
DFIR Summit

Austin, TX | Mon Jul 8 - Tue Jul 16, 2013

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

This popular malware analysis course has helped forensic investigators, incident responders and IT administrators acquire practical skills for examining malicious programs that target Microsoft Windows. This training also teaches how to reverse-engineer Web browser malware implemented in JavaScript and Flash, as well as malicious documents, such as PDF and Microsoft Office files. The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools for turning malware inside-out.

The malware analysis process taught in this class helps incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Forensics investigators also learn how to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

A Methodical Approach to Reverse-Engineering

The course begins by covering fundamental aspects of malware analysis. You'll learn how to set up an inexpensive and flexible laboratory for understanding the inner workings of malicious software and will understand how to use the lab for exploring characteristics of real-world samples. Then you'll learn to examine the program's behavioral patterns and code. Afterwards, you'll experiment with reverse-engineering compiled Windows executables and Web browser malware.

The course continues by discussing essential x86 assembly language concepts. You'll examine malicious code to understand the program's key components and execution flow. Additionally, you'll learn to identify common malware characteristics by looking at Windows API patterns and will examine excerpts from bots, rootkits, keyloggers and downloaders. You'll understand how to work with PE headers and handle DLL interactions. Furthermore, you'll learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.

Towards the end of the course, you'll learn to analyze malicious document files that take the form of Microsoft Office and Adobe PDF documents. Such documents act as a common infection vector and need to be understood by enterprises concerned about both large-scale and targeted attacks. The course also explores memory forensics approaches to examining rootkits. Memory-based analysis techniques also help analysts understand the context of an incident involving malicious software.

Hands-On Training for Malware Analysis and Reversing

Hands-on workshop exercises are a critical aspect of this course and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you'll study the supplied specimen's behavioral patterns and examine key portions of its code. You'll examine malware on a Windows virtual machine that you'll infect during the course and will use the supplied Linux virtual machine (REMnux) that includes tools for examining and interacting with malware.

Complexity of the Course: Formalizing and Expanding Your Malware Analysis Skills

While the field of reverse-engineering malware is in itself advanced, the course begins by covering this topic from an introductory level and quickly progresses to discuss tools and techniques of intermediate complexity. Overall, the goal of the course is to act as a practical way for the motivated technologists to enter the field of malware analysis and reversing.

Neither programming experience nor the knowledge of assembly is required to benefit from the course. However, you should have a general idea about core programming concepts, such as variables, loops and functions. The course spends some time discussing essential aspects of Intel assembly to allow malware analysts to navigate through malicious executables using a debugger and a disassembler.

Topics Covered in This Reverse-Engineering Malware Course Include:

  • Configuring the malware analysis lab
  • Assembling the toolkit for malware forensics
  • Performing behavioral analysis of malicious Windows executables
  • Performing static and dynamic code analysis of malicious Windows executables
  • Intercepting system and network-level activities in the analysis lab
  • Patching compiled malicious Windows executables
  • Shortcuts for speeding up malware analysis
  • Core concepts for reverse-engineering malware at the code level
  • x86 Intel assembly language primer
  • Identifying key assembly logic structures with a disassembler
  • Patterns of common malware characteristics at the Windows API level
  • Working with PE headers of malicious Windows executables
  • Handling DLL interactions and API hooking
  • Manual unpacking of protected malicious Windows executables
  • Tips and tricks for bypassing anti-analysis mechanisms built into malware
  • Analyzing protected malicious browser scripts written in JavaScript and VBScript
  • Reverse-engineering malicious Flash programs
  • Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and PDF documents
  • Examining shellcode in the context of malicious files
  • Analyzing memory to assess malware characteristics and reconstruct infection artifacts
  • Using memory forensics to analyze rootkit infections

Authors of the reverse-engineering malware course created the following cheat sheets to summarize some of the concepts and tools you'll learn:

You can get a sense for malware analysis approaches explored in this course by looking at the following resources:

Course Syllabus

Course Contents | Instructors | Schedule

FOR610.1: Malware Analysis Fundamentals | Jake Williams | Thu Jul 11th, 2013, 9:00 AM - 5:00 PM
Overview

Day one lays the groundwork for malware analysis by presenting the key tools and techniques malware analysts use to examine malicious programs. You'll learn how to save time by exploring Windows malware in two phases. Behavioral analysis focuses on the program's interactions with its environment, such as the registry, the network and the file system. Code analysis focuses on the specimen's code and makes use of a disassembler and a debugger, such as IDA Pro and OllyDbg. You will learn how to build a flexible laboratory to perform such analysis in a controlled manner, and you'll set up such a lab on your laptop. You will then learn how to use the key analysis tools by examining a malware sample in the lab you just set up, with guidance and explanations from the instructor, to reinforce the concepts discussed throughout the day.

CPE/CMU Credits: 6

Topics
  • Configuring the malware analysis lab
  • Assembling the toolkit for malware forensics
  • Performing behavioral analysis of malicious Windows executables
  • Performing static and dynamic code analysis of malicious Windows executables
  • Additional learning resources for reverse-engineering malware


FOR610.2: Additional Malware Analysis Approaches | Jake Williams | Fri Jul 12th, 2013, 9:00 AM - 5:00 PM
Overview

Day two builds upon the fundamentals introduced earlier in the course and discusses techniques for uncovering additional aspects of the malicious program's functionality. You will learn about packers and the analysis approaches that may help bypass their defenses. You will also learn how to patch malicious executables to change their functionality during the analysis without recompiling them. Additionally, you'll understand how to redirect network traffic in the lab to better interact with malware, such as bots and worms, to understand their capabilities. You'll also experiment with the essential tools and techniques for analyzing Web-based malware, such as malicious browser scripts and Flash programs.

CPE/CMU Credits: 6

Topics
  • Reinforcing the dynamic analysis concepts learned in 610.1
  • Patching compiled malicious Windows executables
  • Analyzing packed malicious executable files
  • Intercepting network connections in the malware lab
  • Analyzing Web browser malware implemented in JavaScript and Flash


FOR610.3: Malicious Code Analysis | Jake Williams | Sat Jul 13th, 2013, 9:00 AM - 5:00 PM
Overview

Day three focuses on examining malicious Windows executables at the assembly level. You will discover approaches for studying the inner workings of a specimen by looking at it through a disassembler and, at times, with the help of a debugger. The day begins with an overview of key code reversing concepts and presents a primer on essential x86 Intel assembly concepts, such as instructions, function calls, variables and jumps. You will also learn how to examine common assembly constructs, such as functions, loops and conditional statements. During the second half of the day we discuss how malware implements common characteristics, such as keylogging, packet spoofing and DLL injection, at the assembly level. You will learn how to recognize such characteristics in malicious Windows executables.

CPE/CMU Credits: 6

Topics
  • Core concepts for reverse-engineering malware at the code level
  • x86 Intel assembly language primer
  • Handling anti-disassembling techniques
  • Identifying key x86 assembly logic structures with a disassembler
  • Patterns of common malware characteristics at the Windows API level (DLL injection, hooking, keylogging, sniffing, etc.)


FOR610.4: Self-Defending Malware | Jake Williams | Sun Jul 14th, 2013, 9:00 AM - 5:00 PM
Overview

Day four begins by covering several techniques malware authors commonly employ to protect malicious Windows executables from being analyzed, often with the help of packers. You will learn how to bypass analysis defenses, such as structured error handling for execution flow, PE header corruption, fake memory breakpoints, tool detection, integrity checks and timing controls. It's a lot of fun! As with the other topics covered throughout the course, you will be able to experiment with such techniques during hands-on exercises. On this day, we'll also revisit the topic of Web browser malware, learning to use additional tools and approaches for analyzing more complex malicious scripts written in VBScript and JavaScript.

CPE/CMU Credits: 6

Topics
  • Identifying packers
  • Manual unpacking of packed and otherwise protected malicious Windows executables
  • Tips and tricks for bypassing anti-analysis mechanisms built into malware
  • Additional techniques for analyzing obfuscated browser scripts using tools such as SpiderMonkey


FOR610.5: Malicious Documents and Memory Forensics | Jake Williams | Mon Jul 15th, 2013, 9:00 AM - 5:00 PM
Overview

This section starts by exploring common patterns of assembly instructions often used to gain initial access to the victim's computer. Next, we will learn how to analyze malicious Microsoft Office documents, covering tools such as OfficeMalScanner, and explore steps for analyzing malicious PDF documents with utilities such as Origami and PDF Tools. Another major topic covered in this section is the reversing of malicious Windows executables using memory forensics techniques. We'll explore this topic with the help of tools such as the Volatility Framework and associated plug-ins. The discussion of memory forensics will bring us deeper into the world of user and kernel-mode rootkits and allow us to use the context of the infection to reverse-engineer malware more efficiently.

CPE/CMU Credits: 6

Topics
  • Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and Adobe PDF documents
  • Examining shellcode in the context of malicious files
  • Analyzing memory to assess malware characteristics and reconstruct infection artifacts
  • Using memory forensics to analyze rootkit infections


Additional Information

Laptop Required

Important! Bring your own laptop and a pre-installed Windows XP virtual machine!

A properly configured laptop is required to participate in this course. Prior to the start of class, you must install the necessary software as described below. If you do not carefully read and follow these instructions, you are guaranteed to leave the course unsatisfied, since you will not be able to participate in the hands-on exercises that are essential to this course.

The following are minimal hardware requirements for your laptop:

  • DVD-ROM drive
  • 2 GHz CPU (a faster processor is recommended)
  • 2 GB RAM (more memory is recommended)
  • 10 GB of available disk space (more space is recommended)
  • Ethernet network port

Creating a Windows Virtual Machine Using VMware

You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation version 8 or higher installed on your system. If you do not own and cannot purchase VMware Workstation, you can download a free trial copy from VMware. VMware will send you a 30-day serial number if you register for the trial at their Web site.

When analyzing malware, you will make use of a virtual Windows machine running within VMware. You will be asked to infect this virtual machine when examining malicious code. You must create a Windows XP (32-bit) virtual machine using your copy of VMware before coming to class. Note that this involves not only creating a virtual machine shell using VMware, but also installing your copy of the Windows XP operating system into the virtual machine.

If you don't have Windows XP installation medium, you can obtain a free virtual machine from Microsoft if you are running Windows 7 Professional, Enterprise, or Ultimate on your base system. To do this and to import the virtual machine into VMware, follow instructions here.

Install Windows XP with Service Pack 3 (32-bit) on your virtual machine. Don't install anti-virus software on the Windows virtual machine. Lastly, be sure to install Internet Explorer 8 or higher into your Windows virtual machine.

Shut down your Windows virtual machine and configure it to use the "Host-only" network connection. You can do this by selecting Settings of your virtual machine in VMware, clicking Network Adapter on the Hardware tab, and selecting "Host-only." Then, start the virtual machine and confirm that you received an IP address from the VMware built-in DHCP server. You can do this by typing "ipconfig" on the command prompt within your virtual machine.
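As an added check for the last step of the lab setup above (this is an example written for this page, not SANS course material), the following script parses an `ipconfig /all` listing copied out of the Windows XP guest and confirms that an adapter actually holds a DHCP lease. The sample listings are constructed; the field labels follow the Windows XP `ipconfig /all` layout and the addresses are assumptions, since VMware assigns the host-only subnet per installation. The failure modes it flags are the ones that make the lab exercises fail later: a 169.254.x.x autoconfiguration (APIPA) address, which means the guest never received a lease, and an adapter left on a static address instead of DHCP.

```python
"""Verify that a Windows XP guest obtained a DHCP lease, from pasted `ipconfig /all` text.

Added example for the laptop-preparation steps; not part of the course material.
Run on the host (or any machine with Python 3) against output copied from the guest.
"""
import ipaddress
import re

# "Ethernet adapter Local Area Connection:" style section headers.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# "        Dhcp Enabled. . . . . . . . . . . : Yes" style fields (dots pad the label).
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {lowercased field label: value}} for each adapter section."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Lower-case the label: XP prints "Dhcp Enabled" but "DHCP Server".
            adapters[current][m.group(1).strip().lower()] = m.group(2).strip()
    return adapters


def check_lab_guest(ipconfig_text):
    """Return (ok, reason). ok is True only when a DHCP-enabled adapter holds a
    routable lease handed out by a DHCP server; APIPA, 0.0.0.0 and static
    configurations are reported as failures."""
    for name, fields in parse_ipconfig(ipconfig_text).items():
        if fields.get("dhcp enabled", "").lower() != "yes":
            continue
        if "autoconfiguration ip address" in fields:
            addr = fields["autoconfiguration ip address"]
            return False, f"{name}: APIPA address {addr}, no DHCP lease was obtained"
        try:
            addr = ipaddress.ip_address(fields.get("ip address", ""))
        except ValueError:
            continue
        if addr.is_unspecified or addr.is_link_local:
            return False, f"{name}: {addr} is not a usable lease"
        if not fields.get("dhcp server"):
            return False, f"{name}: {addr} is set but no DHCP Server is recorded"
        return True, f"{name}: leased {addr} from {fields['dhcp server']}"
    return False, "no adapter with DHCP enabled was found"


# Constructed sample listings (addresses are assumptions, not VMware defaults).
SAMPLE_OK = """
Windows IP Configuration
        Host Name . . . . . . . . . . . . : xp-lab

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : localdomain
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.56.128
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.56.254
"""

SAMPLE_APIPA = """
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

SAMPLE_STATIC = """
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("apipa", SAMPLE_APIPA), ("static", SAMPLE_STATIC)):
        ok, reason = check_lab_guest(sample)
        print(f"{label:7s} {'PASS' if ok else 'FAIL'}: {reason}")
```

To use it on your own guest, run `ipconfig /all > ipconfig.txt` inside the virtual machine, copy the file out, and pass its contents to `check_lab_guest`. The script deliberately does not assume a particular host-only subnet; it only verifies that the lease came from a DHCP server, which is what the checklist asks for.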

Hands-on exercises will involve operating with malicious code. Although VMware will provide you with reasonable isolation, we do not recommend using a production system as your laboratory machine. We expect you to exercise due caution when handling malicious code.

Additional Tools You Will Receive

We will provide you with additional tools for completing hands-on exercises. Additionally, we will provide you with a pre-built Linux virtual machine (REMnux) so that you do not need to build your own. Hardware requirements outlined above are meant to ensure that you have sufficient memory and disk space available to simultaneously run the Windows virtual machine (that you will build yourself before class) and the Linux virtual machine (that we will provide to you during class).

Final Checklist

Review the following checklist when leaving for the training event to make sure that your laptop is prepared for the course:

  • Your laptop meets hardware requirements outlined in this note.
  • VMware Workstation 6 or higher is installed.
  • The VMware Workstation license will not expire before the class (if using a trial copy).
  • You created a VMware virtual machine running Windows XP with Service Pack 3 (32-bit) and Internet Explorer 8 installed.
  • Your Windows virtual machine is using "Host-only" network connection and is able to obtain an IP address from the DHCP server built into VMware.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.


Who Should Attend
  • Individuals who found this course particularly useful often had responsibilities in the areas of incident response, forensic investigation, Windows security and system administration.
  • You'll benefit from this course if you deal with incidents involving malware and would like to learn how to understand key aspects of malicious programs.
  • The majority of course participants have a strong understanding of core systems and networking concepts and have had some limited exposure to programming and assembly concepts.
  • Some individuals who attended the course have experimented with aspects of malware analysis prior to the course and were looking to formalize and expand their malware forensics expertise.


Prerequisites
  • Students should have a computer system that matches the stated laptop requirements. Some software needs to be installed before students come to class.
  • Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.
  • Students should be familiar with VMware Workstation and be able to create and configure virtual machines.
  • Students are recommended to have a high-level understanding of key programming concepts, such as variables, loops and functions; however, no programming experience is necessary.


You Will Be Able To
  • Build an isolated laboratory environment for analyzing code and behavior of malicious programs
  • Employ network and system-monitoring tools to examine how malware interacts with the file system, the registry, the network and other processes on Microsoft Windows.
  • Uncover and analyze malicious JavaScript, VBScript, and ActionScript components of web pages, which are often used as part of drive-by attacks.
  • Control some aspect of the malicious program's behavior through network traffic interception and code patching.
  • Use a disassembler and a debugger to examine the inner workings of malicious Windows executables.
  • Bypass a variety of defensive mechanisms designed by malware authors to misdirect, confuse and otherwise slow down the analyst.
  • Recognize and understand common assembly-level patterns in malicious code, such as DLL injection.
  • Assess the threat associated with malicious documents, such as PDF and Microsoft Office files in the context of targeted attacks.
  • Derive Indicators of Compromise (IOCs) from malicious executables to contain and recover from the incident.
  • Utilize practical memory forensics techniques to examine capabilities of rootkits.


Press & Reviews

"Highly valuable content, greatly increased my understanding of malware and techniques to reverse engineer." - Kenneth Miltenberger, US Coast Guard

"I thought I knew reversing. This class taught me so much more and provided easy understandings of complex reversing tasks." - David Werden, NGIS

"This is the most complete malware analysis course I have ever taken. An awesome variety of tools and techniques for the malware analyst." - Anonymous

"It is an excellent course for those who want a hands-on experience understanding an under the hood view of malware and how it works." - Ryan Denniston, DoD