If you are looking to get started with malware analysis, tune into the webcast series I recorded to illustrate key tools and techniques for examining malicious software:
Since the best way to learn malware analysis involves practice, I am happy to provide you with malware samples from each of these webcasts. Just send me an email after you’ve watched the webcast and confirm that you will be taking precautions to properly isolate your laboratory environment.
Over the years, the set of skills needed to analyze malware has been expanding. After all, software is becoming more sophisticated and powerful, regardless of whether it is being used for benign or malicious purposes. The expertise needed to understand malicious programs has been growing in complexity to keep up with the threats.
My perspective on this progression is based on the reverse-engineering malware course I’ve been teaching at SANS Institute. Allow me to indulge in a brief retrospective on this course, which I launched over a decade ago and which was recently expanded.
Starting to Teach Malware Analysis
My first presentation on the topic of malware analysis was at the SANSFIRE conference in 2001 in Washington, DC, I think. That was one of my first professional speaking gigs. SANS was willing to give me a shot, thanks to Stephen Northcutt, but I wasn’t yet a part of the faculty. My 2.5-hour session promised to:
Discuss “tools and techniques useful for understanding inner workings of malware such as viruses, worms, and trojans. We describe an approach to setting up inexpensive and flexible lab environment using virtual workstation software such as VMWare, and demonstrate the process of reverse engineering a trojan using a range of system monitoring tools in conjunction with a disassembler and a debugger.”
I had 96 slides. Malware analysis knowledge wasn’t yet prevalent in the general community outside of antivirus companies, which were keeping their expertise close to the chest. Fortunately, there was only so much one needed to know to analyze mainstream samples of the day.
Worried that evening session attendees would have a hard time staying alert after a full day of classes, I handed out chocolate-covered coffee beans, which I got from McNulty’s shop in New York.
Expanding the Reverse-Engineering Course
A year later, I expanded the course to two evening sessions. It included 198 slides and hands-on labs. I was on the SANS faculty list! Slava Frid, who helped me with disassembly, was the TA. My lab included Windows NT and 2000 virtual machines. Some students had Windows 98 and ME. SoftICE was my favorite debugger. My concluding slide said:
That advice applies today, though one of the wonderful changes in the community from those days is a much larger set of forums and blogs focused on malware analysis techniques.
By 2004, the course was two days long and covered additional reversing approaches and browser malware. In 2008 it expanded to four days, with Mike Murr contributing materials that dove into code-level analysis of compiled executables. Pedro Bueno, Jim Shewmaker and Bojan Zdrnja shared their insights on packers and obfuscators.
In 2010, the course expanded to 5 days, incorporating contributions by Jim Clausing and Bojan Zdrnja. The new materials covered malicious document analysis and memory forensics. I released the first version of REMnux, a Linux distro for assisting malware analysts with reverse-engineering malicious software.
Recent Course Expansion: Malware Analysis Tournament
The most recent development related to the course is the expansion from five to six days. Thanks to the efforts of Jake Williams, the students are now able to reinforce what they’ve learned and fine-tune their skills by spending a day solving practical capture-the-flag challenges. The challenges are built using the NetWars tournament platform. It’s a fun game. For more about this expansion, see Jake’s blog and tune into his recorded webcast for a sneak peek at the challenges.
It’s exciting to see the community of malware analysts increase as the corpus of our knowledge on this topic continues to expand. Thanks to all the individuals who have helped me grow as a part of this field and to everyone who takes the time to share their expertise with the community. There’s always more for us to learn, so keep at it.
In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free recorded webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date:
Web browser makers are continuing to change how they display two visual elements that people have been taking for granted: the padlock that designates an HTTPS connection and the favicon that acts as the thumbnail of the website’s visual identity. These changes are aimed at helping to minimize the risk that a favicon that looks like a lock might instill a false sense of security.
Users of web browsers have gotten accustomed to looking for the padlock image as part of the URL to determine whether the connection is “secure.” The browsers have typically displayed the lock for HTTPS connections where the SSL certificate was properly validated. Most non-geeky people don’t know what aspect of security the lock is supposed to signify, but they have been trained to rely on it as a symbol of online safety.
