FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
The malware analysis process taught in this class helps incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Forensics investigators also learn how to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.
A Methodical Approach to Reverse-Engineering
The course begins by covering fundamental aspects of malware analysis. You'll learn how to set up an inexpensive and flexible laboratory for understanding the inner workings of malicious software and will understand how to use the lab for exploring characteristics of real-world samples. Then you'll learn to examine the program's behavioral patterns and code. Afterwards, you'll experiment with reverse-engineering compiled Windows executables and Web browser malware.
The course continues by discussing essential x86 assembly language concepts. You'll examine malicious code to understand the program's key components and execution flow. Additionally, you'll learn to identify common malware characteristics by looking at Windows API patterns and will examine excerpts from bots, rootkits, keyloggers and downloaders. You'll understand how to work with PE headers and handle DLL interactions. Furthermore, you'll learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.
Towards the end of the course, you'll learn to analyze malicious document files that take the form of Microsoft Office and Adobe PDF documents. Such documents act as a common infection vector and need to be understood by enterprises concerned about both large-scale and targeted attacks. The course also explores memory forensics approaches to examining rootkits. Memory-based analysis techniques also help understand the context of an incident involving malicious software.
Hands-On Training for Malware Analysis and Reversing
Hands-on workshop exercises are a critical aspect of this course and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you'll study the supplied specimen's behavioral patterns and examine key portions of its code. You'll examine malware on a Windows virtual machine that you'll infect during the course and will use the supplied Linux virtual machine (REMnux) that includes tools for examining and interacting with malware.
Complexity of the Course: Formalizing and Expanding Your Malware Analysis Skills
While the field of reverse-engineering malware is in itself advanced, the course begins by covering this topic from an introductory level and quickly progresses to discuss tools and techniques of intermediate complexity. Overall, the goal of the course is to act as a practical way for the motivated technologists to enter the field of malware analysis and reversing.
Neither programming experience nor knowledge of assembly is required to benefit from the course. However, you should have a general idea about core programming concepts, such as variables, loops and functions. The course spends some time discussing essential aspects of Intel assembly to allow malware analysts to navigate through malicious executables using a debugger and a disassembler.
Topics Covered in This Reverse-Engineering Malware Course Include:
- Configuring the malware analysis lab
- Assembling the toolkit for malware forensics
- Performing behavioral analysis of malicious Windows executables
- Performing static and dynamic code analysis of malicious Windows executables
- Intercepting system and network-level activities in the analysis lab
- Patching compiled malicious Windows executables
- Shortcuts for speeding up malware analysis
- Core concepts for reverse-engineering malware at the code level
- x86 Intel assembly language primer
- Identifying key assembly logic structures with a disassembler
- Patterns of common malware characteristics at the Windows API level
- Working with PE headers of malicious Windows executables
- Handling DLL interactions and API hooking
- Manual unpacking of protected malicious Windows executables
- Tips and tricks for bypassing anti-analysis mechanisms built into malware
- Reverse-engineering malicious Flash programs
- Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and PDF documents
- Examining shellcode in the context of malicious files
- Analyzing memory to assess malware characteristics and reconstruct infection artifacts
- Using memory forensics to analyze rootkit infections
Authors of the reverse-engineering malware course created the following cheat sheets to summarize some of the concepts and tools you'll learn:
- Reverse-Engineering Malware Cheat Sheet
- Analyzing Malicious Documents Cheat Sheet
- REMnux Usage Tips for Malware Analysis on Linux
You can get a sense for the malware analysis approaches explored in this course by looking at the following resources:
- Introduction to Malware Analysis webcast by Lenny Zeltser
- REMnux for Malware Analysis article by Russ McRee
- A review of the FOR610: Reverse-Engineering Malware course by the Ethical Hacker Network
- A review of the FOR610: Reverse-Engineering Malware course by Chris Sanders
- Students' comments about the reverse-engineering malware course
- Malware Analyst Job Description by Lenny Zeltser
- Fun quiz to assess your malware analysis skills
FOR610.1: Malware Analysis Fundamentals
Day one lays the groundwork for malware analysis by presenting the key tools and techniques malware analysts use to examine malicious programs. You'll learn how to save time by exploring Windows malware in two phases. Behavioral analysis focuses on the program's interactions with its environment, such as the registry, the network and the file system. Code analysis focuses on the specimen's code and makes use of a disassembler and a debugger, such as IDA Pro and OllyDbg. You will learn how to build a flexible laboratory to perform such analysis in a controlled manner, and you'll set up such a lab on your laptop. You will then learn how to use the key analysis tools by examining a malware sample in the lab you just set up, with guidance and explanations from the instructor, to reinforce the concepts discussed throughout the day.
CPE/CMU Credits: 6
FOR610.2: Additional Malware Analysis Approaches
Day two builds upon the fundamentals introduced earlier in the course and discusses techniques for uncovering additional aspects of the malicious program's functionality. You will learn about packers and the analysis approaches that may help bypass their defenses. You will also learn how to patch malicious executables to change their functionality during the analysis without recompiling them. Additionally, you'll understand how to redirect network traffic in the lab to better interact with malware, such as bots and worms, to understand their capabilities. You'll also experiment with the essential tools and techniques for analyzing Web-based malware, such as malicious browser scripts and Flash programs.
CPE/CMU Credits: 6
FOR610.3: Malicious Code Analysis
Day three focuses on examining malicious Windows executables at the assembly level. You will discover approaches for studying the inner workings of a specimen by looking at it through a disassembler and, at times, with the help of a debugger. The day begins with an overview of key code reversing concepts and presents a primer on essential x86 Intel assembly concepts, such as instructions, function calls, variables and jumps. You will also learn how to examine common assembly constructs, such as functions, loops and conditional statements. During the second half of the day we discuss how malware implements common characteristics, such as keylogging, packet spoofing and DLL injection, at the assembly level. You will learn how to recognize such characteristics in malicious Windows executables.
CPE/CMU Credits: 6
FOR610.4: Self-Defending Malware
CPE/CMU Credits: 6
FOR610.5: Malicious Documents and Memory Forensics
This section starts by exploring common patterns of assembly instructions often used to gain initial access to the victim's computer. Next, we will learn how to analyze malicious Microsoft Office documents, covering tools such as OfficeMalScanner, and explore steps for analyzing malicious PDF documents with utilities such as Origami and PDF Tools. Another major topic covered in this section is the reversing of malicious Windows executables using memory forensics techniques. We'll explore this topic with the help of tools such as the Volatility Framework and associated plug-ins. The discussion of memory forensics will bring us deeper into the world of user-mode and kernel-mode rootkits and allow us to use the context of the infection to reverse-engineer malware more efficiently.
CPE/CMU Credits: 6
Important! Bring your own laptop and a pre-installed Windows XP virtual machine!
A properly configured laptop is required to participate in this course. Prior to the start of class, you must install the necessary software as described below. If you do not carefully read and follow these instructions, you are guaranteed to leave the course unsatisfied, since you will not be able to participate in the hands-on exercises that are essential to this course.
The following are minimal hardware requirements for your laptop:
Creating a Windows Virtual Machine Using VMware
You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation version 8 or higher installed on your system. If you do not own and cannot purchase VMware Workstation, you can download a free trial copy from VMware. VMware will send you a 30-day serial number if you register for the trial at their Web site.
When analyzing malware, you will make use of a virtual Windows machine running within VMware. You will be asked to infect this virtual machine when examining malicious code. You must create a Windows XP (32-bit) virtual machine using your copy of VMware before coming to class. Note that this involves not only creating a virtual machine shell using VMware, but also installing your copy of the Windows XP operating system into the virtual machine.
If you don't have Windows XP installation medium, you can obtain a free virtual machine from Microsoft if you are running Windows 7 Professional, Enterprise, or Ultimate on your base system. To do this and to import the virtual machine into VMware, follow instructions here.
Install Windows XP with Service Pack 3 (32-bit) on your virtual machine. Don't install anti-virus software on the Windows virtual machine. Lastly, be sure to install Internet Explorer 8 or higher into your Windows virtual machine.
Shut down your Windows virtual machine and configure it to use the "Host-only" network connection. You can do this by selecting Settings of your virtual machine in VMware, clicking Network Adapter on the Hardware tab, and selecting "Host-only." Then, start the virtual machine and confirm that you received an IP address from the VMware built-in DHCP server. You can do this by typing "ipconfig" on the command prompt within your virtual machine.
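The ipconfig step above is where most pre-class lab setups go wrong: if the guest shows a 169.254.x.x (APIPA) address, DHCP is enabled but no lease was obtained, which usually means the adapter is not actually in "Host-only" mode. The following added example (not part of the course materials) parses `ipconfig /all` output from the Windows XP guest and classifies the lease; the sample output, host name and addresses are constructed, and the field names assume the XP layout ("Dhcp Enabled", "IP Address") with a fallback for the "IPv4 Address" wording of later Windows versions.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output from a Windows XP guest; the host name
# and addresses are made up, the field layout follows XP's ipconfig.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-lab

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.56.130
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.56.254
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$", re.MULTILINE)
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$", re.MULTILINE)
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text):
    """Return {adapter name: {lower-cased field: value}} per adapter section."""
    parts = ADAPTER_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    return {
        name: {m.group(1).strip().lower(): m.group(2).strip()
               for m in FIELD_RE.finditer(body)}
        for name, body in zip(parts[1::2], parts[2::2])
    }


def lease_status(fields):
    """'ok' = DHCP lease held; 'apipa' = DHCP on but no lease; 'static'; 'none'."""
    dhcp = fields.get("dhcp enabled", "").lower() == "yes"
    # XP prints "IP Address"; Vista and later print "IPv4 Address ... (Preferred)"
    raw = (fields.get("ip address") or fields.get("ipv4 address") or "").split("(")[0]
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "none"
    if addr.is_unspecified or addr in APIPA:
        return "apipa" if dhcp else "none"
    return "ok" if dhcp else "static"


def host_only_ready(text):
    """True when at least one adapter holds a DHCP lease from the VMware server."""
    return any(lease_status(f) == "ok" for f in parse_ipconfig(text).values())
```

Paste the real `ipconfig /all` output from your guest into `SAMPLE_IPCONFIG` (or read it from a file) and call `host_only_ready`; an "apipa" result means you should recheck the adapter's network setting in VMware before class.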
Hands-on exercises will involve operating with malicious code. Although VMware will provide you with reasonable isolation, we do not recommend using a production system as your laboratory machine. We expect you to exercise due caution when handling malicious code.
Additional Tools You Will Receive
We will provide you with additional tools for completing hands-on exercises. Additionally, we will provide you with a pre-built Linux virtual machine (REMnux) so that you do not need to build your own. Hardware requirements outlined above are meant to ensure that you have sufficient memory and disk space available to simultaneously run the Windows virtual machine (that you will build yourself before class) and the Linux virtual machine (that we will provide to you during class).
Review the following checklist when leaving for the training event to make sure that your laptop is prepared for the course:
If you have additional questions about the laptop specifications, please contact email@example.com.
*CPE/CMU credits not offered for the SelfStudy delivery method