My Road to Digital Forensics Excellence

Sans 610 GREM

Posted by Paul Bobby on June 24, 2009

What a fine piece of work.

I imagine that any subject that I have a deep interest in, and yet nominal skills, may evoke the same response after attending a four-day class – and perhaps that was the case with Sans 610. But the Reverse Engineering of Malware; now that’s a topic that doesn’t have a 10-page primer for ramping up to expert.

The material presented is thorough and the labs reinforced newly learned skills, but it would all be for naught without a decent presenter. Lenny Zeltser is one such presenter. He did a very good job: patient, taking time to answer all questions, no annoying presenter problems (erm, er, ‘stories’, etc.) and of course he knew the subject matter very well.

The course was divided into seven sections:

  1. Analysis fundamentals: focusing on the general approach to creating an analysis environment to perform controlled behavioral and code analysis of the specimen.
  2. Controlling the Trojan: this section took an IRC bot through behavioral analysis and code analysis. The specimen had no anti-analysis features, so the analysis focused on observing and documenting behavior and code constructs, and ultimately being able to communicate with and control the bot.
  3. Deeper analysis: used some new tools, such as HoneyD, and introduced basic patching of executables during the debug phase.
  4. The web ecosystem: examination of browser-based malware (Flash, Java, JavaScript, etc.).
  5. Code analysis: contained an assembly primer and basic high-level structures represented in assembly; of great interest was the presentation of malware constructs in assembly (for example, HTTP C2 download, sniffing, DLL injection, etc.).
  6. Self-defending malware: explores the techniques used by malware to hinder the reversing process.
  7. Analyzing web malware: basically a part two to the web ecosystem section.

Phew, what an action-packed four days.

I will start to post reverse engineering information to this blog along with my usual 4n6 data as I start to experiment more and more. In my corporate environment, there is a never-ending supply of malware for sure.

