
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

SANS EU Malware in Memory

Written by Peter Silberman

Next Monday, April 18th, I’ll be presenting at the SANS EU Forensic Summit. I’m really impressed with the lineup of this SANS EU conference. It has a very eclectic mix of people talking. Ero Carrera will be discussing malware analysis. While Ero isn’t a forensicator, his insight into malware is pretty expansive, and his exposure to advanced malware is also pretty impressive. It will be a great talk.
 
Matthieu Suiche of MoonSols is also presenting. His presentation is always fun and very informative. There are a lot of other talks going on that run the gamut from traditional forensics to legal discussions. It should be a great conference.
 
I’ll be doing a 2 1/2 hour presentation/training at 7pm. This hybrid presentation/training is taken directly from the Advanced Memory Forensics in Incident Response class that Jamie Butler and I teach at Blackhat. We will go over malware in memory, why checking for malware in memory is important, what you can look for, generic malware behaviors, etc. All attendees will be given a boot camp in how to use and get the most out of Audit Viewer and Memoryze, and how to write Malware Rating Index (MRI) rules. They’ll also be given new copies of Audit Viewer and Memoryze (x64 support, anyone? Heck, if I stop traveling so much, we might even have support for Windows 7 32-bit or 64-bit, but I am not going to promise Jamie’s time).
 
We will then spend the rest of the class, hopefully an hour or more, examining case studies. The case studies are designed to mimic real-world incidents, from mass malware infection to insider threats and targeted attacks. Our case studies involve answering specific questions about an incident. Sometimes, especially when MRI is enabled, we’ll set time limits just to keep it sporting. It should be a lot of fun, and hopefully everyone will learn something new. I’m certainly looking forward to teaching it.
 
I’ll also be on a panel on Tuesday answering the question: “Discuss new ways to find malware on a machine. Which technique is the best?”

 


15 Apr 10 | Conferences, General