Reverse Engineering Malware

Instructors: Nicolas Brulez
Dates: 23-26 June 2014
Capacity: 20 Seats

Day 1: Manually unpacking Malware
During the first day, students will focus on unpacking files manually in order to get working executables. Most famous packers will be covered in order to introduce various techniques that can be used on unknown packers. Also known as: How to unpack properly. Once completed, students will work on "malicious packers" and learn how to unpack samples of famous malware families. Nowadays, malware uses custom polymorphic packers to slow down analysis and thwart detection.

Day 2: Malware Analysis 0x65
Once the samples are unpacked, the next step is to perform Reverse Engineering. The second day focuses on analyzing various samples. Methods to identify malware behaviors and how to quickly identify interesting code segments will be shown to the students.

Day 3 - 4 : APT Reverse Engineering.
Using the information learned in the first two days, students will work on several APT samples, including the ones that made the headlines in 2013 and 2014.

The goal of those two days is to be able to identify the actions of the threats, to be able to document their features and understand how they interact with C&C servers to receive commands.

Hands-on training:
During this 4 day course, students will focus mainly on hands-on exercices. A minimum number of slides will be provided when methotology is needed, but students will "learn by doing".

Who should attend?
This class is intended for students who have been working with malware and doing reverse engineering in the past. Professionals doing Forensics Investigations, Incident Response, Malware Analysis can benefit from the course as long as they have the prerequisites listed below.

Class Requirements

Students should be familiar with Debugging and IDA Pro: The class is not an introduction to reverse engineering. Students should be familiar with Assembly: We won't cover assembly basics during the class. Students should have a laptop with required software installed before attending the class. Students should be familiar with VMware Workstation (or the VM of their choice).

Minimum Software to install:
Legit version of IDA Pro (latest version preferred as the instructor uses the latest version)
Virtual Machine with XP SP3 installed
OllyDbg / Immunity Debug
Python 2.7 should be installed in both the host and on the guest machine.
PE Editor (eg: LordPE or your favorite PE editor)
Hex Editor (eg: Hiew of your favorite hex editor)
Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2


Nicolas currently works at Kaspersky Lab as Principal Malware Researcher. His responsibilities include analyzing targeted attacks and complex malwares and Incident Handling.

Prior to joining Kaspersky Lab, Nicolas worked as a senior virus researcher for Websense Security Labs, and as the head of software security at Digital River/Silicon Realms when he was in charge of the anti-reverse engineering techniques used in the Armadillo protection system.

Over the last 16 years, Nicolas has authored numerous articles and papers on reverse engineering and presented at various security conferences such as RECON, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon, TakeDownCon, Pacsec etc.

To Register

Click here to register.