Webmasters can specify favicons as tiny images that web browsers have displayed in the URL bar to reinforce the site’s digital identity. Unfortunately, computer attackers can display favicons that look like padlocks, fooling victims into thinking that they are using an SSL-encrypted and authenticated connection. One tool that can automate such an attack is sslstrip, and this category of attacks is described in the Black Hat presentation by the tool’s author.
Microsoft’s Internet Explorer (v9) displays both the padlock and favicon in the URL bar. The favicon is on the left of the URL and—assuming the connection is using HTTPS with a valid certificate—the padlock is on the right:
A malicious webmaster or an attacker who can interfere with the web session may be able to display a padlock favicon even for HTTP or an invalid HTTPS connection, fooling the victim into thinking that the connection is “secure.” The distinction of where the trustworthy lock should exist in Internet Explorer (to the right of the URL, not to the left) is likely to be lost on most people.
Google Chrome doesn’t display the favicon as part of the URL, showing it only on tabs and bookmarks. Chrome displays the lock icon in the URL bar (in several variations) for connections that use HTTPS.
Because Chrome doesn’t display the favicon on the URL bar, this browser’s users are being conditioned to place greater trust in the padlock image displayed next to the URL. This is good.
Mozilla’s Firefox stopped displaying the padlock icon for HTTPS connections starting in version 4 of the browser, phasing it out in favor of the Site Identity Button. The current production (v12) and beta (v13) releases of Firefox still display the favicon in the browser’s URL bar and on the tab:
In this setup, a website that doesn’t use HTTPS can display a favicon that looks like a padlock in the URL bar, fooling victims who associate the lock with safety into thinking that the connection is “secure.”
To help address this risk, the current nightly build of Firefox (v14) no longer displays the favicon in the URL, showing it only on tabs, bookmarks and Awesome bar suggestions, according to Firefox developer Jared Wein. This version of Firefox adds the padlock to the Site Identity Button, while preventing webmasters from placing a false lock icon in the URL bar:
The approach to eliminating the favicon from the URL bar and displaying the padlock there for valid HTTPS connections is consistent with the behavior of Google Chrome. It’s encouraging to see the two browsers using compatible visual approaches that are designed to minimize user confusion.
Fortunately, the behavior of Opera is consistent with how Firefox and Chrome display locks and favicons. Opera displays favicons on tabs and bookmarks, while displaying the padlock on the URL bar for appropriate HTTPS connections:
Unfortunately, Safari displays the padlock and favicon on the URL bar, as well as on tabs and bookmarks in a manner consistent with Internet Explorer. In other words, the favicon is displayed to the left of the URL and the lock, when appropriate, is shown to the right of the URL.
There’s room for continuing to improve the visual indications that browsers present to users for making security-related decisions. Internet Explorer and Safari appear behind the times in their treatment of favicons, because they display these images in the URL bar. In the meantime, individuals who educate non-technical people in web safety practices should consider how best to explain the various security indicators in the URL bar. None of these are easy undertakings.
Hand-picked related articles:
I enjoy presenting at information security conferences and events. It gives me a chance to share ideas, receive feedback and learn from other members of the infosec community. Here are a few upcoming events where I will be speaking on topics related to security careers, malicious software and social media security:
For my thoughts regarding participating in security events like these, please see:
What type of activities can turn information security professionals into experts at their craft? A classic paper titled The Role of Deliberate Practice in the Acquisition of Expert Performance by Ericsson, Krampe, and Tesch-Romer outlines a framework for figuring this out. Though the paper focuses on musicians, its findings apply to other domains, including security.
Years of Experience is Not Enough
Common wisdom holds that to become an expert, one needs to practice the skill for a certain number of years. However, we cannot assume that extended experience automatically leads to improved performance. According to the study, achieving improvement requires a deliberate effort to improve.
The researchers observed the strongest performance improvement among individuals who were instructed by teachers and coaches “to engage in practice activities that maximize improvement.” To accomplish this,
"The teacher designs practice activities that the individual can engage in between meetings with the teacher. We call these practice activities deliberate practice and distinguish them from other activities, such as playful interaction, paid work, and observation of others, that individuals can pursue in the domain."
