Black Hat USA 2009 Weekend Training Session

July 25-26

Black Hat USA 2009 Weekday Training Session

July 27-28

Introduction to Malware Analysis

Jason Geffner & Scott Lambert

Overview:

Security researchers are facing a growing problem in the complexity of malicious executables. While dynamic black-box automation tools exist to discover what malware will do on a given execution, it is often important for an analyst to know the full capabilities of a given malware sample. What port does it listen on? What password does it expect for backdoor access? What files will it write to? What will it do tomorrow that it didn't do today?

This class will focus on teaching attendees the steps required to understand the functionality of given malware samples.

This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in understanding the analysis process.

Course Schedule

Day 1

• Administrivia and Background Information
• Dynamic Analysis vs. Static Analysis
• Windows Internals
• Code and Data Flow on x86 Systems
• x86 Assembly Language
• PE File Format

Day 2

• Analyzing malware with IDA Pro
• Analyzing malware with OllyDbg
• Exploits and Shellcode
• Malware Deobfuscation

Who Should Attend

This class is for security analysts who wish to learn how to statically and dynamically analyze malware to understand its functionality. Previous experience is not required with reverse engineering or Windows internals.

What Do I Get?

Hard copies of lecture slides and lab exercises.

A CD containing all of the freely distributable tools that will be used in the course.

Course Length

Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

What to Bring

Attendees must bring their own laptop with Microsoft Windows XP, Microsoft Windows Server 2003, or Microsoft Windows Vista installed inside of a virtual machine.

Attendees are expected to have the following software installed in a virtual machine prior to the first day of the course:

• API Imports/Exports Viewer - Dependency Walker
• API Logger - Auto Debug
• Debugger - OllyDbg
• Disassembler - IDA Pro
• Hex Editor - Hex Workshop
• Import Table Reconstructor and Memory Dumper - Import REConstructor
• Packer Detector – PEiD
• PE Editor – LordPE
• Resource Monitor – Process Monitor

Trainer:

Jason Geffner

joined Next Generation Security Software Ltd. in June of 2007 as a Principal Security Consultant.

Prior to joining NGS, Jason spent nearly three years as a Reverse Engineer on Microsoft Corporation's Anti-Malware Team, where his work involved analyzing malware samples, deobfuscating binaries, and writing tools for analysis and automation. Jason was the Security Research & Response owner of the Windows Malicious Software Removal Tool (MSRT). He chose which new malware families for the MSRT to detect and clean each month based on his analysis of the telemetry and trends of the underground malware community. Jason authored tens of thousands of malware signatures and dozens of malware analyses based on static and dynamic analyses of obfuscated binaries. His work on the MSRT helped hundreds of millions of Windows users each month keep their computers safe and secure. While at Microsoft, Jason was recognized for his reverse engineering skills and for his efforts to drive awareness of reverse engineering practices throughout the company by being given the formal job title “Reverse Engineer”; Jason was the only Microsoft employee with this title.

Jason graduated from Cornell University in 2004 with a Bachelor of Science in Computer Science. He spent his summer of 2003 with Compuware Corporation where he performed full source code recovery on malware samples and penetration-tested in-house copy-protection systems via reverse engineering. During the summer of 2002, Jason worked for Pitney Bowes, where he reverse engineered software security solutions and developed process-stealthing technologies.

Jason holds several patents in the fields of reverse engineering and network security. He is a member of the Reverse Engineering Conference (REcon) Program Committee, is a regular trainer at Black Hat and other industry conferences, is often credited in industry talks and publications, and has been actively reverse engineering and analyzing software protection methods since 1995.

Scott Lambert

is a Security Program Manager on the Secure Windows Initiative (SWI) team at Microsoft. He owns enhancing the internal security tools at Microsoft, including various fuzzing tools. Leveraging his industry experience, Lambert works to ensure that SWI tools identify the vast majority of vulnerability classes.

Prior to joining Microsoft, Lambert developed, maintained and supported numerous computer security applications ranging from Vulnerability Assessment and Risk Management software to Network and Host-Based Intrusion Detection/Prevention Systems for companies such as L-3 Network Security, Veridian Information Solutions, Symantec Corporation and TippingPoint, a division of 3Com. In addition, he developed and implemented test plans for the evaluation of both wired and wireless Intrusion Detection Systems and performed advanced protocol analysis in support of research and validation of various computer and network vulnerabilities and attack techniques.

Super Early: Ends Mar 15	Early: Ends May 1	Regular: Ends Jul 1	Late: Ends Jul 22	Onsite:
$1800	$1900	$2100	$2300	$2600