Malware Reverse Engineering (MRE)
What has become accepted as “malware reverse engineering training” involves full-spectrum analysis of malicious code both dynamically (run-time) and statically (disassembly). What this means for “run-time” analysis is that you put the malware on a virtual machine and run a packet sniffer (like Wireshark), a registry monitor (like RegShot), a file monitor (like CaptureBat) and then a process monitor (like Process Explorer and Process Monitor). Debugging involves looking at the malware in a disassembler (like IDA Pro). The goal is to understand the code and its behavior in order to find the functionality and or obfuscation methods within the malicious binary.
Some common “reverse engineering” concepts attempt to answer the questions:
-
Where is it connecting to?
-
Does it modify the registry?
-
Does it modify the file system?
-
Does it modify any running processes or start any new ones?
-
Does it employ any forms of obfuscation?
-
What is the purpose the malware? (i.e. Does it steal user credentials, capture screenshots, exfiltrate files?)
The goal of our malware analysis and reverse engineering training class is to provide a methodical hands-on approach to reverse-engineering by covering both behavioral and code analysis aspects of the analytical process. We will also give ample time in practical labs that focus on specific malware reverse engineering concepts.
Topics & Concepts Covered in Malware Analysis and Reverse Engineering Training Include:
-
Tools & Techniques for “Run-Time” Analysis
-
Crash-Course in x86 Assembly
-
Basic Static Analysis
-
Network Traffic Analysis
-
Debugging & Disassembling Malicious Binaries
-
This course was created to fill a need in the community to expand both awareness and knowledge of malware. Cyber actors continue to develop and deploy complex malware to target nearly every industry and it is imperative that analysts be educated to analyze these samples and employ the techniques to help mitigate these threats.
