Introduction to malware reverse engineering, presented at AusCERT 2009

by Andrew Collins and Matthew Brunckhorst

Summary: A one-day practical tutorial teaching participants the basic skills involved in reverse engineering malware or unidentified binary files. The tutorial covers four key areas:
Malware behaviour profiling – Setup of a test environment and monitoring of the execution of an unknown binary. The practical work involves setting up a test environment, then observing and analysing the behaviour of a modified malware binary (the binary is modified so that it cannot infect, propagate or communicate outside the local network).
Introduction to Assembly – Overview of Intel assembly language and of how common high-level programming structures appear in assembly.
Reverse Engineering – Disassembly, analysis and modification of a binary file. The practical work involves analysing the Microsoft Minesweeper game binary, identifying where the key game decision points are, and modifying the original binary so that the game cannot be lost.
Malware Reverse Engineering – Profiling, disassembly and analysis of a modified malware binary file. The practical work involves setting up a profiling environment, identifying the malware's behaviour, identifying the binary packing scheme, and then extracting, disassembling and analysing the unpacked binary.
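The fourth area above lists "identifying the binary packing scheme" as a step before extraction and disassembly. A common first triage check for that is static: walk the PE section table and look for packer section names, sections with no file-backed data that are nevertheless executable (the usual unpacking destination), and sections whose Shannon entropy is near 8 bits per byte (compressed or encrypted content). The script below is an added example written for this page, not material from the tutorial or its authors; it builds two constructed, non-loadable PE-style byte strings in memory (a UPX-like layout and a plain layout), parses the DOS, COFF and section headers by hand, and scores the indicators. The packer section-name list, the 7.0 entropy threshold and the scoring weights are assumptions chosen for illustration; a real workflow would run this on a file from disk and confirm the result dynamically in the isolated test environment the tutorial describes.

```python
import math
import struct

# Section names that, in the author's experience, are characteristic of
# specific packers. This is an illustrative (assumed) subset, not a complete list.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                         ".petite", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; 8.0 is the maximum for byte data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform/empty, 8.0 for random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Parse the PE section table without any third-party library."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "characteristics": chars,
                         "entropy": shannon_entropy(data)})
    return sections


def assess_packing(pe: bytes) -> dict:
    """Score static packing indicators; 'likely_packed' is True at score >= 2 (assumed weights)."""
    sections = parse_sections(pe)
    indicators, score = [], 0
    for s in sections:
        ch = s["characteristics"]
        if s["name"] in KNOWN_PACKER_SECTIONS:
            indicators.append(f"{s['name']}: section name matches a known packer"); score += 2
        if s["raw_size"] > 0 and s["entropy"] >= ENTROPY_THRESHOLD:
            indicators.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed/encrypted data)"); score += 2
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000 and ch & IMAGE_SCN_MEM_EXECUTE:
            indicators.append(f"{s['name']}: executable but has no file data (unpacking destination)"); score += 1
        if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
            indicators.append(f"{s['name']}: writable and executable"); score += 1
    return {"likely_packed": score >= 2, "score": score, "indicators": indicators, "sections": sections}


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-loadable PE-style image (headers + section table + raw data)
    for demonstration only. sections: list of (name, virtual_size, raw_data, characteristics)."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, body, vaddr = b"", b"", 0x1000
    for name, vsize, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr,
                               len(data), raw_ptr if data else 0, 0, 0, 0, 0, chars)
        raw_ptr += len(data)
        body += data
        vaddr += (max(vsize, len(data), 0x1000) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + headers + body


# Constructed samples: a UPX-like layout (empty UPX0 destination, dense UPX1 payload)
# and a plain layout with low-entropy code and data.
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", 0x20000, b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1", 0x1000, bytes(range(256)) * 16, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])
CLEAN_SAMPLE = build_sample_pe([
    (".text", 0x1000, b"\x90" * 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, b"A" * 0x200 + b"B" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, sample in (("packed-style sample", PACKED_SAMPLE), ("clean-style sample", CLEAN_SAMPLE)):
        report = assess_packing(sample)
        print(f"{label}: likely_packed={report['likely_packed']} score={report['score']}")
        for line in report["indicators"]:
            print("  -", line)
```

Entropy alone is not proof of packing (large embedded images or certificates also score high), which is why the example combines it with structural signs and treats the verdict as a triage hint to be confirmed by running the sample in the isolated profiling environment.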