What to bring ?
To carry out all course Labs successfully, we highly recommend
that you bring a Laptop with the following minimum requirements:
What you will get ?
- Course material (Hard copy of course slides)
Information security attacks involving malware (Trojans,
Rootkits, Destructive malwares, Spywares, etc.) are expected to be more and more
frequent in the few next years. Recent attacks against Iran's nuclear facilities
(Stuxnet malware) and Saudi Aramco (Shamoon malware) are only the premises of
devastating cyber-attacks. This recent wave of attacks is characterized by using
highly targeted malwares; attackers are now designing zero-day malwares
targeting specific organizations. Typical security and antivirus products do not
provide protection against such crafted and specific malwares. Hence, the
targeted organization is left alone in trying to detect and clean-up such
This course teaches a practical approach to examining
malicious programs that target or run on Microsoft Windows. It gives a deep
coverage of malware based attacks and prepares IT professionals to analyze
malware and understand their inner-working.
The course is organized into four parts:
Part 1: Malware development
Before digging into malware analysis, it is essential to deeply understand how malwares are developed and what are the most recent advances in malware based hacking. In this part we try also to answer questions such as:
· What are the different types of malwares?
· How files get infected?
· How malwares can bypass security products?
· What are the main anti-virus techniques?
Part 2: Malware Static Analysis
The first step in any malware analysis process is to study the file machine code without executing it. In this part we try to answer questions such as:
· Is the analyzed file armored (packed, encrypted, etc.)?
· What the imported and exported APIs might tell about the analyzed file?
· Is the file structure suspicious?
· Are there indicators in the assembly instructions of the presence of malicious payload?
Part 3: Malware Dynamic Analysis
To deeply understand the inner-working of a suspected file, it is essential to monitor the execution of the file inside a closed and controlled environment. In this part, we try to cover the following issues:
· How to set up a virtual malware analysis lab?
· How to step through malware assembly instructions?
· How to monitor Windows internals activities (Processes, Threads, etc.)?
· How to monitor and interpret registry modifications?
· How to monitor malware network activity?
Part 4: Stuxnet and Shamoon Malware Analysis
The last part of the course is to apply all skills acquired in the course to analyze the recent and sophisticated Stuxnet and Shamoon malwares. In this final part, participants will be invited to:
- Analyze the PE structure of Stuxnet and Shamoon
- Analyze Stuxnet Shamoon malware assembly instructions
- Execute Stuxnet and Shamoon malwares in virtual lab
- Defeat encryption to reveal its hidden sections
- Analyze the destructive features.
Hands-on Training for Malware Analysis
Hands-on workshop exercises are a critical aspect of this course and allow the participants to apply reverse-engineering techniques by examining malware in a controlled environment. In addition, participants will be exposed to malware programming techniques for a deeper understanding of the field.
A. Background material for Malware development and analysis
· Crash-course in intel architecture and assembly language
o Execution Stack
o Common assembly instructions
· Windows Architecture
o Kernel Vs User Modes
o Windows System programming (types, headers, references, etc.)
o Processes, Threads, Services
· PE format (Windows Executable)
o Using PE Viewers tools
o Life of a PE file (Mapping, Dropping, Loading)
B. Malwares and Malware Development
· Malware Taxonomy
o Logic Bomb
o Spyware, Adware
o Macro Virus
· File Infection
o Beginning of file
o End of file
o Overwrite file
o Insert into code
o In a different file (companion)
· Malware Concealment Strategies
o Multi-stage dropping
o Encryption Key issues
o Stealth infection
o Strong encryption
· Anti-Virus Technologies
o Scanning algorithms (Signature-based)
o Static Heuristics (not signature-based)
o Integrity checkers
o Verification (to reduce false-positives)
· Anti-Anti-Virus Techniques
o Entry Point Obfuscation (EPO)
· Lab: Writing an encrypted virus in C language and #pragma blocks.
C. Malware Static Analysis
· Checking file signature
· Malware Strings
· Imports and exports
· Encryption and Packing
· Tools: md5sum, strings, PEView, PEiD, Resource Hacker, Dependency Walker
· Advanced Static Analysis:
o Tutorial to IDA Pro tool
o Static analysis with IDA Pro
· Lab: a step-by-step static analysis of several malware samples (keyloggers, backdoors, etc.)
D. Malware Dynamic Analysis
· Setting up a virtual malware analysis lab
· Monitoring Windows Activity using Process Monitor (Procmon)
· Analyzing processes using Process Explorer (Procexp)
· Comparing registry snapshots with Regshot
· Monitoring malware network traffic (Packet Sniffing tools)
o Debugging concepts (Stepping, Breakpoints, Tracing, Patching, etc.)
o Debugging with ollyDBG
o Debugging with IDA Pro
o Using Plugins to automate analysis (ollyDump, etc.)
· Lab: a step-by-step dynamic analysis of several malware samples (trojan horses, logic bombs, etc.)
E. Analyzing Stuxnet and Shamoon Malware
(Extended Lab using Shamoon malware samples)
· Analysis of the PE structure of Shamoon
· Static analysis of Shamoon
· Dynamic analysis of Shamoon while executing
· Defeating Shamoon encryption
· Analyzing the destructive features (Wiper) of Shamoon.
· Reviewing malware analysis practices allowing the detection of similar attacks.
F. Advanced Topics
· Malware De-obfuscation (decryption, unpacking, etc.)
· Defeating anti-disassembly techniques
· Defeating anti-debugging techniques
· Defeating anti-virtualization techniques
· A survey of stealth malware techniques (rootkits, Import Table Hooking, Process Injection, etc.)
1. About the Course Instructor: Dr. Sami Zhioua
Dr. Sami Zhioua is assistant professor at the Information and Computer Science department of KFUPM. Before, he was a post-doctoral research and teaching fellow at McGill University, Canada. He graduated from Laval University, Canada (Ph.D. 2008 and M.Sc. 2003). His research interests include information security, ethical hacking and anonymity protocols. He is the author of three books, several journal and conference papers and one patent. He already taught several security and Hacking related courses including:
SEC 511 - Fundamentals of Information Security and Assurance
· ICS 444 – Computer and Network Security
· ICS 343 – Fundamentals of Computer Networks
· Ethical Hacking (Penetration Testing)
He also gave several public seminars about security and hacking related topics including:
· Know your Enemy: Hacking Exposed
· Know your Enemy: Hacking with Malware
Know your Enemy: Web Hacking and Security
Web page: http://faculty.kfupm.edu.sa/ICS/zhioua/
A Seminar on Hacking by Dr. Sami Zhioua (November 2011):
Sami Zhioua, January 2017