Reverse Engineering Malware

Learn how to unpack and Reverse-Engineer malware in this 4-day class.

Covered Topics: Unpacking, Static and Dynamic Analysis, IDA Python and Targeted Attacks.

Day 1: Manually unpacking Malware

During the first day, students will focus on unpacking files manually in order to get working executables. Most famous packers will be covered in order to introduce various techniques that can be used on unknown packers. Also known as: How to unpack properly. Once completed, students will work on “malicious packers” and learn how to unpack samples of famous malware families. Nowadays, malware uses custom polymorphic packers to slow down analysis and thwart detection.

Day 2: Static Shellcode Analysis and IDA Primer

The second day focus on extracting shell codes from malicious documents and to reverse engineer them statically. The day focuses on tricks and shortcuts to use in IDA Pro for efficient static analysis, as well as introduction to IDA Python scripts used to speed up static reverse engineering.

A special approach to handle import by hash will be presented to the students, which can be used in many other scenarios.

Day 3-4: APT Reverse Engineering

Using the information learned in the first two days, students will work on several APT samples.

The goal of those two days is to be able to identify the actions of the threats, to be able to document their features and understand how they interact with C&C servers to receive commands.

INTENDED AUDIENCE

This class is intended for students who have been working with malware and doing reverse engineering in the past. Professionals doing Forensics Investigations, Incident Response, Malware Analysis can benefit from the course as long as they have the prerequisites listed below.

CLASS REQUIREMENTS

Level: medium and advanced

Prerequisites

• Students should be familiar with Debugging and IDA Pro; The class is not an introduction to reverse engineering.
• Students should be familiar with Assembly; We won’t cover assembly basics during the class.
• Students should have a laptop with required software installed before attending the class.
• Students should be familiar with VMware Workstation (or the VM of their choice).

Minimum Software to Install

• Legit version of IDA Pro (latest version preferred as the instructor uses the latest version)
• Virtual Machine with XP SP3 installed (to avoid troubleshooting tools problems during the class)
• OllyDbg
• Python 2.7 should be installed in both the host and on the guest machine.
• PE Editor (eg: LordPE or your favorite PE editor)
• Hex Editor (eg: Hiew or your favorite hex editor)
• Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2
• PEID

BIO

Nicolas previously worked at Kaspersky Lab as Principal Malware Researcher. His responsibilities included analyzing targeted attacks and complex malwares as well as Incident Handling.

Prior to joining Kaspersky Lab, Nicolas worked as a senior virus researcher for Websense Security Labs, and as the head of software security at Digital River/Silicon Realms when he was in charge of the anti-reverse engineering techniques used in the Armadillo protection system.

Over the last 16 years, Nicolas has authored numerous articles and papers on reverse engineering and presented at various security conferences such as RECON, ToorCon, SSTIC, Virus Bulletin, Hacker Halted, RuxCon, TakeDownCon, Pacsec etc.