I will be mentoring SANS 610: Malware Analysis in San Antonio starting Nov 3rd.
The class covers both behavioral and code analysis to provide a more rounded approach to malware reverse engineering.
The first half of the class shows students how to examine a program's behavioral patterns and assembly code, and how to bypass common code obfuscation mechanisms. The course also takes a look at analyzing browser-based malware.
In the second half, the class focuses on static code analysis: examining malicious code to understand its flow by identifying key logic structures and patterns, using examples of bots, rootkits, key loggers, and so on. The class teaches how to analyze self-defending malware through unpacking techniques and bypassing code-protection mechanisms, and how to get past the obfuscation techniques employed by browser-based malicious scripts.
For more information or to register... SANS 610
Thursday, August 27, 2009
Tuesday, August 25, 2009
laws of technology
Network World has put together a list of "Unwritten Rules of Technology", basically the Murphy's Laws of the tech world.
some of my favorites:
-- If you close the PC case with screws before testing, it won't work; if you test before closing, it will.
-- If it's broken and you call tech support, it will fix itself while you're on hold.
-- When entering "Captcha" verification codes on a Web site, you'll always type in the numeral 1 when the site wants a lowercase L, and a capital O when the site wants the number 0. (And vice versa!!)
anyone who has worked with computers has lived through a good number of these -- more than once!
Thursday, August 20, 2009
programs infecting programs...
A new(ish) virus running around out there injects itself into the source code of any Delphi program it finds on a system. It gets compiled into that code and then goes off in its new carrier program to infect others.
Sophos has received over 3000 unique files with the virus, which means it probably isn't all that new -- and has probably infected some major software houses. Some of the infected files have been malicious code themselves -- meaning the malware author(s) were infected themselves!
Other than spreading itself around, the virus doesn't do anything else -- but the possibility of a truly malicious virus using the same technique to spread is there.
Most AV scanners are detecting this now -- so as usual, make sure your antivirus is up to date :)
Sunday, August 2, 2009
BlackHat
I survived yet another BlackHat conference in Vegas. I thought the con was really good this year -- some improvements made the entire experience much better.
Instead of vendors lining (and clogging) the hallways, all the booths were in a ballroom. Lots more room to walk around and talk to people, and so much easier to move from one talk to the next. Great move! They also moved lunch inside (previous years it was downstairs out through the pool and in a tent). Much better to just use another room in the conference area.
I saw a lot of really cool talks -- building a darknet (private network) using a browser, using some memory analysis tools to find what commands were performed with a common exploit tool, and some new things to make reverse engineering easier.
It was great to see the people I used to work with, and those people who I only get to see at conferences. No DefCon for me this year (baby Ezri trumps a conference!) but the 2 days of BlackHat wore me out enough that it was probably a good year to cut short my Vegas trip.
Now on to a week of vacation, then back to reality!