Advanced Malware Analysis

Transcription

1 Advanced Malware Analysis Serving as the final class in our malware series Advance Malware Analysis will challenge you more that ever. Using the latest malware samples that are the hardest to reverse engineer we push our students to use every means necessary to defeat all defensive measures employed by Malware authors to wreak havoc across the internet. Each malware sample analyzed in class will require first unpacking the sample and removing any software armoring or protection put in place to thwart the security analyst. After the student successfully removes armoring agents they ll have to navigate past several anti-debugging techniques employed by the most elite malware samples today. Finally each sample will required skillful knowledge and usage of OllyDbg or IDA Pro tools with scripting abilities to reverse engineer the destructive code and determine exactly what the malware does. **Please note this course requires extensive skills and programming knowledge. It is recommended that the student attend Intermediate Malware Analysis, Assembly for Reverse Engineers, and Introduction to Python before attending this course or have equivalent experience. Topics include: Malicious document analysis Extracting and analyzing embedded shell script from documents Manually unpacking obfuscated malware Methods for Analyzing and Defeating Armored Malware Advanced Rootkits, DLL s and Windows Services Advanced Anti-Reversing Malware Class Details: 5 Days M-F, Laptops are provided Students receive course USB Flash Drive of tools and labs

2 Day 1 Agenda Microsoft Office Malicious Documents Instructor will demonstrate methods and techniques for manually analyzing malicious documents WITHOUT running them against the vulnerable version of MS Office they are targeting. Students will walk through samples for: Word DOC embedded malware Excel XLS embedded malware PowerPoint PPT embedded malware IDA Pro BinLoad SysInternals Suite Adobe PDF Malicious Documents Instructor will describe and demonstrate methods and techniques for manually analyzing these malicious documents WITHOUT running them against the vulnerable version of Adobe Reader they are targeting. Students will walk through several PDF samples targeting current vulnerabilities. MDAT BinLoad IDA Pro This day concludes with a relevant and challenging malware samples in which they must remove the embedded executables for MS Office and Adobe files as the scenario for the day.

3 Day 2 Agenda Manually Unpacking Obfuscated Malware Instructor will: Describe and demonstrate situations where malware analysts tools break and Auto-Unpacking fails. Students will: Analyze a packed executable which will break if attempting to be unpacked through a malware autounpacker. Manually unpack and restore the original executable. Students will be given modified version of other real-world packers. (2-3 samples) Day concludes with a relevant and challenging malware sample which students must unpack as the scenario for the day. IDA Pro

4 Day 3 Agenda Methods for Analyzing and Defeating Armored Malware Instructor will: Describe and demonstrate common anti-debugging techniques used by malware authors to detect whether or not they are being analyzed. Describe and demonstrate common anti-reversing techniques used by malware authors to confuse and increase difficulty of the RE process. Students will: Analyze and bypass Anti-debugging checking routines to get the executable to completely unpack. Combine lessons learned from Day Two to manually unpack and restore the original executable and then defeat the anti-debugging routines. Analyze a sample making use of many popular anti-reversing techniques and will have to develop IDA Scripts to clean up the code to make it easier to Reverse Engineer. Combine lessons learned from Day One, Two, Three to manually unpack and restore the original executable, defeat the anti-debugging routines, and finally defeat anti-reversing routines. This day concludes with a relevant and challenging malware sample which they must unpack as the scenario for the day. IDA Pro w/ IDA Scripting emphasis

5 Day 4 Agenda Rootkits, DLL s and Windows Services Instructor will cover the following topics: Demonstrate reversing Windows rootkits Provide an overview of Windows Kernel data structures and what they mean Show how to detect interrupt table hooks and SSDT hooks Examining NDIS chains to find backdoor TCP/IP stacks Reversing DLL s Overview of Windows DLLs Loading DLLs, DLL Exports Windows Services Overview of Windows Services structures Service installation and execution routines Service lifetime Students will combine lessons learned from Day One, Two, Three to manually unpack and restore the original executable service DLL and rootkit, defeat the anti-debugging routines, and finally defeat anti-reversing routines. IDA Pro w/ IDA Scripting emphasis

6 Day 5 Agenda Conficker or other Relevant Sample Students will combine lessons learned from all week and use the skills they ve learned to analyze a challenging high level piece of malware in a DOC/PDF format. Each student will have to perform the following objectives: Manually unpack and restore the original executable Defeat the anti-debugging routines Defeat anti-reversing routines Develop network signatures IDA Pro w/ IDA Scripting emphasis