The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.
Spring 2021 semester
- 1/27/2021 Introduction
- Slides and my presentation of these slides.
- You will need to install VirtualBox. Instructions for doing so are found here.
- The Windows 7 virtual machine we'll be using is in this OVA file. It's big, almost 19 GB, and larger still once imported into VirtualBox!
- Download the OVA file by clicking the above link. You will need to be connected via the UMBC VPN, or access Google Drive with your UMBC credentials.
- The download will take a while.
- Start VirtualBox. Select File->Import Appliance, and choose the OVA file you just downloaded. This, too, may take a few minutes.
- If you don't have enough disk space, I suggest you get an external drive, or a large USB key. The external drive will be much faster!
- Homework 1 has been made available. It will be due 5:30pm on Monday, February 8.
- The malware samples you will need are here. The password is "infected", without the quotes.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/1/2021 Basic Static Analysis
- Virtual Machines
- Homework is to be uploaded to Blackboard; we can demonstrate the process.
- These slides will be used today (and perhaps next time, too)
- Malware Research Group meets Fridays 4-5pm, starting this coming Friday, at this Google Meet link.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/3/2021 Tools for Static Analysis
- Basic Tools
- We demonstrated the upx utility to compress (upx -1 for the fastest level, upx -9 for the best compression) and decompress (upx -d) files last week.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/8/2021 More on Packing and Unpacking
- Malware analysts should know C and assembly, but also Python.
- The pefile module in Python can be used to make lots of useful tools.
- Other packers used in malware include ASPack, PECompact, Petite, Themida, and RLPack; NSIS is strictly an installer system, but malware often hides behind it as well.
- How can we tell if upx works as it should?
- Compress something, decompress it, and check that the result matches the original (compare the SHA-256 hashes of the two files).
- This works because UPX is lossless compression; lossy compression (as used for audio or images) would not round-trip.
- You may want to know how, and when, to use shared folders in VirtualBox. In VirtualBox, snapshots can be useful, and drag-and-drop can be useful, but shared folders can be problematic: a host directory the guest can write to is also a path by which malware in the guest can reach the host.
- Slides: Basic Dynamic Analysis VMs and Sandboxes
- Sandbox demo (Ben)
- Check out an example from VirusTotal.
- Cuckoo Sandbox is open source. Lots of research projects become possible!
- Homework 2 has been released, along with its "infected" malware samples.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/10/2021 Configuring Virtual Machines
- Want to know more about the internals of Linux?
- several Nutshell books are relevant
- maybe also this contribution on GitBook
- Wireshark
- Some instructions for how to properly set up FakeNet-NG, which will be needed for HW2.
- We will be using FakeNet-NG and Wireshark. The packages ApateDNS and INetSim, discussed in the textbook, are no longer widely used.
- If your Windows box complains about being unlicensed...
- From that Windows 7 virtual machine,
- Download this file win_activate.bat to your Desktop
- Make sure you're connected to the campus VPN
- Right-click on the win_activate file, and select "Run as administrator"
- The campus site license server should take care of making your copy of Windows 7 look legitimate.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/15/2021 Basic Dynamic Analysis
- More demos useful for Homework 2: Regshot, Process Monitor, Process Explorer, Autoruns
- using a certain malware specimen, namely IllusionBot_2007, available from theZoo on GitHub
- Regshot: persistence through services, and through the Winlogon\Shell registry value
- Procexp: strings that differ on disk vs. in memory (the sample unpacks or decodes itself at run time); loaded DLLs are shown in the lower pane
- You might be interested in reading about how malware authors are using VirusTotal.
- Triage vs. in-depth analysis
- Optional topic: analyzing DLL files
- Running a DLL with rundll32.exe (rundll32.exe name.dll,ExportedFunction), which calls one exported function of the DLL so its behavior can be observed
- A DLL can be converted into an executable using a tool such as PE Explorer (Charles to demo if time permits)
- This tutorial is a good overview of Chapter 3 in PMA. Like Chapter 3, it's a bit out-of-date.
- We recommend that you join Dr. Edward Raff's talk at noon on Wednesday.
- We might use some class time for Homework 2
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/17/2021 Registry
- 2/22/2021 Assembler Language Review
- We will be reviewing concepts from x86 assembly with these slides
- Homework 3 has been released. It's just a Word document, no malware specimens this time.
- Watch the due dates! Don't do last year's assignment by mistake!
- An introduction to x64 assembly from Intel
- As examples of assembler code, I've heard good things about nasm, a popular assembler for Windows
- nasm is also available for Ubuntu: sudo apt-get install nasm
- extensive documentation is available
- the NASM tutorial
- Charles is aware of a series of tutorials on YouTube that may be useful for learning x86 assembly on Linux.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/24/2021 C code constructs
- summary of PMA Chapter 6
- A simple C program that uses several control structures (pma6.c) and the assembly listing (pma6.s) generated with gcc -Wa,-adhln -g pma6.c > pma6.s (note: no space between -Wa, and -adhln). The -g flag causes a lot of useful information, including the C source lines interleaved with the assembly, to appear in the listing.
- What if somebody gives you a USB stick? Do you just plug it into your PC? Not a good idea!
- VMware Player may be better than VirtualBox for looking at USB devices: if configured to do so, it attaches a newly inserted USB device directly to the guest, before the host OS gets a chance to mount it.
- Take a look at this list of free online malware sandboxes!
- The Cuckoo Sandbox mentioned in PMA is available for download. You'll want to install it on Linux, preferably a box (or at least a VM) dedicated to that.
- This BlackHat talk and associated white paper has lots of information about Cuckoo
- An online malware sandbox based on Cuckoo is available at http://www.malwr.com, and the results can be visualized using https://www.malwareviz.com/
- You don't have to keep your Ubuntu environment current, but there are reasons to do so. Update Manager is very capable.
- It is often (but not always) good to have the VirtualBox Guest Additions installed in the guest, as well as the Extension Pack on the host. The "not always": malware that checks for VirtualBox artifacts, such as the Guest Additions drivers and services, may behave differently once they are installed.
- If time permits, demonstrate searching for papers in the UMBC Library and elsewhere using the Research Port and related Tutorials
- Google Scholar and Microsoft Academic Partner
- ACM and IEEE Digital Libraries
- The recordings for this session, and all other recordings for this semester, will be found here.
- 3/1/2021
- Any questions about Homework 3?
- RJ will demonstrate IDA. The freeware version of IDA is available on the Flare VM we provide.
- Example: Lab 6-1 (from the end of Chapter 6)
- FLIRT (Fast Library Identification and Recognition Technology) is the IDA feature that recognizes statically linked library functions by signature, so you can skip the library code and concentrate on the author's own functions.
- The old freeware version of IDA, which would be needed if you want to use it on Windows XP, is available here. (UMBC only)
- We may also do some of the exercises 1-9 from the end of Chapter 5 as a demo.
- Homework 3 was revised yet again this morning, and the homework is due at 5:30pm on Monday, March 8.
- Extra credit (five points) will be awarded to assignments turned in by Friday at 5:30pm.
- Blackboard has already been updated to show the new due date of March 8.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 3/3/2021 more on IDA
- RJ will be finishing the demo of IDA
- A series of YouTube videos that deal with Ghidra, in case you want to view them before next week...
- Lesson 1 Introduction
- Lesson 2 UI
- Lesson 3 Windows Tools Part 1
- Lesson 3 Windows Tools Part 2
- Lesson 3 Windows Tools Part 3
- Lesson 3 Windows Tools Part 4
- Lesson 4 Exploit "Phoenix"
- Lesson 5 Structures
- The recordings for this session, and all other recordings for this semester, will be found here.
- 3/8/2021 more with Ghidra
- We plan to officially release Homework 4 today. It may already be available here, along with the malware.
- RJ spent almost this whole session demonstrating Ghidra.
- Midterm exam is scheduled for March 24, and will be due March 29.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 3/10/2021 still more Ghidra
- More on Ghidra homework.
- Malware and the Windows API (ppt) (pdf)
- Here is a malware example, as a password-protected zipfile (zip) with password "malware" without the quotes
- As practice for the midterm, answer these questions: (1) What is the length and SHA-256 hash of this binary? (easy) (2) What, if anything, raises your suspicions in the IMPORTS table? (somewhat easy) (3) Using IDA or the disassembler of your choice, what is it that makes this file malicious? Which function does something bad? There may be several good answers to this question; we can then discuss in class.
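The pefile module mentioned on 2/8 does all of the following for you. As an added example (mine, not course or textbook code), here is the same PE walk done with only the Python standard library, covering both the packer indicators from that session (section names, entropy, a section that is empty on disk but large in memory, a stub-sized import table) and the first two practice questions above (length and SHA-256, what in the IMPORTS table raises suspicion). The packer section-name list and the suspicious-import list are my own short, illustrative assumptions, and the PE image produced by build_sample is constructed for the demo, not a real specimen.

```python
"""Added example (not course or textbook code): stdlib-only PE triage written from the PE/COFF
layout instead of pefile: size, SHA-256, section table with packer indicators, import table.
The two lists below are short illustrative assumptions, not a complete signature set."""
import hashlib, math, struct
from collections import Counter

PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite", b".themida"}
SUSPICIOUS_IMPORTS = {b"LoadLibraryA", b"GetProcAddress", b"VirtualAllocEx", b"WriteProcessMemory",
                      b"CreateRemoteThread", b"URLDownloadToFileA", b"SetWindowsHookExA", b"IsDebuggerPresent"}

def entropy(data):
    n = len(data)   # Shannon entropy in bits per byte; near 8.0 means compressed or encrypted data
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    sections = []
    for i in range(nsect):                        # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
    return sections, opt_off

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section that contains it."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return rva - s["vaddr"] + s["rptr"]
    raise ValueError("RVA %#x is not backed by any section" % rva)

cstr = lambda pe, off: pe[off:pe.index(b"\0", off)]   # NUL-terminated string at a file offset

def parse_imports(pe, sections, opt_off):
    """PE32 only: the import directory is data directory #1, at opt_off + 104."""
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x10B:
        raise ValueError("this example handles PE32, not PE32+")
    imp_rva, imports = struct.unpack_from("<I", pe, opt_off + 104)[0], {}
    off = rva_to_offset(imp_rva, sections) if imp_rva else None
    while off is not None:                        # IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", pe, off)
        if name_rva == 0:
            break
        thunk, names = rva_to_offset(oft or ft, sections), []   # prefer the original thunk (INT) over the IAT
        while True:
            entry = struct.unpack_from("<I", pe, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                # import by ordinal
                names.append(b"#%d" % (entry & 0xFFFF))
            else:                                 # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(cstr(pe, rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[cstr(pe, rva_to_offset(name_rva, sections))] = names
        off += 20
    return imports

def triage(pe):
    sections, opt_off = parse_sections(pe)
    report = {"size": len(pe), "sha256": hashlib.sha256(pe).hexdigest(), "sections": [], "flags": []}
    for s in sections:
        ent, name = entropy(pe[s["rptr"]:s["rptr"] + s["rsize"]]), s["name"].decode("ascii", "replace")
        report["sections"].append((name, s["vsize"], s["rsize"], round(ent, 2)))
        if s["name"] in PACKER_SECTION_NAMES:
            report["flags"].append("packer section name " + name)
        if s["rsize"] == 0 and s["vsize"] > 0:    # empty on disk but large in memory: the unpacking target
            report["flags"].append("%s: no raw data but %#x virtual bytes" % (name, s["vsize"]))
        if s["rsize"] >= 256 and ent > 7.0:
            report["flags"].append("%s: entropy %.2f" % (name, ent))
    imports = report["imports"] = parse_imports(pe, sections, opt_off)
    funcs = [f for names in imports.values() for f in names]
    if 0 < len(funcs) <= 8:                       # packer stubs resolve the real imports at run time
        report["flags"].append("tiny import table (%d functions)" % len(funcs))
    report["flags"] += ["suspicious import " + f.decode() for f in funcs if f in SUSPICIOUS_IMPORTS]
    return report

def build_sample():
    """Constructed PE32 image (not real malware): UPX0/UPX1/.rsrc sections, two imports inside UPX1."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(56))   # 1792 high-entropy bytes
    base, dll, fn1, fn2 = 0x11000, b"KERNEL32.dll\0", b"\0\0LoadLibraryA\0", b"\0\0GetProcAddress\0"
    imp_rva = base + len(filler)                  # descriptor, null descriptor, 3 thunks, then the names
    thunks_rva, dll_rva = imp_rva + 40, imp_rva + 52
    fn1_rva = dll_rva + len(dll)
    blob = (struct.pack("<5I", 0, 0, 0, dll_rva, thunks_rva) + b"\0" * 20
            + struct.pack("<3I", fn1_rva, fn1_rva + len(fn1), 0) + dll + fn1 + fn2)
    upx1 = filler + blob + b"\0" * (0x800 - len(filler) - len(blob))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)   # i386, 3 sections, EXE
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", imp_rva, len(blob)) + b"\0" * 112
    sect = lambda name, vsize, vaddr, rsize, rptr: struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0)
    table = (sect(b"UPX0", 0x10000, 0x1000, 0, 0) + sect(b"UPX1", 0x1000, base, 0x800, 0x200)
             + sect(b".rsrc", 0x200, 0x12000, 0x200, 0xA00))
    headers = dos + coff + opt + table
    return headers + b"\0" * (0x200 - len(headers)) + upx1 + b"\0" * 0x200
```

Run triage(build_sample()) to see the report; for a real file, triage(open(path, "rb").read()). On the constructed sample the flags are exactly the UPX tells from the 2/8 session: UPX0 has no bytes on disk but 64 KB of virtual space (the unpacking target), UPX1 has entropy above 7 (the compressed payload), and the import table holds only LoadLibraryA and GetProcAddress, which is how a stub resolves the real imports after unpacking. The same import walk answers question (2) above: a two-function import table is itself the suspicious thing.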
- 3/15/2021 and 3/17/2021
- Spring Break! No class on March 15 or March 17. Enjoy!
- 3/22/2021 Chapter 8
- Homework 4 due today
- Finish slides from the previous session Malware and the Windows API (ppt) (pdf)
- Following Malware Execution - inspired by PMA (ppt, pdf)
- We may or may not present this material on
- This online tool may be an alternative to IDA and Ghidra.
- Another alternative to IDA is radare. It can be used in visual mode, or through the command line. Its documentation is extensive, and the price is right.
- Alternatives to IDA exist, such as Hopper for OS X and Linux.
- Covert malware - inspired by PMA (ppt, pdf)
- The recordings for this session, and all other recordings for this semester, will be found here.
- 3/24/2021 Exam and Project
- EXAM to be released as of 4:30pm today, Wednesday, in take-home format. Due by 5:30pm Monday, March 29.
- The exam and the 7z file with the malware specimens.
- Feel free to start working on it, or just read through it. We can address your questions during class time.
- Submit your completed exam through BlackBoard, as with the homework assignments.
- Last year's midterm exam is available. The malware specimen is here (midterm2019.7z) and the usual password.
- An exam from a previous year is still available. You will need these files: Midterm1.7z and Midterm2.7z
- No new material is planned for this class session
- The recordings for this session, and all other recordings for this semester, will be found here.
- 3/29/2021 more Chapter 8.
- Peter Drucker's article "Managing Oneself" appeared in the January, 2005 issue of Harvard Business Review.
- The paper is not being assigned as part of this course, but if you are an authorized UMBC library patron and wish to read it, here it is.
- The link is supposed to work from a UMBC IP address only.
- Finish slides on Malware Execution
- The recording of this session, and all other recordings for this semester, will be found here.
- 3/31/2021 More on Immunity
- Homework 5 to be released. The malware sample is here.
- Demonstrate use of ImmDbg
- Go over Exercise 9-02 from PMA.
- For programming in C and related languages on Windows, I prefer Code::Blocks, which is available open-source, for both Windows and UNIX.
- For a detailed introduction to Immunity, see Nardella's paper from SANS Institute.
- The SANS Institute has a reading room, which includes lots of interesting papers related to malware.
- RJ recommends Attributes of Malicious Files
- 4/5/2021 Malware Behavior
- Chapter 12 notes
- Finish demo of Immunity Debugger; Q&A and comments on the recorded demos.
- Go over midterm exam
- As time permits, finish slides on Covert Malware.
- 4/7/2021 Encoding Data
- 4/12/2021 Anti-Disassembly
- Chapter 16, Anti-Disassembly
- 4/14/2021 Anti-Debugging
- Chapter 17, Anti-Debugging
- dealing with packed malware
- RJ demo on packing and unpacking
- Homework 6 has been released. The malware for Homework 6.
- You will need ImpRec and OllyDumpEx.
- interested in a Ph.D. degree? take a look at this PhD Survival Guide
- 4/19/2021 more on packing and unpacking
- Chapter 18 notes
- Charles will ask people how they're doing with online classes, and so forth.
- The OllyDumpEx plugin
- The ImportREC plugin
- Sorokin's paper on structural entropy (pdf)
- 4/21/2021 even more
- 4/26/2021 YARA
- Chapter 15 notes: Network Indicators
- Course evaluations are coming! Watch your email.
- The FINAL will be OPTIONAL. Let me know by May 12 if you want to take it.
- RJ will be talking about Yara on Wednesday.
- For your information, the malware corpus we used last year is found here (7z), UMBC IPs only, usual password.
- To follow along, you'll need to download the YARA source code: wget https://github.com/VirusTotal/yara/archive/v3.7.0.tar.gz (3.7.0 is the release used in class; newer releases live in the same GitHub project)
- Follow the installation instructions from this guide: http://yara.readthedocs.io/en/v3.7.0/gettingstarted.html
- Handy YARA rules overview: http://yara.readthedocs.io/en/v3.7.0/writingrules.html
- 4/28/2021 More on YARA
- The YARA Homework and the associated data have been released.
- A longish demo of YARA
- It is important for you to be on the CSEE email lists. Instructions are here.
- Remember to fill out the student evaluations! For this class and others you're taking. Thanks!
- The recording of this session, and all other recordings for this semester, will be found here.
- 5/3/2021 Ongoing Research Topics
- Charles will talk about Exploit Kits!
- Beware of Exploit Kits!
- Excerpts from a talk I gave at "the agency" a few years ago, including this 3-d graph!
- and a much older report from Trend Micro
- The recording of this session, and all other recordings for this semester, will be found here.
- 5/5/2021 Malware on UNIX
- Christopher Gardner from FireEye will be our GUEST SPEAKER. His topic, in recognition of the day, is "Beating the Malware Pinata". His slides.
- The Student Evaluation of Educational Quality (SEEQ) is a standardized course evaluation instrument used to provide measures of an instructor’s teaching effectiveness. The results of this questionnaire will be used by promotion and tenure committees as part of the instructor’s evaluation. The Direct Instructor Feedback Forms (DIFFs) were designed to provide feedback to instructors and they are not intended for use by promotion and tenure committees. The responses to the SEEQ and the DIFFs will be kept confidential and will not be distributed until final grades are in.
- There may still be time to register for Dawg CTF this weekend!
- The recording of this session, and all other recordings for this semester, will be found here.
- 5/10/2021 Wrapping Up
- You should now have access to all your grades up to and including HW 6.
- The topic of Linux malware should not be ignored, but that's what we're going to do.
- Nor have we talked much about malware on the Mac. Much of the information related to Mac malware is old, but I can recommend:
- the 2021 State of Malware report from Malwarebytes. Some discussion of Mac malware begins on page 33.
- Chapter 20, Shellcode Analysis, which we won't get to explore in a homework, but you should be aware of it.
- Discuss final exam as appropriate
- Tomorrow is the last day to fill out the on-line course evaluations, which are accessible through an email sent to you, and over Blackboard. Please fill these out, thanks!
- The recording of this session, and all other recordings for this semester, will be found here.
- 5/12/2021
- This is the last day of class!
- Henry Budris will be talking about the binary bomb featured in last weekend's Dawg CTF.
- Here is last year's final exam and its malware
- Let us know by FRIDAY if you want to take the final.
- RJ and I will be presenting a short talk on this course at the upcoming MTEM 2021 conference. Comments on this poster are welcome. The poster is a DRAFT, and is not for distribution.
- The recording of this session, and all other recordings for this semester, will be found here.
- 5/17/2021 Final Exam
- The final exam is optional! But if you want to take it, it will be released tonight, in accord with the published final exam schedule.
- Check here in order to find the final exam and its malware. ...Good luck!
- After the semester ends, I may end up putting items of interest here. Such as:
- This report from BlackBerry on RATs
- Maddie Stone has Android malware material on YouTube
- Enjoy your summer!