Malware Analysis Intro

Presented at DeepSec 2018 „I like to mov &6974,%bx“

With malware featuring crypto-trojans (ransomware), banking trojans, information and credential stealers, botnets of various specifications and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software is becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems, this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT security. On the basis of a specially designed, exciting scenario blended with various technical detours and packed into a six-stage workshop, students will

* learn how easy it is to get infected by malicious software,
* learn to assess what is possible and what is not,
* gain a comprehensive overview of the various malware categories and their respective specifics,
* learn about the individual phases of malware analysis and the corresponding tools, including hands-on experience,
* find out what malware analysts do (and are able to do),
* develop and hence understand typical strategic concepts and tactics in reverse engineering,
* build a basic understanding of typical activities when dealing with cyber security incidents,
* develop a realistic perspective on possible future malware incidents affecting their company,
* learn a lot about the "hidden" gears under the hood of Microsoft Windows and modern operating systems in general, and locate and fill gaps in their knowledge accordingly,
* gather and train their ability to deal with unforeseeable and even chaotic situations in a flexible and constructive manner, thinking outside the box,
* and, last but not least, build a stable foundation and therefore an ideal "trampoline" for next steps and further advancement in malware analysis.

Agenda

Station 1: Prologue - Who? How? What? Malware categories, adversaries, motives
Station 2: The Lab - Setup, concepts, strategies, pitfalls and common mistakes
Station 3: Initial Incident Handling - The first encounter
Station 4: Sample Extraction - The needle in the haystack
Station 5: Behavioral Analysis - Eavesdropping on the OS
Station 6: Code Analysis - Machine code, portable executables, disassemblers, debuggers, strategies

Prerequisites

A laptop!!! As this workshop also features hands-on sessions, students are expected to bring a laptop matching the following requirements. During the workshop we will work with virtual machines based on Oracle's free virtualization software VirtualBox. In this respect, please make sure that the laptop meets the corresponding requirements (https://www.virtualbox.org/wiki/End-user_documentation).

General requirements for your laptop:

* At least 80 GB free disk space
* At least 8 GB RAM
* Activated virtualization support options in the BIOS
* Installed (!!) 7-Zip tool (http://www.7-zip.org/)
* Installed (!!) Oracle VirtualBox (https://www.virtualbox.org/)

Presenters:

  • Christian Wojner
    Christian Wojner is one of the core team members of the national and governmental computer emergency response team (CERT) of Austria (CERT.at/GovCERT Austria). Apart from his classical IT security incident handling and response duties, he particularly specializes in computer forensics with a very strong focus on analysis and reverse engineering of (malicious) software on Microsoft Windows based systems. In this respect, Christian is the author of various technical articles and papers, frequently gives talks specifically focusing on malware analysis, and supports the IT security community with his contributions in terms of forensic software tools, many of them as part of forensics software compilations like SANS' specialized Linux distributions for reverse engineering (REMnux) and computer forensics (SIFT). One of his most popular projects, however, is "ProcDOT", which gave behaviour-based malware analysis a massive boost in terms of efficiency and simplicity due to its visual approach using animated, interactive behaviour graphs. Besides being featured in many articles, ProcDOT was the second-place winner of Russ McRee's Toolsmith "Tool of the Year Award" in 2013.
