Malware Analysis

Short Course

If you know the enemy and know yourself, you need not fear the result of hundred battles Sun Tzu, Art of War

Course Title: Malware Analysis

Who can attend: This course is of particular interest to IT professionals in the areas of incident response, forensic investigation, Windows Security, and System administration. The course is also interesting to IT professionals interested by the field of malware based attacks and anyone interested in the field of hacking and security.

Requirements:
  - Intermediate Programming skills
  - Basic knowledge of network concepts:
    1. IP Addressing
    2. Standard protocols: HTTP, DNS, etc.
  - Basic Dos/Linux commands: ls, cd, cp, mkdir, etc.
  - Some background on Assembly Language.

Duration: 4 days (Weekend)

Dates*: February 22 - 25, 2017

Location: Information and Computer Science Department, KFUPM, Al-Dhahran, Saudi Arabia.

Instructor: Dr. Sami Zhioua

Course Fees: 3000 SAR (Special fees available for CCSE students (ICS, SWE, COE, SE) and KFUPM staff)

Registration information: Department of Continuing Education, Building 54, Room 107.

For further details: zhioua@kfupm.edu.sa 

* If you are a group and you are interested to take the course in a  different date, you can contact the instructor for arrangement

 

Course Poster [PDF]

What to bring ?

To carry out all course Labs successfully, we highly recommend that you bring a Laptop with the following minimum requirements:
- i5 processor
- 8GB of RAM
- 150GB of free hard-disk (internal or external)
- VirtualBox and VmWare Player (or workstation) installed.

Alternatively, you can use the available Lab machines, but some exercises will be quite slow.

What you will get ?

- Course material (Hard copy of course slides)
- Lab Manual: detailed instructions for the Lab steps
- More than 100GB of Virtual Machines well configured for learning and practicing with penetration testing.
- Offical Penetration Testing Certificate from KFUPM.

 

Malware Analysis:

Information security attacks involving malware (Trojans, Rootkits, Destructive malwares, Spywares, etc.) are expected to be more and more frequent in the few next years. Recent attacks against Iran's nuclear facilities (Stuxnet malware) and Saudi Aramco (Shamoon malware) are only the premises of devastating cyber-attacks. This recent wave of attacks is characterized by using highly targeted malwares; attackers are now designing zero-day malwares targeting specific organizations. Typical security and antivirus products do not provide protection against such crafted and specific malwares. Hence, the targeted organization is left alone in trying to detect and clean-up such attacks.
In this context, organizations which are exposed to malware attacks should be prepared to deal with such incidents. Failure to react efficiently in such situations might have serious consequences. Since malwares are more and more targeted, relying on antivirus products does not provide a sufficient protection. There is a need for in-house malware analysis expertise. Having IT professionals with malware analysis skills improves significantly the ability of the organization to face urgent malware incidents. Organizations in critical fields such as oil-industry, electricity, etc. are particularly concerned.

This course teaches a practical approach to examining malicious programs that target or run on Microsoft Windows. It gives a deep coverage of malware based attacks and prepares IT professionals to analyze malware and understand their inner-working.
The material taught in this course helps IT professionals at two levels: detection and containment.
 

  • It will help security administrators analyze suspicious files (System updates, software installers, etc.) for malicious content that could lead to devastating consequences.
  • It will help incident responders to assess the severity and repercussions of a malware attack and then to determine how to contain the incident and plan recovery steps efficiently and in a timely manner.

Course Overview

The course is organized into four parts:

Part 1: Malware development

Before digging into malware analysis, it is essential to deeply understand how malwares are developed and what are the most recent advances in malware based hacking. In this part we try also to answer questions such as:

         What are the different types of malwares?

         How files get infected?

         How malwares can bypass security products?

         What are the main anti-virus techniques?

Part 2: Malware Static Analysis

The first step in any malware analysis process is to study the file machine code without executing it. In this part we try to answer questions such as:

          Is the analyzed file armored (packed, encrypted, etc.)?

          What the imported and exported APIs might tell about the analyzed file?

          Is the file structure suspicious?

          Are there indicators in the assembly instructions of the presence of malicious payload?

Part 3: Malware Dynamic Analysis

To deeply understand the inner-working of a suspected file, it is essential to monitor the execution of the file inside a closed and controlled environment. In this part, we try to cover the following issues:

          How to set up a virtual malware analysis lab?

          How to step through malware assembly instructions?

          How to monitor Windows internals activities (Processes, Threads, etc.)?

          How to monitor and interpret registry modifications?

          How to monitor malware network activity?

Part 4: Stuxnet and Shamoon Malware Analysis

The last part of the course is to apply all skills acquired in the course to analyze the recent and sophisticated Stuxnet and Shamoon malwares. In this final part, participants will be invited to:

 - Analyze the PE structure of Stuxnet and Shamoon

 - Analyze Stuxnet Shamoon malware assembly instructions

 - Execute Stuxnet and Shamoon malwares in virtual lab

 - Defeat encryption to reveal its hidden sections

 - Analyze the destructive features.

