Lenny Zeltser's Website

Comprehensive Review of SANS' Reverse-Engineering Malware Course

Fri, 6 Aug 2010 07:02:58 -0500

EthicalHacker.net published a comprehensive review by Justin Kallhoff of my 5-day Reverse-Engineering Malware (REM) course.

Combating Malware in the Enterprise: New 2-Day Course Debuts at Half-Price

Tue, 3 Aug 2010 06:18:28 -0500

The new 2-day Combating Malware in the Enterprise course, which I present at SANS Institute, teaches a practical approach to discovering and mitigating malware threats in an enterprise environment. I authored the first half of the course, building upon my anti-malware experience. My co-author is Jason Fossen, who has amassed incredible expertise securing Microsoft Windows-based environments. The course will debut in Las Vegas at half price; full price at DC.

Interview on SecuraBit Podcast

Fri, 23 Jul 2010 05:56:12 -0500

I joined the conversation on the SecuraBit Episode 61 podcast, discussing malware analysis techniques and the ways in which the REMnux distribution can assist.

REMnux: A Linux Distribution for Reverse-Engineering Malware

Thu, 15 Jul 2010 4:46:41 -0500

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. I use REMnux in the malware analysis course I teach at SANS. REMnux is also available as a public download, and is now available as a Live CD image and as a VMware virtual appliance.

Interview on on the Ethical Hacker Network

Fri, 2 Jul 2010 20:16:18 -0500

I was interviewed by the Ethical Hacker Network's Jamy Klein on topics related to malware. The full interview is at the following link.

Discussing Malicious Document Analysis at PaulDotCom Podcast

Mon, 14 Jun 2010 7:36:12 -0500

I discussed the threat of malicious documents (Microsoft Office and Adobe PDF) and associated analysis techniques on the PaulDocCom podcast, Episode 200. The eposode was recorded in support of hackersforcharity.org. Download the recorded MP3 of the conversation.

Critical Log Review Checklist for Security Incidents

Mon, 8 Mar 2010 19:12:58 -0500

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. (Co-authored with Anton Chuvakin.)

5 Steps to Building a Malware Analysis Toolkit Using Free Tools

Sun, 7 Mar 2010 13:49:32 -0500

Examining the capabilities of malicious software allows your IT team to better assess the nature of a security incident, and may help prevent further infections. Here's how to set up a controlled malware analysis lab for free.

SANS Malware Course Now Covers Analysis of Malicious Documents and Memory Forensics

Fri, 19 Feb 2010 07:15:21 -0500

As the world of malware continues to evolve, so must the defenders' ability to understand the nature of the threat. Fortunately, the development of tools and techniques for reverse-engineering malicious software is not standing still. I'm excited about the opportunity to cover additional approaches to analyzing malware as part of the REM course expansion. The topics added to the course include analyzing malicious document files (Microsoft Office and Adobe PDF), as well as memory forensics.

Interview on InfoSec Daily Podcast

Fri, 15 Jan 2010 06:32:27 -0500

I joined the conversation on the InfoSec Daily Podcast, Episode 43. discussing malware threats and analysis trends.

Analyzing Malicious Documents Cheat Sheet

Thu, 19 Nov 2009 22:31:19 -0500

This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files.

What to Include in a Malware Analysis Report

Sat, 07 Nov 2009 13:05:58 -0500

This note summarizes my recommendations for what to include in the report that describes the results of the malware analysis process.

Free Online Tools for Looking Up Potentially Malicious Websites

Mon, 02 Nov 2009 21:01:22 -0500

Several organizations offer free on-line tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real time to identify threats. Here's a list of site tools.

Public Blocklists of Suspected Malicious IPs and URLs

Sun, 01 Nov 2009 19:12:55 -0500

Several organizations maintain and publish blocklists (a.k.a blacklists) of IP addresses and URLs of systems and networks suspected in malicious activities on-line. Here are the publicly-available lists.

Free Automated Malware Analysis Services

Fri, 30 Oct 2009 09:37:11 -0500

There are several free automated malware analysis services that can examine compiled Windows executales to save us time and provide a sense about the specimen's capabilities. Here's a listing of such free on-line tools.

What to Include in a Malware Analysis Report

Wed, 30 Sep 2009 11:58:12 -0500

In my SANS Institute course, I teach security and systems professionals how to reverse-engineer malicious software. This note summarizes my recommendations for what to include in the report that describes the results of the malware analysis process.

