Malware Analysis
Short Course
|
“If you know the enemy and know yourself, you
need not fear the result of hundred battles” – Sun Tzu, Art of
War Course Title: Malware Analysis Who can attend: This course is of particular interest to IT professionals in the areas of incident response, forensic investigation, Windows Security, and System administration. The course is also interesting to IT professionals interested by the field of malware based attacks and anyone interested in the field of hacking and security. Requirements: Duration: 4 days (Weekend) Dates*: February 22 - 25, 2017 Location: Information and Computer Science Department, KFUPM, Al-Dhahran, Saudi Arabia.
Instructor: Dr. Sami Zhioua Course Fees: 3000 SAR (Special fees available for CCSE students (ICS, SWE, COE, SE) and KFUPM staff) Registration information: Department of Continuing Education, Building 54, Room 107. For further details: zhioua@kfupm.edu.sa * If you are a group and you are interested to take the course in a different date, you can contact the instructor for arrangement
|
 |
What to bring ?
To carry out all course Labs successfully, we highly recommend
that you bring a Laptop with the following minimum requirements:
- i5 processor
- 8GB of RAM
- 150GB of free hard-disk (internal or external)
- VirtualBox and VmWare Player (or workstation) installed.
Alternatively, you can use the available Lab machines, but some exercises will
be quite slow.
What you will get ?
- Course material (Hard copy of course slides)
- Lab Manual: detailed instructions for the Lab steps
- More than 100GB of Virtual Machines well configured for learning and
practicing with penetration testing.
- Offical Penetration Testing Certificate from KFUPM.
Malware Analysis:
Information security attacks involving malware (Trojans,
Rootkits, Destructive malwares, Spywares, etc.) are expected to be more and more
frequent in the few next years. Recent attacks against Iran's nuclear facilities
(Stuxnet malware) and Saudi Aramco (Shamoon malware) are only the premises of
devastating cyber-attacks. This recent wave of attacks is characterized by using
highly targeted malwares; attackers are now designing zero-day malwares
targeting specific organizations. Typical security and antivirus products do not
provide protection against such crafted and specific malwares. Hence, the
targeted organization is left alone in trying to detect and clean-up such
attacks.
In this context, organizations which are exposed to malware attacks should be
prepared to deal with such incidents. Failure to react efficiently in such
situations might have serious consequences. Since malwares are more and more
targeted, relying on antivirus products does not provide a sufficient
protection. There is a need for in-house malware analysis expertise. Having IT
professionals with malware analysis skills improves significantly the ability of
the organization to face urgent malware incidents. Organizations in critical
fields such as oil-industry, electricity, etc. are particularly concerned.
This course teaches a practical approach to examining
malicious programs that target or run on Microsoft Windows. It gives a deep
coverage of malware based attacks and prepares IT professionals to analyze
malware and understand their inner-working.
The material taught in this course helps IT professionals at two levels:
detection and containment.
- It will help security administrators analyze suspicious files (System updates, software installers, etc.) for malicious content that could lead to devastating consequences.
- It will help incident responders to assess the severity and repercussions of a malware attack and then to determine how to contain the incident and plan recovery steps efficiently and in a timely manner.
Course Overview
The course is organized into four parts:
Part 1: Malware development
Before digging into malware analysis, it is essential to deeply understand how malwares are developed and what are the most recent advances in malware based hacking. In this part we try also to answer questions such as:
· What are the different types of malwares?
· How files get infected?
· How malwares can bypass security products?
· What are the main anti-virus techniques?
Part 2: Malware Static Analysis
The first step in any malware analysis process is to study the file machine code without executing it. In this part we try to answer questions such as:
· Is the analyzed file armored (packed, encrypted, etc.)?
· What the imported and exported APIs might tell about the analyzed file?
· Is the file structure suspicious?
· Are there indicators in the assembly instructions of the presence of malicious payload?
Part 3: Malware Dynamic Analysis
To deeply understand the inner-working of a suspected file, it is essential to monitor the execution of the file inside a closed and controlled environment. In this part, we try to cover the following issues:
· How to set up a virtual malware analysis lab?
· How to step through malware assembly instructions?
· How to monitor Windows internals activities (Processes, Threads, etc.)?
· How to monitor and interpret registry modifications?
· How to monitor malware network activity?
Part 4: Stuxnet and Shamoon Malware Analysis
The last part of the course is to apply all skills acquired in the course to analyze the recent and sophisticated Stuxnet and Shamoon malwares. In this final part, participants will be invited to:
- Analyze the PE structure of Stuxnet and Shamoon
- Analyze Stuxnet Shamoon malware assembly instructions
- Execute Stuxnet and Shamoon malwares in virtual lab
- Defeat encryption to reveal its hidden sections
- Analyze the destructive features.
