Summary

In this chapter, you started by configuring your Linux installation for network traffic analysis, after which you took a closer look at XOR-based obfuscation and the tools used to undo it. Thereafter, you analyzed a malicious web page and got a good look at the overall workflow and approach: tools such as Malzilla and Firebug for script-based debugging and shellcode extraction, followed by conversion and analysis using simple, readily available tools such as a hex editor and a shellcode-to-exe converter. You learned about UCS-2 (%u) encoding and why NULL bytes are eliminated from exploit code; the exploit in this chapter was of the download-and-execute type, delivered as a drive-by download. You were quickly introduced to bytecode analysis tools and given a rapid-fire round on document analysis tools. Thereafter, you took a detailed tour of Redline from Mandiant as a tool for malware memory forensics, along with its various options and features. You were also introduced to the OpenIOC standard and the IOCe editor tool. Moving on, you were introduced to malware intelligence concepts and tools – malware sample collection, honeypots, monitoring tools, visualization tools and analysis sandboxes – which will certainly aid you in gathering as much information as possible about malware in all its forms.
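The UCS-2 point above is worth seeing in code. Drive-by pages typically carry their shellcode as a JavaScript `unescape("%u9090%u9090...")` string: each `%uXXXX` is a 16-bit code unit that lands in memory little-endian, so `%uE8FC` becomes the bytes `FC E8`. The following is an added example, not code from the chapter or from Malzilla: a decoder that turns such a string back into raw bytes (the first step before feeding it to a hex editor or a shellcode-to-exe converter), the inverse encoder, and a check for NULL bytes. The sample string is constructed for illustration and is not shellcode from the book; the function names are my own.

```python
import re

# Constructed sample input (not from the original chapter): four NOPs followed by
# FC E8 00 00 00 00, deliberately containing NULLs so the check has something to find.
SAMPLE = "%u9090%u9090%uE8FC%u0000%u0000"

# One token per match: %uXXXX (UTF-16 code unit), %XX (single byte), or a bare character.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)


def decode_unescape(s: str) -> bytes:
    """Decode a JavaScript unescape()-style string into the bytes it produces in memory.

    %uXXXX is a UCS-2/UTF-16 code unit stored little-endian on x86 (%u4142 -> 42 41).
    %XX is a single byte. Any other character is emitted as its Latin-1 byte.
    """
    out = bytearray()
    for m in _TOKEN.finditer(s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1")
    return bytes(out)


def encode_unescape(code: bytes) -> str:
    """Inverse of decode_unescape: pack raw bytes into %uXXXX units.

    An odd-length buffer is padded with a NOP (0x90) so the last unit is complete.
    """
    if len(code) % 2:
        code += b"\x90"
    return "".join(
        "%%u%04X" % int.from_bytes(code[i:i + 2], "little")
        for i in range(0, len(code), 2)
    )


def null_positions(code: bytes) -> list[int]:
    """Offsets of every 0x00 byte in the decoded payload."""
    return [i for i, b in enumerate(code) if b == 0]


def is_null_free(code: bytes) -> bool:
    """True if the payload can survive a C-string copy (no 0x00 terminator inside it)."""
    return not null_positions(code)


if __name__ == "__main__":
    raw = decode_unescape(SAMPLE)
    print(raw.hex(" "))
    # A 0x00 byte ends a C string, and a %u0000 unit ends a wide string, so any such
    # byte truncates the payload when it passes through a string-copy path.
    print("NULLs at offsets:", null_positions(raw), "null-free:", is_null_free(raw))
    print("re-encoded:", encode_unescape(raw))
```

Once the bytes are written to a file (`open("sc.bin", "wb").write(raw)`) they can be loaded into a hex editor or wrapped into an executable exactly as described above; the NULL check explains why real-world payloads are encoded to avoid 0x00 before being embedded in the page.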

Recapitulation: At this point, you have a sound understanding of the computing concepts required to get you started in malware analysis for the Windows platform. You are well acquainted with assembly programming concepts, conventions, and tools for Windows and with the VC++ 2008 development environment. You understand the toolchain for converting source code to binary code and how binary code can be reverse engineered to recover a pretty good representation of its design and functionality. Things like calling conventions, registers, the call stack, the inline assembler, and lib file generation are not new to you. You have been introduced to the malware analyst's tool set and got a good overview of IDA Pro – the industry-standard disassembler/debugger. Thereafter, you proceeded with an in-depth analysis of a real-world destructive malware sample (MBRkiller-DarkSeoul) and learned what malware analysts do and how they approach reverse engineering, keeping in mind that you can be as creative or resourceful as you want. You then worked on kernel debugging and Windows internals concepts to further solidify your understanding of the analysis process. Finally, you dealt with web-based malware (JS/Dropper) and exploits (various CVEs) and got to know how you might approach such threats in your own analysis. To conclude, you were pointed in the direction of malware intelligence and its significance in the current climate. This sets the baseline, which you absolutely must be comfortable with to progress to more complex threats. I do hope you got the best out of it. While the book has page limits, you should have no problem exploring the bounds of each discussed topic and beginning and/or continuing your journey towards malware analysis mastery. How far you take it is up to your hard work and dedication. Let us all make the world a safer place to be in – to the best of our abilities!