This five-day hands-on course provides participants with an opportunity to learn best practices for analyzing malicious code. In addition to classroom instruction and hands-on exercises, attendees will be given real-world malicious code samples to dissect. Participants will acquire a fundamental understanding of a variety of malware analysis tools and techniques which can directly support their organization's incident response efforts and increase performance in their functional role(s).
Participants will initially be introduced to the common terms used in the malware community and how those have evolved over the past few years. The focus will be on preparing participants to communicate effectively with peers and others in the security community when discussing malware. Exercises will include analyzing public malware reports, installing a rootkit, and performing surface analysis of a well-known piece of malware.
The second day of the course will focus on the programming aspects of malware and how commonly used APIs and cryptographic routines can be recognized. Students will write basic programs using the Windows API to become familiar with the common functionality utilized by malicious code authors. Additionally, the basics of assembly language programming will be reviewed to lay the foundation for debugging and reverse engineering work.
The third day of the course will be devoted to run-time, or dynamic, analysis. Initially, students will learn how to create a secure and trusted environment for performing analysis. Hands-on exercises will then give attendees the opportunity to develop familiarity with the common monitoring tools available for the Windows platform and to perform their own run-time analysis on malware samples from the wild.
The fourth day will introduce students to using a debugger to understand malware. Not only does a debugger enable fine-grained analysis and control over a piece of malware, it is often an essential tool for dealing with compressed or packed code. Participants will be challenged to unpack various malware samples during the lab portion of the day.
The fifth and final day will cover advanced static reverse engineering techniques, often required for tasks such as uncovering hidden functionality in a piece of malware.
U.S. Government Employees and Contractors Only.
Technical staff who manage or support networked information systems and have (recommended):
Each student will be required to provide their own laptop for the duration of the course. The student's laptop must meet the following:
Participants will receive a CD containing the course materials and analysis tools.
This five-day course meets at the following times:
Days 1-4, 9:00 a.m.-5:00 p.m.
Day 5, 9:00 a.m.-3:00 p.m.