<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ReversingLabs &#124; Blog &#187; Training</title>
	<atom:link href="http://blog.reversinglabs.com/tag/training/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.reversinglabs.com</link>
	<description>Everything in reverse...</description>
	<lastBuildDate>Sat, 02 Jul 2011 10:53:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.4</generator>
		<item>
		<title>REcon recap</title>
		<link>http://blog.reversinglabs.com/2010/07/recon-recap/</link>
		<comments>http://blog.reversinglabs.com/2010/07/recon-recap/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 17:12:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[ReversingLabs]]></category>
		<category><![CDATA[ReCon]]></category>
		<category><![CDATA[TitanEngine]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://blog.reversinglabs.com/?p=754</guid>
		<description><![CDATA[RECon party - We got freestyle rapped @ 3:50 We had a great time during this year's REcon Conference last week.  Now it is the time to sort out our impressions. First of all, thanks to all that attended our TitanEngine training and during the course of 3 days learned how to make unpackers with [...]]]></description>
			<content:encoded><![CDATA[<div style="text-align: center;"><a href="http://www.youtube.com/watch?v=0UGVNljKhQs"><img src="http://blog.reversinglabs.com/wp-content/plugins/youtube-with-style/inc/img.php?v=0UGVNljKhQs"></a><br />
<em><a href="http://recon.cx/2010/party.html" target="_blank">RECon party</a> - We got freestyle rapped @ 3:50</em></div>
<p style="text-align: justify;">We had a great time during this year's <a href="http://www.recon.cx" target="_blank">REcon</a> Conference last week. Now it is time to sort out our impressions. First of all, thanks to all who attended our <a href="http://recon.cx/2010/training4.html" target="_blank">TitanEngine training</a> and, over the course of 3 days, learned how to make unpackers with our engine. We covered coding of both static and dynamic unpackers and showed how to deal with the complex protection options that reverse engineers come across on a daily basis. In addition to training attendees, we also want to thank everyone who grabbed one of our TitanEngine T-shirts to show support for the project. You want one too? Click <a href="http://blog.reversinglabs.com/2010/07/reversinglabs-summer-challenge/">here</a>...</p>
<p style="text-align: justify;">We can, without any false flattery, call REcon our <a href="http://twitter.com/alexsotirov/status/18416332164" target="_blank">favorite small conference</a> and promise to be back next year too! But that doesn't mean that everything went smoothly, as there were some problems with the air conditioning that flooded the conference Twitter feed with AC-related rants. The heat was so bad that the conference <a href="http://recon.cx/2010/speakers.html#ethical" target="_blank">opening talk</a> dedicated a good amount of time to it. Being slightly older than the average REcon attendee, Richard Thieme drew a parallel between <a href="http://en.wikipedia.org/wiki/Woodstock_Festival" target="_blank">Woodstock</a> and the problems we had. He argued that Woodstock wasn't that great either but that over time it became a myth due to people, rain and mud and that the same can be said about the heat in Montreal, which will probably make us say at some later REcon "remember the one when the AC was broken? That one was great!" Because indeed it was, and as the AC problems went away, everyone's will to commune ignited. And the people who attend the conference on a regular basis are probably the best thing about the conference. Don't get us wrong, the trainings were great, the talks were awesome but it was the people who impressed us the most. And it is these great people that we will meet again in two weeks at <a href="http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Vuksan" target="_blank">BlackHat US</a>. Until then...</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.reversinglabs.com/2010/07/recon-recap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TitanEngine training course at BlackHat</title>
		<link>http://blog.reversinglabs.com/2010/03/titanengine-at-blackhat/</link>
		<comments>http://blog.reversinglabs.com/2010/03/titanengine-at-blackhat/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 09:59:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[TitanEngine]]></category>
		<category><![CDATA[BlackHat]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://blog.reversinglabs.com/?p=386</guid>
