<!– Uncomment below if you want to have the automatic next meeting template appear –> <!– name=Malware Friday |dayoffset=27 –> Malware Friday is an event open to anyone who wishes to learn more about reverse-engineering as well as dissecting, understanding and de-fanging malware. It occurs on the last Friday of every month unless otherwise noted.
To participate in the malware analysis part of Malware Fridays, you need to meet the following pre-requisites:
Optional things to know:
To meet these pre-requisites, it's recommended you check out the links provided at the end of this article..
To participate in the learning half of Malware Friday, all you need is to bring yourself and a brain. Preferably you're going to want to bring something to take notes with, but other than that all you need is to take a seat and listen.
The first hour is dedicated to the basics of reverse-engineering and assembly. This is for those who wish to participate in the actual reverse-engineering and dissection of a given piece of nastiness but don't quite have the skills and knowledge. Since this event attracts such a wide audience with an immense interest in learning, this is necessary to bring everyone up to speed. During this hour, the following topics will be covered in an interactive lecture format:
After this hour, the real fun begins with the sample of the month, provided by Vyrus, frank^2, or anyone else who has a sample they wish to share for analysis. Once everyone has the sample, an open forum for discussion begins as people take apart the binary and learn what it does, most likely with KiLLeR TuNeZ playing in the background. We don't stop until we either get bored of reversing for the night or until the botnet gets taken over.
There are a plethora of tools at your disposal to dissect and understand what's going on in a given binary. This is a rudimentary list of the basics you may need when going about your business.
VMware Player is a free virtual machine host from VMware. For some reason, even though it's free, it requires you to register and enter a product key. I think they're just trying to give crackers something to do.
VirtualBox is another free virtual machine host made by Sun Microsystems. Even though it's tainted by this fact, the benefit of VirtualBox is that it's free and multi-platform.
Parallels Desktop is a virtual machine for OS X, but it unfortunately costs money. It's a dang good virtual machine, though– it comes with snapshot management and has support for a surprisingly plentiful set of operating systems.
In this context, a “debugger” is any program that allows you to look at a compiled binary at the assembly level and step through it. Debuggers are literally intended to do what they're named to do– find bugs– but they're very useful for reverse-engineering in general.
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is a shareware, but you can download and use it for free.
OllyDBG is considered the de-facto debugger in almost everyone's toolkit. It's got a whole lot of information to give you– information on threads, data sections and more are all available to you as soon as you run the binary. Plus, with a robust plugin framework, OllyDBG is extended by the reverse-engineering community with features such as PE-header manipulation and anti-anti-debugging.
IDA Pro is a Windows or Linux hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
IDA Pro is considered the non-free analog to OllyDBG. It costs a shitload of money. And you can't buy it by yourself– they're really, really strict about who can buy from them. Many suspect that Hex-Rays truly hates money. IDA is quite possibly the best static code analysis tool there is, though, with a robust graph view and the ability to directly annotate the assembly you're trying to understand. There's so much more to IDA than just that– ask around the space for someone who knows the tool to get a good understanding of just how powerful this thing is.