewed. IOCs are covered through the OpenIOC framework. [Note to Paul: when will there be a chapter about MISP?]
Paul's book offers a good mix of general information and technical tips, written in clear language. It is a good introduction for people who have to deal with malware in their day-to-day job: system and network administrators, but also CISOs and consultants.
The ISBN is 978-2-4090-0190-1 (link).