Last week, we conducted an experiment at @alperovitch — an intensive primer on Malware Analysis for non-technical students. Unlike beginner MA courses that give a light smattering of approachable tools and concepts, we’d walkthrough the analysis of a single sample end-to-end.

In order to keep myself intellectually honest, we plucked a malware sample I had never analyzed before– an Agent.BTZ sample– and started with initial triage -> light static analysis w HIEW -> deeper static analysis with IDA -> pinpoint debugging w x64dbg -> report writing.

We asked students to do an inordinate amount of prep for a weeklong course– reading a minimum 14 chapters of Sikorski's Practical Malware Analysis course, and a list of quick start references. And *surprisingly*, a majority of them did, making it possible to move quicker.

Despite prep, there's one seemingly insurmountable aspect of this subject w students of varying subject familiarity– every student was some combination of: don't know assembly, don't know how to code, not familiar w programming concepts, hadn't used any of these tools, etc.

That's where @openai ChatGPT stepped in as a teaching assistant able to sit next to each student and answer all 'stupid' questions that would derail the larger course. It was a first-attempt TA that helped students *refine* their questions more meaningfully.

Was it ever wrong? Absolutely! And it was amazing to see students recognize that, refine their prompts, and ask it and me better questions. To feel empowered to approach a difficult side-topic by having chatGPT write a python script or tell them how to run it and move on.

Fearmongering around AI (or outsised expectations of perfect outputs) cloud the recognition of this LLMs staggering utility: as an assistant able to quickly coalesce information (right or wrong) with extreme relevance for a more discerning intelligence (the user) to work with.

Thankfully, in a professional development course, there's little room for performative concerns like plagiarism– you're welcome to rob yourself but the point here is to learn how something is done and have a path forward to the largely esoteric practice of reverse engineering.

I'm staggered by the sincere engagement of our students. Even after 5-6 hours of instruction, I'd receive 11pm messages telling me they'd unobfuscated a string in the binary and wanted to understand how it might be used. They pushed themselves way past their comfort zone.

In the end, we went from some vague executable blog to seeing how an old Agent.BTZ sample would attempt to infect USBs, unobfuscate hidden strings, resolve APIs, establish persistence, and callout to a satellite hop point to reach a hidden command-and-control server.

This was a purely experimental endeavor in the hope of bolstering meaningful cybersecurity education. Some may choose to further engage malware analysis, many more will hopefully enter the larger policy discussions around this subject with a rare grasp of the subject at hand.

My sincere thanks to @ridt + @EllyRostoum + @alperovitch faculty for their support in enabling this first time course at every level. Also thank you to @HexRaysSA for educational access to IDA Pro, and @openai for inadvertently superpowering our educational experiment.

More here: https://alperovitch.sais.jhu.edu/five-days-in-class-with-chatgpt/