		<description><![CDATA[In addition to the TitanEngine course at REcon in Montreal, there is another course that will teach you how to use TitanEngine. So, if you are in Vegas for BlackHat, you might want to check out the Advanced Malware Deobfuscation training by Jason Geffner &#38; Scott Lambert. Here is the course description: Advanced Malware Deobfuscation by [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In addition to the <a href="http://blog.reversinglabs.com/2010/03/titanengine-at-recon/">TitanEngine course at REcon in Montreal</a>, there is another course that will teach you how to use TitanEngine. So, if you are in Vegas for <a href="http://www.blackhat.com/" target="_blank">BlackHat</a>, you might want to check out the <a href="http://www.blackhat.com/html/bh-us-10/training/bh-us-10-training_sl-advmal.html" target="_blank">Advanced Malware Deobfuscation training by Jason Geffner &amp; Scott Lambert</a>. Here is the course description:</p>
<h3 style="text-align: center;">Advanced Malware Deobfuscation by Jason Geffner &amp; Scott Lambert</h3>
<h3 style="text-align: justify;">Overview:</h3>
<p style="text-align: justify;">Security researchers are facing a growing problem in the complexity  of malicious executables. With an ever-increasing number of tools that  malware authors use to compress and obfuscate executables, and the  pressing urgency that analysts often face, it is vital for analysts to  know the best methods to remove protections that they have never seen  before.</p>
<p style="text-align: justify;">Unpacking is the process of removing the compression and obfuscation  applied by a “packer” (or “protector”) to a compiled and linked binary.  This class will focus on teaching attendees the steps required to  effectively deal with both known and previously unknown packing  techniques.</p>
<p style="text-align: justify;">This is a hands-on course. Attendees will work on real-world malware  through a series of lab exercises designed to build their expertise in  thwarting anti-debugging and anti-disassembling techniques.</p>
<h3 style="text-align: justify;">Day One:</h3>
<p style="text-align: justify;">The first day will focus on understanding the problems presented by  obfuscated malware and the steps required to effectively return the  malware to an analyzable state. You will begin the day by learning the  fundamentals of the Portable Executable (PE) file format. Then, through a  series of lab exercises you will learn reliable methods for finding the  Original Entry Point. With this knowledge in-hand, you will write  software to construct a valid PE file on disk from the memory of a  running process. You will complete this exercise by reconstructing the  Import Table, effectively returning the executable to its pre-obfuscated  state. With this virgin executable, you will apply static analysis  techniques to determine the malware’s malicious capabilities.</p>
<p style="text-align: justify;">The day will include a series of lab exercises focused on defeating  anti-debugging tricks such as hardware/software breakpoint detection,  generic/specific debugger detection, unpacker stub detection, Thread  Local Storage callback functions, and more.</p>
<ul style="text-align: justify;">
<li>PE File Format Essentials</li>
<li>Fundamentals of Win32 Debugging</li>
<li>Methods for Finding the Original Entry Point</li>
<li>Manual and Assisted Import Table Reconstruction</li>
<li>Overcoming Anti-Debugging Tricks</li>
<li>User-Mode and Kernel-Mode Hooking and Code-Splicing</li>
</ul>
<h3 style="text-align: justify;">Day Two:</h3>
<p style="text-align: justify;">The second day will focus on how to unpack a heavily armored malware  sample. You will learn about the concept of protected processes and how  to decouple parent/child processes. Next, you will learn how API  redirection utilizes stolen bytes. Then, you will master everything  there is to know about Structured Exception Handling injection and  redirection. Lastly, you will learn how chunked packing works, how to  recognize it, and how to defeat it.</p>
<p style="text-align: justify;">The day will end in a contest in which attendees will pit their wits  against one another to analyze a heavily armored executable.</p>
<ul style="text-align: justify;">
<li>Protected Processes</li>
<li>Exception Injection and Redirection</li>
<li>API Redirection</li>
<li>Chunked Packing</li>
<li>Utilizing TitanEngine from ReversingLabs as an Unpacking  Framework</li>
</ul>
<h3 style="text-align: justify;">Who Should Attend:</h3>
<p style="text-align: justify;">This class is for skilled security analysts who wish to learn how to  remove binary obfuscation from malware for analysis purposes. It is  expected that attendees have a firm understanding of x86 assembly  language and the Microsoft Windows API. Reverse engineering experience  is desired, though not required.</p>
<h3 style="text-align: justify;">What do I get:</h3>
<ul style="text-align: justify;">
<li>Hard copies of lecture slides and lab exercises.</li>
