Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

SANS FOR610: Reverse Engineering Malware – Course Review

What follows is a review of the SANS FOR610: reverse engineering malware class taken at the SANS Prague 2013 event. What follows are rough notes, feelings and impressions from the class as it was taking place… Take it as you will, and I hope it proves useful for you in evaluating the class.

Note: Prior to the class I’d never done reverse engineering of malware… however I have done limited exploit dev and other tasks that dovetail well with some of the concepts.

Day 1

Day 1 started off slowly walking through some simple malware using some behavioral and code analysis, before moving into the setup of our lab environments. Although the first half of the day was a little slow (and instructor led, so no hands-on), it brought everybody up to speed on what we’d be doing in the coming days and helped to lay the foundation for some of the more fun topics I’m sure are headed our way in the later part of the class. After a quick bite to eat we moved into the first hands-on section of the class.

The afternoon was spent slowly walking through the step by step process of performing a behavioral analysis of brbbot in our labs. The pace for the hands-on was a little slower than I’d have liked, but the step by step methodology helped really push home the process required. It was also nice to see procDOT (from the Austrian CERT team) mentioned as well, as an easy way to perform some of the steps.

The day finished off by walking through debugging brbbot in OllyDBG to perform code analysis and dive into some of the malware’s inner workings. Again that walk-through with the class was slow-paced with a few students struggling. With a class like this it’s hard to find a suitable pace to ensure everyone can follow along. That said, even though I’ve never done malware reversing before, day 1 seemed slower than it really needed to be in a lot of places.

Day 2

As is standard with most SANS classes, we kicked-off day 2 with a quick recap of the topics covered in day 1 of the class, finishing off the day 1 material with a brief discussion of what should be included in a malware analysis report.

Diving into the real day 2 content we started looking at commonly seen packers and how to deal with them. Aside from the simple UPX cases (which are apparently more common than I thought in malware) we looked at dumping the unpacked code from memory using a number of tools. Unfortunately we didn’t dive more into the process and how to do it without the tool. I know this isn’t a simple process, but I’ve always been more of the “do it the hard way and learn, before you use the point and click tool” guy. Still you can’t have everything, and the walk-through on doing the same kind of dump using OllyDbg and the OllyDump plugin was an interesting diversion.

After a quick bite to eat we ventured into some patching of executables using OllyDbg (in particular patching to avoid debugger checks). Moving away from Windows executables, we began looking at analyzing browser-based malware.

After going through the standard JavaScript de-obfuscation techniques (as well as some debugging of JavaScript with Firebug) we moved on to a brief (possibly too brief) look at Java based malware. To finish up the final hour we dove into SWF decompilation and static analysis of some older Flash malware. The tools and techniques covered were not that different from what we’d already covered. Seems that the debugging of SWF files is still trickier than it should be (at least without the aid of costly and specialist Flash debuggers). There’s just too many ways to trick the tools into misunderstanding the code, and an area that needs a lot more research.

Day 3

No reversing class would be complete without some serious time spent crawling around in assembly. The morning was filled with the usual fare, compilers, linkers, commonly seen assembly codes and the like. Nothing that most wouldn’t have already seen and read if they were interested in this area of security. Where I think the topics really made things clear was breaking down recursion and jumps and looking at the raw C and compiled assembly versions (or one possible assembly version). It really helped to show that you can tell if the original code was a loop or an If Else. Probably nothing earth shattering for most, but I found it interesting to go down to the level. We also covered jump logic extensively looking at the way the registers are used to store the results used for common jumps. Good stuff to know if you’re reversing unknown code.

The afternoon covered some anti-disassembling examples that malware authors use to cause headaches for people reversing their work, before moving into the final real topic of the day, user-mode rootkits. The afternoon session seemed to be a little rushed, maybe due to some delays earlier on in the day. Day 3 certainly tries to cram in more than previous days have and it showed at the end with a few sections covered in a little less detail than I’d have liked. Pity really, as I’d rather a few day 1 or 2 topics were given short shrift and replaced with more time to really dig in and look at sniffers, keyloggers and the like in Olly/IDA. Overall though, the best day so far… very good stuff!

Day 4

After a sleepless night (gotta love hotels) we dove into self defending malware and started to look at some of the more commonly seen anti-debugging techniques used by modern malware. Kicking things off we manually walked through a malware sample using SEH to fool analysts, and a simple packer to prevent easy analysis of the real malware. The sample was interesting in the way it used multiple techniques to fool people trying to understand the executable, but it was pretty simple to bypass the protections given a few minutes and a few hints on how it works. The SEH trick was an interesting one and not one that I’d thought of before (I’m not a malware analyst after all).

