Overview
Many malware authors take deliberate steps to thwart the reverse engineering of their tools. Students will learn to combat sophisticated malware head-on by studying its anti-analysis techniques. This course focuses on advanced topic areas related to combating malware defense mechanisms, and as such, a practiced and robust malware analysis skill set is required. Before learning specific malware anti-analysis techniques, students will arm themselves with critical skills by learning to script IDA Pro and various debuggers to overcome challenging or repetitive tasks. Students will learn detailed information about defeating packed and armored executables and will be challenged to defeat several difficult specimens throughout the course. Malware stealth techniques such as process injection and rootkit technology will be introduced, and tools and methodologies will be presented to aid analysis of such techniques. Hands-on exercises, labs, and instruction cover the following topic areas:
What You Will Get:
Who Should Attend the Class:
Information security staff, forensic investigators or others requiring an understanding of how to overcome difficult challenges in malware analysis.
Prerequisites:
Training or experience in malware analysis and excellent knowledge of computer and operating system fundamentals are required. Some exposure to software development is highly recommended. Attendance at MANDIANT Malware II – Intermediate Malware Analysis, while not required, is extremely beneficial.
Nick Harbour is a Principal Consultant with Mandiant. He specializes in Malware Analysis and Incident Response as well as both offensive and defensive research and development. He also teaches malware analysis and reverse engineering. Nick's ten-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics. Nick has developed free software including, most notably, dcfldd, the popular forensic disk imaging tool; tcpxtract, a tool for carving files out of network traffic; and Mandiant Red Curtain and FindEvil, tools for identifying malicious binaries. He is also an expert in anti-reverse engineering technologies and has developed binary hardening tools such as PE-Scrambler. Nick is also a trained chef!
Jerrold “Jay” Smith is a Principal Consultant at Mandiant. Mr. Smith focuses on Mandiant's Federal Services work, providing specialized computer forensics and information security solutions for the company's federal client base. Mr. Smith has over five years of technical development experience in support of government computer network operations (CNO).
Mr. Smith came to Mandiant from the National Security Agency (NSA), where he most recently served as technical lead for a multi-million-dollar strategic CNO development effort. In addition to his daily research and development duties, Mr. Smith led a development team of government civilians, military personnel, and contractors. He worked with management to set timetables for product deliverables and oversaw the project through its entire life cycle, from design, development, and testing through to its successful deployment.
Mr. Smith is a graduate of the NSA's three-year Systems and Network Interdisciplinary Program (SNIP). This program provides participants with many computer and network security courses and allows them to contribute to a number of offices that have a CNO mission. During these tours Mr. Smith contributed technically to several research efforts and to productizing CNO tools. Additionally, he delivered numerous classified briefings of his research findings to large government audiences.
Mr. Smith holds a Master of Science degree in Computer Science from Johns Hopkins University and a Bachelor of Science degree in Electrical Engineering and Computer Science from the University of California, Berkeley. He also holds a Top Secret security clearance.
Pricing:
Super Early (Ends Mar 15): $3500
Early (Ends May 1):        $3600
Regular:                   $3800
Late:                      $4000
Onsite:                    $4300
Black Hat USA 2009
July 25-30
Caesars Palace
Las Vegas, NV
Training July 25-28
Briefings July 29-30