CanSecWest: Security Masters Dojo Vancouver
| Next Session Dates: | March 22-23 2010 |
| Venue: | Sheraton Wall Center Vancouver, Canada |
| Duration: | 1 or 2 Day Courses. Sessions begin at 10:00 a.m. and go to 6 p.m. |
| Registration Maximum: | 15 Students per course session. |
Introduction to Malware Analysis
Instructors:
Jason Geffner, NGS
Scott Lambert, Microsoft
Target Audience:
This class is for security analysts who wish to learn how to statically and dynamically analyze malware to understand its functionality.
Description:
Security researchers are facing a growing problem in the complexity of malicious executables. While dynamic black-box automation tools exist to discover what malware will do on a given execution, it is often important for an analyst to know the full capabilities of a given malware sample. What port does it listen on? What password does it expect for backdoor access? What files will it write to? What will it do tomorrow that it didn't do today?
This class will focus on teaching attendees the steps required to understand the functionality of given malware samples.
This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in understanding the analysis process.
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in and the software tools that need to be pre-installed before attending, so that you get the maximum benefit from the focused intermediate- or advanced-level course. Please pay particular attention to the prerequisites: the material listed there will not be reviewed in the courses and will be necessary to get the maximum benefit out of these educational programs.
Key Learning Objectives:
- x86 Assembly language
- PE File format
- API functions often used by malware
- Anti-analysis tricks and how to defeat them
- Exploits and Shellcode
- A methodology for analyzing malware with and without the use of specialized tools
General Learning Objectives:
- An understanding of how to use reverse engineering tools
- An understanding of low-level code and data flow
Course Outline:
Day 1
- Administrivia and Background Information
- Dynamic Analysis vs. Static Analysis
- Windows Internals
- Code and Data Flow on x86 Systems
- x86 Assembly Language
- PE File Format
Day 2
- Analyzing malware with IDA Pro
- Analyzing malware with OllyDbg
- Exploits and Shellcode
- Malware Deobfuscation
Course Style:
Combination of lecture and lab. Labs will be interspersed with lectures and will include both group and individual work.
What to Bring:
Attendees must bring their own laptop with Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, or Microsoft Windows 7 installed inside of a virtual machine.
Attendees are expected to have the following software installed in a virtual machine prior to the first day of the course:
- API Imports/Exports Viewer: Dependency Walker, http://www.dependencywalker.com/
- API Logger: Auto Debug, http://www.autodebug.com/download.php
- Debugger: OllyDbg, http://www.ollydbg.de/download.htm
- Disassembler: IDA Pro, http://www.hex-rays.com/idapro/idadowndemo.htm
- Hex Editor: Hex Workshop, http://www.bpsoft.com/downloads/index.html
- Import Table Reconstructor and Memory Dumper: Import REConstructor, http://www.woodmann.com/collaborative/tools/index.php/ImpREC
- Packer Detector: PEiD, http://peid.has.it/
- PE Editor: LordPE, http://www.woodmann.com/collaborative/tools/index.php/LordPE
- Resource Monitor: Process Monitor, http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.msp
Prerequisites:
Attendees should be comfortable in the Windows environment.
Attendee Expectations:
Attendees will be required to work both alone and in groups when performing analysis of malware samples. Attendees will also share the results of their analysis with their classmates.
Materials:
Attendees will be presented with the following materials to be used and referenced throughout the duration of the course:
- Notebooks containing lecture slides and worksheets.
- CDs containing various software tools and reference material.