Webcast: Malware Threats and Defenses That Work

Sun, 20 Sep 2009 19:14:02 -0500

Malicious software is an integral and dangerous component of many breaches. Despite the general acknowledgement of the problem, malware thrives in the Internet ecosystem, affecting organizations large and small. In this free webcast, I will survey key characteristics of today's malware, exemplified by recent bots, trojans, and browser scripts. I will also discuss methods for fighting malware threats that stand a chance of being effective, offering my perspective on practical defensive controls. Listen to the recorded webcast and download slides with full speaker notes.

Security Architecture for Internet Applications

Thu, 18 Jun 2009 18:24:46 -0500

This two-page cheat sheet offers tips for the initial design and review of an Internet application's security architecture.

Podcast: Security Risks and Mitigation Suggestions of Social Networking Sites

Wed, 10 Jun 2009 21:25:13 -0500

In this podcast interview, I discuss the risks that social networking sites introduce to enterprises. I also suggest a few mitigation strategies. What are drop-by-drop data leaks about? Tune in to find out.

Troubleshooting Human Communications

Tue, 02 Jun 2009 07:15:21 -0500

This one-page cheat sheet offers communication tips for technologists, engineers, and information workers.

A Discussion on the PaulDotCom Webcast: Episode 150

Mon, 4 May 2009 22:30:10 -0500

I joined the conversation on the PaulDotCom webcast, Expisode 150, talking about the need for a more pragmatic approach to information security and also dicussing malware trends.

5 Security Assessment Steps for Mid-Sized Firms

Mon, 4 May 2009 22:22:51 -0500

Budget, time and staff limitations require companies to be selective about information security spending. This article presents key steps that outline what to look for.

3 Steps to Improving Your Data Safeguards

Mon, 4 May 2009 22:03:11 -0500

Protecting data in dynamic and diverse environments is a formidable challenge. This article explains how to better safeguard data with the help of data inventory, sharing practices, and leak detection.

How to Be Heard in IT Security and Business.

Thu, 16 Apr 2009 16:22:15 -0500

How to make your message, request, or proposal heard by the people whos support you require? Read my 10 tips with recommendations to capturing the individuals' attention.

A Malware Discussion on the McAfee AudioPasitics Webcast

Wed, 15 Apr 2009 09:12:22 -0500

I had the pleasure of contributing to the McAfee AudioParasitics webcast, where we discussed malware trends, attacker's motivations, Internet scams, and related Internet security topics.

A Free Introduction to Malware Analysis - Recorded Webcast

Tue, 03 Mar 2009 07:14:12 -0500

In this free 1-hour webcast (recorded), I outline the process for reverse-engineering malicious software. I cover both behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You'll learn the fundamentals and associated tools to get started with malware analysis. The password for the webcast is "preview".

I am on Twitter as lennyzeltser

Tue, 13 Jan 2009 07:22:59 -0500

If you are interested keeping a closer tab on my activities, you are welcome to follow me on Twitter.

Information Security Assessment RFP Cheat Sheet

Wed, 07 Jan 2009 21:54:34 -0500

This cheat sheet offers tips for planning, issuing and reviewing Request for Proposal (RFP) documents for information security assessments. It aims at helping organizations receive security RFP responses best suited for their requirements.

Security Assessment Tips: Where the Risks Are

Mon, 01 Dec 2008 17:27:22 -0500

This article describes the various types of information security assessments, and offers tips for deciding which assessment is right for your situation.

Network DDoS Incident Response Cheat Sheet

Mon, 01 Dec 2008 08:11:12 -0500

This cheat sheet offers tips for battling a network distributed denial-of-service (DDoS) attack on your infrastructure. I compiled and co-authored this one-page reference based upon the insights offered by several contributors.

Malware Analyst - Job Description

Mon, 10 Nov 2008 07:11:19 -0500

What does the job of a malware analyst entail? If you're looking to get into this field, or if you're looking for ideas that can help you succeed there, read on. You might also find this page useful if you are creating a job description for hiring such a person.

Initial Security Incident Questionnaire for Responders

Wed, 05 Nov 2008 07:15:51 -0500

This cheat sheet offers tips for assisting incident handlers in assessing the situation when responding to a qualified incident by asking the right questions. It builds upon the incident survey cheat sheet I published earlier.

