The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.

  1. 8/30/2012 Introduction
    • review syllabus
    • how big a problem?
    • example: Popular Mechanics article (pdf)
    • many papers and several books are available ( )
    • how the course works
    • bring your own laptop, do downloads before class if possible
    • static vs. dynamic analysis, each has its place
    • basic vs. advanced (or in-depth)
    • role of anti-virus (AV)
    • strengths and weaknesses of AV signatures
    • Internet-based AV such as https://www.virustotal.com/
  2. 9/4/2012 Installation of virtual machines
    • Andrew demonstrates Virtual Box
    • how to get a copy of Linux: many linux distros available at distrowatch
    • we recommend Ubunto 11.04: http://releases.ubuntu.com/natty/
    • installing Linux. We don't recommend upgrading to Ubuntu 11.10 or higher.
    • we do recommend making VM disk drives big, with dynamic allocation
    • how to get a copy of Windows XP
    • http://msdn02.e-academy.com/elms/Storefront/Home.aspx?campus=umbc_csee
    • Students can open a ticket at http://my.cs.umbc.edu/ to request a DreamSpark account. Access lasts for one year. Students are allowed to keep any software they download.
    • installing XP
    • make sure your virtual machines are ISOLATED from the network your laptop is on, although having the Internet connected to download software is handy. Download, do updates, and take a snapshot.
    • what if your computer is too slow to run VMs? it may need more memory, I suggest www.crucial.com, a company in which I have no financial interest.
  3. 9/6/2012 Handling malware incidents
    • Guest lecturer Dr. Rick Forno
    • you can ask Rick about the Cybersecurity program!
  4. 9/11/2012 Chapter 0,begin Chapter 1
    • here is a description of the software install demo that Andrew did last Tuesday
    • what is the AV industry (200+companies?) doing about malware?
    • look at Symantec and McAfee lab sites
    • Varieties of malware, varieties of analysis
    • Textbook has a good survey
    • By the way, the textbook seems to be available on-line using the Safari digital library
    • Demo moving a file to an (otherwise) isolated VM (in VMWare, drag-and-drop works fine) How is this done in Virtual Box? Shared Folders??
    • File signatures: MD5, SHA-1, SHA-2*, md5deep and WinMD5
    • Using md5deep, check the MD5 value for WinMD5Free.exe MD5, which should be 944a1e869969dd8a4b64ca5e6ebc209a
    • Using WinMD5, check the MD5 for c:\WINDOWS\system32\sol.exe, which should be 373e7a863a1a345c60edb9e20ec3231
    • What can we see in a binary? Demonstrate the strings command from a UNIX shell
    • We can use an ordinary editor like emacs in hexl-mode to look at an executable binary file, such as md5deep.exe
    • You can get emacs for Windows here
    • The PE header can tell us several things, and along with the strings command, we can tell if perhaps the file has been packed or obfuscated
    • Discuss packing and obfuscation from PMA
  5. 9/13/2012 More Chapter 1
    • Detecting obfuscated code is easier than you might suspect.
    • Reading assignment: “Using Entropy Analysis to Find Encrypted and Packed Malware.” IEEE Security & Privacy Magazine, 2007, pages 40-45.(pdf)
    • Demonstrate downloading this file via the UMBC Library.
    • A little more on Botnets: see the paper "Analysis of a Botnet Takeover"
      by Brett Stone-Gross, Marco Cova, Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna
    • Demonstrate packing of files using upx and sol.exe as an example. That file is 56,832 bytes before packing, but only (how many?) bytes after.
    • Demonstrate PEid
    • Demonstrate unpacking of files with the command upx -d. Does the old sol.exe look like the new one? How could we tell?
    • Demonstrate Dependency Walker
    • Discuss Table 1-1 in PMA, Common DLLs
    • Discuss Table 1-4 in PMA, Sections of a PE File
    • The Portable Executable File Format is described in detail at this Wikipedia article which refers to
    • this spec from Microsoft
    • and this PE poster
    • and this article which describes the smallest possible PE file.
    • Assign Lab 1-1 from pg. 27 of PMA
  6. 9/18/2012 Finish Chapter 2
    • Using PEView. You can use this exe file
    • Using Resource Hacker
    • You might find it useful to download and run setup.exe from www.cygwin.org, which gives you a working UNIX-like environment on Windows. Chews up some disk space, though.
    • In class exercise: analysis of Lab01-04.exe
    • Do people know about MSDN?
    • Begin Chapter 3
    • compare and contrast virtual machines: from Linux Journal, a VM Shootout
    • snapshots can be useful, and drag-and-drop can be useful, but shared folders can be problematic
    • PMA likes VMWare, and mentions its Record and Replay features
    • paper topics: other VM choices
    • paper topics: can VMs be escaped?
    • Send your PAPER TOPICS to me by Tuesday of next week (9/25/2012)
    • Paper topics should be sent by ordinary text email. Include a paragraph describing the topic, and list at least two references that you'll use to get started.
    • If your topic is work-related, that might still be okay, but talk to me before you spend a lot of time on it.
  7. 9/20/2012 finish Chapter 3 and start Chapter 4
    • introduce QEMU
    • Some resources you might want to look at.
    • Another malware course mentions PEBrowsePro
    • Dynamic analysis is a second step
    • Look at Norman Sandbox
    • Look at GFI Sandbox and analysis of Lab03-04.exe (pdf) (html)
    • Does everybody know what a mutex is?
    • Sandboxes have their limitations! Such as?
    • Process Monitor v3.03
    • Process Explorer v15.22
    • registry snapshots using regshot
    • what is the registry, anyway?
