I am pleased to announce the expansion of the Reverse-Engineering Malware course in 2008 from 2 days to 4 days. Many participants in the original 2-day course have been asking, "When will you offer a more advanced version of the class?" It's finally here.
The original SEC601 course covered the essentials of malware analysis. The new SEC602 course focuses on more in-depth malware analysis topics. We spend a day on malicious code analysis, identifying key logic structures, and reviewing assembly-level examples of common malware categories. The second day focuses on manual and automated unpacking and other considerations for bypassing self-defending mechanisms in malware. We also learn to combat advanced obfuscation techniques in malicious Web scripts.
SANS plans to offer the full 4-day course as SEC610, and allow students to sign up for each 2-day course independently as well. To clarify: SEC610 = SEC601 + SEC602.
The GREM certification, based on the Reverse-Engineering Malware course, will cover the newly expanded SEC610 course. Current GREM holders will not be required to re-take the exam; however, when their certification comes up for renewal, the exam will include the new materials from SEC602. (Please direct certification questions to GIAC.)
The new materials are the result of collaboration with my colleagues from SANS and the Internet Storm Center, mainly Pedro Bueno, Michael Murr, Jim Shewmaker, and Bojan Zdrnja, who are the primary authors of the new materials. Many thanks to these individuals for their contributions and to those who have provided, and will provide, valuable feedback for keeping the course in top shape.
If you'd like to help fine-tune the new materials, please sign up for the new 2-day course (SEC602) in Boston, MA, the weekend of January 26-27, 2008. I'll be beta-testing the course there: some glitches may come up, but you can join this event at a 50% discount!
The course will formally debut at SANS 2008 in Orlando, FL, in April 2008. Students can sign up for the entire 4-day course (SEC610) or for the individual 2-day courses (SEC601 and SEC602). SEC601 alumni qualify for a 50% discount on the 4-day version of the course (SEC610) in 2008.