
[Article]-Review: SANS FOR610 Reverse Engineering Malware


don

Administrator

Post Tue Aug 03, 2010 1:27 pm

[Article]-Review: SANS FOR610 Reverse Engineering Malware

Although this was completed before BH and DC, I personally needed a few days to recover. But my, what a great time. But that's a story for another time. Now for a great review that many of you have been excited to read. As mentioned, this does cover the 5-day version of the course. Enjoy and be sure to send your thanks and thoughts to Justin and/or Lenny. And that's what I'll do right now... Thanks, guys, for your time and efforts.

Also, we have worked out a deal with SANS to get all you EH-Netters out there a 10% discount code that will work on everything SANS offers including live courses, events and vLive. Simply use discount code: Connect_EHN10.

Spread the word!!



Review by Justin Kallhoff, CISSP, C|EH, GPCI, GCIH et al 

Current statistical evidence from multiple reputable sources suggests current signature-based anti-malware technologies have detection rates below 35%. I don’t think any of us expect that percentage to increase; instead I expect it to continue to decrease as malware authors continue to learn, cooperate, and gain sophistication. This disturbing trend has information security paranoids, like me, continually evangelizing “it’s not a matter of if, it’s a matter of when” your organization will experience a compromise.

Those of us responsible for protecting organizations from malware or responding when defenses fail need to elevate our reverse engineering and forensics skills for the rocky road that lies ahead. I have been frustrated a number of times while attempting to determine what a particular piece of malware did to a system. A majority of organizations lack defense-in-depth and appropriate logging levels, so it can be very difficult to determine who did what, when, and what may or may not have changed as a result. In many situations, a post-mortem analysis or a reenactment may be required to determine the extent of the incident. This is where Lenny Zeltser’s SANS Forensics 610: Reverse Engineering Malware course comes in handy. It is now a 5-day, in-depth course covering a multitude of topics involving malware analysis.  



Don
CISSP, MCSE, CSTA, Security+ SME

UNIX

Hero Member

Post Tue Aug 03, 2010 2:31 pm

Re: [Article]-Review: SANS FOR610 Reverse Engineering Malware

Nicely written, good review. Also thanks for the coupon code. This certainly comes in handy for some readers. :)

So how many EH-Netters actually clicked on the 'malicious' link? ;)

don

Administrator

Post Thu Aug 05, 2010 1:41 pm

Re: [Article]-Review: SANS FOR610 Reverse Engineering Malware

Catch Lenny and FOR610 Reverse Engineering Malware on vLive:

Start Date:  Monday, January 17, 2011
End Date:   Thursday, February 17, 2011
Meeting Times:   7:00 PM - 10:00 PM EST


This popular malware analysis course has helped numerous IT administrators, forensics investigators, malware specialists, and other security professionals fight malicious code. The course teaches a practical approach to examining malicious software that runs natively on Microsoft Windows, and covers web-based malware such as JavaScript and Flash files. You will learn how to reverse-engineer malicious programs using a variety of system and network monitoring utilities, a disassembler, a debugger, and other tools for turning malware inside-out.

Security incident responders benefit from knowing how to reverse-engineer malware, because this process helps in assessing the event's scope, severity, and repercussions. It also assists in containing the incident and in planning recovery steps. Those who perform forensic investigations also benefit from the course, because they learn how to understand key characteristics of malware present on compromised systems.

This unique course provides a rounded approach to reverse-engineering by covering both behavioral and code analysis aspects of the analysis. As a result, the course makes the topic accessible even to individuals with a limited exposure to programming concepts. The materials do not assume that the students are familiar with malware analysis; however, the complexity of concepts and techniques increases as the course progresses.

The course begins by covering fundamental aspects of malware analysis. You will learn how to set up an inexpensive and flexible laboratory for understanding the inner workings of malicious software, and will understand how it can be used to explore characteristics of real-world specimens. You will then learn to examine the program's behavioral patterns and code. You will experiment with reverse-engineering compiled Windows executables and browser-based malware.

The course continues by discussing essential x86 assembly language concepts. You will learn to examine malicious code to understand the program's key components and execution flow. You will also learn to identify common malware characteristics by looking at Windows API use patterns, and will examine excerpts from bots, rootkits, key loggers, and downloaders. You will understand how to work with PE headers and handle DLL interactions. You will also learn tools and techniques for bypassing anti-analysis capabilities of armored malware, experimenting with packed executables and obfuscated browser scripts.

You will also learn how to analyze malicious document files that take the form of Microsoft Office and Adobe PDF documents. Such documents act as a common infection vector and need to be understood by enterprises concerned about both large-scale and targeted attacks. The course also explores memory forensics approaches to examining rootkits. Memory-based analysis techniques also help you to understand the context of an incident involving malicious software.

Hands-on workshop exercises are a critical aspect of this course, and allow you to apply reverse-engineering techniques by examining malware in a controlled environment. When performing the exercises, you will study the supplied specimen's behavioral patterns, and examine key portions of its code. You will examine malware on a Windows virtual machine that you will infect during the course, and will use the supplied Linux virtual machine that includes tools for examining and interacting with Windows and browser malware.

Complexity of the Course
While the field of reverse-engineering malware is in itself advanced, the course begins by covering this topic from introductory level and quickly progresses to discuss malware analysis tools and techniques of intermediate complexity.

Neither programming experience nor knowledge of assembly is required to benefit from the course. However, it helps to understand core programming concepts, such as variables, loops, and functions. The course spends some time discussing essential aspects of x86 assembly to allow malware analysts to navigate through malicious executables using a debugger and a disassembler.



For more info:
http://www.sans.org/info/63128

Don
CISSP, MCSE, CSTA, Security+ SME
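The course outline above mentions working with PE headers, reading Windows API use patterns out of a specimen, and recognising packed executables. The script below is an added example written for this thread (it is not SANS or Lenny Zeltser's course material) that does exactly that first-pass static triage: it walks the DOS, COFF and optional headers, computes per-section Shannon entropy, parses the import table, and flags API clusters that deserve a closer look in the lab VM. Because a forum post cannot ship a real sample, the binary it analyses is constructed in memory by `build_sample_pe()`; the `UPX1` section name, the entropy threshold of 7.0 bits/byte and the three API clusters in `API_PATTERNS` are my own triage heuristics, not anything the course prescribes. Header layouts follow the PE/COFF specification, so `parse_pe()` also runs unchanged on a real file read from disk.

```python
"""Static PE triage: header walk, per-section entropy and import-table API patterns.
Added example; the sample binary is constructed in memory (no real file, no real
malware) so the whole script runs offline."""
import hashlib, math, struct
from collections import Counter

def _imports_blob(base_rva, dlls):
    # Lay out IMAGE_IMPORT_DESCRIPTORs, DLL names, hint/name entries, INT and IAT.
    blob, descs = bytearray(20 * (len(dlls) + 1)), []   # descriptors + null terminator
    for dll, funcs in dlls:
        name_rva = base_rva + len(blob)
        blob += dll.encode() + b"\0"
        hint_rvas = []
        for fn in funcs:
            hint_rvas.append(base_rva + len(blob))
            blob += struct.pack("<H", 0) + fn.encode() + b"\0"   # 2-byte hint + name
        thunks = b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0" * 4
        int_rva, iat_rva = base_rva + len(blob), base_rva + len(blob) + len(thunks)
        blob += thunks + thunks                  # OriginalFirstThunk array, then the IAT
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva))
    blob[:20 * len(dlls)] = b"".join(descs)
    return bytes(blob)

def build_sample_pe():
    """Constructed two-section PE32 that looks UPX-packed and imports an injection API
    cluster.  Sample data only (assumption for the demo); not derived from any real binary."""
    dlls = [("KERNEL32.dll", ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                              "LoadLibraryA", "GetProcAddress"]), ("WININET.dll", ["InternetOpenUrlA"])]
    idata = _imports_blob(0x2000, dlls).ljust(0x200, b"\0")
    upx1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~8 bits/byte
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x1000, 0x200, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, 20 * (len(dlls) + 1))     # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = "<8sIIIIIIHHI"                         # name, vsize, va, rawsize, rawptr, ..., flags
    secs = struct.pack(hdr, b"UPX1", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0xE0000020)
    secs += struct.pack(hdr, b".rdata", 0x200, 0x2000, 0x200, 0x1200, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + upx1 + idata

def _entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n = len(buf) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def parse_pe(data):
    """Walk DOS -> COFF -> optional header -> sections -> import table (PE32 and PE32+)."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B       # PE32+ magic
    import_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "chars": sc,
                         "entropy": round(_entropy(data[rawptr:rawptr + rawsize]), 2)})
    def rva2off(rva):                         # file offset of a relative virtual address
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError("RVA 0x%x lies outside every section" % rva)
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode(errors="replace")
    imports, width, fmt = {}, (8 if is64 else 4), ("<Q" if is64 else "<I")
    desc = rva2off(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):       # all-zero descriptor ends the array
            break
        thunk, funcs = rva2off(oft or ft), []  # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]):
            if entry >> (width * 8 - 1):       # IMAGE_ORDINAL_FLAG set: imported by ordinal
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:
                funcs.append(cstr(rva2off(entry) + 2))   # skip the hint, read the name
            thunk += width
        imports[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return {"machine": machine, "is64": is64, "characteristics": chars,
            "sections": sections, "imports": imports}

# Heuristic API clusters (my choice, not the course's): (APIs, how many must be present)
API_PATTERNS = {
    "process injection": ({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}, 3),
    "dynamic API resolution": ({"LoadLibraryA", "GetProcAddress"}, 2),
    "network download": ({"InternetOpenUrlA", "URLDownloadToFileA"}, 1),
}

def triage(report):
    findings = ["likely packed: section %s, entropy %.2f" % (s["name"], s["entropy"])
                for s in report["sections"] if s["name"].upper().startswith("UPX") or s["entropy"] > 7.0]
    names = {f for funcs in report["imports"].values() for f in funcs}
    for label, (apis, min_hits) in API_PATTERNS.items():
        hits = sorted(apis & names)
        if len(hits) >= min_hits:
            findings.append("%s: %s" % (label, ", ".join(hits)))
    return findings
```

Run `triage(parse_pe(build_sample_pe()))` to see the findings for the constructed sample, or pass `open(path, "rb").read()` from a specimen in your lab VM. Treat the output as a list of hypotheses to confirm with behavioral analysis: a packer hides the real import table behind a stub, so a single `LoadLibraryA`/`GetProcAddress` pair with a high-entropy section usually means the interesting imports only appear after unpacking in the debugger.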

Xen

Sr. Member

Post Thu Aug 05, 2010 2:31 pm

Re: [Article]-Review: SANS FOR610 Reverse Engineering Malware

Finally read it. One of the best reviews I've read. Justin 'unpacked' each day and provided a very clear picture of what's there in the course.

@awesec
I clicked it. Unfortunately, the link has been removed. (:
