Sans 610 GREM
Posted by Paul Bobby on June 24, 2009
What a fine piece of work.
I imagine that any subject that I have a deep interest in, and yet nominal skills, may evoke the same response after attending a four day class – and perhaps that was the case with Sans 610. But the Reverse Engineering of Malware; now that’s a topic that doesn’t have a 10page primer for ramping up to expert.
The material presented is thorough, the labs reinforced newly learned skills, but it would all be for naught without a decent presenter. Lenny Zeltser is one such presenter. He did a very good job, patient, taking time to answer all questions, no annoying presenter problems (erm, er, ‘stories’, etc) and of course knew the subject matter very well.
The course was divided in to seven sections:
- Analysis fundamentals: focusing on the general approach to creating an analysis environment to perform controlled behavioral and code analysis of the specimen.
- Controlling the Trojan: this section took an IRC bot through behavioral analysis and code analysis. The specimen had no anti analysis features, so the analysis focused on observing and documenting behavior, code contructs and ultimately being able to communicate and control the bot.
- Deeper Analysis: Used some new tools, such as HoneyD, and introduced basic patching of executables during the debug phase.
- Code Analysis: Contained an assembly primer, basic high level structures represented in assembly, and of great interest was the presentation of malware constructs in assembly (for example, HTTP C2 download, sniffing, DLL injection etc)
- Self-defending malware: Explores all the techniques used by malware to prevent the reversing process
- Analyzing web malware: Basically a part two to the web ecosystem section.
Phew, what an action packed four days.
I will start to post reverse engineering information to this blog along with my usual 4n6 data as I start to experiment more and more. In my Corporate environment, there is a never ending supply of malware for sure.