Reading Room

Reverse Engineering Malware

Featuring 3 Papers as of July 2, 2019

  • Leveraging the PE Rich Header for Static Malware Detection and Linking by Maksim Dubyk - July 1, 2019 

    An ever-increasing number of malware samples are identified and assessed daily. Malware researchers have the difficult mission of classifying and grouping these malware specimens. Defenders must not only judge if a file is malicious or benign, but also determine how a file may relate to other groupings of known samples. The static comparison of file and file-format based properties is often utilized to execute this objective at scale. This paper builds upon previously identified Windows’ portable executable (PE) static comparison techniques through the exploration of the undocumented PE Rich header. The Rich header is a PE section that serves as a fingerprint of a Windows’ executable’s build environment. This under-utilized wealth of information can provide value to defenders in support of classifying and associating PE-based malware. This paper explores how to extract the details hidden in the Rich header and how they might be exploited to link and classify malware samples. In addition, this paper evaluates how the static linking of PE Rich header sections compares to traditional static PE linking techniques.

  • Analysis of a Multi-Architecture SSH Linux Backdoor by Angel Alonso-Parrizas - June 17, 2019 

    A key aspect in any intrusion is to attempt to gain persistence on the compromised system. Threat actors and criminals assure persistence through different mechanisms including backdoors. The existence of backdoors is nothing new and over the years very popular backdoors targeting most Operating Systems and many applications have been developed. This paper focuses on the code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 to at least October 2018. The backdoor runs in multiple architectures; however, the research focuses on the ARM version of the backdoor using the recently released reversing tool Ghidra, which has been developed by the NSA.

  • Unpacking & Decrypting FlawedAmmyy by Mike Downey - April 22, 2019 

    Malware authors commonly utilize packers (Roccia, 2017) as a method of concealing functionality and characteristics of their malicious code, making an analyst’s job more difficult. Second stage executables may also be encrypted, requiring the analyst to gather an understanding of how this code is manipulated. The ability to unpack and decrypt malicious software is a critical step in understanding intent and the scope of malware capabilities. The goal of this paper is to provide real-world application of the unpacking and decoding techniques required to analyze a remote access Trojan (RAT) known as FlawedAmmyy. While basic static and dynamic analysis will not be covered, this paper will focus on the step-by-step procedures to unpack and decrypt a FlawedAmmyy sample within a debugger.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.