This course is not currently offered by Global Knowledge. Information here is provided for reference only.

Almost every Incident Response involves some Trojan, back door, virus component, or rootkit. Incident Responders must be able to perform rapid analysis on the malware encountered in an effort to determine the purpose of unknown code. Without understanding the functionality of the malware, remediation efforts usually fail to meet expectations. This course provides an introduction to the tools and methodologies used to perform dynamic and static analysis on portable executable programs found on Windows systems.

What You'll Learn

• The primary types of malware - A malware bestiary
• How to create a safe malware analysis environment
• Malware analysis shortcuts
• The malware analysis and reporting process
• Legal issues involving malware analysis and reverse engineering
• Methodologies - differences between static and dynamic analysis
• How malware discovered on real systems was used as part of an elaborate intrusion
• Bits, bytes, binary, decimal, hexadecimal and converting values between the various numbering conventions
• Code, compilers, and compilation
• The tools used to identify obfuscation methods used by malware authors and the tools used by analysts to recover the "hidden" data
• The fundamentals of assembly language programming
• How to perform dynamic analysis using virtual machines and system monitoring utilities to capture the system, registry, and network activity generated during malware analysis

Who Needs to Attend

Information technology staff, information security staff, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in malware analysis.

Prerequisites

• General knowledge of computer and operating system fundamentals
• Some exposure to software development
• Experience in assembly and C is beneficial though not required

Follow-On Courses

There are no follow-ons for this course.

Course Outline

1. Introduction to Malware

Get an introduction to the methodology behind malware analysis in this section which establishes a baseline for advanced discussions. Get acquainted with some of the tools commonly used for malware analysis as the instructor walks you through how to establish a safe environment to conduct malware analysis and the importance of this process.

2. Malware Analysis Case Studies

Instructors will share their experiences through the study of four different malware binaries that were part of a real intrusion. Learn how the binaries were discovered, how they were analyzed, and results of the analysis. Gain an understanding of how complex the use of malware was as part of the larger intrusion. In short, gain the big-picture methods required to perform malware analysis.

3. Simple Malware Analysis Tools

Learn a variety of shortcuts that can be used to facilitate the analysis of commonly used malware. Learn to generate MD5 checksums to identify known malware, various web sites which allow upload of suspicious code, and other approaches which can give a malware analyst a head start on the analysis process.

4. Source Code & Compilers

Get an introduction to the C programming language and create sample C programs to better understand how binary executable programs are produced by malware authors.

5. Bits and Bytes

Review low-level data in a variety of formats. In this section, gain a firm understanding of how to convert numbers to and from binary, decimal, and hexadecimal. Explore more advanced topics critical to malware analysis such as little and big endian bit ordering, signed and unsigned numbers, floating point, and character sets. Learn the basic information required to create the foundation for low-level malware analysis.

6. Introduction to Assembly Language (x86) & Windows Programming

Assembly is the highest-level language that can be reliably recovered from machine code when source code is not available. In this section, you'll get a basic understand of assembly as you learn how x86 processors handle assembly instructions, how memory is handled, how mathematical functions are performed, and basic looping processes. All of this is presented at a level appropriate to someone with little or no programming experience.

7. Methodology and Review

Prior to starting the final exercise, you'll be reminded of each of the steps involved in dynamic and static malware analysis. Get an example checklist of steps to help you stay on target during the exercise, and instructors will provide tips and hints from their personal analysis experience to help you reach your goal successfully.

8. Debugging Malware Walkthrough

As the final exercise, instructors will help you through the analysis of an unknown binary found on a compromised system "in the wild". During this dynamic analysis process, you'll use all of the tools and techniques learned during the previous sections in an organized manner to determine the functionality and purpose of the file. This exercise also stresses the importance of careful documentation during the malware analysis process.