The afternoon continued on from the morning session dealing with more anti-debugging tricks used commonly by packers and malware writers (including timing based RDTSC and TLS Callback techniques, amongst others). Some of these techniques are probably well-known and documented amongst analysts, but as I’ve said before, as a non-malware analyst the techniques were new to me and made for an interesting afternoon in OllyDbg and shellcode.

Finishing off the theme of malware that fights back, we moved into some web-based malware and JavaScript obfuscation techniques.

Day 5

Despite only 1.5 hours sleep (don’t ask…) day 5 started quickly diving into malicious Office and PDF documents. After covering the basics, we moved into some quick analysis of malicious samples using a range of tools and scripts. As expected, the PDF section of the class was a relative what’s what of Didier Stevens’ research. Some of it is things I’ve already read or seen based on Didier’s wonderful training and workshops. Still, there were some interesting extensions to this using tools like shellcode2exe to create a debuggable PE in order to walk through injected shellcode in a more controllable way. I particularly liked the technique of using libemu’s sctest to create an overview of what the shellcode is doing. Something that will definitely come in handy…

Moving away from malicious files we focused on the uses of memory forensics and how malware analysis can be performed on forensic images. As expected, volatility played a big part of the afternoon, using it to check connections, find hidden processes and dump out the unpacked malware from memory into a PE file to be analysed in the normal way. Using some of the more run modules in volatility we looked at detection of kernel and user-level rootkits and how to extract information from memory dumps that help us as malware analysts understand what malware is doing on a system.

Day 6

CTF style challenges to reinforce the material covered in days 1-5… I won’t go further into this, but the experience was a good one for sure! I managed to hover around 10th position before having to head off early to catch a train. Not stellar, but for a first time malware analyst, I guess it could have been worse 😉

Conclusions

The pace of the class was a common theme for me throughout the first half of the week, but quickly picked up pace midway through day 3. There’s a number of reasons for this, and it was hard to tell if the class was just paced for a more beginner crowd (disclaimer: I’ve never done malware reversing, but I’ve used a majority of the tools before for various other tasks/purposes), or if the pace was affected by a few people in the class that seemed to get lost pretty easily. I won’t launch into a tirade here about people doing technical classes and not having the chops for it, so consider the issue of pace discussed 😉

The tips/tricks and general processes for working with malware were very clearly discussed and worked very well during the course. How they work in real life with modern malware that wanted to stop you at every turn is to be seen. Although we covered some of the more common methods used by malware to cause problems for analysts, there’s no way you can cover them all. Things like that can only be learnt from experience and exposure to different techniques and methods after all. The processes helped me quite a lot with a few debugger questions I had. Not just when it comes to malware, but also for more offense-based reversing (thick clients etc…)

The class is very tools based. This isn’t necessarily a bad thing, as most of what we do on a day-to-day basis is tools based… but the first half in particular lacked a certain amount of “rolling up your sleeves and getting into the dirt” that I personally like to see from classes like this. Although it’s a hard way to learn, I find that learning the hard way before you just load a tool makes you respect and understand the issue and the solution. This was dealt with better in the final days with much more hands on stuff. Also, as much as people like to say the day 6 CTF style challenge is a wasted day, I found that some parts of it helped bring back points I’d forgotten from the earlier parts of the class. This really helped reinforce things for me.

Overall the class was good for a beginner just looking to get a grounding in the topic. That said however the pace made it feel like the class could have achieved so much more in the first 2 days in particular. Missing were more automated and scriptable debugging of malware. Things like pydbg, vdb/vivisect and a number of other script based debuggers would have been nice to cover, even if only in passing. A number of the examples really fell into the category of easily scriptable, and it would have been nice to get some hands on with that stuff.

I think the class really came into its own in the later days… much more focused, technical and designed to really stimulate your thinking.

SANS SEC401 – Security Essentials

Everybody should have a good foundation to build from. After all, there’s no point in building a tower of knowledge, just to find that the foundations can’t hold it up. SANS Security Essentials is a great course to provide that foundation.

One of the things I love to hear from students after teaching Security 401 is “I have worked in security for many years and after taking this course I realized how much I did not know.” With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending Security 401, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.
– Eric Cole

This class covers a lot of ground. I know the average SANS class is packed with juicy knowledge and tasty technical goodness, but the 401 class really crams it in. 11-12 Hours a day, and 6 days long. It’s not an easy task to take in everything, but Dr. Eric Cole is a great instructor, and really helps make things clear. As you’d expect from a class of this type, the content is wide-spreading and not as in-depth as some of the other SANS courses. Then again, this is what you’d expect from a course of this type. There’s no point in building a good foundation in 3 areas of the security landscape and skipping the rest. The 401 class covers the areas you need to know about without going too in-depth in any one thing. There’s plenty here for you to think about and it certainly gives you an idea of where your weak points are, and how to fill them in.

