SAS

Dissecting Malware

Four-day course on reverse engineering

There are just a handful of reverse engineers clustered at the very top of the information security profession. From March 30 through April 2, 2017, one of them — Principal Security Researcher at Kaspersky Lab Nicolas Brulez — will deliver a course on the subject he has been training people around the world on for 12 years, malware reverse engineering. You won’t be stumped for days on end by reversing challenges anymore, because you’ll take away from St. Maarten tricks and efficient moves to reverse faster.

At Kaspersky Lab’s SAS 2017, those who are trying to break into the next level of digital investigation and malware analysis will benefit greatly — the SAS team has prepared three dedicated courses. Students will find out how to hunt for rare samples, study link analysis to see hidden connections, and learn reverse engineering techniques to see how the malicious code actually works.

You can take advantage of these “surgical” studies if you’re a practitioner of malware research, do forensics or incident response, or deal with reversing in general. You need to know assembly language and how to use tools such as debuggers and disassemblers (IDA). If you were analyzing code 10 years ago, you’ll find it easy to jump back into reversing. The good thing about it is that the tools and techniques remain almost the same, so reverse engineers just have to adapt a little bit to new technologies. Join the training to make sure that the world hasn’t turn upside down while you were chilling.

Journey to the inside of famous malware

Each day the students will practice reverse engineering skills on samples from such malicious programs as Cloud Atlas, MiniDuke or Red October that can be applied to modern analysis. The course program will help you develop the following skills:

Unpacking malware manually

Packers have been around for more than 10 years. In all this time they have had just one aim: making malware analysis more difficult and time-consuming. As it is time which is crucially important for a researcher, unpacking samples quickly is the goal of Day 1 of the training. Be ready to unpack some of the “celebrities” of the malware universe.

Actual malware analysis

After Day 2 you will be able to perform static shell code analysis using IDA as if you had never stopped doing it. You quickly take code from one sample hashing algorithm and easily re-implement it. Other exercises are included too, such as analyzing MiniDuke, which is written in machine assembly language and has an extremely small and unsuspicious file size.

Dissecting APTs

The last two days gives you the chance to practice what you learned in the first two days. You will define the components of malware and observe its functions, investigating the way it communicates with C&C servers. Only an understanding of how malware works will allow an IT security expert to stop the infection.

Hardware requirements

  • Legitimate version of IDA Pro
  • Virtual Machine with Windows XP SP3 installed (to avoid compatibility issues)
  • OllyDbg
  • Python 2.7
  • PE Editor (e.g. LordPE or other)
  • Hex Editor (e.g. Hiew or other)
  • Import Reconstructor/fixer: Imprec, Universal Import Fixer 1.2
  • PEID

The class is limited to a maximum of 20 participants — so book a seat at sas.kaspersky.com to be sure you are on the list.

Dissecting Malware

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox