Tutorial title: Learning Reverse Engineering: A Highly Immersive Approach

Time: 2 full days (2 X 6 hr)

Abstract:

Reverse engineering involves deep analysis of the code, structure, and functionality of software using both static and dynamic methods. This tutorial will provide attendees with a solid foundation on which to build additional skills in reverse engineering. Reverse engineering skills are crucial in understanding modern malicious software, and this understanding, in turn, is necessary in order to craft solutions to recover from and prevent attacks. Reverse engineering is also useful for creating interoperable software, for verifying that software patches function as promised, and for the simple joy of understanding at a deep level how software works.

This tutorial provides an immersive experience in reverse engineering malware, covering a range of malware examples, from "historical" (e.g., DOS boot sector viruses) through modern malware. The tutorial is modeled on experiences in teaching full-semester, highly immersive, hands-on reverse engineering courses to undergraduate and graduate students. The tutorial is intended to appeal both to researchers who are curious about reverse engineering and to academics who intend to develop courses in reverse engineering. Naturally, a two-day session provides insufficient time for "mastering" reverse engineering, but the tutorial provides a firm foundation on which to build additional skills for practice or instruction. Static and dynamic analysis tools, including IDA Pro, OllyDbg, and HBGary's Responder, are demonstrated in the tutorial, and detailed walkthroughs of malware source code consume the bulk of the time. This tutorial is not taught passively, and you won't simply see hundreds of PowerPoint slides.

Prerequisites:

Basic knowledge of assembler and systems concepts. Attendees should be either currently comfortable with reading assembler or recall a time in which they were comfortable. The tutorial format will include time for attendees, in groups, to tackle analysis of malware code samples (in hard copy), followed by a detailed walkthrough by the instructors. Any rust on your assembler skills will be quickly sanded away. Attendees should also possess basic knowledge of systems, including compilation, linking, debuggers, concepts associated with executable file formats, etc. The course will NOT cover legal issues associated with reverse engineering.

Textbooks:

No textbooks are required, but the motivated attendee may wish to review the following books before attending the course, in addition to a text on Intel assembler:

  o The IDA Pro Book (Eagle, No Starch Press)
  o Reversing (Eilam, Wiley)
  o The Art of Computer Virus Research and Defense (Szor, Symantec Press)

Outline:

Reverse Engineering Tutorial
----------------------------

I. Introduction
   A. Course Overview
   B. Instructor Background
   C. Course Goals and Disclaimer

II. Reverse Engineering Background (3 hours)
   A. Why Learn / Teach Reverse Engineering?
   B. Overview of Historical and Current-generation Malware
      1. Viruses, Worms, Trojans
      2. Infection / Propagation Strategies
      3. Polymorphic / Metamorphic Malware
   C. Tools for Static and Dynamic Analysis
      1. Examination of Executable File Formats
      2. Disassemblers
      3. Debuggers
      4. Tools for Live Analysis
         a. Registry Monitoring
         b. Filesystem Monitoring
         c. System Call Tracing
   D. Brief Refresher on Intel Assembler (w/ handouts / cheat sheets)
   E. PE/COFF Executable File Format Internals (w/ handouts)

III. First Immersion: Virus #1 (3 hours)
   A. Essential OS Internals (w/ handouts / cheat sheets)
   B. IN TEAMS: Attendees Tackle Analysis of Source Code w/ Help of Instructors
   C. Detailed, Line-by-Line Analysis by Instructors

IV. Second Immersion: Virus #2 (2.5 hours)
   A. Essential OS Internals (w/ handouts / cheat sheets)
   B. IN TEAMS: Attendees Tackle Analysis of Source Code w/ Help of Instructors
   C. Detailed, Line-by-Line Analysis by Instructors

V. Final Immersion: Virus #3 (2.5 hours)
   A. Essential OS Internals (w/ handouts / cheat sheets)
   B. IN TEAMS: Attendees Tackle Analysis of Source Code w/ Help of Instructors
   C. Detailed, Line-by-Line Analysis by Instructors

VI. Advanced Reverse Engineering: What You Need to Learn to Tackle Modern Malware (1 hour)
   A. Encrypted/packed executables
   B. Anti-debugging/anti-emulation techniques
   C. Code obfuscation

VII. Summary/Wrap-up

About the instructors:

Dr. Frank Adelstein is the technical director of computer security at ATC-NY, in Ithaca, NY, and provides oversight and guidance to projects at ATC-NY relating to computer security. His areas of expertise include digital forensics, intrusion detection, networking, and wireless systems. He has co-authored a book on mobile and pervasive computing. He received his GIAC Certified Forensic Analyst certification in 2004. Dr. Adelstein is the vice-chair of the Digital Forensics Research Workshop (DFRWS). He has been the principal investigator on projects that created two commercial products: P2P Marshal, a popular forensic tool to detect and analyze peer-to-peer use; and OnLine Digital Forensic Suite, a tool that gathers volatile data from running systems in a non-disruptive way. He has given tutorials at a number of conferences.

Dr. Golden G. Richard III is Professor of Computer Science at the University of New Orleans, where he developed the Information Assurance curriculum. He is also co-founder of Digital Forensics Solutions, LLC, a private firm specializing in digital forensics investigations and security analysis. He teaches courses in reverse engineering, digital forensics, computer security, and operating systems internals at the University of New Orleans. He is a member of the United States Secret Service Taskforce on Electronic Crime and a member of the ACM, IEEE Computer Society, the American Academy of Forensic Sciences (AAFS), and USENIX.

Author contact information:

Dr. Frank Adelstein
ATC-NY
33 Thornwood Drive, Suite 500
Ithaca, NY 14850
fadelstein@atc-nycorp.com
607-266-7104 (voice)
607-257-1972 (fax)

Dr. Golden G. Richard III
Dept. of Computer Science
University of New Orleans, Lakefront Campus
New Orleans, LA 70148
golden@cs.uno.edu
504-957-5814 (voice)
507-280-3947 (fax)