This webcast introduces you to practical approaches to reverse-engineering malicious software on a Windows system. I cover the behavioral and code analysis phases in a way that makes this topic accessible even to individuals with limited exposure to programming concepts. You'll learn the fundamentals and the associated tools you need to get started with malware analysis.
You can view and listen to the recorded version of this webcast at the SANS website. You can also download my slides, complete with full speaker notes. These slides are also useful when you cannot see full details on your screen while watching the webcast.
The presentation walks you through the analysis of a trojan program. If you'd like to experiment with the specimen, you can download the malicious executable here. The password for the archive is the word "infected". Be careful to take the lab isolation precautions I discuss in the presentation!
To learn how to analyze Windows malware on a Linux system, see my companion webcast Malware Analysis Essentials using REMnux.
If you'd like to learn about the full Reverse-Engineering Malware course I teach at SANS Institute, take a look at the REM course page.
My webcast mentioned a local behavior-monitoring tool, CaptureBAT. This tool is hard to find on the web, so you can download a copy here.
Authored by Lenny Zeltser. Lenny is a seasoned business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved.
The information on this site does not necessarily represent positions or opinions of my employer.