DeepSec 2018 Training: Malware Analysis Intro – Christian Wojner

Sanna/ September 28, 2018/ Conference, Security, Training

With malware (malicious software) featuring crypto-trojans (ransomware), banking-trojans, information- and credential-stealers, bot-nets of various specifications, and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software ıs becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT-Security. We asked Christian a few more questions about his talk.

Please tell us the main facts about your training.

This training is for every IT (Security) person who wants/needs to have their first encounter with the stunning field of malware analysis.

On the basis of an especially designed, exciting scenario blended with various technical detours packed into a 6-stages workshop, students will…

  • learn how easy it is to get infected by malicious software,
  • form a sense to assess what’s possible and what isn’t,
  • gain a comprehensive overview of the various malware categories and their according specifics,
  • learn about the individual phases of malware analysis and according tools including hands-on experience,
  • find out what malware analysts (are able to) do,
  • develop and hence understand typical strategic concepts and tactics in reverse engineering,
  • build a basic understanding of typical activities when dealing with cyber security incidents,
  • develop a realistic perspective regarding possibly upcoming malware incidents regarding their company,
  • learn a lot about the “hidden” gears under the hood of Microsoft Windows and modern operating systems in general and accordingly locate and fill gaps in their knowledge,
  • gather/train their abilities to deal with unforeseeable and even chaotic situations in a flexible and constructive manner thinking outside the box, and last but not least
  • build a stable foundation and therefore an ideal “trampoline” for next steps and further advancement in malware analysis.

How did you come up with it? Was there something like an initial spark that set your mind on creating this course?

I wanted to create a massively interactive beginners training, bundling the steps of malware analysis and the ones regarding the usually preceding incident response together. Something to start from, delivering useful knowledge for everyone that might get in touch with malware-driven incidents, especially if they are going to be a one-(wo)man-show. Beyond that, interested people can use it to get a basic overview and gut-feeling helping them to make their decision if the topic is worth to make a deeper dive into by visiting one of those “highly compressed information tsunamis”.

Why do you think this is an important topic?

Today’s cyber attacks targeting companies (apart from DOS) as well as cyber crime per se sooner or later introduce malicious or at least unwanted software. Executables aren’t mysterious things! Basic skills how to handle and analyze them will not only get one out of paralysis, but even enable them to learn about the core aspects and goals of the attack.

Is there something you want everybody to know – some good advice for our readers maybe?

Don’t be afraid of or stunned by executables (Portable Executable, PE file) in general! Think of them like MS Word or PDF documents – in terms of their basic nature that’s just what they are, with a special fetish of being bundled up with a certain amount of processable instructions (machine-code). Just like “normal documents” they have their master/core application that’s needed to initiate and process them, in terms of PE files it’s called “Loader”.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise/the topic of your training in particular?

To be honest, it’s Microsofts “Feature Update” approach that worries me a bit. These updates are not just tiny patches, but rather comparable to full service packs – twice a year now. In these terms we’ve already seen a bunch of unintended impacts especially on memory forensics tools like Volatility. Tools like the latter are algorithmically bound to kernel structures and their according fields and sizes. If such a structure changes chances are high that those tools will fail, at least to some extent. It’s hard for the community to keep up with those changes cause it takea a lot of effort. In the worst case the consequence is that one has to do memory forensics on a system that has just been updated, hence outdating their toolset, actually. In this case one would have to wait for an updated profile which can easily take multiple weeks. So, from that point of view, is it better for customers to have the latest updates installed, or not? I think we are going to see some murmurs and movements in this respect. In which direction? We’ll see.


Christian Wojner is one of the core team members of the national and governmental computer emergency response team (CERT) of Austria ( Austria). Apart from his classical IT security incident handling and response duties, he particularly specializes in computer forensics with a very strong focus on analysis and reverse engineering of (malicious) software on Microsoft Windows based systems. In this respect, Christian is the author of various technical articles and papers, frequently gives talks specifically focusing on malware analysis, and supports the IT security community with his contributions in terms of forensical software tools, a lot of them as part of forensics software compilations like SANS’ specialized Linux distributions for reverse engineering (REMnux) and computer forensics (SIFT). One of his most popular projects however, is ”ProcDOT“, which gave behaviour-based malware analysis a massive boost in terms of efficiency and simplicity due to its visual approach using animated, interactive behaviour graphs. Besides being featured in many articles, ProcDOT was the 2nd place winner of Russ McRee’s Toolsmith ”Tool of the Year Award“ in 2013.

Share this Post