Hands-on Training for Malware Analysis
Hands-on workshop exercises are a critical aspect of this course and allow the participants to apply reverse-engineering techniques by examining malware in a controlled environment. In addition, participants will be exposed to malware programming techniques for a deeper understanding of the field.
| Detailed Course Content |
A. Background material for Malware development and analysis
· Crash-course in intel architecture and assembly language
o Memory
o Registers
o Execution Stack
o Common assembly instructions
· Windows Architecture
o Kernel Vs User Modes
o Windows System programming (types, headers, references, etc.)
o Processes, Threads, Services
o Registry
· PE format (Windows Executable)
o Headers
o Sections
o Using PE Viewers tools
o Life of a PE file (Mapping, Dropping, Loading)
B. Malwares and Malware Development
· Malware Taxonomy
o Virus
o Worm
o Trojan
o Logic Bomb
o Backdoor
o Spyware, Adware
o Dropper
o Hybrid
o Macro Virus
· File Infection
o Beginning of file
o End of file
o Overwrite file
o Insert into code
o In a different file (companion)
· Malware Concealment Strategies
o Multi-stage dropping
o Encryption
o Encryption Key issues
o Stealth infection
o Oligomorphism
o Polymorphism
o Metamorphism
o Strong encryption
· Anti-Virus Technologies
o Scanning algorithms (Signature-based)
§ Aho-Corasick
§ Veldman
§ Wu-Manber
o Static Heuristics (not signature-based)
o Integrity checkers
o Verification (to reduce false-positives)
· Anti-Anti-Virus Techniques
o Retroviruses
o Entry Point Obfuscation (EPO)
o Anti-Debugging
o Anti-Disassembly
o Anti-Virtualization
· Lab: Writing an encrypted virus in C language and #pragma blocks.
C. Malware Static Analysis
· Checking file signature
· Malware Strings
· Imports and exports
· Encryption and Packing
· Tools: md5sum, strings, PEView, PEiD, Resource Hacker, Dependency Walker
· Advanced Static Analysis:
o Tutorial to IDA Pro tool
o Static analysis with IDA Pro
· Lab: a step-by-step static analysis of several malware samples (keyloggers, backdoors, etc.)
D. Malware Dynamic Analysis
· Setting up a virtual malware analysis lab
· Monitoring Windows Activity using Process Monitor (Procmon)
· Analyzing processes using Process Explorer (Procexp)
· Comparing registry snapshots with Regshot
· Monitoring malware network traffic (Packet Sniffing tools)
· Debugging:
o Debugging concepts (Stepping, Breakpoints, Tracing, Patching, etc.)
o Debugging with ollyDBG
o Debugging with IDA Pro
o Using Plugins to automate analysis (ollyDump, etc.)
· Lab: a step-by-step dynamic analysis of several malware samples (trojan horses, logic bombs, etc.)
E. Analyzing Stuxnet and Shamoon Malware
(Extended Lab using Shamoon malware samples)
· Analysis of the PE structure of Shamoon
· Static analysis of Shamoon
· Dynamic analysis of Shamoon while executing
· Defeating Shamoon encryption
· Analyzing the destructive features (Wiper) of Shamoon.
· Reviewing malware analysis practices allowing the detection of similar attacks.
F. Advanced Topics
· Malware De-obfuscation (decryption, unpacking, etc.)
· Defeating anti-disassembly techniques
· Defeating anti-debugging techniques
· Defeating anti-virtualization techniques
· A survey of stealth malware techniques (rootkits, Import Table Hooking, Process Injection, etc.)
1. About the Course Instructor: Dr. Sami Zhioua
Dr. Sami Zhioua is assistant professor at the Information and Computer Science department of KFUPM. Before, he was a post-doctoral research and teaching fellow at McGill University, Canada. He graduated from Laval University, Canada (Ph.D. 2008 and M.Sc. 2003). His research interests include information security, ethical hacking and anonymity protocols. He is the author of three books, several journal and conference papers and one patent. He already taught several security and Hacking related courses including:
SEC 511 - Fundamentals of Information Security and Assurance
· ICS 444 – Computer and Network Security
· ICS 343 – Fundamentals of Computer Networks
· Ethical Hacking (Penetration Testing)
Web Security
He also gave several public seminars about security and hacking related topics including:
· Know your Enemy: Hacking Exposed
· Know your Enemy: Hacking with Malware
Know your Enemy: Web Hacking and Security
Web page: http://faculty.kfupm.edu.sa/ICS/zhioua/
A Seminar on Hacking by Dr. Sami Zhioua (November 2011):
Sami Zhioua, January 2017