Modern Malware Analysis
Detection, Analysis and Reverse Engineering
2 Day Training: August 1,2
Malware authors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion and maintain persistence to compromise an organization. To achieve this, malware authors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack. In Modern Malware Analysis, you will get hands-on with real-world malware and learn how to identify key indicators of compromise (IOCs)/indicators of attack (IOAs), apply analysis to enhance security products to protect your users and infrastructure and gain a deeper understanding of malware behavior through reverse engineering. Open-source and limited use tools such as Ghidra, IDA Pro Free/Demo, Oledump/OleVBA, PE Studio, dnSpy and Suricata will be utilized to perform deep technical analysis of malware, focusing on developing effective strategies to maximize your time spent. By the end of this course you will be able to analyze malicious office documents and reverse engineer Java, .NET, Mac OS X and Android malware. These skills ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.
This is a fast-paced course designed to take you deep into malware operations – from delivery methods to payloads! Each day will end with comprehensive analysis activities and exercises to test and reaffirm key learning objectives. This course is designed to not just simply be 2 days of lecture, but an immersive and interactive learning experience.This is an ideal course for security analysts, malware analysts/researchers and blue teams that need to get hands-on diving deep into malicious software.
Key Learning Objectives
- Understand different attack methods used by malicious actors, how this affects your analysis and effective ways for disrupting the attack
- Learn the tools and skills needed to perform analysis on malicious office documents, exploit kits, Java and .NET binaries, native code binaries (PE files) and shellcode, OS X and Android malware
- Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
- Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behaviour
- Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes
- Identify key indicators of compromise to update security products such as an IDS/IPS
- Learn how to leverage network traffic to gain a deeper understanding of malware behavior
- Generate custom threat intelligence for your organisation
Who Should Attend
This course will take students through key phases of malware operations, providing deep technical analysis and hands-on labs to gain experience detecting, analyzing and reverse engineering malware. This is an ideal course for security analysts, threat researchers, malware researchers and anyone tasked with defending an organization to get hands-on diving deep into malware.
Day 1: Analysing Delivery Mechanisms
- Basic analysis and leveraging open source intelligence – strings, hashes and threat intelligence sharing platforms such as VirusTotal and AlienVault OTX
- Take a brief look at exploit kits and techniques for unraveling common code obfuscation techniques used in browser-based code
- Analyzing malware infrastructure through a server compromise
- Identify anti-analysis techniques, understand their impact and develop effective strategies for mitigating during analysis
Day 2: Analysing Malware Payloads
- Reverse engineering bytecode - decompiling Microsoft .NET and Java binaries
- Analyzing malware intended for Mac OS X - packages, Mach-O binaries and application bundles
- Addressing mobile malware by exploring malicious Android applications
- Identifying evidence of data exfiltration
- Analyzing Windows-based shellcode, along with common obfuscation techniques
- Leveraging network traffic analysis to identify malware families
- Automating IOC extraction from malware samples
The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:
- Basic malware analysis
- An understanding of programming languages such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage
- Ability to read assembly for Intel 32 and 64 bit architectures
- Proficiency with a Windows-based debugger such as WinDbg, x64dbg or Immunity
To help prepare for this course, it is recommended that students be familiar with information from the following sources:
- A brief overview of malicious office documents Hack-in-the-Box CommSec Track 2018
- Assembly and Intel’s 32/64-bit architecture Specifically concepts from chapters 1 - 5
- Getting started with reverse engineering
- Linux/Windows/Mac desktop environment
- A laptop with the ability to run virtualization software such as VMWare or VirtualBox
- Access to the system BIOS to enable virtualization, if disabled via the chipset
- Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
- A laptop that the attendee is comfortable handling live malware on
- Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used
Students will be provided with
Students will be provided with all of the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This course will also utilize several live classroom sharing resources, such as chat and notes to ensure that students have access to all material discussed throughout the training. Comprehensive lab guides will also be provided to ensure that students have the ability to continue learning after the course ends and maximize the knowledge gained from this course.
Dr. Josh Stroschein
Dr. Josh Stroschein is an Assistant Professor at Dakota State University where he teaches malware analysis, software exploitation, reverse engineering, and penetration testing. Josh also works as a malware analyst for Bromium, an end-point security company and is the Director of Training for the Open Information Security Foundation (OISF). Josh has spent years developing security-related courses and is passionate about sharing that knowledge with others all over the world. Josh lives in South Dakota with his wife Janice and three children.