Los Angeles, CA - December 4 - 12, 2006

Intense, fast paced. Modern day Sherlock Holmes!
-Cody Drake, Allstate Ins. Co.

SECURITY 601

Reverse-Engineering Malware - Hands-On

Monday, December 11, 2006 - Tuesday, December 12, 2006 : 8:30am - 5pm
James Shewmaker, SANS Certified Instructor
6 CPE Credits Per Day

Promo Trailer for the REM Course on YouTube

Please note that SEC601 Reverse-Engineering Malware alumni will receive a 50% discount when registering for the entire SEC610 course. Please contact tuition@sans.org to receive your discount code.

SEC610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques offers the full course with option to add a certification attempt.
SEC601: Reverse-Engineering Malware: The Essentials of Malware Analysis is days 1 & 2 of SEC610.
SEC602: Reverse-Engineering Malware: Additional Tools and Techniques is days 3 & 4 of SEC610.

Regarding Reverse Engineering, the person who authorized my trip to take the course said, 'That investment has already paid for itself.' -Chet Langin, Information Security Analyst, Southern Illinois University


Expand your capacity to fight malicious code by learning how to analyze viruses, worms, and trojans. This two-day course discusses the essential techniques for examining malware using a variety of system monitoring tools, a disassembler, and a debugger. Although it is an advanced course, it does not assume that the students are familiar with malware analysis; however, the difficulty level of concepts and techniques increases quickly as the course progresses.

This course covers key aspects of reverse-engineering malicious code. The instructor explains how to set up an inexpensive and flexible laboratory for understanding the inner workings of malware, and demonstrates the process by exploring the capabilities of real-world specimens. During this course, you will learn to examine a program's behavioral patterns and assembly code, and will study techniques for defeating common code obfuscation. You will also learn the roles and capabilities of tools such as VMware, Snort, Filemon, Regmon, IDA Pro, and OllyDbg.

Hands-on workshop exercises are an essential part of this course and will give you a chance to apply reverse-engineering techniques by examining malicious code in a carefully controlled environment. When performing the analysis, you will study the program's behavioral patterns and will examine key portions of its assembly code.

Topics covered by the course include:

  • Configuring the laboratory environment
  • Assembling the analysis toolkit
  • Performing behavioral and code analysis
  • Bypassing authentication mechanisms
  • Examining protected executables
  • Intercepting network connections
  • Patching compiled executables
  • Analyzing browser-based malware

You will learn how to reverse-engineer malicious software using tools such as:

  • Filemon, Regmon, Regshot
  • BinText, strings, LordPE
  • VMware, IDA Pro, OllyDbg
  • Snort, NetCat, Honeyd
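The behavioral-analysis step described above (snapshot the lab system, run the specimen, snapshot again, compare) as an added example. This is not course material and not code from Regshot, Filemon or any other tool named on this page; it reproduces on a directory tree the before/after comparison that Regshot performs for the Windows registry and file system. The directory layout, the file contents and the "specimen" that drops a DLL, flips a setting and deletes a log are all constructed for the demonstration.

```python
"""Before/after snapshot diff: the core of behavioral malware analysis.

Added example, not SANS course material or code from Regshot, Filemon or
Regmon. It snapshots a directory tree, runs a (constructed) specimen and
reports which files were added, removed or modified. A real run would
snapshot the lab VM's system drive and exported registry hives instead.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]                      # relative path -> SHA-256 of contents
Diff = Tuple[List[str], List[str], List[str]]  # (added, removed, modified)


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root, keyed by a '/'-separated relative path."""
    result: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):     # skip sockets, broken links, devices
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> Diff:
    """Return (added, removed, modified) path lists, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def _write(root: str, rel: str, data: bytes) -> None:
    """Create rel (with '/' separators) under root, making parent dirs as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def simulated_specimen(root: str) -> None:
    """Constructed stand-in for running the malware inside the lab VM:
    drops a DLL, turns on an autostart setting and deletes a log."""
    _write(root, "bin/svc.dll", b"MZ\x90\x00constructed payload")
    _write(root, "config/settings.ini", b"autostart=1\n")
    os.remove(os.path.join(root, "logs", "boot.log"))


def demo() -> Diff:
    """Seed a throwaway tree, run the specimen, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"MZ\x90\x00constructed binary")
        _write(root, "config/settings.ini", b"autostart=0\n")
        _write(root, "logs/boot.log", b"boot ok\n")
        before = snapshot(root)          # clean baseline
        simulated_specimen(root)         # run the specimen
        after = snapshot(root)           # post-infection state
        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, removed, modified = demo()
    for label, paths in (("added", added), ("removed", removed), ("modified", modified)):
        print(f"{label}: {paths}")
```

Two caveats a practitioner should keep in mind. A snapshot diff only shows the end state: a dropper that writes a temporary file and deletes it before the second snapshot leaves no trace here, which is why the course pairs Regshot-style diffs with real-time monitors such as Filemon and Regmon. And snapshots taken from inside the infected guest can be lied to by a rootkit that hides files or keys; snapshotting the guest's disk from the host (or from a second, clean VM that mounts the image) removes that blind spot.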

Who should attend:

  • Individuals responsible for protecting the organization from malicious code
  • Anyone who is curious about the inner workings of malicious code

Prerequisites:

  • Students should have a computer system that meets the laptop requirements note (some software must be installed before you come to class).
  • Students should be familiar with using Windows and Linux operating environments, and with troubleshooting general connectivity and setup issues.
  • Students should have a general understanding of programming concepts such as stacks and function calls.

Attending a SANS conference provides attendees with a great opportunity to learn from and share with world class IS Security professionals at a reasonable cost.
-Theresa Wahl, USAF