Malware Analysis

Overview

This course will teach you techniques used by analysts throughout the field to identify, profile and assess malicious software, as well as how to build signatures to help incident responders detect infections in their own environments.


What to expect

This is a two day course that runs from 8:00a-5:00p. There are 3 tracks within this course:

Novice:

This track is for those with no background in programming and/or little to no knowledge of windows internals. In this track, you will spend the first day participating in lectures and labs covering the safe handling of malware, basic static and dynamic analysis, the basics of x86 assembly, and Windows Internals. The second day you will be turned loose to reinforce and build upon what you learned by completing self-paced lessons, labs, and puzzles. These lessons will include topics such as writing malware signatures, identifying malware behavior, using a debugger, and analyzing malicious documents.

Main:

This track is for those who have some foundational knowledge of programming and windows internals. In this track, you will spend both days participating in instructor directed lectures and labs. The first day will cover the safe handling of malware, basic static and dynamic analysis, x86 assembly, and windows internals. We’ll then kick off the second day with lectures and labs covering debugging with Ida, dumping malware memory with Olly, and identifying more complicated malware behaviors such as process injection and dll side-loading. We will end the day with a series of short labs and lectures on malicious documents, in which we will discuss the pdf file format, malicious JavaScript, malicious VBA, and malicious PowerShell.

Advanced:

This track is for malware analysts or those who have already taken a course on malware analysis. Those who choose this track should have a strong knowledge of windows internals and be comfortable working in Olly and Ida. In this course, you will stick with the “Main” group for a brief lecture on the safe handling of malware, and then you’ll be turned loose with two labs to analyze. The first will be a lightly obfuscated sample from a basic, but prolific, APT family. The second will be heavily obfuscated malware from a highly skilled APT family.

Regardless of the track you choose, you will have experienced instructors supporting you all along the way.

Who should attend

  • Security Operations Center Staff
  • Reverse Engineers
  • Incident Responders
  • Software Engineers
  • System Administrators

Is this course right for me

This course is designed to benefit students of any level. Whether you’re new to the field and want a high level over view of malware analysis, or you’re an experience analyst in search of some quality time with a fun sample, we’ve got you covered.

What should I bring

You MUST have a laptop on which you have admin rights. You cannot participate in this class using a locked down machine. Additionally, the laptop should be capable of running two VMs simultaneously - 4 gigs of RAM is the bare minimum, but the labs will be more enjoyable with 8 or more. You MUST have a functioning virtual environment ready for the first day of class or we will recommend that you move to a different course. We recommend you arrive with your VMs configured, but there will be instructors available to assist with configuration the afternoon or evening before the first day of class if you get stuck somewhere.

Laptop Configuration

Laptop and software setup sessions usually happen the afternoon or evening before the first day of class. Please check the schedule for details and come early if you would like help making sure everything is ready to go for class. Students who enroll in the course will receive a configuration guide several weeks before CyberFire. We recommend you begin configuring your VM early, allowing time for things to go wrong. We strongly recommend that you use VMWare Workstation Pro (Windows and Linux) or VMWare Fusion (OS X). You can try it out for 30 days for free, though you’ll likely want a license if you’re going to be analyzing malware regularly. VMWare Workstation Player will not suffice for our purposes, as we need the ability to create snapshots and Workstation Player does not provide this ability. The instructors will not be prepared to troubleshoot issues outside of the recommended platform.