Security Incident Survey Cheat Sheet for Server Administrators

Sun, 02 Nov 2008 16:28:07 -0500

This cheat sheet captures tips for examining a suspect server to decide whether to escalate for formal incident response. It covers the general approach, and outlines commands for Windows and Unix using built-in tools. One-sheet version for printing and editing is included.

Reverse-Engineering Cheat Sheet

Mon, 18 Aug 2008 10:08:22 -0500

I created a one-page cheat sheet of shortcuts and tips for reverse-engineering malware. It covers the general malware analysis process, as well as useful tips for OllyDbg, IDA Pro, and other tools. An editable version of this file is also available, if you'd like to customize the cheat sheet for your own needs. My reverse-engineering malware course explores these, and other useful techniques.

Webcast on Penetration Testing Beyond Front-Line Exploits

Fri, 18 Jul 2008 16:55:12 -0500

In this free one-hour webcast, I discuss tools and techniques for going beyond the basic exploits-focused penetration testing methodology. To attend it live, tune in on August 5 at 1:00 PM EDT. An archived version of the webcast will be available.

Webcast on the State of Malware in 2008

Thu, 12 Jun 2008 11:45:11 -0500

In this free one-hour webcast, I examine the characteristics of today's malware, exemplified by recently-seen bots, downloaders, keyloggers, and malicious scripts.An archived version of the webcast is available, complete with audio and presentation slides.

Stopping Malware on its Tracks

Sat, 7 Jun 2008 16:07:12 -0500

This article presents recommendations for addressing the risks associated with modern malware. Stopping malware requires an approach grounded in awareness and control. The article includes a link to my related webcast on protecting users from web-based threats.

Testing for Client-Side Vulnerabilities

Thu, 1 May 2008 11:40:15 -0500

When searching for low-hanging fruit, attackers are paying closer attention to client-side vulnerabilities on internal workstations. So should you, when performing security assessments. This article describes how to test for client-side vulnerabilities during a security assessment.

Social Engineering During Security Assessments

Wed, 19 Mar 2008 22:36:16 -0400

Rare is the case when a determined penetration tester or attacker fails to trick his targets into releasing sensitive information. This article explains how to incorporate social engineering testing into information security assessments.

Malware Course Interview on the PaulDotCom webcast.

Sun, 27 Jan 2008 21:49:15 -0500

PaulDotCom interviewed SEC602 course co-authors during its January 24, 2008, webcast. We discussed key procedures for malware analysis, malware trends, and the expansion of the Reverse-Engineering Malware course. MP3 of the webcast is now available.

Announcing the expansion of the Reverse-Engineering Malware course.

Fri, 28 Dec 2007 11:58:21 -0500

Announcing the expansion of the Reverse-Engineering Malware course. Here's the full announcement.

Emerging Information Security Threats

Sun, 10 Jun 2007 11:12:15 -0500

This article reviews the emerging threats landscape of information security, including targeted attacks, client-side infections, advanced malware, bots, and browser malware. It was originally published in May 2007 issue of Information Security magazine.

Penetration Testing with Confidence - SANS Webcast

Sat, 21 Apr 2007 12:57:21 -0500

In this SANS webcast I present 10 key issues you need to address for a successful penetration test.

Certification Magazine Article on Defending Endpoints

Tue, 23 Jan 2007 08:18:22 -0500

The reporter interviewed me for this article on protecting organizations against endpoint threats.

Malware Analysis Shortcuts - SANS Webcast

Sun, 14 Jan 2007 11:28:13 -0500

In this SANS' Ask The Expert webcast I review several techniques and free tools for speeding-up the analysis of malicious software.

A Practical Routine for Reviewing Security Logs

Sun, 29 Oct 2006 12:29:30 -0500

This article presents several tips for establishing a practical routine for reviewing information security logs.

Situational Awareness for Infosec Professionals

Mon, 4 Sep 2006 11:01:32 -0500

This article, published in Information Security Magazine, describes an approach to ensuring a project's success by becoming attuned to the organization's dynamics.

Browser Threat Landscape

Mon, 4 Sep 2006 00:42:32 -0500

This webcast, presented at SANS Institute, examines the nature of threats that target the Web browser, reviewing three major categories of browser-oriented attacks.

