Reverse Engineering Malware

Instructors: Nicolas Brulez
Dates: 17-20 June 2013
Availability: 18 Seats

Day 1: Manually unpacking Malware
During the first day, students will focus on unpacking files manually in order to get working executables. Most famous packers will be covered in order to introduce various techniques that can be used on unknown packers. Also known as: How to unpack properly. Once completed, students will work on "malicious packers" and learn how to unpack samples of famous malware families. Nowadays, malware uses custom polymorphic packers to slow down analysis and thwart detection.

Day 2: Malware Analysis 0x65
Once the samples are unpacked, the next step is to perform Reverse Engineering. The second day focuses on identifying common malicious characteristics. Covered topics: Malicious EXE/DLLS, MBR Debugging, Shellcode Analysis, Obfuscation and Dynamic / Static Analysis

Day 3 - 4 : Analysis of targeted attacks
Using the information learned in the first two days, students will work on anonymized targeted attacks samples. Students will work on identifying the components and their actions on infected systems.

Covered topics:
Spear phishing, exploits, persistence ,userland rootkits, backdoor, etc

Hands-on training:
During this 4 day course, students will focus mainly on hands-on exercices. A minimum number of slides will be provided when methotology is needed, but students will "learn by doing".

Who should attend?
This class is intended for students who have been working with malware and doing reverse engineering in the past. Professionals doing Forensics Investigations, Incident Response, Malware Analysis can benefit from the course as long as they have the prerequisites listed below.

Class Requirements

Students should be familiar with Debugging and IDA Pro: The class is not an introduction to reverse engineering. Students should be familiar with Assembly: We won't cover assembly basics during the class. Students should have a laptop with required software installed before attending the class. Students should be familiar with VMware Workstation (or the VM of their choice).

Minimum Software to install:
Legit version of IDA Pro (latest version preferred as the instructor uses the latest version)
Virtual Machine with XP SP3 installed
OllyDbg / Immunity Debug
Python 2.7 should be installed in both the host and on the guest machine.
PE Editor (eg: LordPE or your favorite PE editor)
Hex Editor (eg: Hiew of your favorite hex editor)
Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2


Nicolas currently works at Kaspersky Lab as a Malware Expert. His responsibilities include analyzing targeted attacks and complex malwares.

Prior to joining Kaspersky Lab, Nicolas worked as a senior virus researcher for Websense Security Labs, and as the head of software security at Digital River/Silicon Realms when he was in charge of the anti-reverse engineering techniques used in the Armadillo protection system.

Over the last 15 years, Nicolas has authored numerous articles and papers on reverse engineering and presented at various security conferences such as RECON, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon, TakeDownCon, Pacsec etc.