Book Summary – “Evasive Malware: Understanding Deceptive and Self-Defending Threats”
Since my new book “Evasive Malware: Understanding Deceptive and Self-Defending Threats” pre-order just launched, I wanted to write up a quick summary of the book, including what you’ll learn, the book’s target audience, and a breakdown of each section in the book. Let’s get started!
What is this book about?
“Evasive Malware: Understanding Deceptive and Self-Defending Threats” is a book about the fascinating and terrifying world of malicious software designed to avoid detection. The book is full of practical information, real-world examples, and cutting-edge techniques for discovering, reverse-engineering, and analyzing state-of-the-art malware, specifically malware that uses evasion techniques.
Beginning with foundational knowledge about malware analysis in the context of the Windows OS, you’ll learn about the evasive maneuvers that malware uses to determine whether it’s being analyzed and the tricks it employs to avoid detection. You’ll explore the ways malware circumvents security controls, such as network or endpoint defense bypasses, anti-forensics techniques, and malware that deploys data and code obfuscation. At the end of the book, you’ll learn some methods and tools to tune your own analysis lab and make it resistant to malware’s evasive techniques.
What will you learn?
- Modern malware threats and the ways they avoid detection
- Anti-analysis techniques used in malware
- How malware bypasses and circumvents security controls
- How malware uses victim targeting and profiling techniques
- How malware uses anti-forensics and file-less techniques
- How to perform malware analysis and reverse engineering on evasive programs
Who is this book for?
This book primarily targets readers who already have at least a basic understanding and skill-set in analyzing malware and reverse-engineering malicious code. This book is not a beginner course in malware analysis, and some prior knowledge in this topic is assumed. But have no fear – the first three chapters of this book consist of a crash-course in malware analysis and code analysis techniques.
Here are some of the practical applications of this book:
- Malware Analysts and Researchers – Learn how modern and advanced malware uses evasion techniques to circumvent your malware lab and analysis tools.
- Incident Responders and Forensicators – Learn how advanced malware uses techniques like anti-forensics to hide its artifacts on a host. Understanding these techniques will help improve incident response and forensics skills.
- Threat Intelligence Analysts – Learn how bespoke, targeted, and cybercrime malware uses evasion techniques to hide and blend into its target environment.
- Security Engineers / Security Architects – Learn how malware evades the host and network defenses that you design, engineer, and implement.
- Students and Hobbyists – Learn how modern, advanced malware operates. If you read and actually enjoy this book, then you now know that you should pursue a job in malware research 😉
This book consists of five sections (parts), each consisting of three or more chapters. Let’s take a brief look at each of these.
Part 1: The Fundamentals
Part 1 contains the foundational concepts you’ll need to know before digging into the rest of the book. The topics include the fundamentals of how the Windows operating system works, and the basics of malware analysis, covering sandbox and behavioral analysis to static and dynamic code analysis.
Chapters in Part 1:
- Chapter 1: Windows Foundational Concepts
- Chapter 2: A Crash Course in Malware Triage and Behavioral Analysis
- Chapter 3: A Crash Course in Static and Dynamic Code Analysis
What you’ll learn:
- What evasive malware is and why malware authors use evasion techniques in their malware.
- The fundamentals of Windows OS internals.
- A crash course in malware analysis and reverse engineering, covering the basics of malware sandbox analysis and behavioral analysis, and static and dynamic code analysis.
Part 2: Context-Awareness and Sandbox Evasion
Part 2 starts getting into the good stuff: how malware is able to detect sandboxes, virtual machines, and hypervisors, and circumvent and disrupt analysis.
Chapters in Part 2:
- Chapter 4: Enumerating Operating System Artifacts
- Chapter 5: User Environment and Interaction Detection
- Chapter 6: Enumerating Hardware and Network Configurations
- Chapter 7: Runtime Environment and Virtual Processor Anomalies
- Chapter 8: Evading Sandboxes and Disrupting Analysis
What you’ll learn:
- How malware detects hypervisors by inspecting operating system artifacts.
- How malware detects virtual machines by looking for runtime anomalies.
- How malware tries to detect a real end user in order to identify if it’s running in a sandbox.
- How malware actively circumvents analysis by exploiting weaknesses in sandboxes or directly interfering or tampering with the analyst’s tooling.
Part 3: Anti-Reversing
Part 3 covers the many techniques malware may use to prevent or impede reverse-engineering of its code, such as complicating code analysis, disrupting debuggers, and causing confusion and misdirection.
Chapters in Part 3:
- Chapter 9: Anti-disassembly
- Chapter 10: Anti-debugging
- Chapter 11: Covert Code Execution and Misdirection
What you’ll learn:
- How malware authors implement anti-disassembly techniques and how you can overcome them.
- How anti-debugging techniques work, and how to identify these techniques while analyzing malware.
- How malware utilizes covert code execution and misdirection techniques to confuse malware analysts and slow down the reversing process.
Part 4: Defense Evasion
Chapters in Part 4:
- Chapter 12: Process Injection, Manipulation, and Hooking
- Chapter 13: Evading Network and Endpoint Defenses
- Chapter 14: An Introduction to Rootkits
- Chapter 15: Fileless Malware and Anti-forensics
What you’ll learn:
- How malware implements modern process injection and manipulation techniques to circumvent defenses.
- How malware actively and passively circumvents and bypasses modern endpoint and network defenses like EDR/XDR.
- The basics of rootkits and how they evade defenses.
- How malware uses living-off-the-land techniques to remain undetected and blend into the environment.
- Anti-forensics techniques and how advanced malware hides from forensics tooling and investigators.
Part 5: Other Topics
Finally, Part 5 covers additional techniques and topics that did not fit in well with the other chapters. This section covers topics like obfuscating malware and malicious behaviors via encoding and encryption, how packers work and how to unpack malware, and how to make your malware analysis lab a bit more resilient to evasive malware.
Chapters in Part 5:
- Chapter 16: Encoding and Encryption
- Chapter 17: Packers and Unpacking Malware
- Chapter 18: Tips for Building an Anti-evasion Analysis Lab
What you’ll learn:
- How malware implements obfuscation and encryption to complicate analysis and hide malicious activity, and how to analyze obfuscated code.
- How malware uses packers and crypters, and how to analyze packed malware.
- How to configure and tune your analysis lab to help streamline analysis of malware that may be detecting your lab environment.
Pre-Order the Book!
If you decide to legally purchase my book (instead of pirating it), it would be much appreciated. I need to buy beer, a new gaming PC, feed my family, you know, important stuff.
How to pre-order:
- You can order the book directly from the No Starch Press publisher website. If you order from No Starch, you also can get access to an Early Access version of the book, as well as the finished book!
- You can order on Amazon. Sometimes Amazon has deals and this may be cheaper, but you do not get access to the Early Access version. Amazon ships to many places in the world, so this is an advantage.
- There are other sites you can order from as well, such as local bookstores. Just Google “Evasive Malware book”.
If you decide to pre-order the Early Access version of my book, I would love your feedback! If you spot technical errors, spelling and grammar errors, or even if you just want to tell me “It’s amazing!” or “It sucks!”, I want to hear your feedback 🙂 Feel free to contact me via Twitter or LinkedIn.
A lot of love for the infosec community went into this book, so I hope you enjoy it! 🙂