Reverse Engineering Malware explores malware analysis tools and techniques in depth. Understanding the capabilities of malware is critical to an organization’s ability to derive threat intelligence, respond to information security incidents, and fortify defenses. This course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and other tools useful for turning malware inside-out.
The course begins by covering fundamental aspects of malware analysis. You will learn how to set up an inexpensive and flexible laboratory to examine the inner workings of malicious software, and how to use the lab to uncover characteristics of real-world malware samples. Then you will learn to examine the specimens’ behavioral patterns and code. The course continues by discussing essential x86 assembly language concepts. You will examine malicious code to understand its key components and execution flow. In addition, you will learn to identify common malware characteristics by looking at suspicious Windows API patterns employed by bots, rootkits, keyloggers, downloaders, and other types of malware.
You will learn how to analyze malicious documents that take the form of Microsoft Office and Adobe PDF files. Such documents act as a common infection vector and may need to be examined when dealing with large-scale infections as well as targeted attacks. The course also explores memory forensics approaches to examining malicious software, especially useful if the software exhibits rootkit characteristics.
The course culminates with a series of capture-the-flag-style challenges designed to reinforce the techniques learned in class and provide additional opportunities to learn practical, hands-on malware analysis skills in a fun setting.
Hands-on workshop exercises are a critical aspect of this course and allow you to apply malware analysis techniques by examining malware in a lab that you control. When performing the exercises, you will study the supplied specimens’ behavioral patterns and examine key portions of their code. To support these activities, you will receive pre-built Windows and Linux virtual machines that include tools for examining and interacting with malware.
You Will Learn How To:
- Build an isolated, controlled laboratory environment for analyzing the code and behavior of malicious programs.
- Employ network and system-monitoring tools to examine how malware interacts with the file system, registry, network, and other processes in a Windows environment.
- Control relevant aspects of the malicious program’s behavior through network traffic interception and code patching to perform effective malware analysis.
- Use a disassembler and a debugger to examine the inner workings of malicious Windows executables.
- Bypass a variety of packers and other defensive mechanisms designed by malware authors to misdirect, confuse, and otherwise slow down the analyst.
- Recognize and understand common assembly-level patterns in malicious code, such as DLL injection and anti-analysis measures.
- Assess the threat associated with malicious documents, such as PDF and Microsoft Office files, in the context of targeted attacks.
- Derive Indicators of Compromise from malicious executables to perform incident response triage.
- Utilize practical memory forensics techniques to examine the capabilities of rootkits and other malicious program types.