Korea 2013

Seoul, Korea, Republic Of | Mon, Nov 11 - Sat, Nov 23, 2013

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

The SANS Institute is currently the leader in the commercial IR and Computer Forensic training market. They have a large number of quality courses.
Jason Luttgens, Matthew Pepe, Kevin Mandia, Incident Response & Computer Forensics, Third Edition - July 2014

The best SANS course I've ever attended, and it was easy to say that, great structure of knowledge, great teaching skills, great function.
Karel Nykles, CESNET, z. s. p. o.

This popular malware analysis course has helped forensic investigators, incident responders and IT administrators acquire practical skills for examining malicious programs that target Microsoft Windows. This training also teaches how to reverse-engineer Web browser malware implemented in JavaScript and Flash, as well as malicious documents, such as PDF and Microsoft Office files. The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools for turning malware inside-out.

The malware analysis process taught in this class helps incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Forensics investigators also learn how to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

A Methodical Approach to Reverse-Engineering

The course begins by covering fundamental aspects of malware analysis. You'll learn how to set up an inexpensive and flexible laboratory for understanding the inner workings of malicious software and will understand how to use the lab for exploring characteristics of real-world samples. Then you will learn to examine the program's behavioral patterns and code. Afterwards, we experiment with reverse-engineering compiled Windows executables and Web browser malware.

The course continues by discussing essential x86 assembly language concepts. You will examine malicious code to understand the program's key components and execution flow. Additionally, you will learn to identify common malware characteristics by looking at Windows API patterns and will examine excerpts from bots, rootkits, keyloggers and downloaders. You will understand how to work with PE headers and handle DLL interactions. Furthermore, you will learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.

You will also learn to analyze malicious document files that take the form of Microsoft Office and Adobe PDF documents. Such documents act as a common infection vector and need to be understood by enterprises concerned about both large-scale and targeted attacks. The course also explores memory forensics approaches to examining rootkits. Memory-based analysis techniques also help understand the context of an incident involving malicious software.

The course culminates with a series of capture-the-flag style challenges, designed to reinforce the techniques learned in class and to provide additional opportunities for learning practical, hands-on malware analysis skills.

Hands-On Training for Malware Analysis and Reversing

Hands-on workshop exercises are a critical aspect of this course and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you will study the supplied specimen's behavioral patterns and examine key portions of its code. We examine malware on a Windows virtual machine that you will infect during the course and use the supplied Linux virtual machine (REMnux) that includes tools for examining and interacting with malware. At the end of the course, students will participate in a hands-on tournament, which will provide practical, hands-on malware analysis challenges in a fun setting.

Complexity of the Course: Formalizing and Expanding Your Malware Analysis Skills

While the field of reverse-engineering malware is in itself advanced, the course begins by covering this topic from an introductory level and quickly progresses to discuss tools and techniques of intermediate complexity. Overall, the goal of the course is to act as a practical way for motivated technologists to enter the field of malware analysis and reversing.

Neither programming experience nor the knowledge of assembly is required to benefit from the course. However, you should have a general idea about core programming concepts, such as variables, loops and functions. The course spends some time discussing essential aspects of x86 assembly language, allowing malware analysts to navigate through malicious executables using a debugger and a disassembler.

Course Syllabus
  FOR610.1: Malware Analysis Fundamentals Jess Garcia Mon Nov 11th, 2013
9:00 AM - 5:00 PM

Section one lays the groundwork for malware analysis by presenting the key tools and techniques malware analysts use to examine malicious programs. You will learn how to save time by exploring Windows malware in two phases. Behavioral analysis focuses on the program's interactions with its environment, such as the registry, the network and the file system. Code analysis focuses on the specimen's code and makes use of a disassembler and a debugger, such as IDA Pro and OllyDbg. You will learn how to build a flexible laboratory to perform such analysis in a controlled manner, and set up such a lab on your laptop. You will then learn how to use the key analysis tools by examining a malware sample in the lab you just set up, with guidance and explanations from the instructor, to reinforce the concepts discussed throughout the day.

CPE/CMU Credits: 6

  • Configuring the malware analysis lab
  • Assembling the toolkit for malware forensics
  • Performing behavioral analysis of malicious Windows executables
  • Performing static and dynamic code analysis of malicious Windows executables
  • Additional learning resources for reverse-engineering malware
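The static side of the code-analysis phase starts with the file format itself: the PE headers tell you where the entry point is, which sections are mapped where, and, through the import directory, which Windows APIs the specimen asks the loader for. The following is an added example, not course material or code from SANS or REMnux: it builds a constructed minimal PE32 file (real API names, not a real specimen) and then parses it the way a tool such as pefile does, walking DOS header, PE signature, optional header, section table and import descriptors. The builder exists only so the parser has deterministic input to run on; the parser handles PE32 (32-bit) images only, which matches the Windows XP lab.

```python
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # the single section's memory address / file offset

SAMPLE_IMPORTS = {   # constructed import set: the APIs are real, the specimen is not
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                     "CreateRemoteThread", "IsDebuggerPresent"],
    "USER32.dll": ["SetWindowsHookExA"],
}

def build_sample_pe(imports=SAMPLE_IMPORTS):
    """Emit a minimal PE32: DOS stub, PE headers, one .rdata section holding an import table."""
    body = bytearray(20 * (len(imports) + 1))        # descriptors (filled below) + null terminator
    descriptors = []
    for dll, names in imports.items():
        name_rvas = []
        for api in names:                              # IMAGE_IMPORT_BY_NAME: WORD hint, then the name
            if len(body) % 2:
                body.append(0)
            name_rvas.append(SECTION_RVA + len(body))
            body += struct.pack("<H", 0) + api.encode() + b"\0"
        dll_rva = SECTION_RVA + len(body)
        body += dll.encode() + b"\0"
        while len(body) % 4:
            body.append(0)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        ilt_rva = SECTION_RVA + len(body); body += thunks   # Import Lookup Table
        iat_rva = SECTION_RVA + len(body); body += thunks   # Import Address Table (same on disk)
        descriptors.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descriptors)] = b"".join(descriptors)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> "PE\0\0" at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x1000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (SECTION_RVA, 20 * (len(imports) + 1))   # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SECTION_RVA, len(body),
                       SECTION_RAW, 0, 0, 0, 0, 0x40000040)         # INITIALIZED_DATA | READ
    headers = dos + b"PE\0\0" + coff + opt + sect
    return bytes(headers.ljust(SECTION_RAW, b"\0") + body)

def parse_pe(data):
    """Walk DOS -> PE -> optional header -> sections -> import directory of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)        # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)   # ImageBase
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize})

    def rva_to_offset(rva):   # header fields are memory addresses; map them onto the file
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["raw"]
        raise ValueError("RVA %#x is not backed by any section" % rva)

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    import_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8)   # data directory entry 1
    off = rva_to_offset(import_rva) if import_rva else None
    while off is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break                                       # all-zero descriptor ends the table
        thunk, names = rva_to_offset(ilt or iat), []
        while True:
            value, = struct.unpack_from("<I", data, thunk)
            if value == 0:
                break
            if value & 0x80000000:                      # import by ordinal: no name on disk
                names.append("ordinal#%d" % (value & 0xFFFF))
            else:
                names.append(cstring(rva_to_offset(value) + 2))  # skip the 2-byte hint
            thunk += 4
        imports[cstring(rva_to_offset(name_rva))] = names
        off += 20
    return {"machine": machine, "entry_point": entry, "image_base": image_base,
            "sections": sections, "imports": imports}

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("entry point %#x, image base %#x" % (info["entry_point"], info["image_base"]))
    for dll, names in info["imports"].items():
        print(dll, "->", ", ".join(names))
```

Packed samples typically show a near-empty import table (often just LoadLibrary and GetProcAddress) and an entry point outside the first section, so this parser also gives you the first hint that a specimen is packed before you reach the unpacking material later in the course.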

  FOR610.2: Additional Malware Analysis Approaches Jess Garcia Tue Nov 12th, 2013
9:00 AM - 5:00 PM

Section two builds upon the fundamentals introduced earlier in the course and discusses techniques for uncovering additional aspects of the malicious program's functionality. You will learn about packers and the analysis approaches that may help bypass their defenses. You will also learn how to patch malicious executables to change their functionality during the analysis without recompiling them. Additionally, you will learn how to redirect network traffic in the lab to better interact with malware, such as bots and worms, to understand their capabilities. We also experiment with the essential tools and techniques for analyzing Web-based malware, such as malicious browser scripts and Flash programs.

CPE/CMU Credits: 6

  • Reinforcing the dynamic analysis concepts learned in 610.1
  • Patching compiled malicious Windows executables
  • Analyzing packed malicious executable files
  • Intercepting network connections in the malware lab
  • Analyzing Web browser malware implemented in JavaScript and Flash
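Redirecting network traffic in the lab usually starts with DNS: if every name the specimen resolves points at the Linux analysis VM, its HTTP or IRC traffic lands on listeners you control instead of leaving the host-only network, and the names it asks for become indicators of compromise. The following is an added example, not a tool from the course or from REMnux (which ships its own fake DNS server): a minimal UDP DNS sinkhole that answers every A query with the lab IP. The address 192.168.56.10 and the query name are assumptions; the query-building function exists only so the code runs stand-alone.

```python
import socket
import struct

LAB_IP = "192.168.56.10"   # assumption: host-only address of the Linux analysis VM
A_RECORD = 1

def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) for a one-question DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside the question name")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, _qclass = struct.unpack_from("!HH", packet, pos)
    return txid, ".".join(labels), qtype, packet[12:pos + 4]

def build_response(packet, answer_ip=LAB_IP, ttl=60):
    """Answer every A query with answer_ip; other record types get an empty NOERROR reply."""
    txid, qname, qtype, question = parse_query(packet)
    answer = b""
    if qtype == A_RECORD:
        # name = pointer to offset 12 (the question), type A, class IN, TTL, RDLENGTH 4, address
        answer = struct.pack("!HHHIH", 0xC00C, A_RECORD, 1, ttl, 4) + socket.inet_aton(answer_ip)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answer else 0, 0, 0)  # QR, RD, RA, NOERROR
    return header + question + answer, qname, qtype

def build_query(qname, qtype=A_RECORD, txid=0x1234):
    """Constructed client query (what the Windows resolver stub would send), for demo and test."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def answered_address(response):
    """Pull the IPv4 address out of a one-answer A response (what the client would connect to)."""
    ancount, = struct.unpack_from("!H", response, 6)
    return socket.inet_ntoa(response[-4:]) if ancount else None

def serve(bind_ip="0.0.0.0", port=53, answer_ip=LAB_IP):
    """Run the sinkhole; set the Windows VM's DNS server to the address this binds to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    print("sinkhole on %s:%d, answering A queries with %s" % (bind_ip, port, answer_ip))
    while True:
        packet, client = sock.recvfrom(512)
        try:
            reply, qname, qtype = build_response(packet, answer_ip)
        except (ValueError, IndexError) as exc:
            print("ignored packet from %s: %s" % (client[0], exc))
            continue
        print("%s asked for %s (type %d)" % (client[0], qname, qtype))   # the IOC worth logging
        sock.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

Binding port 53 needs root on Linux. Point the Windows VM's DNS setting at the REMnux VM's address and watch the queries: a bot that fails to resolve its controller often falls back to a hard-coded IP or a second domain, and the sinkhole log is where you see both.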

  FOR610.3: Malicious Code Analysis Jess Garcia Wed Nov 13th, 2013
9:00 AM - 5:00 PM

Section three focuses on examining malicious Windows executables at the assembly level. You will discover approaches for studying the inner workings of a specimen by looking at it through a disassembler and, at times, with the help of a debugger. The day begins with an overview of key code reversing concepts and presents a primer on essential x86 Intel assembly concepts, such as instructions, function calls, variables and jumps. You will also learn how to examine common assembly constructs, such as functions, loops and conditional statements. During the second half of the day we discuss how malware implements common characteristics, such as keylogging, packet sniffing and DLL injection, at the assembly level. You will learn how to recognize such characteristics in malicious Windows executables.

CPE/CMU Credits: 6

  • Core concepts for reverse-engineering malware at the code level
  • x86 Intel assembly language primer
  • Handling anti-disassembling techniques
  • Identifying key x86 assembly logic structures with a disassembler
  • Patterns of common malware characteristics at the Windows API level (DLL injection, hooking, keylogging, sniffing, etc.)

  FOR610.4: Self-Defending Malware Jess Garcia Thu Nov 14th, 2013
9:00 AM - 5:00 PM

Section four begins by covering several techniques malware authors commonly employ to protect malicious Windows executables from being analyzed, often with the help of packers. You will learn how to bypass analysis defenses, such as structured exception handling (SEH) abused for execution flow, PE header corruption, fake memory breakpoints, tool detection, integrity checks and timing controls. It's a lot of fun! As with the other topics covered throughout the course, you will be able to experiment with such techniques during hands-on exercises. On this day, we also revisit the topic of Web browser malware, learning to use additional tools and approaches for analyzing more complex malicious scripts written in VBScript and JavaScript.

CPE/CMU Credits: 6

  • Identifying packers
  • Manual unpacking of packed and otherwise protected malicious Windows executables
  • Tips and tricks for bypassing anti-analysis mechanisms built into malware
  • Additional techniques for analyzing obfuscated browser scripts using tools such as SpiderMonkey
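Both section three (Windows API patterns behind DLL injection, hooking, keylogging and sniffing) and section four (debugger and timing checks) come down to recognizing which API combinations a specimen imports. The following is an added example, not course material or code from SANS: a small rule engine over an import map of the form {dll: [api, ...]}, the shape a PE parser hands you. Each rule requires a set of primitives and at least one alternative, so three of the four injection APIs do not trigger a verdict; names are normalized so ANSI/Unicode suffixes and Zw/Nt aliases need only one spelling. The sample import map is constructed, the rule set and confidence labels are this example's own choices, and the whole thing is a triage aid that tells you where to set breakpoints, not a classifier to trust blindly.

```python
import re

# Every API in "all" must be imported and, if "any" is non-empty, at least one of those too.
RULES = {
    "process injection": {"all": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
                          "any": {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                                  "QueueUserAPC"},
                          "confidence": "high"},
    "Windows message hooking": {"all": {"SetWindowsHookEx"}, "any": set(), "confidence": "medium"},
    "keystroke capture": {"all": set(),
                          "any": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
                          "confidence": "medium"},
    "raw packet sniffing": {"all": {"WSAIoctl"}, "any": {"socket", "WSASocket"},   # SIO_RCVALL
                            "confidence": "medium"},
    "debugger detection": {"all": set(),
                           "any": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                                   "NtQueryInformationProcess"},
                           "confidence": "high"},
    "timing checks": {"all": set(),
                      "any": {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
                              "NtQuerySystemTime"},
                      "confidence": "low"},   # ubiquitous in benign code: a lead, not a verdict
}

SAMPLE_IMPORTS = {   # constructed: the API names are real, the specimen is not
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                     "IsDebuggerPresent", "GetTickCount", "CreateFileW", "CloseHandle"],
    "USER32.dll": ["SetWindowsHookExA", "GetAsyncKeyState"],
}

def normalize(api):
    """Fold ANSI/Unicode variants and Zw/Nt aliases so each rule needs one spelling per API."""
    if re.match(r"Zw[A-Z]", api):
        api = "Nt" + api[2:]
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():   # SetWindowsHookExA -> SetWindowsHookEx
        api = api[:-1]
    return api

def classify_imports(imports):
    """Return {capability: {"confidence": ..., "evidence": ["DLL!api", ...]}} for matching rules."""
    seen = {}
    for dll, names in imports.items():
        for api in names:
            seen.setdefault(normalize(api), []).append("%s!%s" % (dll, api))
    present = set(seen)
    findings = {}
    for capability, rule in RULES.items():
        if rule["all"] - present:
            continue                                   # a required primitive is missing
        hits = rule["any"] & present
        if rule["any"] and not hits:
            continue                                   # none of the alternatives is present
        evidence = sorted(ref for api in rule["all"] | hits for ref in seen[api])
        findings[capability] = {"confidence": rule["confidence"], "evidence": evidence}
    return findings

if __name__ == "__main__":
    for capability, finding in classify_imports(SAMPLE_IMPORTS).items():
        print("%-24s [%s] %s" % (capability, finding["confidence"], ", ".join(finding["evidence"])))
```

The evidence list is the set of APIs to break on in OllyDbg: a breakpoint on WriteProcessMemory shows you the target process and the buffer being injected, which is usually faster than reading the injection routine in the disassembler. Remember that a packed sample resolves most of these by GetProcAddress at run time, so an empty result from the on-disk import table means "unpack first", not "benign".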

  FOR610.5: Malicious Documents and Memory Forensics Jess Garcia Fri Nov 15th, 2013
9:00 AM - 5:00 PM

Section five starts by exploring common patterns of assembly instructions, typically delivered as shellcode, that are often used to gain initial access to the victim's computer. Next, we will learn how to analyze malicious Microsoft Office documents, covering tools such as OfficeMalScanner, and explore steps for analyzing malicious PDF documents with utilities such as Origami and PDF Tools. Another major topic covered in this section is the reversing of malicious Windows executables using memory forensics techniques. We will explore this topic with the help of tools such as the Volatility Framework and associated plug-ins. The discussion of memory forensics will bring us deeper into the world of user and kernel-mode rootkits and allow us to use the context of the infection to reverse-engineer malware more efficiently.

CPE/CMU Credits: 6

  • Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and Adobe PDF documents
  • Examining shellcode in the context of malicious files
  • Analyzing memory to assess malware characteristics and reconstruct infection artifacts
  • Using memory forensics to analyze rootkit infections
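The PDF part of section five is mostly about finding the objects that matter (/OpenAction, /JavaScript, /Launch and friends) and getting at their contents, which the attacker has usually deflated and often hidden behind name escapes. The following is an added example, not course material and not code from PDF Tools or Origami: it scans a constructed PDF for suspicious names, resolves #xx name escapes before matching, inflates FlateDecode streams, pulls out the JavaScript an /OpenAction points to, and converts the %uXXXX string that feeds unescape() back into the raw shellcode bytes. The sample document and its script are constructed for this example; real samples add object streams, multiple filters and string escapes that this scanner only partly handles.

```python
import re
import zlib

# Dictionary keys worth counting (in the spirit of pdfid), matched as whole names.
SUSPICIOUS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile",
              "/RichMedia", "/XFA"]

def decode_names(blob):
    """Resolve #xx escapes in PDF names so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), blob)

def split_object(body):
    """Return (dictionary text with names decoded, stream payload inflated if FlateDecode)."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    if not m:
        return decode_names(body), b""
    head, payload = decode_names(body[:m.start()]), m.group(1)
    if b"/FlateDecode" in head:
        try:
            payload = zlib.decompress(payload)
        except zlib.error:
            try:
                payload = zlib.decompressobj().decompress(payload)  # keep what inflates from a damaged stream
            except zlib.error:
                pass                                               # not zlib after all: scan raw bytes
    return head, payload

def scan_pdf(data):
    """Map suspicious names to the objects using them and collect any JavaScript source found."""
    objects = {}
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", data, re.S):
        objects[int(m.group(1))] = split_object(m.group(2))
    keywords = {}
    for num, (head, payload) in objects.items():
        for key in SUSPICIOUS:   # payload is scanned too: inflated /ObjStm streams hold other dictionaries
            if re.search(re.escape(key.encode()) + rb"(?![A-Za-z])", head + payload):
                keywords.setdefault(key, []).append(num)
    scripts = []
    for num in sorted(set(keywords.get("/JS", []) + keywords.get("/JavaScript", []))):
        head = objects[num][0]
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", head)       # /JS 4 0 R: source is object 4's stream
        if ref and int(ref.group(1)) in objects:
            scripts.append(objects[int(ref.group(1))][1])
        literal = re.search(rb"/JS\s*\((.*?)\)", head, re.S)   # /JS (inline); escaped parens not handled
        if literal:
            scripts.append(literal.group(1))
    return {"keywords": keywords, "scripts": scripts}

def unescape_payload(script):
    """Turn the %uXXXX / %XX string handed to unescape() into raw bytes, i.e. the shellcode."""
    out = bytearray()
    for unit, byte in re.findall(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", script):
        if unit:
            out += int(unit, 16).to_bytes(2, "little")   # %u units are little-endian UTF-16 code units
        else:
            out.append(int(byte, 16))
    return bytes(out)

def build_sample_pdf():
    """Constructed document: /OpenAction fires a JavaScript action whose source sits in a deflated stream."""
    script = b"var s = unescape('%u9090%u9090%u4141'); eval(s);"
    stream = zlib.compress(script)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /J#61vaScript /JS 4 0 R >>",   # the name escape defeats a naive grep for /JavaScript
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    for key, nums in sorted(report["keywords"].items()):
        print("%-14s objects %s" % (key, nums))
    for script in report["scripts"]:
        print("script:", script.decode("latin-1"))
        print("payload bytes:", unescape_payload(script).hex())
```

Once the %u string is bytes, you have the shellcode the rest of section five looks at: the 0x90 NOP sled at the front of this constructed payload is the usual first sign, and the bytes after it are what you would load into a shellcode emulator or a debugger to find the download URL or the embedded executable.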

  FOR610.6: Malware Reverse-Engineering Tournament Jess Garcia Sat Nov 16th, 2013
9:00 AM - 5:00 PM

Section six assigns students to the role of a malware reverse engineer, working as a member of an incident response and malware analysis team. Students are presented with a variety of hands-on challenges involving real-world malware in the context of a fun tournament. These challenges further students' ability to respond to typical malware reversing tasks in an instructor-led lab environment and offer additional learning opportunities. Moreover, the challenges are designed to reinforce skills covered in the first five sections of the course, making use of the hugely popular SANS NetWars tournament platform. By applying the techniques learned earlier in the course, students solidify their knowledge and can shore up skill areas where they feel they need additional practice.

CPE/CMU Credits: 6

  • Behavioral Malware Analysis
  • Dynamic Malware Analysis (using a debugger)
  • Static Malware Analysis (using a disassembler)
  • JavaScript Deobfuscation
  • PDF Document Analysis
  • Office Document Analysis
  • Memory Analysis

The students who score the highest in the malware reverse-engineering challenge will be awarded the coveted SANS' Digital Forensics Lethal Forensicator coin. Game on!

Additional Information
  Laptop Required

Important! Bring your own laptop and a pre-installed Windows XP virtual machine!

A properly configured laptop is required to participate in this course. Prior to the start of class, you must install the necessary software as described below. If you do not carefully read and follow these instructions, you are guaranteed to leave the course unsatisfied, since you will not be able to participate in the hands-on exercises that are essential to this course.

The following are minimal hardware requirements for your laptop:

  • DVD-ROM drive
  • 2 GHz dual-core CPU (a faster processor is recommended)
  • 4GB RAM (more memory is recommended)
  • 10 GB of available disk space (more space is recommended)
  • Ethernet network interface card (NIC) or built-in Ethernet network port

Creating a Windows Virtual Machine Using VMware

You will use VMware to simultaneously run multiple virtual machines when performing hands-on exercises. You must have VMware Workstation version 8 or higher installed on your system. If you do not own and cannot purchase VMware Workstation, you can download a free trial copy from VMware. VMware will send you a 30-day serial number if you register for the trial at their Web site.

When analyzing malware, you will make use of a virtual Windows machine running within VMware. You will be asked to infect this virtual machine when examining malicious code. You must create a Windows XP (32-bit) virtual machine using your copy of VMware before coming to class. Note that this involves not only creating a virtual machine shell using VMware, but also installing your copy of the Windows XP operating system into the virtual machine.

If you don't have Windows XP installation media, you can obtain a free Windows XP Mode virtual machine from Microsoft if you are running Windows 7 Professional, Enterprise, or Ultimate on your base system; follow Microsoft's instructions for downloading it and VMware's instructions for importing it into Workstation.

Install Windows XP with Service Pack 3 (32-bit) on your virtual machine. Don't install anti-virus software on the Windows virtual machine: it would quarantine or block the very samples you need to run. Lastly, be sure to install Internet Explorer 8 or higher into your Windows virtual machine. Some labs in the course require the use of Internet Explorer 8 or higher.

Shut down your Windows virtual machine and configure it to use the "Host-only" network connection. You can do this by selecting Settings of your virtual machine in VMware, clicking Network Adapter on the Hardware tab, and selecting "Host-only." Host-only networking keeps the guest off your physical network: the infected VM can reach only the host and other virtual machines on the same host-only network (such as the REMnux VM), which is what stops lab malware from scanning or infecting the classroom or office LAN. Then, start the virtual machine and confirm that you received an IP address from the VMware built-in DHCP server. You can do this by typing "ipconfig" at the command prompt within your virtual machine; the address should be on the host-only subnet (VMnet1 by default), not on your physical network's subnet.

Hands-on exercises will involve operating with malicious code. Although VMware provides reasonable isolation, it is not a perfect security boundary, so we do not recommend using a production system as your laboratory machine. We expect you to exercise due caution when handling malicious code.

You will be asked to create multiple VMware snapshots during the course. Experience has shown that students with limited free disk space to take snapshots are more likely to experience VMware performance problems. It is recommended that you test your ability to create a VMware snapshot and restore a VMware snapshot in a timely manner (creating a new snapshot should take less than 2 minutes). Some full disk encryption software interferes with VMware's ability to create snapshots in a timely fashion.

Additional Tools You Will Receive

We will provide you with additional tools for completing hands-on exercises. Additionally, we will provide you with a pre-built Linux virtual machine (REMnux) so that you do not need to build your own. Hardware requirements outlined above are meant to ensure that you have sufficient memory and disk space available to simultaneously run the Windows virtual machine (that you will build yourself before class) and the Linux virtual machine (that we will provide to you during class).

Final Checklist

Review the following checklist when leaving for the training event to make sure that your laptop is prepared for the course:

  • Your laptop meets hardware requirements outlined in this note, including an Ethernet card and sufficient processor, memory and disk space.
  • VMware Workstation 8 or higher is installed.
  • The VMware Workstation license will not expire before the class (if using a trial copy).
  • You created a VMware virtual machine running Windows XP with Service Pack 3 (32-bit) and Internet Explorer 8 installed.
  • You're able to create and restore a snapshot of your Windows virtual machine in a reasonable amount of time.
  • Your Windows virtual machine is using "Host-only" network connection and is able to obtain an IP address from the DHCP server built into VMware.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  Who Should Attend
  • Individuals who found this course particularly useful often had responsibilities in the areas of incident response, forensic investigation, Windows security and system administration.
  • Anyone who deals with incidents involving malware and would like to learn how to understand key aspects of malicious programs.
  • Individuals who would like to gain a strong understanding of core systems and networking concepts and have had some limited exposure to programming and assembly concepts.
  • Anyone who has experimented with aspects of malware analysis prior to the course and is looking to formalize and expand their malware forensics expertise.

  Prerequisites
  • Students should have a computer system that matches the stated laptop requirements. Some software needs to be installed before students come to class.
  • Students should be familiar with using Windows and Linux operating environments and be able to troubleshoot general connectivity and setup issues.
  • Students should be familiar with VMware Workstation and be able to create and configure virtual machines.
  • Students are recommended to have a high-level understanding of key programming concepts, such as variables, loops and functions; however, no programming experience is necessary.

Course Topics

Topics Covered in This Reverse-Engineering Malware Course Include:

  • Configuring the malware analysis lab
  • Assembling the toolkit for malware forensics
  • Performing behavioral analysis of malicious Windows executables
  • Performing static and dynamic code analysis of malicious Windows executables
  • Intercepting system and network-level activities in the analysis lab
  • Patching compiled malicious Windows executables
  • Shortcuts for speeding up malware analysis
  • Core concepts for reverse-engineering malware at the code level
  • x86 Intel assembly language primer
  • Identifying key assembly logic structures with a disassembler
  • Patterns of common malware characteristics at the Windows API level
  • Working with PE headers of malicious Windows executables
  • Handling DLL interactions and API hooking
  • Manual unpacking of protected malicious Windows executables
  • Tips and tricks for bypassing anti-analysis mechanisms built into malware
  • Analyzing protected malicious browser scripts written in JavaScript and VBScript
  • Reverse-engineering malicious Flash programs
  • Analyzing malicious Microsoft Office (Word, Excel, PowerPoint) and PDF documents
  • Examining shellcode in the context of malicious files
  • Analyzing memory to assess malware characteristics and reconstruct infection artifacts
  • Using memory forensics to analyze rootkit infections

  Course Will Prepare You to:
  • Build an isolated laboratory environment for analyzing code and behavior of malicious programs.
  • Employ network and system-monitoring tools to examine how malware interacts with the file system, the registry, the network and other processes on Microsoft Windows.
  • Uncover and analyze malicious JavaScript, VBScript and ActionScript components of web pages, which are often used as part of drive-by attacks.
  • Control some aspect of the malicious program's behavior through network traffic interception and code patching.
  • Use a disassembler and a debugger to examine the inner workings of malicious Windows executables.
  • Bypass a variety of defensive mechanisms designed by malware authors to misdirect, confuse and otherwise slow down the analyst.
  • Recognize and understand common assembly-level patterns in malicious code, such as DLL injection.
  • Assess the threat associated with malicious documents, such as PDF and Microsoft Office files in the context of targeted attacks.
  • Derive Indicators of Compromise (IOCs) from malicious executables to contain and recover from the incident.
  • Utilize practical memory forensics techniques to examine capabilities of rootkits.

  Press & Reviews

"Highly valuable content, greatly increased my understanding of malware and techniques to reverse engineer."- Kenneth Miltenberger, US Coast Guard

"I thought I knew reversing. This class taught me so much more and provided easy understandings of complex reversing tasks." -David Werden, NGIS

"This is the most complete malware analysis course I have ever taken. An awesome variety of tools and techniques for the malware analyst." - Anonymous

"It is an excellent course for those who want a hands-on experience understanding an 'under the hood view' of malware and how it works." -Ryan Denniston, DoD