Earlier this year, no starch press, sent SophosLabs an unrequested copy of the book Practical Malware Analysis: The hands-On Guide to Dissecting Malicious Software with a letter saying "If you do enjoy the book, I hope that you will consider posting a review ...". Well I enjoyed the book and so here is the review :)
Both authors, Michael Sikorsji and Andrew Honig, have impressive resumes (NSA, MIT and DoD) and list of reviewers looks impressive including: Sal Solfo (Columbia University) and Ilfak Guilfanov (IDA).
The book is well written and, like an academic textbook, each chapter ends with a series of questions and lab exercises. What is more, unlike text books, the teacher's answer copy is in the Appendix - it accounts for nearly *half* the book.
The book consists of 6 parts plus the Appendices:
- Part 1: Basic Analysis
- Part 2: Advanced Static Analysis
- Part 3: Advanced Dynamic Analysis
- Part 4: Malware Functionality
- Part 5: Anti-reverse-engineering
- Part 6: Special Topics
- Appendix A: Important Windows Functionality
- Appendix B: Tools for malware analysis
- Appendix C: Solutions to Labs
The book is a great primer on malware analysis, but there are more topics it could have covered (non-Windows and ARM analysis). Also, some of the topics that are covered could benefit from a bit more detail. As an example of this, Chapter 2: Malware Analysis in a Virtual Machine focuses on VMWare. It's certainly well written and edited, but it didn't touch VirtualBox or discuss how to use virtual machines to automate analysis. Which is a shame.
With the rise of eReaders and tablets, this could be one of the last books of this type. Monolithic book likes these means that you need to buy the next edition of the book to get any updates. Electronic books allow for small and incremental updates to the content at little or no cost to the user and to the publishers.
Once you have read Practical Malware Analysis, you will be able to top up your knowledge quite easily using the powers of the internet.
Would I buy this book if I saw it sitting in a shop window? Probably not. But go back 15 years when I was just starting out in the field, this would have been a goldmine of information.
So, if you're starting out in malware analysis (like our SophosLabs' intern Julian), or if you are are coming to analysis from another discipline, I'd recommend having a nose.