Beyond Vulnerability Assessment: 10 Questions

Sun, 21 May 2006 11:23:45 -0500

This presentation, prepared for ISSA, explores common information security risks that organization face, and suggests 10 questions worth asking when establishing a robust IT security program.

Penguins of Patagonia Video

Wed, 18 Jan 2006 21:18:06 -0500

This 1-minute video of Magellan Penguins records my observations from a visit to Argentina's Patagonia region.

Inside Network Perimeter Security

Thu, 3 Nov 2005 23:17:44 -0500

This book, which I produced and co-authored, is a practical guide to designing, deploying, and maintaining network defenses.

About Me

Mon, 6 Jun 2005 23:42:37 -0500

If you are interested in learning a bit more about me, this page is for you. Here I list some autobiographical facts and outline a several of my projects and accomplishments. After all, activity suggests a life filled with purpose.

Malware: Fighting Malicious Code

Mon, 3 Nov 2003 23:17:11 -0500

I contributed a few chapters to this Ed Skoudis' book, which focuses on defending against the threat of malicious code.

Presentations and Speaking Engagements

Wed, 3 Nov 2004 23:16:53 -0500

Organizations periodically invite me to present to them on topics related to IT risk management and security in business. Here are some of my recent presentations.

Trends and Dynamics of the Endpoint Security Industry

Fri, 3 Jun 2005 23:16:09 -0500

This paper examines trends and dynamics of the endpoint security industry, and evaluates the performance of market leaders such as Symantec in the context of these factors.

Firewall Deployment for Multitier Applications

Fri, 5 Apr 2002 23:15:51 -0500

This article explores the use of multiple firewalls for protecting resources according to business requirements of multitier applications.

The World-Wide Web: Origins and Beyond

Wed, 1 Nov 1995 23:15:31 -0500

This often-cited article discusses the history and the structure of the Web, and offers a peak at the future of information sharing.

The Evolution of Malicious Agents

Fri, 3 Nov 2000 23:15:07 -0500

This article examines the evolution of malicious agents by analyzing popular viruses, worms, and trojans, and detailing the possibility of a new breed of malicious software.

Information Security Search

Thu, 3 Nov 2005 23:02:03 -0500

Save time when researching security issues by focusing on specific sites of interests.

The Early History of Radio Broadcasting

Fri, 3 Mar 1995 23:14:41 -0500

This paper explores early radio broadcasting efforts by the United States and the Soviet Union.

Education and the Internet

Fri, 3 May 1996 23:23:41 -0500

This paper examines views of American Founders on education, and applies them to the Internet's role as a catalyst for improving the American education system.

Intrusion Detection Analysis: A Case Study

Sat, 3 Jun 2000 23:13:36 -0500

This paper provides a detailed analysis of several anomalous network events, and illustrates the techniques for examining alerts and logs generated by a network intrusion detection system.

Auditing UNIX Systems: A Case Study

Sat, 3 Nov 2001 23:13:19 -0500

This report presents results of a detailed information security audit of UNIX systems that belong to a fictitious company. It illustrates an approach to performing such an examination.

Network Perimeter Defense Architecture: A Case Study

Sun, 3 Dec 2000 23:12:59 -0500

This paper documents a comprehensive architecture for defending network resources of a fictitious company. It illustrates an approach to setting up a strong security perimeter.

Reverse-Engineering Malware Paper

Sat, 3 Nov 2001 23:12:39 -0500

This paper defines a framework for using easily-accessible tools and a dual-phased approach to examine malware such as viruses, worms, and trojans.

High-Five Calvin

Sun, 3 Apr 2005 23:11:24 -0500

Slap a high five to the infamous Calvin, just because you have nothing better to do.

Life's Inspirations

Sun, 3 Apr 2005 23:08:54 -0500

"Lying in bed listening to the rain outside." "Laughing for no reason at all." Take a look at what folks submitted to me over the years, and see what inspires people of the world.

The Poetry Corner

Sat, 2 Apr 2005 23:08:13 -0500

When feeling particularly inspired, I write short verse. Curious about the results? Take a look.

The Humor Collection

Fri, 1 Apr 2005 22:57:49 -0500

I've assembled a few humorous lists circulating on the Internet, such as "The Canonical List of Answering Machine Messages" and "More Than Fifty Ways to Get Rid of Blind Dates."