Malware Analysis Apprenticeship

This five-day hands on course provides participants with an opportunity to learn best practices for analyzing malicious code. In addition to classroom instruction and hands-on exercises, attendees will be given real-world malicious code samples to dissect. Participants will acquire a fundamental understanding of a variety of malware analysis tools and techniques which can directly support their organization's incident response efforts and increase performance in their functional role(s).

Participants will initially be introduced to the common terms used in the malware community and how those have evolved over the past few years. The focus will be on preparing participants to communicate effectively with peers and others in the security community, when discussing malware. Exercises will include analyzing public malware reports, installing a rootkit and performing surface analysis of a well-known piece of malware.

The second day of the course will focus on the programming aspects of malware and how commonly used APIs and cryptographic routines can be recognized. Students will write basic programs using the Windows API to become familiar with the common functionality utilized by malicious code authors. Additionally the basics of assembly language programming will be reviewed, to lay the foundation for debugging and reverse engineering work.

The third day of the course will be devoted to run-time or dynamic analysis. Initially students will learn how to create a secure and trusted environment for performing analysis. Hands-on exercises will then give attendees the opportunity to develop a familiarity with the common monitoring tools that are available for the Windows platform and perform their own run-time analysis on malware samples from the wild.

The fourth day will introduce students to using a debugger to understand malware. Not only does a debugger enable fine-grained analysis and control over a piece of malware, it is often an essential tool for dealing with compressed or packed code. Participants will be challenged to unpack various malware samples during the lab portion of the day.

The fifth and final day will cover advanced static reverse engineering techniques, often required for tasks such as uncovering hidden functionality in a piece of malware.

Who should attend?

U.S. Government Employees and Contractors Only.

Technical staff who manage or support networked information systems and have (recommended):

• one year of practical experience with networked systems or equivalent training/education
• six months of security administration experience
• six months of experience programming with C or C++
• a strong understanding of TCP/IP networking

Topics

• Trends in malicious code growth
• Common classes of malware
• Common attack vectors
• Surface analysis of malware
• Run-time analysis of malware
• System monitoring
• Debuggers
• Static reverse engineering of malware
• Disassemblers

Objectives

• Differentiate between common classes of malware
• Identify common attack vectors used to inject malicious code onto a system
• Understand fundamental malware analysis techniques
• Perform surface analysis of malware, to include a calculating cryptographic hashes and file sizes
• Build a secure environment within which analysis can be performed
• Identify malware network touch points via runtime analysis
• Run a malicious program using a debugger
• Unpack common malware packers
• Recognize common malware fingerprints in assembly
• Identify custom encoding routines

Prerequisites

Each student will be required to provide their own laptop for the duration of the course. The student's laptop must meet the following:

• Minimum hardware recommendations:
• DVD-ROM drive
• 1.6 GHz CPU
• 2.0 GB RAM
• 20 GB of available disk space
• Windows XP Service Pack 2 or 3 installed
• IDAPro disassembler, version 5.3 or higher
• Sysinternals suite (Free Download)
• Microsoft Visual C++ 2010 Express (Free Download)
• VMWare Workstation installed (30-day trial version is available)
• A VMWare virtual machine, created with Windows XP Service Pack 2 or 3 installed

Materials

Participants will receive a CD containing the course materials and analysis tools.

Schedule

This five-day course meets at the following times:
Days 1-4, 9:00 a.m.-5:00 p.m.
Day 5, 9:00 a.m.-3:00 p.m.