Analysis of Malware by Reverse Engineering

This training is about the analysis of malware by reverse engineering. When automatic analysis tools can no longer work as expected (malware escaping their analysis environment, unknown threat, need to answer specific questions…), it becomes necessary to analyze the malware manually. We therefore offer an introductory training in malware analysis that takes participants from a novice level to an initiated one. For the sake of understanding, malware analysis is done at the pseudo-code level, with a focus on the Windows API.

The first part of the course focuses on the technical and conceptual presentation of the different forms of malware threats, from historical viruses to the most recent and modern ones. The purpose of this part is to cover the different technologies used by malware to propagate or execute itself as well as to cover their malicious nature through numerous examples. This approach aims to better understand the threat to analyze it more efficiently.

The second part of the course focuses on the practical application of the previously learned concepts through a series of practical exercises, and it ends with an operational real-case study. For this purpose, analysis will be driven by practicing reverse engineering at a pseudo-code level, close to C/C++ programming. The goal is to be able to understand simple malware efficiently and to identify some malware threat intelligence elements. At the end of the training, participants will receive an unpublished malware sample crafted specifically for this training.

Note that the content of this training is mainly focused on the Windows operating system (since a large part of the threat is there), but it also presents threats in the Linux environment. In fact, what matters most is to understand the algorithms used by malware and how to find them via reverse engineering before focusing on the specifics of a given technique or operating system.

In the end, all participants will have a better understanding of what is possible and what is not possible in the field of malware, through a didactic and practical introduction to reverse engineering based on relatively simple but particularly representative examples. The participants will have the opportunity to expand their knowledge of malware and associated threats by observing technical details from more than ten different types of malware over two intensive days.

Day 1:

  • Introduction to malware:
    • Basic concept definition: program, virus, worm, malware, antivirus software …
  • Technical refresher on the operating system
    • Microsoft & POSIX API
    • Useful API: File, Network, Crypto, Process, …
  • Computer virus fundamentals
    • Life cycle of a virus
    • Different kinds of viruses
  • Malware and technical description illustrated with real cases
    • Trojan / RAT
    • Spyware / Adware
    • Worms / Bots
    • Rootkits
    • Keyloggers
    • Ransomware / Wiper
  • Other technologies used by malware
    • Polymorphism and packer software
    • Fileless Malware & reinfection
    • Script malware (VBScript, PowerShell, other)
  • Presentation of a secure analysis environment for malware
    • Introduction to sandboxing environments
    • Tooling for malware analysis
  • Conclusion & practice
    • IDA: analysis of simple samples

Day 2:

  • Exercises and practice:
    • Exercises with malware samples:
      • WannaCry: Ransomware (2017) that spread by exploiting a vulnerability with the EternalBlue exploit leaked from the NSA.
      • NotPetya: Ransomware/Wiper (2017) that infected hundreds of thousands of computers worldwide by reusing the EternalBlue exploit.
      • German Parliament: RAT (2015) targeting a German institution, possibly of Russian origin.
  • Workshop:
    • Full analysis of an unknown malware (for half a day)
    • Analysis of an unknown malware specifically written for this training and based on real cases
    • Network, system interaction, and propagation analysis (malware analysis tooling)
    • Introduction to possible remediation

About the Speaker