I’ve recently had the pleasure to attend SANS FOR610 course on reversing malware. Online reviews I’ve read were far and apart so I didn’t know what to expect.
SANS FOR610 is a zero-to-hero course on reverse-engineering malware. The course throws students into the deep-end by presenting real malware made by real attackers and teaches each student how to understand and analyze the malware with industry-standard tools.
On the sixth day, students would get to participate in a CTF event using the skills they learned. The CTF contains around 120 questions about 50 or so different pieces of malware, ranging from binaries to PDFs to office documents and even a couple of virtual memory dumps here and there.
I can safely say that I never thought I could answer critical questions regarding any piece of malware that I just encountered two minutes ago with skills I learned less than a week ago as I did on the CTF day. The teaching of Jake Williams and the course author, Lenny Zeltser, was nothing less than superb.
The course had around 30 people. You can see from the name badges that most were already coming from either a system administration or security background. Regardless, the instructor made it very, very clear that only basic Linux knowledge was required (if you know what grep is and can use bash for more than two minutes, you’re good).
The instructor was Mr. Jake Williams, a renowned security giant who actively teaches over seven other SANS courses. My knowledge of Mr. Williams was minimal prior to SANS, but that tells more of my ignorance rather than his obscurity.
Mr. Williams would present the material, maybe tell an anecdotal story regarding a piece of malware similar to the one being presented, and then proceed with dissecting that specimen with the methodical and careful hand of a master. It was truly a wonder to see the man at work.
The course authors sent very clear instructions regarding machine setup prior to the course start. I really appreciated this since it didn’t waste anybody’s time on a setup anyone with basic experience can do by themselves.
Each day was separated into a topic by itself. Topics ranged from static analysis, dynamic analysis, code analysis, malicious PDFs and office docs, memory forensics, code injections (a favourite of Mr. Williams, it seems) and even an entire day on self-defending malware. No stone was left unturned.
The first day went by pretty fast. I was on a natural high!! I truly felt amazed and taken by the amount of information we received in one day (Static and behavioural analysis). I’ve done some reversing in the past, mainly related to ELF binaries. I’ve also read Practical Malware Analysis cover-to-cover and tried to work with most of the labs, but even then, I was amazed at how much ground was covered in the span of one day. Most importantly, the info wasn’t bombarded at you and the instructor didn’t read the slides from a projector: you’re actually expected to do the work (Wow!).
Here’s how the days went:
- Each day had a bunch of numbered labs. All the course material was given in paper format to each student so they could follow the instructor with their versions.
- The instructor would present a concept and demo the lab on the projector.
- He’d give ten or so minutes and each student was expected to redo the lab on his own machine.
Many students had questions (I think most came from yours truly :) ) and the instructor and his Technical Assistant were not shy to come over to each student’s machine and help him/her click their way out of trouble. They really made it really hard for a student to be left in the dark.
Highly, highly recommend the course to anyone interested in reversing. I think it was a great experience for me, professionally and personally. I think the best takeaway was the deep dive on Day One. We were dealing with live, locked and loaded malware and understanding its techniques and intricacies without any fluff business. From what I understood, the authors have been teaching this course for over 15 years. I am also very happy and thankful to receive my GREM certification with a score of 94%!!