- My team at Savvis provides security assessments, design, and operational assistance for businesses.
- Learn how to analyze malware at my SANS course in New York, London, DC, and over the Web.
- My new 2-day course on Combating Malware debuts in Las Vegas at half price; full price in DC.
Related Content:
- Intro to Malware Analysis Webcast
- Combating Malicious Software Articles
- SANS Computer Forensics Site
More about the course:
|
New! My 2-day Combating Malware in the Enterprise course debuts in Las Vegas at half price (September); full price in DC (December). |
Reverse-Engineering Malware: Malware Analysis Tools and Techniques
The Reverse-Engineering Malware (REM) course, which I present at SANS Institute, teaches a practical approach to examining malicious software that runs natively on Microsoft Windows, and covers web-based malware such as JavaScript and Flash files. This malware analysis training will teach you how to reverse-engineer malicious programs using a variety of system and network monitoring utilities, a disassembler, a debugger, and other tools for turning malware inside-out.
On this page you will find:
- Course Overview
- Topics Covered
- Complexity of the Course
- Who Should Attend?
- When and Where Can You Attend?
- Interviews
- Related Content
Course Overview
Security incident responders benefit from knowing how to reverse-engineer malware, because this process helps in assessing the event's scope, severity, and repercussions. It also assists in containing the incident and in planning recovery steps. Those who perform forensic investigations also benefit from the course, because they learn how to understand key characteristic of malware present on compromised systems.
This unique course provides a rounded approach to reverse-engineering by covering both behavioral and code analysis aspects of the analysis. As a result, the course makes the topic accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with malware analysis; however, the complexity of concepts and techniques increases as the course progresses.
The course begins by covering fundamental aspects of malware analysis. You will learn how to set up an inexpensive and flexible laboratory for understanding inner-workings of malicious software, and will understand how it can be used to explore characteristics of real-world specimens. You will then learn to examine the program's behavioral patterns and code. You will experiment with reverse-engineering compiled Windows executables and browser-based malware.
The course continues by discussing essential x86 assembly language concepts. You will learn to examine malicious code to understand the program's key components and execution flow. You will also learn to identify common malware characteristics by looking at Windows API use patterns, and will examine excerpts from bots, rootkits, key loggers, and downloaders. You will understand how to work with PE headers and handle DLL interactions. You will also learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.
You will also learn how to analyze malicious document files that take the form of Microsoft Office and Adobe PDF documents. Such documents act as a common infection vector, and need to be understood by enterprises concerned about both large-scale and targeted attacks. The course also explores memory forensics approaches to examining rootkits. Memory-based analysis techniques also help understand the context of an incident involving malicious software.
Hands-on workshop exercises are a critical aspect of this course, and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you will study the supplied specimen's behavioral patterns, and examine key portions of its code. You will examine malware on a Windows virtual machine that you will infect during the course, and will use the supplied Linux virtual machine (REMnux) that includes tools for examining and interacting with Windows and browser malware.
This popular malware analysis course has helped numerous IT administrators, forensics investigators, malware specialists, and other security professionals fight malicious code.
Topics Covered
The key topics covered by the course include:
- Configuring the malware analysis lab
- Assembling the malware analysis toolkit
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of Malicious Windows executables
- Intercepting system and network-level activities in the analysis lab
- Patching compiled malicious Windows executables
- Shortcuts for speeding up malware analysis
- Core concepts for reverse-engineering malware at the code level
- x86 Intel assembly language primer
- Identifying key x86 assembly logic structures with a disassembler
- Patterns of common malware characteristics at the Windows API level
- Working with PE headers of malicious Windows executables
- Handling DLL interactions and API hooking
- Manual unpacking of protected malicious Windows executables
- Tips and tricks for bypassing anti-analysis mechanisms built into malware
- Analyzing protected malicious browser scripts written in JavaScript and VBScript
- Reverse-engineering malicious Flash programs
- Analyzing malicious Microsoft Office and PDF documents
- Examining shellcode in the context of malicious files
- Analyzing memory to assess malware characteristics and reconstruct infection artifacts
- Using memory forensics to analyze rootkit infections
You will learn to analyze malware using tools such as:
- System Monitor, Process Explorer, CaptureBAT, Regshot, VMware
- BinText, LordPE, QuickUnpack, Firebug, PELister, PEiD
- IDA Pro, OllyDbg and plug-ins such as OllyDump, HideOD
- Rhino, Malzilla, SpiderMonkey, Jsunpack-n
- Internet Explorer Developer Toolbar, cscript
- Honeyd, NetCat, Wireshark, curl, wget, xorsearch
- OfficeMalScanner, OffVis, Radare, FileInsight
- Volatility Framework and plug-ins such as malfind2 and apihooks
- SWFTools, Flare, shellcode2exe, fake DNS server, and others
Complexity of the Course
While the field of reverse-engineering malware is in itself advanced, the course begins by covering this topic from introductory level and quickly progresses to discuss malware analysis tools and techniques of intermediate complexity.
Neither programming experience, nor the knowledge of assembly is required to benefit from the course. However, it helps to understand core programming concepts, such as variables, loops, and functions. The course spends some time discussing essential aspects of x86 assembly to allow malware analysts navigate through malicious executables using a debugger and a disassembler.
Who Should Attend?
You will benefit from this course if you deal with incidents involving malware and would like to learn how to understand key aspects of malicious programs.
Individuals who found this course particularly useful often had responsibilities in the areas of incident response, forensic investigation, Windows security, and system administration.
The majority of course participants have a strong understanding of core systems and networking concepts, and have had a limited exposure to programming and assembly concepts.
Prerequisites:
- Students should have a computer system that matches the stated laptop requirements. Some software needs to be installed before students come to class.
- Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.
- Students should be familiar with VMware Workstation and be able to create and configure virtual machines.
- Students are recommended to have a high-level understanding of key programming concepts, such as variables, loops, and functions; however, no programming experience is necessary.
When and Where Can You Attend?
I will be presenting the malware analysis course via the following venues:
- SANS New York event in October 2010 in New York, NY
- SANS London conference in November-December in London, UK
- SANS CDI East conference in December 2010 in Washington, DC
- SANS Security West conference in May 2011 in San Diego, CA
- SANS vLive! Internet-based live learning program, starting January 2011
- SANS OnDemand web platform for learning at your own pace
Interviews Related to Malware and Reversing
If you'd like to learn more about my perspective on malicious software and the reversing process, check out the following podcast and text-based conversations in which I participated:
- Discussion about malware analysis and REMnux on the SecuraBit Episode 61 podcast.
- Interview about malware analysis trends and careers by the Ethical Hacker Network
- Malicious document analysis conversation on the PaulDotCom Episode 200 podcast
- Interview about malware threats and analysis trends on InfoSec Daily Podcast Episode 43.
- Malware interview on the McAfee AudioParasitics podcast (part 1, 2)
Related Content
- Review of the malware analysis course by the Ethical Hacker Network
- Reverse-Engineering Malware Cheat Sheet
- Introduction to Malware Analysis Webcast
- Building a Malware Analysis Toolkit Using Free Tools
- Malware Analyst Job Description
- Students' Comments About the Course
- Using VMware for Malware Analysis
- FOR610 Course Page on SANS Website: Register Here
- GIAC Certification on Malware Analysis (GREM)
- ConvertShellcode Tool
- What to Include in a Malware Analysis Report
Copyright © 1995-2010 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.