When I saw Lenny Zeltser was teaching the SANS FOR610 course “Reverse-Engineering Malware” in Prague this year I dashed to my boss’s office to beg him for approval to attend. The topic is not only very relevant to our work here at i-Force/Cyberforce but was going to be taught by one of the topic’s spiritual leaders, so to speak. I haven’t come across another analyst that doesn’t use Remnux, the Linux distribution created and maintained by Mr. Zeltser. I have a Remnux cheat sheet on my desk at all times. So I jumped at the chance to be present. It’s like having the opportunity of being trained in using the Force by Yoda himself and, instead of having to go to the Dagobah system, having him pop over to your side of the galaxy.
This was my third SANS course (I’m a 408-508 alumnus) so I knew what to expect: a warm welcome, a nice classroom in an upscale hotel, great food at lunch, snacks at break time and, more importantly, “education by firehose”. I had heard good things about Prague, and DFIR and Prague are a good combination. They love their beer over there.
At the end of day 1 I returned to my hotel room ecstatic: I had chosen the right course. I followed along perfectly with the hands-on labs. I even let loose malware on my system and was able to analyze what the malware does. Okay, they are basically holding your hand on Day 1 while you do this, but it was a wonderful introduction to what was possible.
Day 2, on the other hand, was something else entirely. Day 2 introduced us to the world of assembler and assembly language, and by the time it was over I was starting to question my career choices. I went through a few existential crises along the way. I went from “what the hell am I doing here” and “hmm, maybe I CAN do this”, to “I got this. Maybe.” Day 2 was rough. I have to add that I am not a programmer. I come from a sysadmin background and while I am able to script a few things, I haven’t written a full-blown program ever in my life. Day 2 was also written by Jake Williams, whose knowledge might even be deeper than Lenny Zeltser’s on this particular topic. And this shows in the course materials. He presumes you know how CPU registers work, which of course I don’t. Day 2 is a shock. It violently yanks you back to earth. I don’t know if it’s by design but once again: I had a rough time.
To my horror, Day 3 was called “In-Depth Malware Analysis”. So Day 2 wasn’t in-depth? On this day we looked at packed malware, intercepting network connections and interacting with malicious websites. Another day that left my head reeling.
On Day 4, our malware samples started to fight back. I failed to mention that at the beginning of the course we got two virtual machines: a Windows workstation chock full of all kinds of preinstalled tools and a Remnux distro. These two environments were configured so that they could interact only with each other. This is a good thing, because we also got a nice collection of malicious software. Very nasty stuff in some cases that tries really hard to make your life miserable. Especially on day 4 we saw malware locking us out of our machines and other samples trying their very best to escape our attention.
Day 5 then focused on PDF and Office-based malware, and we applied some memory forensics as well. If there’s one criticism I would direct at the course content, it is that you could easily make 2 days out of this 5th day. The information was once again very densely packed. You do get your money’s worth, that’s for sure. But at the end of day 5 the feeling is one of being completely and utterly overwhelmed.
That is where day 6 comes in. On Day 6 a NetWars-type tournament is run in the classroom where you get to apply the knowledge that you thought you hadn’t retained. It starts out with some easy questions and then gradually opens up and forces you to actively analyze malware samples and answer questions about them. We got 6 hours, the scoreboard was projected on the screen in front of the class and the battle started. I ended up smack in the middle of the pack. Strangely enough, this day eradicated all the self-doubt I had in my mind. I could actually do this. The questions guided me towards the answers, but I had retained a lot more than I thought I had. In other SANS courses the challenges are in a group context and require some presentation skills as well. Here you battle on your own against your colleagues. The fact that a lot of people didn’t bother to go to lunch and wanted to score as many points as possible illustrates a lot, I think.
Lenny Zeltser’s knowledge about the topic is extremely deep and you can tell he is passionate about it. So passionate that we had to remind him that it was way past lunchtime (he simply forgot). I really like his teaching style. He likes to add a lot of mostly self-deprecating and extremely subtle humor along the way. What was strange is that almost nobody in my class picked up on this. You could see two or three people chuckling at a certain remark that left me smiling for minutes.
Overall, as a non-coder, I thought the course was excellently balanced: from an easy day 1 to a very hard second day, then a few days to ‘flesh out’ the knowledge, with day 6 tying things together. You can tell that this course is the result of continuous improvement. It was a fantastic experience: from being taught by the very best, to meeting colleagues from other countries and companies.
Small disclaimer: I am not paid by SANS to write this. I was so happy about the course that it reads a bit like an advert. That was not intentional. They can send me money if they want 🙂 Anyway, a warm recommendation from us!
@coaxcopy on the Twitter