<li>A CD containing links to all tools and reference materials used  throughout the course.</li>
<li>Solutions and written walkthroughs for all lab exercises.</li>
</ul>
<h3 style="text-align: justify;">Course Length:</h3>
<p style="text-align: justify;">Two days. All course materials, lunch and two coffee breaks will be  provided. A Certificate of Completion will be offered. You must provide  your own laptop.</p>
<h3 style="text-align: justify;">Software Requirements:</h3>
<p style="text-align: justify;">Attendees must bring their own laptop with a 32-bit version of  Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 or  Windows 7 installed inside of a virtual machine (such as Microsoft®  Virtual PC 2007 or VMware Workstation). Prior to the first day of the  course, attendees are expected to have the following software installed  in a virtual machine:</p>
<ul style="text-align: justify;">
<li>API Imports/Exports Viewer - <a href="http://www.dependencywalker.com/" target="_blank">Dependency  Walker</a></li>
<li>API Logger - <a href="http://www.autodebug.com/download.php" target="_blank">Auto Debug Professional</a></li>
<li>C++ Compiler - <a href="http://www.microsoft.com/express/Downloads/#2008-Visual-CPP" target="_blank">Microsoft® Visual C++ 2008 Express Edition</a></li>
<li>Debugger - <a href="http://www.ollydbg.de/download.htm" target="_blank">OllyDbg</a></li>
<li>Disassembler - <a href="http://www.hex-rays.com/idapro/idadowndemo.htm" target="_blank">IDA  Pro Demo</a></li>
<li>Hex Editor - <a href="http://www.bpsoft.com/downloads/index.html" target="_blank">Hex  Workshop</a></li>
<li>IT Reconstructor / Memory Dumper - <a href="http://www.woodmann.com/collaborative/tools/images/Bin_ImpREC_2008-3-10_19..49_ImpREC_1.7c.rar" target="_blank">Import REConstructor</a></li>
<li>Microsoft® Windows® SDK - <a href="http://www.microsoft.com/downloads/details.aspx?familyid=E6E1C3DF-A74F-4207-8586-711EBE331CDC" target="_blank">Windows SDK for Windows Server 2008</a></li>
<li>Packer Detector - <a href="http://www.peid.info/download.html" target="_blank">PEiD</a></li>
<li>Packer Detector - <a href="http://www.exeinfo.xwp.pl/" target="_blank">ExeInfo PE</a></li>
<li>Packer Detector - <a href="http://at4re.com/download.php?view.5" target="_blank">AT4RE FastScanner</a></li>
<li>PE Editor - <a href="http://www.woodmann.com/collaborative/tools/images/Bin_LordPE_2007-10-21_1..48_LordPE_1.41_Deluxe_b.zip" target="_blank">LordPE</a></li>
<li>Strings Dumper - <a href="http://www.foundstone.com/us/resources/proddesc/bintext.htm" target="_blank">BinText</a></li>
<li>Unpacking Framework - <a href="http://www.reversinglabs.com/download/TitanEngine.rar" target="_blank">TitanEngine</a></li>
</ul>
<h3 style="text-align: justify;">Trainers:</h3>
<p style="text-align: justify;"><strong>Jason Geffner</strong> joined Next Generation Security  Software Ltd. in June of 2007 as a Principal Security Consultant. Jason  focuses on performing security reviews of source code and designs,  reverse engineering software protection methods and DRM protection  methods, penetration testing web applications and network  infrastructures, and developing automated security analysis tools.</p>
<p style="text-align: justify;">Prior to joining NGS, Jason spent three years as a Reverse Engineer  on Microsoft Corporation's Anti-Malware Team, where his work involved  analyzing malware samples, deobfuscating binaries, and writing tools for  analysis and automation. Jason was the Security Research &amp; Response  owner of the Windows Malicious Software Removal Tool (MSRT). He chose  which new malware families for the MSRT to detect and clean each month  based on his analysis of the telemetry and trends of the underground  malware community. Jason authored tens of thousands of malware  signatures and dozens of malware analyses based on static and dynamic  analyses of obfuscated binaries. His work on the MSRT helped hundreds of  millions of Windows users each month keep their computers safe and  secure. While at Microsoft, Jason was recognized for his reverse  engineering skills and for his efforts to drive awareness of reverse  engineering practices throughout the company by being given the formal  job title "Reverse Engineer"; Jason was the only Microsoft employee with  this title.</p>
<p style="text-align: justify;">Jason holds several patents in the fields of reverse engineering and  network security. He is a Program Committee member of the Reverse  Engineering Conference (REcon) and of the International Conference on  Malicious and Unwanted Software, is a regular trainer at Black Hat and  other industry conferences, is often credited in industry talks and  publications, and has been actively reverse engineering and analyzing  software protection methods since 1995.</p>
<p style="text-align: justify;"><strong>Scott Lambert</strong> is a senior Security Researcher on the  Microsoft Malware Protection Center (MMPC) team.  Much of Scott's  current research centers around binary reverse engineering frameworks  that leverage a combination of both static and dynamic binary  instrumentation, taint analysis and SMT solvers to aid in vulnerability  analysis and signature development.  In his spare time he supports the  Microsoft Vulnerability Research (MSVR) program by developing proof of  concept code execution exploits and serving as a technical expert on 3rd  party vendor engagements.</p>
<p style="text-align: justify;">Prior to joining Microsoft, Lambert developed, maintained and  supported numerous computer security applications ranging from  Vulnerability Assessment and Risk Management software to Network and  Host-Based Intrusion Detection/Prevention Systems for companies such as  L-3 Network Security, Veridian Information Solutions, Symantec  Corporation and TippingPoint, a division of 3Com.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.reversinglabs.com/2010/03/titanengine-at-blackhat/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>TitanEngine training course at ReCon</title>
		<link>http://blog.reversinglabs.com/2010/03/titanengine-at-recon/</link>
		<comments>http://blog.reversinglabs.com/2010/03/titanengine-at-recon/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 12:19:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[ReversingLabs]]></category>
		<category><![CDATA[TitanEngine]]></category>
		<category><![CDATA[ReCon]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://blog.reversinglabs.com/?p=374</guid>
		<description><![CDATA[Coding Unpackers for Fun and Profit: TitanEngine Training by Tomislav Pericin and Nicolas Brulez Learn how to analyze, unpack and code unpackers for software packers and protectors. Attendees will receive hands-on experience working with the ReversingLabs TitanEngine framework, designed for unpacker creation. Instructors: Tomislav Pericin and Nicolas Brulez Dates: 6-8 July 2010 Availability: 10 Seats [...]]]></description>
			<content:encoded><![CDATA[<h2 style="text-align: center;">Coding Unpackers for Fun and Profit: TitanEngine Training by<br />
Tomislav Pericin and Nicolas Brulez</h2>
<p style="text-align: justify;">Learn how to analyze, unpack and code unpackers for software packers and  protectors. Attendees will receive hands-on experience working with the  ReversingLabs TitanEngine framework, designed for unpacker creation.</p>
<p style="text-align: justify;">Instructors: Tomislav Pericin and Nicolas Brulez<br />
Dates: 6-8 July 2010<br />
Availability: 10 Seats</p>
<h3 style="text-align: justify;">Day 1: Static file analysis and static unpacker coding</h3>
<p style="text-align: justify;">The focus of the first day is manual file unpacking and static file  analysis. We go into deep format analysis to create both simple and more  complex static unpackers.</p>
<p style="text-align: justify;">We will focus on real-world protections you are likely to encounter  on a day-to-day basis.</p>
<h3 style="text-align: justify;">Day 2: Dynamic file analysis and dynamic unpacker coding</h3>
<p style="text-align: justify;">The second day will cover manual file unpacking and dynamic file  analysis. We go into deep format analysis for creating simple and more  complex dynamic unpackers. Special attention will be given to dynamic  unpacker coding layout and the benefits of using TitanEngine to minimize  the time it takes to create an unpacker.</p>
<p style="text-align: justify;">Our focus will be on real world packers you are likely to encounter on a  day-to-day basis. These packers top the charts in legitimate software  compression, but are often used as malware envelopes.</p>
<h3 style="text-align: justify;">Day 3: Advanced file analysis and coding complex unpackers</h3>
<p style="text-align: justify;">On day 3, we will cover the manual unpacking of complex file packing and protection systems. Special attention will be given to methods used to harden against format reverse engineering and prevent unpacking. We will describe common protection techniques utilized by both legitimate software protectors and those specifically designed for use in malware. We will then use this information to show the coding techniques needed for such complex dynamic unpackers and ways to counter all the tricks used to harden detection, analysis and unpacking.</p>
<p style="text-align: justify;">Our focus will be on the real-world protections you are likely to  encounter on a day-to-day basis.</p>
<p>More info <a href="http://www.recon.cx/2010/training4.html" target="_blank">here</a>...</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.reversinglabs.com/2010/03/titanengine-at-recon/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

