Course Details:
Number of Days: 4
Attendance: In-Person
Course Description:
This fast-paced 4-day course will make students familiar with reverse engineering Linux malware, starting with a dense walk-through of Linux OS internals and Linux binary analysis techniques before jumping right in with common Linux malware. We will quickly work our way up to advanced samples, targeted malware, Linux software protection techniques and packers. We will cover Go, Rust, and C++ malware samples, and explore recent rootkits targeting Linux.
Students will walk away with a deep understanding of Linux binary analysis techniques and knowledge of the Linux threat landscape, able to dissect advanced Linux malware in their day-to-day operations.
Course Outline:
Day 1
Familiarization with analysis environment using introduction malware
Linux-specific reverse engineering concepts, Linux OS internals and the ELF file format
Compiling, linking, loading, process execution
Practice learned skills on a selection of DDoS bots, bitcoin miners, and ransomware: the Linux most-wanted
This day includes Conti ransomware, Gafgyt DDoS bot, and a rootkit installer
Day 2
Dynamic analysis of malicious software on Linux, tool internals and techniques
C++ reverse engineering with Linux malware examples from real world attacks
Go and Rust reverse engineering of Linux malware
This day includes the SSHDInjector backdoor, Ezuri memory loader, Brickstorm malware, Lockbit, Luna and Blackcat ransomware
Day 3
Linux analysis evasion tricks, packers, process injection techniques
Hands on unpacking and evasive sample analysis
Linux rootkits and eBPF based malware such as Diamorphine, Syslogk, and Symbiote
Other malware covered includes BPFdoor and the VMProtect packer
Day 4
Targeted Linux malware samples, cases like Turla, Cloudsnooper, and AcidRain
Advanced analysis automation techniques using eBPF and Frida
Closing lab with a choice of Linux malware, from commodity to targeted
Prerequisites:
Prior knowledge of basic or intermediate x86-64 reverse engineering is required. I will do my best to meet students where they are regardless. The analysis environment must be set up before the class. A laptop with an x86-64 chip, a minimum of 50GB of free disk space, VirtualBox virtualization software, and permission to install software on the system are required.
Target audience:
Reverse engineers of any level with an interest in malware; beginners will need to take my free online 8h preparation class
Malware analysts with the desire to increase the depth of their knowledge
Software developers and security practitioners with a good systems internals foundation and keen interest in modern day malware attacks
About the Instructor: Marion Marschalek
Marion Marschalek is an independent security consultant and trainer with her consulting company Hack & Cheese. Prior to that she held senior positions at AWS and Intel, and different roles in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is a frequent speaker at major security conferences, including Black Hat, Defcon, HITB, RSA, and SyScan, among others. She used to teach reverse engineering classes at University of Applied Sciences St. Poelten, from where she graduated in 2011 with a Master's Degree in Information Security. In 2015 she started a hacker bootcamp for women titled BlackHoodie, which over the years established itself as a global initiative to attract more diverse talent to the security industry. In her spare time she enjoys long distance running.