    • Assign Lab 3-1 and Lab 3-3 as exercises, due Thursday 9/27
  8. 9/25/2102 finish Chapter 4
    • Let's do Lab 3-2 (page 61) as an in-class exercise!
    • Running a DLL with rundll32.exe
    • Turn a DLL into an executable using PEid
    • The Mandiant tool ApateDNS requires .NET 3.5, which you can get here
    • One way to monitor network traffic is netcat (this link seems to be a version for XP). Note that netcat runs from the command line.
    • Demonstrate Wireshark
    • For those who are interested, a recruiting event in the UC Ballroom is in progress
  9. 9/27/2012 begin Chapter 5
    • Keep your Ubuntu environment current! Update manager is very capable, but
    • Use sudo apt-get install dkms to get dynamic kernel modules
    • Tell Virtual Box to install guest additions
    • Use sudo apt-get install wireshark to get wireshark for Ubuntu
    • It seems good to have two network connections: WiredInternet, and WiredIsolated. Each will have its own TCP/IP settings.
    • finish Lab 3-2
    • start a review of X86 assembly language
    • I've heard good things about nasm, a popular assembler for Windows
    • nasm is also available for Ubuntu: sudo apt-get install nasm
    • emacs is also available for Ubuntu: sudo apt-get install emacs
    • ubuntu will already have gcc
    • extensive documentation is available
    • Paul Carter's PC assembly page
    • more NASM examples
    • with respect to UNIX-like functionality under Windows, MinGW is an alternative to Cygwin
    • see if you can get a simple assembler example running under both Windows and Linux. We'll discuss this more next week!
  10. 10/2/2012
    • let's read a paper by Kruegel from the 2004 USENIX Security Symposium, for discussion on Thursday and next Tuesday
    • when running nasm with gcc on cygwin, it REALLY helps to have the necessary libraries, whatever they are. Building cygwin with a full install of the development tools is enough.
    • example: assembling a simple assembly program
    • example: compiling an equivalent C program
    • compare the listings and the binaries
    • for great fun, check out map.honeycloud.net
    • Assignment: Make sure you can get an assembler program to assemble using nasm and link with gcc. Record using the script command, or a screen shot, and email to me by next Tuesday 10/9. Some class time is spent on this exercise.
  11. 10/4/2012 Chapter 6
    • We'll be talking about the first part of Kruegel2004.
    • Please get a copy of the freeware version of IDA Pro
    • We'll get a taste of using IDA Pro, by doing exercises 1-9 from the end of Chapter 6.
    • Assignment: Exercises 10-17 from the end of chapter 6. Due by midnight Thursday October 11.
  12. 10/9/2012 more IDA Pro
    • Andrew will demonstrate more IDA Pro
    • An IDA Pro Cheat Sheet (pdf)
    • Here is a Hello World example (exe)
    • Here is a malware example, as a password-protected zipfile (zip)
  13. 10/11/2012 still more IDA Pro
    • Using exercises from end of Chapter 6
  14. 10/16/2012 Chapter 7
    • a simple C program that uses several control structures (pma6.c) and the assembly listing (pma6.s) generated with gcc pma6.c -Wa,-adhln -g
      no space between Wa and -a
    • the -g flag causes a lot of useful information to appear in the .s file
    • let's compare IDA disassembly with what gcc generates
    • Example: Lab 6-1 (from the end of Chapter 7)
    • Assignment: Due midnight, Tuesday 10/23, Lab 6-2 and 6-3
  15. 10/18/2012 Chapter 8
    • Windows API Chapter 8 notes
    • which functions are likely to be of interest to malware writers?
    • an article about this course appeared yesterday in the Retriever Weekly
  16. 10/23/2012 more Chapter 8
    • DLLs, threads, mutexes, services
    • maybe find some papers on obfuscation
  17. 10/25/2012 Chapter 9
  18. 10/30/2012 Chapter 10
    • using Ollydbg, demo by Andrew, Charles on the phone
    • but UMBC is closed due to Hurricane Sandy :-(
  19. 11/1/2012 More Chapter 10
    • Ollydbg demo by Andrew, Charles on the phone from CIKM'12
    • EXAM will be released today, in take-home format. You'll have a couple of malware specimens to analyze. Due by 5:30pm Tuesday 11/6.
    • The exam is now available.
    • EXAM UPDATE for those who don't already have C++ installed, or are getting some error message related to it, the file MSCVR100 is available. Save this file in the same directory as the malware specimen, under the name msvcr100d.dll. Here's a zipfile with the same content.
  20. 11/6/2012 Chapter 18
    • FYI, I get daily news alerts from the cyberwire
    • packers and unpacking can't wait until the end of the course
    • Chapter 18 notes
  21. 11/8/2012 more Chapter 18 (not really)
    • Guest Speaker: Ms. Patti Chandler from DOD
    • Questions for Patti
  22. 11/13/2012 more Chapter 18
    • return the exams
    • more on Chapter 18, including a peek at tuts4you.com
    • we want to cover kernel debugging, but there will be short delay
  23. 11/15/2012 Chapter 12
  24. 11/20/2012
  25. 11/22/2012 Thanksgiving Day
  26. 11/27 Chapter 14
    • Just for fun, a report from crowdstrike on a Linux rootkit. Contains a working sample!
    • Cover Chapter 14
  27. 11/29 Chapter 15
  28. 12/4 Anti-debugging
  29. 12/6 Shellcode
    • Cover Chapter 20, Shellcode Analysis
    • Begin take-home final. Same format as midterm
    • Exams must be emailed to me and Andrew by 8pm on 12/13
  30. 12/11 Review and discuss final exam as appropriate
    • Term papers need to be emailed to me by midnight 12/11.
  31. 12/13 Final Exam
    • final exam is due, by email to me and Andrew, at 8pm