Behavioral Malware Analysis (BMA)

• How to identify malware and discover its capabilities
• How to set up a secure lab environment to analyze malicious software
• How to use free tools to characterize malware samples quickly
• Obfuscation methods used by attackers to escape detection

DAY 1:

Malware Analysis

• Static Analysis
• Dynamic/Behavioral Analysis

Malware Overview

• Definition of Malware
• Malware Intentions and Motivations
• Malware Types
  • Virus
  • Worm
  • Backdoor
  • Trojan
  • Malicious Mobile Code
  • User-Mode Rootkit
  • Kernel-Mode Rootkit
  • Combination Malware
• Vulnerabilities
• Malware threats research websites
• Technologies to fight Malware and their limitations
  • Intrusion Detection Systems
  • Intrusion Prevention Systems
  • Anti-Virus Software

Windows Internals for Behavioral Analysts

• Windows API
• Common Libraries
• Building An Analysis Environment

Behavioral Analysis Process (BA)

• Understanding The Process
• Knowing Your Goals

BA Tools of the Trade

• VMware Workstation
• Sysinternals Suite
• Regshot
• ApateDNS & Fakenet
• Wireshark
• PEID & PackerBreaker
• Process Hacker

DAY 2:

Baselining

• Why Baseline a System
• The Windows Registry
• Baselining Tools

Document-Embedded Malware

• How To Embed a Document
• Hijack Scenario
• Macro Viruses
• Melissa Virus Case Study

Adware, Spyware, and Ransomware Botnet Malware

• Definition of a Bot
• Botnet Communication Architecture
• Setting Up and Using IRC For Command and Control

DAY 3:

KeyLoggers

• Purposes
• Keylogger types
  • Hardware vs Software
• Remote Access Keyloggers
• Sniffers

Malicious Mobile Code (Interactive Web Apps)

• Definition of Malicious Mobile Code
• Attack Vectors
• Reducing Risk of MMC Attacks

Backdoors

• Common Backdoor Types
• Propagation Methods
• Persistence Methods
• Finding Backdoors

Trojan Horses

• Definition of a Trojan Horse
• Backdoor vs Trojan Horse
• Trojan Horse Infection Methods

Advanced Persistent Threat (APT)

• Definition of APT

User-Mode Rootkits

• Definition of a Rootkit
• Benefit of Rootkits for Attackers
• Kernel- vs User-Mode Rootkits
• Detection Methods

DAY 4:

Drop and Execute Malware

• Dropper vs Injector

VMWARE Detection

• Why Malware does VMware detection
• Honeynets and Honeypots
• Methods of VM Detection

Destructive Malware CHM Malware

• Normal CHM File Usage
• Advantages and Disadvantages of CHM Files

PDF Malware

Kernel-Mode Rootkits

DAY 5:

Student Practical

DAY 1:

• BA Process Lab 1
• BA Process Lab 2
• BA Process Lab 3
• Day 1 Scenario

DAY 2:

• Document-Embedded Malware 1
• Document-Embedded Malware 2
• Spyware Sample
• Ransomware Sample
• IRC Bot Sample
• Day 2 Scenario

DAY 3:

• Keylogger Sample
• MMC Implant Sample
• Backdoor Sample
• Trojan Horse Sample 1
• Trojan Horse Sample 2
• Day 3 Scenario

DAY 4:

• Drop & Execute Sample
• Anti-analysis Sample
• Destructive Sample
• CHM Sample
• PDF Sample
• Day 4 Scenario

DAY 5:

• Day 5 Practical

• Thorough understanding of Microsoft Windows
• Basic understanding of operating system internals
• Experience with VMWare software although not required would be beneficial
• Knowledge of networking protocols and Wireshark filtering is recommended but not required

• Threat operation analysts seeking to have a better understanding of malware
• Incident responders who need to quickly address a system security breach
• Forensic investigators who need to identify malicious software
• Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies