Advanced Malware Training: with Next-gen Tools

VDA Labs | July 24-25


Day 1: Malware Distribution

  • Using next-gen Security Tools
Intro the course, tools, and techniques. We'll analyze events collected by Bromium micro-VMs. Bromium will help a SOC analyst to understand a threat quickly, and pull out critical IOCs. But the deepest levels of understanding will still be manual. That's what the course will be about.

  • Recognizing the Exploit Vector
Teach more about the details of a typical endpoint compromise. Begin work to determine which exploit was used on a victim.
We'll learn how to decompile a SWF file with JPEXS FFDEC

  • Unraveling Exploit Obfuscation
Malware exploits are highly obfuscated to hide attacker tricks. Begin work toward peeling back the layers of this onion.
We teach how to use tools such as FireBUG and JavaScript Deobfuscator.

  • Circumventing Exploit Kit Encryption
In the latest exploit kits, communications are not just obfuscated with simple tricks, but industry grade encryption is employed at most layers. We begin work to decrypted key stages of the attack.

  • Understanding Moving Target Communications
Exploit kits use various tricks to make stopping them difficult. Even if a sample is obtained, they may phone home to a different server every day. They sometimes only accept connections at certain times and from certain IP blocks. We examine how these DGA algorithms work.

Day 2: Malware Analysis

  • Detecting Angler in the Wild
We have now figured out what the EK looks like at various levels. Lets help the community. If we develop and share a YARA signature, all of the security vendors and open source security groups can pick it up and help detect this malware in the wild. Of course it'll morph to avoid the detection, but that's all part of this game.

  • Performing Safe Dynamic Analysis
So we've figured out how the EK works. But what does it do? It ultimately needs to drop a malware payload. But what is the soup du jour? We begin our analysis of the payloads that were dropped in this event. A common approach to analyzing a malware payload is to run it in various sandboxed environments to automate the analysis of the constant flood of evolving threats.

  • Analyzing Files Statically
Before we begin a deeper analysis of the file with in-depth tools like IDA pro and debuggers, it's often fruitful to load the malware into a variety of simple file analysis tools, which perform numerous tests on the binary. These tools help us reason about rather the binary is malware, detect packers/crypto, and so much more, without needing to get into the bits and bytes – just yet. We'll show how to use the tools covered in this section.

  • Reversing Malware with Debugging Tools
Sometimes breaking custom encryption or packing statically can be difficult. Going back and forth between static and dynamic analysis is common. You can even debug right from within IDA pro, if you want to run certain sections of code to see what it will actually do. We teach the tools and techniques.

  • Reversing Malware with IDA pro
Once the malware is unpacked, static analysis is typically much easier. Also, we don't have to worry about anti-debugging, once we switch to static analysis. Though time consuming, this, lowest level of analysis may be necessary if all of the details of the malware are required.

  • Customizing Reports: From Researchers to CISOs
Threat intelligence needs to reported differently at each level. CISOs care about different things compared to researchers. We describe the best ways to share the right data, to the right people, so the best actions can be taken. We also look at TI sharing tools and standards.

Who Should Take this Course

SOC analysts, pentesters, developers, testers, QA, managers, malware analysts, etc. Anyone who wants to greatly deepen their knowledge about how the latest threats can be quickly and thoroughly analyzed.

Student Requirements

It is recommended that students take the prior malware course (Deeper Investigations for the SOC) to be sure your background is suitable.

What Students Should Bring

For any VDA class students should bring:
  • Modern laptop capable of playing a VM (player, workstation, or fusion)
  • Plenty of HD (at least 70 GB free), CPU (at least 4 cores), and RAM (at least 8 GB) You'll need a USB port to copy the VM media to your HD

What Students Will Be Provided With

Training material (book and VM). None can be shared with non-students.


Dr. Joshua Stroschein has spent over a decade as a programmer and consultant with a focus on application security. His expertise includes malware analysis, application security, software development, reverse engineering, and exploitation. Josh has taught VDA classes on 3 continents now - and loves it!