Course Length:
5 Days
Course Description:
Malware, short for malicious software, is code designed to infiltrate and exploit a computer system or network without consent. This course provides students with a comprehensive study of the many types of malware and their functions. The course stresses types of malware, their global effects, malware analysis, and incident response plans. Lab exercises reinforce the lectures.
Who Should Attend:
This course will significantly benefit security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of their network infrastructure.
Benefits of Attendance:
Upon completion of this course, students will be able to:
  • Identify, classify, and organize malware
  • Identify and correlate information regarding domains, hostnames, and IP addresses
  • Analyze JavaScript, PDFs, Office documents, and packet captures for signs of malicious activity
  • Automate the execution of malware in VMware or VirtualBox virtual machines
  • Build your own API monitor
  • Detect rootkits and stealth malware using forensic tools
  • Scan the file system and Registry for hidden data, bypass locked file restrictions, and remove stubborn malware
  • Use a debugger to analyze, control, and manipulate a malware sample's behaviors
  • Create debugger plug-ins that monitor API calls, output HTML behavior reports, and automatically highlight suspicious activity
  • Decode, decrypt, and unpack data that attackers intentionally try to hide
  • Crack domain generation algorithms
  • Analyze malware distributed as Dynamic Link Libraries (DLLs)
  • Debug the kernel of a virtual machine infected with malware to understand its low-level functionality
  • Create scripts for WinDbg, unpack kernel drivers, and leverage IDA Pro's debugger plug-ins
  • Acquire memory samples from physical and virtual machines
  • Install the Volatility advanced memory forensics platform and associated plug-ins
  • Detect and extract code hiding in process memory
  • Rebuild binaries, including user mode programs and kernel drivers, from memory samples
  • Rebuild the import address tables (IAT) of packed malware based on information in the memory dump
  • Detect various forms of rootkit activity, including the presence of IAT, EAT, Inline, driver IRP, IDT, and SSDT hooks on a system
  • Identify malware that hides in kernel memory without a loaded driver
  • Locate system-wide notification routines
  • Detect attempts to hide running Windows services
  • Detect active connections, listening sockets, and the use of raw sockets and promiscuous mode network cards
  • Extract volatile Registry Keys and values from memory
Prerequisites:
Students should have a basic understanding of Windows/Linux operating systems, TCP/IP, and network security.
Course Outline:
  • Anonymizing Your Activities
    1. Conducting online investigations without exposing your own identity
  • Honeypots
    1. Using honeypots to collect the malware being distributed by bots and worms
    2. Grabbing new variants of malware families from the wild, sharing them in real time with other researchers, analyzing attack patterns, or building a workflow to automatically analyze the samples
  • Malware Classification
    1. Identifying, classifying, and organizing malware
    2. Detecting malicious files using custom anti-virus signatures
    3. Determining the relationship between samples
    4. Determining exactly what functionality attackers may have introduced into a new variant
  • Sandboxes and Multi-AV Scanners
    1. Leveraging online virus scanners and public sandboxes
    2. Using scripts to control the behavior of your sample in the target sandbox
    3. Submitting samples on command line with Python scripts
    4. Storing results to a database
    5. Scanning for malicious artifacts based on sandbox results
  • Researching Domains and IP Addresses
    1. Identifying and correlating information regarding domains, hostnames, and IP addresses
    2. Tracking fast flux domains
    3. Determining the alleged owner of a domain
    4. Locating other systems owned by the same group of attackers
    5. Creating static or interactive maps based on the geographical location of IP addresses
  • Documents, Shellcode, and URLs
    1. Analyzing JavaScript, PDFs, Office documents, and packet captures for signs of malicious activity
    2. Extracting shellcode from exploits and analyzing it within a debugger or in an emulated environment
  • Malware Labs
    1. Building a safe, flexible, and inexpensive lab in which to execute and monitor malicious code
    2. Solutions involving virtual or physical machines and using real or simulated Internet
  • Automation
    1. Automating the execution of malware in VMware or VirtualBox virtual machines
    2. Creating custom reports about the malware's behavior, including network traffic logs and artifacts created in physical memory
  • Dynamic Analysis
    1. Building your own API monitor
    2. Preventing certain evidence from being destroyed
    3. Logging file system and Registry activity in real time without using hooks
    4. Comparing changes to a process's handle table
    5. Logging commands that attackers send through backdoors
  • Malware Forensics
    1. Scanning the file system and Registry for hidden data
    2. Bypassing locked file restrictions and removing stubborn malware
    3. Detecting HTML injection and investigating a new form of Registry "slack" space
  • Debugging Malware
    1. Using a debugger to analyze, control, and manipulate a malware sample's behaviors
    2. Creating debugger plug-ins that monitor API calls, output HTML behavior reports, and automatically highlight suspicious activity
  • De-obfuscation
    1. Reverse-engineering a malware sample that encrypts its network traffic
    2. Techniques to crack domain generation algorithms
  • Working with DLLs
    1. Enumerating and examining a DLL's exported functions
    2. Running the DLL in a process of your choice (and bypassing host process restrictions)
    3. Executing DLLs as a Windows service
    4. Converting DLLs to standalone executables
  • Kernel Debugging
    1. Debugging the kernel of a virtual machine infected with malware
    2. Creating scripts for WinDbg
    3. Unpacking kernel drivers
    4. Leveraging IDA Pro's debugger plug-ins
  • Memory Forensics with Volatility
    1. Acquiring memory samples from physical and virtual machines
    2. Installing the Volatility advanced memory forensics platform and associated plug-ins
    3. Beginning your analysis by detecting process context tricks and DKOM attacks
  • Memory Forensics: Code Injection and Extraction
    1. Detecting and extracting code (unlinked DLLs, shellcode, and so on) hiding in process memory
    2. Rebuilding binaries, including user mode programs and kernel drivers
    3. Rebuilding the import address tables (IAT) of packed malware based on information in the memory dump
  • Memory Forensics: Rootkits
    1. Detecting various forms of rootkit activity, including the presence of IAT, EAT, Inline, driver IRP, IDT, and SSDT hooks on a system
    2. Identifying malware that hides in kernel memory without a loaded driver
    3. Locating system-wide notification routines
    4. Detecting attempts to hide running Windows services
  • Network and Registry
    1. Exploring the artifacts created on a system due to a malware sample's network activity
    2. Detecting active connections, listening sockets, and the use of raw sockets and promiscuous mode network cards
    3. Extracting volatile Registry Keys and values from memory