HBFITES Data Center, Collaboration, Security, Storage, Wireless, Telepresence Training +91-9886770046 info@hbfites.com

BMA - Basic Malware Analysis

Description

Basic Malware Analysis teaches you the fundamental skills needed to analyze malicious software from a behavioral perspective. Using system monitoring tools, this course teaches how to observe malware in a controlled environment and quickly assess its malicious effects on the system. From simple keyloggers to massive botnets, the class covers a wide variety of current threats in use on the Internet today, with actual samples analyzed in the training environment. Since the majority of the class is hands-on, each student is issued a laptop with a secure environment in which to learn the skills and essential methodologies required to be an effective malware analyst.

Course Details:

  • 70% Labs, 30% Lecture using real-world malware samples
  • Laptops are provided during the class
  • Students receive USB Flash drives of all malware and student labs
  • Students receive Microsoft Windows Registry Guide E-Book

Objectives

Upon completion of this course, you will be able to perform the following tasks:

  • Identify malware and discover its capabilities
  • Set up a secure lab environment to analyze malicious software
  • Use open source tools to characterize malware samples quickly
  • Recognize obfuscation methods used by attackers to escape detection

Prerequisites

You should possess knowledge of the following:

  • Attending students should have a thorough understanding of Microsoft Windows
  • Experience with VMWare software, although not required, would be beneficial
  • Knowledge of networking protocols and Wireshark filtering is recommended but not required

Who Should Attend

  • Threat operation analysts seeking to have a better understanding of malware
  • Incident responders who need to quickly address a system security breach
  • Forensic investigators who need to identify malicious software
  • Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies

Outline

  • Reverse Engineering
    • Static Analysis
    • Dynamic / Behavioural Analysis
  • Malware Overview
    • Malware Defined
    • Malware Intentions and Motivations
    • Malware Types
      • Virus
      • Worm
      • Backdoor
      • Trojan Horse
      • Malicious Mobile Code
      • User Mode Rootkit
      • Kernel Mode Rootkit
      • Combination Malware
    • Vulnerabilities
    • Malware threats research websites
    • Technologies to fight Malware and their limitations
      • Intrusion Detection Systems
      • Intrusion Prevention Systems
      • Anti-Virus Software
    • Hacker Effectiveness Using Malware
  • Windows Internals Regarding Malware Analysis
    • Windows API
    • Common DLLs and Their Usage
    • API Disadvantages
    • Process Hooking (Sysinternals Process Monitor)
    • SSDT
    • Native Operating System Calls
  • Building An Analysis Environment
    • Webserver
    • File Server
    • Database
    • Victim Machine
    • Lab Support Structure
    • Virtualization
      • Advantages and Disadvantages
  • Behavioural Analysis Process (BA)
    • 9 Step Behavioural Analysis Process
  • Understanding and Using the BA Process
  • Knowing Your Goals
  • BA Tools Of The Trade
    • VMWare Workstation
    • Sysinternals Suite
    • I-Defense Tools
    • PE Explorer
    • Packed Executable Detection Software
    • Wireshark
  • Baselining
    • Why Baseline a System?
    • Baselining Important System Areas
      • System Services
      • Registry Settings
      • File Hashes
      • Active Processes
      • Auto Start Processes
  • Document Embedded Malware
    • How to Embed Documents Inside Other Documents
    • Word Documents and VBS Support
    • Hijacking Internet Explorer
    • PDF Malware
    • Embedded and Obfuscated Javascript
  • Macro Viruses
    • Melissa Virus
    • Cert Advisories
    • Document Open Macro
    • AutoOpen Macro
  • Botnets
    • Bot Discussion / Definition
    • Estonia Attack
    • Spam King
    • Old School IRC Botnets
      • DBot
      • RBot
    • Modern Botnets
      • Stormworm
  • Keyloggers
    • Purposes
    • Simple Versus Advanced
    • Keylogger Types
      • Hardware
        • Inline Devices
        • Internal Devices
        • Replacement Keyboards
      • Software
        • Kernel Mode
        • Hook Based
        • Creative Methods
      • Remote Access Keyloggers
      • Wireless Keylogger Sniffers
      • Acoustic Keyloggers
  • Malicious Mobile Code
    • Java Applets
    • Javascript
    • VBScript
    • ActiveX Controls
    • Browser Attack Vectors
      • Resource Exhaustion
      • Browser Hijacking
      • Stealing Cookies
      • XSS Attacks
      • IFrame Injection
    • Reducing Risk of MMC Attacks
    • Spyware Browser Plug-ins
  • Backdoors
    • Definition
    • Common Backdoor Types
      • Local Escalation
      • Remote Execution
      • Remote Command Line Access
      • Remote GUI Control
    • Propagation Methods
    • Methods of Persistence
    • Finding Backdoors
  • Trojan Horses
    • Definition
    • Goals of a Trojan Horse
    • Trojan Horse Versus Backdoor
    • Trojan Horse Methods of Infection
      • Filename Corruption
      • Wrapper Programs
  • User Mode Rootkits
    • What are Rootkits
    • Windows Kernel Mode Versus User Mode
    • Rootkit Benefits for Hackers
    • Historical User Level Rootkits
      • HE4Hook
      • Vanquish
      • Aphex
      • Hacker Defender
    • User Level Rootkit Detection
  • VMWare Detection
    • Why Malware Does VMWare Detection
    • HoneyNets and HoneyPots
    • Methods of VM Detection
    • IDTR Detection Method
    • SIDT, SGDT, SLDT Detection Methods
  • Destructive Malware
    • Surviving Destructive Malware
  • CHM Malware
    • Normal CHM File Usage
    • Advantages of CHM Files
    • Disadvantages of CHM Files
    • VBScript Support
    • CHM Malware Detection
  • Kernel Mode Rootkits
    • User Mode Versus Kernel Mode Revisited
    • Kernel Mode Impacts
    • Common KMRs
      • Rial
      • Heroin
      • afhrm
    • Kernel Mode Rootkit Detection
  • Student Practical Demonstration:
    Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level, as well as the threat level of the malware.

Lab Outline

  • Day 1
    • BA Tools of the Trade Walk-Through
    • Building a Malware Analysis Environment
    • Day 1 Malware Sample 1
    • Day 1 Malware Scenario
  • Day 2
    • Document Embedded Malware Sample 1
    • Document Embedded Malware Sample 2
    • Macro Virus Malware Sample
    • Day 2 Malware Scenario
  • Day 3
    • Keylogger Malware Sample
    • Malicious Mobile Code Example
    • User Mode Rootkit Malware Sample
    • Day 3 Malware Scenario
  • Day 4
    • VMWare Detection Example
    • Destructive Malware Sample
    • CHM Malware Sample
    • Kernel Mode Rootkit Sample
    • Day 4 Malware Scenario
  • Day 5 Student Practical Demonstration:
    • Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level, as well as the threat level of the malware.