SANS Security West 2021 is right around the corner! Choose from over 30 interactive courses, plus Core & Cyber Defense NetWars.

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Reverse Engineering Malware

Featuring 5 Papers as of January 4, 2021

  • Developing a JavaScript Deobfuscator in .NET Graduate Student Research
    by Roberto Nardella - January 4, 2021 

    JavaScript, a core technology of the World Wide Web, is a recently born scripting language and, starting from its early years, became notorious within the cyber security community not only for well-known security problems like Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF), but also for its flexibility in offering a valid vehicle for the implementation of the first stage of a malware attack.

  • Automated Detection and Disinfection of Ransomware Attacks using Roadblock Software by Hemant Kumar - March 18, 2020 

    We often hear about ransomware locking data and demanding the ransom. Ransomware is a kind of malware that prohibits users from accessing their system or files and mostly requires a ransom payment to regain access. This results in data loss, downtime, lost productivity, including reputational harm. Financial losses from ransomware attacks are predicted to exceed 11.5 Billion Dollars in 2019 with ransomware attacks on businesses every 14 seconds. The extension and complexity of ransomware are advancing at a high rate. Malware authors utilize several sophisticated techniques to evade current security defenses, and all the encryption happens in less than a minute. So, there is a need to develop an automated software that performs detection of various kind of ransomware without depending on the signature of malware, and that can also disinfect the live system against various kind of ransomware attacks under a minute and thus containing the infection from further spreading it to other systems. The software should also notify the incident response team of the detected ransomware attacks and its IOCs so that they can further protect the organization from a similar type of attack. Roadblock software solves this problem by detecting various kinds of ransomware attacks and dis-infecting the system without any need for a reboot in less than a minute. It leads to no data loss, no downtime, no lost productivity, and no reputational harm. The dis-infection process is not dependent on malware signatures or malware coding, and it works by performing fast and deep forensics of the system that is pre-installed with Roadblock, so that it can detect new ransomware variant.

  • Leveraging the PE Rich Header for Static Malware Detection and Linking by Maksim Dubyk - July 1, 2019 

    An ever-increasing number of malware samples are identified and assessed daily. Malware researchers have the difficult mission of classifying and grouping these malware specimens. Defenders must not only judge if a file is malicious or benign, but also determine how a file may relate to other groupings of known samples. The static comparison of file and file-format based properties are often utilized to execute this objective at scale. This paper builds upon previously identified Windows’ portable executable (PE) static comparison techniques through the exploration of the undocumented PE Rich header. The Rich header is a PE section that serves as a fingerprint of a Windows’ executable’s build environment. This under-utilized wealth of information can provide value to defenders in support of classifying and associating PE-based malware. This paper explores how to extract the details hidden in the Rich header and how they might be exploited to link and classify malware samples. In addition, this paper evaluates how the static linking of PE rich header sections compare to traditional static PE linking techniques.

  • Analysis of a Multi-Architecture SSH Linux Backdoor by Angel Alonso-Parrizas - June 17, 2019 

    A key aspect in any intrusion is to attempt to gain persistence on the compromised system. Threat actors and criminals assure persistence through different mechanisms including backdoors. The existence of backdoors is nothing new and over the years very popular backdoors targeting most Operating Systems and many application have been developed. This paper focuses on the code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 to at least October 2018. The backdoor runs in multiple architectures; however, the research focuses on the ARM version of the backdoor using the recently released reversing tool Ghidra, which has been developed by the NSA.

  • Unpacking & Decrypting FlawedAmmyy by Mike Downey - April 22, 2019 

    Malware authors commonly utilize packers (Roccia, 2017) as a method of concealing functionality and characteristics of their malicious code, making an analyst’s job more difficult. Second stage executables may also be encrypted, requiring the analyst to gather an understanding of how this code is manipulated. The ability to unpack and decrypt malicious software is a critical step in understanding intent and the scope of malware capabilities. The goal of this paper is to provide real-world application of the unpacking and decoding techniques required to analyze a remote access Trojan (RAT) known as FlawedAmmyy. While basic static and dynamic analysis will not be covered, this paper will focus on the step-by-step procedures to unpack and decrypt a FlawedAmmyy sample within a debugger.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.