October 12, 2015 at 10:24 pm #8843 SephStorm Participant
Hi all. A while ago I won a SANS course of my choosing through this lovely website. Hopefully that program is still going, but in the meantime I wanted to stop by and drop off my review of the course I chose, FOR 610, Reverse Engineering Malware.
Book 1 is an introduction to malware analysis. It covers basic dynamic analysis, static code analysis, and has a large lab setup section. Looking at the cheat sheets I can see there are a lot of tools that are new to me that I will be using.
I am a bit surprised at this point that basic static analysis was barely mentioned. I’m not sure how relevant it still is, but no mention of hashing and submitting the sample online for scanning (or doing it locally).
So far I’ve made it through the first two sections listed above, still need to set up the lab per the instructions. I will also need to go back and do the lab from book 1 when I get set up.
The code analysis section is decent. Once I re-read it this morning it was easier to understand and so far, easier to understand than the PMA book.
NOTE: it appears the book is going backwards to cover static analysis. It’s very strange and I don’t know why the book is set up this way. This is not in the teaching section, it’s in the “lab setup and validation” portion, but it looks like there is going to be more instruction. Just flipping through they will be covering additional techniques and tools. I’ll be coming back to edit this post when I get through the book tonight hopefully.
Book 1 is a good introduction like I said before. The lecture material does serve to reinforce the material and to answer any questions, though it seems that my group must be pretty knowledgeable, few questions are asked.
Book 2 starts getting into code analysis. Specifically assembly and understanding code conversions (usually so far, seeing how C|C++ instructions appear in assembly when looking at jumps and loops).
What I like about the book and lecture material for this book is that while it doesn’t baby you, it is clear and flows logically. I know a little about assembly, but even without it, I think I could pick it up by reading and listening to the instructor (and seeing him do it). Seeing the instructor open a file in IDA Pro or OllyDbg is really helpful. It is a different learning style than the one presented in something like PMA. The advice I would give you though: use the additional materials with book 2, don’t think you can read your way through if you aren’t comfortable with ASM, listen to the MP3 or lecture, go through it on your own time. (There isn’t really enough time during the breaks to do it.) I would actually suggest this: Read the book prior to the class. Either a day before, or something. Listen to the lecture during your class time, and do all the labs at the end of the class or while he is working them. You can actually do them during your reading, and you can ask questions you had during the lecture while he is doing them, but you’ll likely get it while he is doing them.
I don’t know how I like doing this class through vLive, as time management is an issue. Class is held at night. If you are working the day after your class, getting sleep can be an issue. Having to juggle work, transportation, sleep, etc. can be… annoying. During book 2 part 1 I was half asleep for a portion of the class and had to head off to bed during the last part (about an hr), so in addition to my “review” I had to try to watch the missing hr. Well, the next night, SWTOR came out with an update, no sleep that night, certainly no studying… Next night was class book 2 part 2… so now I’m going to have to catch up on 2 nights this weekend. It can easily snowball.
October 12, 2015 at 10:25 pm #54221 SephStorm Participant
Day three starts off with dealing with packed malware. We discuss recognizing packed malware, automated and manual methods for unpacking, debugging. We learn that there are issues with ASLR and unpacking malware, that unpacking is often a trial and error process.
We also briefly step back into dynamic analysis, talking about network connection tools such as INetSim, Fiddler, Honeyd, etc.
Day 4 deals with bypassing anti-analysis defenses. We discuss how malware may act differently when being analyzed automatically or manually. We see how malware may shut down when certain tools are opened (such as Wireshark or analysis tool processes), some samples may contain numerous types of anti-analysis techniques, and sometimes you will have to perform code level analysis to find what is in your way, dump a new exe and try again, only to find that there is another roadblock. We discuss patching executables, as well as some really sneaky anti-analysis defenses that really illustrate the need to have a properly set up lab. Later in the day we try a number of lab examples.
Day 5 is about malicious documents and memory forensics.
I’ve technically finished the course at this point, and long story short I’m going back through for review and relearning, it’s going to take some time. I purchased my exam attempt and took a practice test, far from where I want to be. It seemed to me that a number of the questions seemed to come out of left field or used terminology that was not used during the course. An example of a question type that may have been present would be something about how to trigger a breakpoint when you need to set to its authentication function. Wha? authentication function? I know how to set a software or hardware breakpoint, I know when to use which, but I don’t remember anything about authentication. Or a question about something seen when examining a packed executable. The get being that the sample wasn’t packed, but had the name of the programming language shown by the tool, but it has a version number. Unless you knew that the name of the language was a language, not a packer, there is no way to tell the difference. Seems to me an unfair question since that specific language was never discussed.
I remember some threads somewhere that discussed this exam, and perhaps mentioned such issues, obviously I will need to review those, as well as creating an index. As you all may know, I don’t generally create indexes, most people do and I can see their use, but I never have. In this case I may do it to better study, and to ensure I can access everything when I need it. This will also likely be the first GIAC exam where I use both practice exams I expect.
In the end however this is a good thing for me, I’m already being considered for a position with malware analysis duties, I’ll have to talk to the person, make sure I’m going to have a mentor, but I’m seriously considering it.