Presented at
AppSec USA 2015,
Sept. 23, 2015, 3:30 p.m.
(90 minutes)
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.
What You Will Learn:
Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools
Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.
Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.
Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended
What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.
A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.
Presenters:
-
James “Tom” Bennett
James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels.
Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
-
Dominic Weber
- Senior Manager - FireEye
Hi !
I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games.
I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and research other stuff.
For fun I tell terrible jokes and solve live escape rooms.
-
Peter Kacherginsky
- Reverse Engineer - FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution.
Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Reverse Engineer where he reverses malware, researches and develops analysis tools and techniques, and teaches malware courses.
Links:
Similar Presentations: