Malware Analysis: Black Hat Edition
MANDIANT: Nick Harbour and Mike Sikorski
April 12 - 13
Almost every Incident Response involves some Trojan, back door, virus component, or rootkit. Incident Responders must be able to perform rapid analysis on the malware encountered in an effort to determine the purpose of unknown code. This course provides a rapid introduction to the tools and methodologies used to perform dynamic and static analysis on portable executable programs found on Windows systems.
Students will learn to infer the functionality of a program by analyzing disassembly and by watching how it changes a system as it runs. They will learn how to extract investigative leads from host- and network-based indicators associated with a malicious program and how to identify specific coding constructs in disassembly. They will be taught the art of dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations, exercises where the students follow along with the instructor, and labs where the students practice what they have learned on their own.
What You Will Learn:
- How to create a safe malware analysis environment
- Malware analysis shortcuts
- Static Program Analysis Methodology
- Dynamic Program Analysis Methodology
- Differences between static and dynamic analysis methodologies
- Bits, bytes, binary, decimal, hexadecimal and converting values between the various numbering conventions
- The fundamentals of assembly language programming
- How to perform dynamic analysis using system monitoring utilities to capture the system, registry and network activity generated during malware analysis
- Windows Internals and APIs
What You Will Get:
- Student Manual
- Class handouts
- MANDIANT gear
Who Should Attend the Class:
Information technology staff, information security staff, corporate investigators or others requiring an understanding of how malware works and the steps and processes involved in Malware Analysis.
Excellent knowledge of computer and operating system fundamentals is required. Some exposure to software development is highly recommended.
What to bring:
Students must bring their own laptop with VMware Workstation or Server installed. Laptops should have 10GB of free space.
Students who cannot meet the laptop requirements because of onsite registration or other reasons should contact MANDIANT at firstname.lastname@example.org to see if a laptop can be provided for them.
Nick Harbour is a Principal Consultant with Mandiant. He specializes in Malware Analysis and Incident Response as well as both offensive and defensive research and development. He also teaches malware analysis and reverse engineering. Nick's ten-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics. Nick has developed free software, most notably dcfldd, the popular forensic disk imaging tool; tcpxtract, a tool for carving files out of network traffic; and Mandiant Red Curtain and FindEvil, tools for identifying malicious binaries. He is also an expert in anti-reverse engineering technologies and has developed binary hardening tools such as PE-Scrambler. Nick is also a trained chef!
Michael Sikorski is a Principal Engineer at Mandiant. As a member of the Federal Services Team, Mr. Sikorski provides specialized research and development security solutions to the company's federal client base. Mr. Sikorski has five years of experience in technical development supporting government computer network operations (CNO) and nine years of experience in the field of computer security.
Mr. Sikorski came to Mandiant from Massachusetts Institute of Technology’s (MIT) Lincoln Laboratory where he conducted research and development on tools for passive network mapping; provided Red Team services on automated intrusion detection and response systems for mobile ad hoc networks; and built automated attack graphs for network security. He also contributed to multiple publications and served as a liaison between MIT and the National Security Agency (NSA), providing mission critical tools to the agency.
Mr. Sikorski is a graduate of the NSA's three-year Systems and Network Interdisciplinary Program (SNIP). This elite technical development program is designed to train NSA personnel in the art and science of system and network defense and exploitation. While at the NSA, he contributed to research in reverse engineering techniques, received multiple invention awards in the field of Network Analysis and led a team in the development of the host-based component of an active network defense system.
Mr. Sikorski holds a Bachelor of Science degree in Computer Engineering (with minor in Economics) from Columbia University and a Master of Science degree in Computer Science from Johns Hopkins University. He currently holds a Top Secret security clearance.