SANS expanded the Reverse-Engineering Malware course (FOR610) to include a day's worth of capture-the flag malware analysis challenges. The challenges are built upon the NetWars tournament platform and are designed to reinforce the skills learned earlier in the course by experimenting with real-world malware. You can get a sneak peak at the new experience.
There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because offers sufficient protection and is simple to implement. Here's a look at several tools for deobfuscating XOR-encoded data during static malware analysis.
MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files.
This week in Case Leads we have a great new update to REMnux, two new tools for registry analysis and be sure to vote for the Forensic 4cast Awards right after you hop over to the new REM community on Stack Exchange.
If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it firstname.lastname@example.org.
- REMnux, the linux distro designed for malware reverse-engineering, has been updated to version 4 and it's now distributed as a VMware virtual appliance, a bootable ISO and as an OVA virtual appliance. An overview of the appliance installation was covered on this blog a couple of days ago, and SANS is hosting a webcast to go over what's new in
REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. Here is how to install the REMnux virtual appliance using common virtualization tools, such as VMware and VirtualBox, thanks to the Open Virtualization Format (OVF/OVA).