Advanced Malware Analysis
MANDIANT - Nick Harbour & Jay Smith
USA 2010 4-day Training Session //July 24-27
Many malware authors take deliberate steps to thwart the reverse engineering of their tools. Students will learn to combat sophisticated malware head-on by studying its anti-analysis techniques. This course focuses on advanced topics in defeating malware defense mechanisms, and as such a practiced and robust malware analysis skill set is required. Before studying specific anti-analysis techniques, students will arm themselves with critical skills by learning to script IDA Pro and various debuggers to overcome challenging or repetitive tasks. Students will learn in detail how to defeat packed and armored executables and will be challenged to defeat several difficult specimens throughout the course. Malware stealth techniques such as process injection and rootkit technology will be introduced, and tools and methodologies will be presented to aid analysis of such techniques. Hands-on exercises, labs, and instruction cover the following topic areas:
- IDA Pro Scripting
- Scriptable Debuggers
- How to Conduct Analysis of Nontraditional Programs
- How to Unpack Strongly Protected Binaries
- How to Defeat Anti-Reverse Engineering Techniques
- How to Recognize and Defeat Data Encryption and Encoding Techniques
- How to Capture and Analyze Stealth Malware
What to bring:
Students must bring their own laptop with VMware Workstation or VMware Server installed. Laptops should have 10GB of free disk space.
Students who cannot meet the laptop requirements because of onsite registration or other reasons, please contact MANDIANT at firstname.lastname@example.org to see if a laptop can be provided for you.
What You Will Get:
- Student Manual
- Class handouts
- MANDIANT gear
Who Should Attend the Class:
Information security staff, forensic investigators or others requiring an understanding of how to overcome difficult challenges in malware analysis.
Training or experience in malware analysis and excellent knowledge of computer and operating system fundamentals are required. Some exposure to software development is highly recommended. Attendance at MANDIANT Malware II – Intermediate Malware Analysis, while not required, is extremely beneficial.
Nick Harbour is a Principal Consultant with Mandiant and a well-known innovator in the field of computer security, with over nine years' experience in reverse engineering, computer forensics, network monitoring and software development. He is a recognized expert in the field of malware and currently focuses on malware analysis and research at Mandiant. Mr. Harbour is one of the authors of the malware detection tool Mandiant Red Curtain.
Mr. Harbour is routinely involved in large scale and high profile incident response, and has extensive incident response experience with government and defense contractor related intrusions which impact national security.
Mr. Harbour is an accomplished presenter and instructor. He has presented at the Black Hat briefings and regularly delivers training courses on Malware Analysis and Incident Response.
Prior to joining Mandiant, Mr. Harbour worked as a contractor on technically challenging projects for a variety of government agencies. He has worked across many areas of government, including the intelligence, counterintelligence, military and law enforcement communities. During his former position within the Department of Defense, he wrote tcpxtract, a popular tool for extracting files from arbitrary network traffic.
Mr. Harbour is a former Computer Forensics Examiner for the Department of Defense Computer Forensics Laboratory (DCFL), where he was primarily involved in research and development and in highly classified special projects and operations. During his tenure at the DCFL, Nick advanced the field of computer forensics by developing dcfldd, the popular imaging tool that revolutionized the way digital media is acquired, and fatback, a sophisticated file recovery tool and the only tool of its kind to run under the Linux/Unix environment.
Mr. Harbour currently holds a Top Secret security clearance.
Jerrold “Jay” Smith is a Principal Consultant at Mandiant. Mr. Smith focuses on Mandiant's Federal Services work, providing specialized computer forensics and information security solutions for the company's federal client base. Mr. Smith has over five years' experience in technical development in support of government computer network operations (CNO).
Mr. Smith came to Mandiant from the National Security Agency (NSA), where he most recently served as technical lead for a multi-million dollar strategic CNO development effort. In addition to his daily research and development duties, Mr. Smith led a development team of government civilians, military personnel, and contractors. He worked with management to set timetables for product deliverables and oversaw the project through its entire life cycle, from design, development, and testing through to its successful deployment.
Mr. Smith is a graduate of the NSA's three-year Systems and Network Interdisciplinary Program (SNIP). This program provides participants with many computer and network security courses and allows them to contribute to a number of offices that have a CNO mission. During these tours Mr. Smith contributed technically to several research efforts and to productizing CNO tools. Additionally, he delivered numerous classified briefings of his research findings to large government audiences.
Mr. Smith holds a Master of Science degree in Computer Science from Johns Hopkins University, and a Bachelor of Science degree in Electrical Engineering and Computer Science from the University of California, Berkeley. He also holds a Top Secret security clearance.