Description
Basic Malware Analysis teaches the fundamental skills required to analyze malicious software from a behavioral perspective. Using system monitoring tools, this course shows how to observe malware in a controlled environment and quickly assess its malicious effects on the system. From simple keyloggers to massive botnets, the class covers a wide variety of current Internet threats, with actual samples analyzed in the training environment. Because the majority of the class is hands-on, each student is issued a laptop with a secure environment in which to learn the skills and essential methodologies required to be an effective malware analyst.
Course Details:
- 70% Labs, 30% Lecture using real-world malware samples
- Laptops are provided during the class
- Students receive USB Flash drives of all malware and student labs
- Students receive Microsoft Windows Registry Guide E-Book
Objectives
Upon completion of this course, you will be able to perform the following tasks:
- Identify malware and discover its capabilities
- Set up a secure lab environment to analyze malicious software
- Use open source tools to characterize malware samples quickly
- Recognize obfuscation methods used by attackers to escape detection
Prerequisites
You should possess knowledge of the following:
- Attending students should have a thorough understanding of Microsoft Windows
- Experience with VMWare software, although not required, would be beneficial
- Knowledge of networking protocols and Wireshark filtering is recommended but not required
Who Should Attend
- Threat operation analysts seeking to have a better understanding of malware
- Incident responders who need to quickly address a system security breach
- Forensic investigators who need to identify malicious software
- Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies
Outline
- Reverse Engineering
  - Static Analysis
  - Dynamic / Behavioural Analysis
- Malware Overview
  - Malware Defined
  - Malware Intentions and Motivations
  - Malware Types
    - Virus
    - Worm
    - Backdoor
    - Trojan Horse
    - Malicious Mobile Code
    - User Mode Rootkit
    - Kernel Mode Rootkit
    - Combination Malware
  - Vulnerabilities
  - Malware Threat Research Websites
  - Technologies to Fight Malware and Their Limitations
    - Intrusion Detection Systems
    - Intrusion Prevention Systems
    - Anti-Virus Software
  - Hacker Effectiveness Using Malware
- Windows Internals Regarding Malware Analysis
  - Windows API
  - Common DLLs and Their Usage
  - API Disadvantages
  - Process Hooking (Sysinternals Process Monitor)
  - SSDT
  - Native Operating System Calls
- Building An Analysis Environment
  - Webserver
  - File Server
  - Database
  - Victim Machine
  - Lab Support Structure
  - Virtualization
    - Advantages and Disadvantages
- Behavioural Analysis Process (BA)
  - 9 Step Behavioural Analysis Process
  - Understanding and Using the BA Process
  - Knowing Your Goals
- BA Tools Of The Trade
  - VMWare Workstation
  - Sysinternals Suite
  - I-Defense Tools
  - PE Explorer
  - Packed Executable Detection Software
  - Wireshark
- Baselining
  - Why Baseline a System?
  - Baselining Important System Areas
    - System Services
    - Registry Settings
    - File Hashes
    - Active Processes
    - Auto Start Processes
- Document Embedded Malware
  - How to Embed Documents Inside Other Documents
  - Word Documents and VBS Support
  - Hijacking Internet Explorer
  - PDF Malware
    - Embedded and Obfuscated JavaScript
- Macro Viruses
  - Melissa Virus
  - CERT Advisories
  - Document Open Macro
  - AutoOpen Macro
- Botnets
  - Bot Discussion / Definition
  - Estonia Attack
  - Spam King
  - Old School IRC Botnets
    - DBot
    - RBot
  - Modern Botnets
    - Stormworm
- Keyloggers
  - Purposes
  - Simple Versus Advanced
  - Keylogger Types
    - Hardware
      - Inline Devices
      - Internal Devices
      - Replacement Keyboards
    - Software
      - Kernel Mode
      - Hook Based
    - Creative Methods
      - Remote Access Keyloggers
      - Wireless Keylogger Sniffers
      - Acoustic Keyloggers
      - Hardware
- Malicious Mobile Code
  - Java Applets
  - JavaScript
  - VBScripts
  - ActiveX Controls
  - Browser Attack Vectors
    - Resource Exhaustion
    - Browser Hijacking
    - Stealing Cookies
    - XSS Attacks
    - IFrame Injection
  - Reducing Risk of MMC Attacks
  - Spyware Browser Plug-ins
- Backdoors
  - Definition
  - Common Backdoor Types
    - Local Escalation
    - Remote Execution
    - Remote Command Line Access
    - Remote GUI Control
  - Propagation Methods
  - Methods of Persistence
  - Finding Backdoors
- Trojan Horses
  - Definition
  - Goals of a Trojan Horse
  - Trojan Horse Versus Backdoor
  - Trojan Horse Methods of Infection
    - Filename Corruption
    - Wrapper Programs
- User Mode Rootkits
  - What Are Rootkits?
  - Windows Kernel Mode Versus User Mode
  - Rootkit Benefits for Hackers
  - Historical User Level Rootkits
    - HE4Hook
    - Vanquish
    - Aphex
    - Hacker Defender
  - User Level Rootkit Detection
- VMWare Detection
  - Why Malware Does VMWare Detection
  - HoneyNets and HoneyPots
  - Methods of VM Detection
    - IDTR Detection Method
    - SIDT, SGDT, SLDT Detection Methods
- Destructive Malware
  - Surviving Destructive Malware
- CHM Malware
  - Normal CHM File Usage
  - Advantages of CHM Files
  - Disadvantages of CHM Files
  - VBScript Support
  - CHM Malware Detection
- Kernel Mode Rootkits
  - User Mode Versus Kernel Mode Revisited
  - Kernel Mode Impacts
  - Common KMRs
    - Rial
    - Heroin
    - afhrm
  - Kernel Mode Rootkit Detection
- Student Practical Demonstration:
  - Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level, as well as the threat level of the malware.
Lab Outline
- Day 1
  - BA Tools of the Trade Walk-Through
  - Building a Malware Analysis Environment
  - Day 1 Malware Sample 1
  - Day 1 Malware Scenario
- Day 2
  - Document Embedded Malware Sample 1
  - Document Embedded Malware Sample 2
  - Macro Virus Malware Sample
  - Day 2 Malware Scenario
- Day 3
  - Keylogger Malware Sample
  - Malicious Mobile Code Example
  - User Mode Rootkit Malware Sample
  - Day 3 Malware Scenario
- Day 4
  - VMWare Detection Example
  - Destructive Malware Sample
  - CHM Malware Sample
  - Kernel Mode Rootkit Sample
  - Day 4 Malware Scenario
- Day 5 Student Practical Demonstration:
  - Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level, as well as the threat level of the malware.