In other words, activities in which a professional engages could be mere busy work if they are not structured in a manner that reinforces the right skills.
The researchers also emphasized the need for the practitioners to “receive immediate informative feedback and knowledge of results of their performance. … When these conditions are met, practice improves accuracy and speed of performance on cognitive, perceptual, and motor tasks.”
Implications for Information Security Professionals
First, as you progress in your career as an information security professional, consider what skills you need to acquire. Understanding one or more infosec domains is critical. Yet, depth of knowledge in IT is not enough. You also need to master communication skills and learn how to deal with internal corporate politics and influence others.
Then, consider what project opportunities at work and on your own time are available to you for developing the kind of skills that match the market’s demands and your interests. Work on those projects—not all at once, but according to a reasonable time line. But remember that, as the research I outlined above shows, you probably won’t succeed on your own.
Take steps to make sure that your practice is deliberate and includes feedback. What this entails depends upon your personality, learning style and the opportunities available to you; it probably involves a combination of these options:
As you invest thought and effort into developing your information security skills, consider whether the structure of your practice is “deliberate” and how it benefits from the guidance that research has shown to maximize improvement.
Security professionals lack virtualization knowledge and best practice models for server virtualization security. Until they gain this knowledge, they won’t buy security tools. Time to teach the market how to fish.
Much information that we consume to improve our understanding of the world and to refine professional skills occurs in solitude. This includes reading books, articles and blogs, as well as listening to podcasts, tuning into webcasts and watching instructional videos.
And yet, there’s something special about learning together with others: feeding off the energy of other participants, learning from peers, sharing your insights and the feeling of solidarity from being part of a shared experience. If members of the group are encouraged to exchange ideas, they will influence the learning process in unpredictable, but often beneficial ways.
To paraphrase Llewellyn Hinkes Jones, who said this in a different context:
"The shared experience of listening with others is not unlike the cultural rituals of communal eating." Knowledge may not have the primal necessity of food, but it is something people commonly ingest together.
So I thought I’d write this brief note to encourage people to participate in events that bring professionals together, be it an informal reception at work, a local meet-up or a formal training event. We have much to teach each other. We have much to learn from each other.
If you’re interested in getting into malware analysis, take a look at my recent blog posting on the SANS Forensics Blog: How to Get Started With Malware Analysis. It outlines the articles and webcasts I published on this topic and recommends a few good books and web forums.
In addition to the resources I listed in that blog posting, here are a few x86 assembly language tutorials and books available for free on-line:
Knowing assembly will help you reverse-engineer malicious code. However, most of the books on assembly are designed to teach you how to write in assembly. That’s a good skill to have, but to analyze malware it’s sufficient to know how to read assembly. So don’t let assembly overwhelm you—you can get started by knowing just a few key assembly constructs.
Why am I talking about malware analysis? I’ve been teaching security professionals to analyze malware since 2002. My reverse-engineering malware course acts as a springboard for individuals looking to excel in this discipline, but not everyone has a training budget.
The challenges of dealing with malware seem to be escalating. While there are some good references for protecting a single system, the skills for combating malware at the enterprise scale are hard to come by. That’s why I collaborated with Jason Fossen to create a 2-day course titled SEC569: Combating Malware in the Enterprise for SANS Institute.
Jason is an expert in Windows security in the enterprise environment and teaches the SEC505: Securing Windows course at SANS. I’ve been focusing on malware issues, and teach the FOR610: Reverse-Engineering Malware course.
The Focus of the Combating Malware Course
The new course teaches a practical approach to discovering and mitigating malware threats in an enterprise environment. It’s more focused than SEC505 and is not as technical as FOR610. If you have a general security, systems or networking background and need to understand malware threats and defenses in the context of enterprise environments, then the new course is for you.
Help Spread the Word, Please
Launching a new course is a bit like launching a start-up: the biggest initial challenge is to let people know about it. So, if you know a person who will benefit from knowing how to discover malware and harden IT infrastructure against infections, could you let them know about the course?
Details about the new course are on CombatingMalware.com.