Day 1 – Networking Concepts

It’s hard to protect your network without knowing what’s really going on on the wire. The first day of the 401 class was dedicated to understanding the fundamentals of networking, from the cable up. The information covered is just enough to really understand what’s going on, without having to be a packet-monkey, or expert in routing protocols. Sure, there’s some exercises on decoding IP/TCP headers with pen and paper, but nothing that complex. As long as you can add up that is. It’s not rocket science after all 😉 Day 1 concluded with some virtualization and physical security modules. It was nice to see the physical security aspects covered where so many classes tend to skip over the topic.

Day 2 – Defense In-Depth

I’m a big fan of defense in-depth, and always try to drum it into clients when testing systems. After all, a single piece of equipment that stops all attacks is only good until you can find a bypass for it. When that happens, you’re completely exposed, unless you’re layering your defenses. Eric covered a lot of ground here in day 2. Malware, worms and trojans, alongside policy, password security and web-application attacks and defense. Again there’s just enough here to understand the basics without confusing people who’ve started the class with a clean slate. If you’re an old hand, there’s still information here to be had. Even though I’ve been through the 560, 542 and 709 classes, there are still points that make me sit up and pay attention. Nobody knows everything after all.

Day 3 – Internet Security Technologies

Day 3 kicked off with discussion of attacks and hardening of systems. Coverage of IDS/IPS/HIDS and some great hints and tips about maximizing your firewall protection and layout. Even though most people know what a firewall does and how it works, people rarely consider the pros and cons of multiple firewalls, positioning and using packet, stateful and proxy filters to maximize the protection without overloading the systems. Discussion of signature based protections vs. Anomaly analysis (including the method of using clipping levels to improve identification of possibly suspicious traffic/behaviour). To give the students a hands-on experience with IDS, a short module on Snort (including writing a simple Snort rule) is included as the 3rd day draws to a close.

Day 4 – Secure Communications

After finishing up the risk analysis module from Day 3, we moved quickly into one of the sections of the class I was really looking forward to, encryption. Eric took the class from basics of cryptography (ROT-13, Caesar Cipher) through to a surprisingly easy to understand diagram on how Diffie-Hellman Key Exchange really works. There was good coverage of data protection in-transit, at rest and the key points of key management issues. Moving away from cryptography toward mobile and wireless, we covered a range of different connection solutions. In particular, Bluetooth, 802.11, and ZigBee were covered in-depth. It was good to see the newer technologies such as ZigBee discussed even in the essentials class. To bring it home for day 4 we talked about VoIP and the increasing convergence of technology within the enterprise.

Day 5 – Windows Security

As with the other days, we kicked off day 4 with the final module of the previous day. In this case we talked about OPSEC (Operations Security). OPSEC is taking a step back from the technical and making sure that the appropriate risks are being addressed. It’s all about the Big Picture and protection of company information. Tracking and finding your company’s weaknesses can also give you an idea where your competitors may have fallen short. To kick off the Windows section of the class, we covered the basics of Windows Access Controls, patching and hot fixes, as well as the all important backup/restore of critical data. Of course no Windows security class would be complete without the extensive coverage of access permissions, rights and controls.

To tie in with the previous cryptography discussions we talked about EFS and Bitlocker and the pros/cons of using TPM (with USB token, PIN) to enforce boot integrity. Naturally we spent time looking at the technical side of security policies (GPOs, Security templates, …) and the issue of dealing with extensive security policies in large-scale Windows environments. Finishing up we covered automation when it comes to securing and maintaining security of systems. It’s interesting to see Microsoft’s move to more command line based solutions. Give it another 10-15 years and it’ll be just as good as Linux at the command line 😉

Day 6 – Linux Security

Kicking things off for the last day, Eric went over the key differences and histories that make Linux and Windows such polar opposites. As you can imagine, a large part of the time today was spent discussing the intricacies of the *nix permissions system (including SUID, GUID and sticky bits). It was interesting to cover the usage of groups and the ability to assign passwords to specific groups using gpasswd. It was also good to get a quick overview of how PAM fits into the overall Linux authentication and user account management. pam_cracklib and pam_unix are something I’ll definitely be looking at more in the future. Finally I really get the permission system used in Linux. All it takes sometimes, is a simple down to earth explanation.

