Using Responder Professional for Malware Analysis - Two Day Training

Overview

This class is aimed at information security professionals and incident responders, not traditional reverse engineers. Students DO NOT need any prior experience in software reverse engineering. This two-day class covers useful techniques and methods for incident response in the field when machines are suspected of intrusion with stealthy malware. The class is heavily exercise-based and covers both kernel-mode and user-mode rootkit infections. The purpose of the class is to give students the ability to preserve physical RAM for analysis, identify rootkit behaviors, and then perform reverse engineering of captured rootkits in order to evaluate the specific threats, including but not limited to:

  • what files on the filesystem are involved in the attack?
  • which registry keys are being used?
  • does the rootkit survive reboot, and if so, by what means?
  • does the rootkit steal anything?
  • does the rootkit allow remote access?
  • does the backdoor use encryption? If so, where is the decryption routine?
  • can the rootkit be used to launch secondary attacks into the network?

The goal is to give students the ability to learn these key facts about a rootkit within only a few minutes or hours after the specimen is obtained. The reverse engineering techniques presented are designed to be easy to learn and quick to use. Students do not need to be experts at reverse engineering. Even advanced malware techniques, such as packing, can be overcome by straightforward and easy-to-understand methods. Much of the material, once understood, can be incorporated into automated assessment scripts.

Specific training will be given on the following scenarios:
  • Extraction of kernel mode rootkits from live system memory
  • Reconstruction of PE formatted executable images from live memory
  • Imaging physical RAM of a suspected computer
  • Overview of Windows OS data structures and what they mean
  • Recovering open file handles and registry keys from a captured RAM image
  • Detecting interrupt table hooks and SSDT hooks from a physical memory image
  • Following memory pointers
  • Translating physical addresses to virtual addresses, and why this is important
  • Capturing a live memory image of the malware after unpacking has occurred
  • Examining NDIS chains to find backdoor TCP/IP stacks
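Three of the static-analysis scenarios above (following memory pointers, translating between physical and virtual addresses, and detecting SSDT hooks in a physical memory image) come together in the following example. It is added here and is not part of the course material or any HBGary product; it builds a small constructed 32-bit non-PAE memory image in memory, walks the page tables in the virtual-to-physical direction to reach the system service table, and flags any service entry whose target lies outside the kernel image. The page directory base (CR3), the virtual address of the service table, and the loaded-module ranges are assumptions that a real analysis would recover from the image itself.

```python
"""SSDT hook check over a constructed 32-bit (non-PAE) physical memory image."""
import struct

PAGE = 0x1000
PRESENT = 0x1        # bit 0 of a PDE/PTE: entry is valid
PDE_LARGE = 0x80     # bit 7 of a PDE: 4 MiB page, no page table below it

# Assumed values (in a real case these come from the captured image):
KERNEL_BASE, KERNEL_SIZE = 0x80400000, 0x200000   # ntoskrnl.exe range
SSDT_VA = 0x80500000                              # virtual address of KiServiceTable
CR3 = 0x0                                         # physical address of the page directory


def read_u32(mem, paddr):
    return struct.unpack_from("<I", mem, paddr)[0]


def write_u32(mem, paddr, value):
    struct.pack_into("<I", mem, paddr, value)


def v2p(mem, cr3, va):
    """Translate a virtual address to a physical one with a two-level x86 walk."""
    pde = read_u32(mem, (cr3 & ~0xFFF) + ((va >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        raise LookupError(f"PDE not present for VA {va:#010x}")
    if pde & PDE_LARGE:                      # 4 MiB page: no second level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = read_u32(mem, (pde & ~0xFFF) + ((va >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        raise LookupError(f"PTE not present for VA {va:#010x}")
    return (pte & ~0xFFF) | (va & 0xFFF)


def read_virtual_u32(mem, cr3, va):
    """Follow a pointer given as a virtual address by translating it first."""
    return read_u32(mem, v2p(mem, cr3, va))


def owner_of(addr, modules):
    """Return the module name whose range contains addr, or None if unknown."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def find_ssdt_hooks(mem, cr3, ssdt_va, count, modules, expected="ntoskrnl.exe"):
    """List (index, target, owner) for every SSDT entry not inside the kernel image."""
    hooks = []
    for i in range(count):
        target = read_virtual_u32(mem, cr3, ssdt_va + 4 * i)
        owner = owner_of(target, modules)
        if owner != expected:
            hooks.append((i, target, owner))
    return hooks


def build_sample_image():
    """Constructed 32 KiB 'RAM image': page directory, one page table, one SSDT page."""
    mem = bytearray(8 * PAGE)
    pd, pt, ssdt_page = 0 * PAGE, 1 * PAGE, 2 * PAGE
    # Map SSDT_VA onto ssdt_page: PDE -> page table, PTE -> physical page (present+writable).
    write_u32(mem, pd + ((SSDT_VA >> 22) & 0x3FF) * 4, pt | 0x3)
    write_u32(mem, pt + ((SSDT_VA >> 12) & 0x3FF) * 4, ssdt_page | 0x3)
    # Four service entries; index 2 points into address space owned by no known module.
    entries = [KERNEL_BASE + 0x1000, KERNEL_BASE + 0x2340, 0xF7A00000, KERNEL_BASE + 0x5000]
    for i, entry in enumerate(entries):
        write_u32(mem, ssdt_page + 4 * i, entry)
    modules = {"ntoskrnl.exe": (KERNEL_BASE, KERNEL_SIZE),
               "tcpip.sys": (0xF7C00000, 0x40000)}     # constructed module list
    return mem, CR3, SSDT_VA, len(entries), modules


if __name__ == "__main__":
    mem, cr3, ssdt_va, n, modules = build_sample_image()
    for index, target, owner in find_ssdt_hooks(mem, cr3, ssdt_va, n, modules):
        print(f"SSDT[{index}] -> {target:#010x} owned by {owner or 'unknown region'}")
```

The check is deliberately simple: the only fact it needs is the kernel image's virtual range, and any service entry pointing elsewhere deserves a look. On a real image the same walk applies, but the page-directory base, the table's address and the module list must be recovered from the captured RAM rather than assumed, and large (4 MiB) pages and PAE layouts change the walk.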
In addition, dynamic analysis of captured rootkits will be covered using a quarantined VMware lab image in combination with advanced debugging tools. The dynamic exercises will focus on the following scenarios:
  • Trace data packets in memory to determine location of decryption routine
  • Data-sampling, searching, and dataflow tracing
  • Efficient use of breakpoints to catch behavior at the OS level and trace back into the malware
  • Capturing the launch of a secondary process
  • Capturing file and registry key access
  • Shunting the deletion of temporary files so that secondary specimens can be captured
  • Capturing DLL injection and thread injection
  • Detecting multi-threaded data hand-off points
  • The concept of a control-flow orbit
  • Reconstructing the send/recv orbit of the malware backdoor
  • Detecting usage of common protocols, such as SMTP, POP3, and IRC
In addition to hands-on understanding, students will be exposed to scripting tools that can be customized to speed up the assessment. The class will complete the training by covering not only reverse engineering techniques, but efficient methods to organize the found data and evidence, and how to construct a report. This includes how to organize found data into layers, graphing for reports, bookmarking and comments, and automated scripting. Students will also be given a crash course on developing and customizing a report-generation script that allows the automated construction of a report in RTF format (Microsoft Word compatible). This rounds out the training and offers a complete end-to-end methodology.