 

Hands-on Training for Malware Analysis

 

Hands-on workshop exercises are a critical aspect of this course and allow the participants to apply reverse-engineering techniques by examining malware in a controlled environment. In addition, participants will be exposed to malware programming techniques for a deeper understanding of the field.

 

Detailed Course Content     

 

A. Background material for Malware development and analysis

 

         Crash-course in intel architecture and assembly language

o   Memory

o   Registers

o   Execution Stack

o   Common assembly instructions

         Windows Architecture

o   Kernel Vs User Modes

o   Windows System programming (types, headers, references, etc.)

o   Processes, Threads, Services

o   Registry

         PE format (Windows Executable)

o   Headers

o   Sections

o   Using PE Viewers tools

o   Life of a PE file (Mapping, Dropping, Loading)

 

B. Malwares and Malware Development

 

         Malware Taxonomy

o   Virus

o   Worm

o   Trojan

o   Logic Bomb

o   Backdoor

o   Spyware, Adware

o   Dropper

o   Hybrid

o   Macro Virus

         File Infection

o   Beginning of file

o   End of file

o   Overwrite file

o   Insert into code

o   In a different file (companion)

         Malware Concealment Strategies

o   Multi-stage dropping

o   Encryption

o   Encryption Key issues

o   Stealth infection

o   Oligomorphism

o   Polymorphism

o   Metamorphism

o   Strong encryption  

         Anti-Virus Technologies

o   Scanning algorithms (Signature-based)

   Aho-Corasick

  Veldman

  Wu-Manber

o   Static Heuristics (not signature-based)

o   Integrity checkers

o   Verification (to reduce false-positives)

         Anti-Anti-Virus Techniques

o   Retroviruses

o   Entry Point Obfuscation (EPO)

o   Anti-Debugging

o   Anti-Disassembly

o   Anti-Virtualization

         Lab: Writing an encrypted virus in C language and #pragma blocks.

 

C. Malware Static Analysis

 

         Checking file signature

         Malware Strings

         Imports and exports

         Encryption and Packing

         Tools: md5sum, strings, PEView, PEiD, Resource Hacker, Dependency Walker

         Advanced Static Analysis:

o   Tutorial to IDA Pro tool

o   Static analysis with IDA Pro

         Lab: a step-by-step static analysis of several malware samples (keyloggers, backdoors, etc.)

 

D. Malware Dynamic Analysis

 

          Setting up a virtual malware analysis lab

          Monitoring Windows Activity using Process Monitor (Procmon)

          Analyzing processes using Process Explorer (Procexp)

          Comparing registry snapshots with Regshot

          Monitoring malware network traffic (Packet Sniffing tools)

          Debugging:

o      Debugging concepts (Stepping, Breakpoints, Tracing, Patching, etc.)

o      Debugging with ollyDBG

o      Debugging with IDA Pro

o      Using Plugins to automate analysis (ollyDump, etc.)

         Lab: a step-by-step dynamic analysis of several malware samples (trojan horses, logic bombs, etc.)

 

E. Analyzing Stuxnet and Shamoon Malware

(Extended Lab using Shamoon malware samples)

         Analysis of the PE structure of Shamoon

         Static analysis of Shamoon

         Dynamic analysis of Shamoon while executing

         Defeating Shamoon encryption

         Analyzing the destructive features (Wiper) of Shamoon.

         Reviewing malware analysis practices allowing the detection of similar attacks.

 

F. Advanced Topics

          Malware De-obfuscation (decryption, unpacking, etc.)

          Defeating anti-disassembly techniques

          Defeating anti-debugging techniques

          Defeating anti-virtualization techniques

         A survey of stealth malware techniques (rootkits, Import Table Hooking, Process Injection, etc.)

 

1.     About the Course Instructor: Dr. Sami Zhioua

Dr. Sami Zhioua is assistant professor at the Information and Computer Science department of KFUPM. Before, he was a post-doctoral research and teaching fellow at McGill University, Canada. He graduated from Laval University, Canada (Ph.D. 2008 and M.Sc. 2003). His research interests include information security, ethical hacking and anonymity protocols. He is the author of three books, several journal and conference papers and one patent. He already taught several security and Hacking related courses including:

SEC 511 - Fundamentals of Information Security and Assurance

         ICS 444 Computer and Network Security

         ICS 343 Fundamentals of Computer Networks

         Ethical Hacking (Penetration Testing)

Web Security

He also gave several public seminars about security and hacking related topics including:

         Know your Enemy: Hacking Exposed

         Know your Enemy: Hacking with Malware

Know your Enemy: Web Hacking and Security

Web page: http://faculty.kfupm.edu.sa/ICS/zhioua/

A Seminar on Hacking by Dr. Sami Zhioua (November 2011):

 

 

 

Sami Zhioua, January 2017