Expansion of the SANS Reverse-Engineering Malware (REM) Course FOR610 in 2010

I am pleased to announce the 2010 expansion of the FOR610: Reverse-Engineering Malware (REM) course I teach at SANS Institute. This note outlines:

New Topics Added to the Course as Part of the Expansion

As the world of malware continues to evolve, so must the defenders’ ability to understand the nature of the threat. Fortunately, the development of tools and techniques for reverse-engineering malicious software is not standing still. I’m excited about the opportunity to cover additional approaches to analyzing malware as part of the course expansion.

Here are the highlights of the updates introduced as part of the newly-added Day 5 materials:

  • The course now uses a specialized Ubuntu-based Linux distribution I designed to ease many malware analysis tasks. REMnux comes with a number of useful reversing tools installed and configured to save time.
  • The course expands its coverage of shellcode analysis, explaining common patterns of x86 assembly instructions used by malware to exploit vulnerable applications and gain initial access to the victim’s computer.
  • The course now explains how to analyze malicious Microsoft Office documents, covering tools such as Frank Boldewin’s OfficeMalScanner and Microsoft’s OffVis.
  • The course now teaches steps for analyzing malicious Adobe PDF documents, making use of utilities such as Origami and Didier Stevens’ PDF Tools.
  • The course now covers practical techniques for analyzing malware using memory forensics. These approaches make use of tools such as the Volatility Framework and associated plug-ins. The discussion of memory forensics will bring us deeper into the world of user-mode and kernel-mode rootkits, and allow us to use the context of the infection to reverse-engineer malware more efficiently.

Upcoming Training Events Featuring New Materials

Starting in June 2010, all scheduled live REM course events will include Day 5 materials. For a listing of venues where you can participate in the course, see my main REM course page.

Discounts for REM Course Alumni Considering a Skills Refresh

If you’ve already attended the 4-day version of the REM course (SEC610), you can take the whole 5-day class at a 50% discount or take just Day 5 at one-fifth the full course price. This promotion is only valid in 2010. Please contact tuition@sans.org to receive your discount code.

Update to the GREM Certification to Reflect the Changes

The GREM certification will be updated to stay in sync with the materials covered by the newly-expanded REM course. The update will be rolled out on a schedule that matches the events where the updated REM course materials will be presented. Current GREM holders will not be required to re-certify; however, when their certification comes up for renewal, the certification’s scope will include the updated REM course materials. For questions related to GREM, please contact GIAC at info@giac.org.

Contributors to the New Materials

The new course materials were co-authored by the following individuals and an anonymous contributor:

Many thanks to these individuals for their contributions. I am also grateful to the many kind souls who have provided valuable feedback and guidance regarding the new materials.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