Jumping from permissions, we did a quick overview of the boot processes, run-levels and services. It’s great to hear little tips and tricks from people who work with this stuff on a daily basis. Things like the RC scripts. Newer systems (anything in the last 5 years) can handle 2 startup files with the same number (i.e. S08service and S08service2). Older systems would only run 1 of the services, and ignore the other. Certainly an important note when working on older *nix systems.

In the logging and monitoring section we covered a number of interesting log files. Of special interest to me (as a penetration tester), was the /var/run/btmp log file. If this file is present on a system, it contains information on failed logon attempts, with the attempted password listed in plaintext. Obviously this could be a great source of information if a user mis-types their password. At the very least, it’s a starting point for a brute-force of that account. At best, you have the user’s password and can start guessing what they mis-typed. As you’d expect a range of logging and centralised log management was discussed. After all, no talk on *nix logging would be complete without mentioning SYSLOG and SYSLOG-NG.

Winding up the class we touched on *nix patch management and enhancing the security of Linux. As you’d expect, we spent some time discussing APT and RPM based patching solutions, before moving into IPTables, TripWire and Bastille Linux.

It’s been an exhausting 6 days… but I feel like I’ve filled in a few gaps in my knowledge. I’ve especially enjoyed working with Dr Eric Cole and hearing about his take on various topics. Eric has a lot of knowledge to bring to the table, and I hope to attend another of his classes in the future.

Conclusion

There’s far too much information crammed into this class to really write about every topic covered. Then again, that’s not the point of this review. I’ve covered the key points we discussed, and hope it gives a good overview for people looking at taking this class in the future. I would say however, that SANS updates the classes on a regular basis. So your mileage may vary 😉

I stand by my earlier comments that the security essentials class gives a good foundation. However, I would append a small note. If you’re already an experienced InfoSec person, then there will be times when you’re required to review things you already know. This isn’t a bad thing, as there’s always a few points that are worth reviewing, or described from a different standpoint. When looking purely at the content of the course and the method/style of delivery, I would highly recommend this class as the place to start when it comes to moving into InfoSec. The broad level of knowledge is both theoretical and technical, yet not too in-depth to get sidetracked into a single topic for too long. If you’re already working in InfoSec, then check out the assessment test below to see what your level of knowledge is.

If you want to test yourself and see where the gaps in your knowledge are, you can use the SANS Security Essentials assessment Test to see how you score.

GWAPT / SEC542

After almost a year I’ve finally managed to take the GWAPT (Web Application Penetration Tester) exam, just in time to head to SANS London and the Security Essentials class. I have mixed feelings on the exam. Even though I passed with a good mark (96.67%), the 5 that I got wrong were (in my opinion) a little questionable. Still, I’m sure I’ll hit the holy grail (100%) sooner or later 😉 It will just take time, and patience.

For a little history on this, I first attended the 4-day version of the SEC-542 back in December last year. The course was good, and I wrote about the contents on the blog (day-1, day-2, day-3, day-4). The 6-day version of the class has incorporated a number of welcome additions and helps the course really grow. I always felt that the 4-day version lacked a certain something, and the new version really fills the gaps with new sections on Flash, WebServices (WSDL, UDDI, SOAP…) and nice coverage of Python, JavaScript and PHP for Penetration Testers. The last day is also now a Capture the Flag event which will really help to solidify the knowledge and let people get a hands-on approach to testing.

I can’t finish this post without saying a little something about the OnDemand program. The new OnDemand system is certainly a step in the right direction. As SEC-542 is one of the first on the BETA OnDemand it lacks the additional links that will come with maturity. I think that the OnDemand option of training has become more of an option than previously. The support you get is also great, especially as Kevin is very approachable. If all else fails you can shoot me an email and I’ll see if I can help. Hopefully this will be the class I’ll be Mentoring in Vienna next year (given the chance).

Overall I’d give the class 95/100 –> There’s room for some additional coverage of things like JBoss, Coldfusion and Tomcat. Still you can’t fit everything into 6 days 😉 I can’t wait for SEC-642, for some advanced WebApp fu.

GWAPT Certified Professionals –> LISTING

GWAPT Exam Coverage –> Coverage

Hakin9 01/2009

Well, sometime while I was in London it seems the new Hakin9 magazine hit the shelves. Somewhere in there is an article I wrote a few months back on security training. I hope it helps people that are looking at the options. Maybe I’ll revisit the topic in another 12 months to look at the OSCP and a few of the more specific SANS courses.

Overall I’m happy with the article, although somewhere between proof reading and print “C|EH” turned into “CIEH” it seems. Still, I hope that everything else is ok. Let me know your thoughts…. constructive criticism is always welcomed.