Spring 2023

Prof. Charles Nicholas
410-455-2594
nicholas@umbc.edu <----- email is a much better way to reach me!
ITE 356
Office hours: MW 2:30-4pm, or by appointment in my WebEx room

If you want to "visit" me during office hours, do send a quick email to confirm availability. You are welcome to ask for an appointment. Due to the variety of meetings I attend, office hours may vary, so feel free to send email to confirm.

The teaching assistants and their office hours are as follows. Office hours will be conducted over Discord. Days and times will be announced soon, and are subject to change.

TA Sai Madhav Kolluri nd92132@umbc.edu M-Th 4:15-5:15pm Discord
Grader Raguvir S. nv25812@umbc.edu W and Th 2-3pm, F 1-3pm Discord (or ITE 366)
UTF Natolya Barber natolyb1@umbc.edu M 2-3pm, F 11-1pm Discord (or ITE 366)
UTF Kevin Chen kchen6@umbc.edu W and Th, 10-11:30pm Discord (or ITE 366)

Spring 2023 Lecture Notes.

The Spring 2022 Notes are still available. Recordings from class sessions are included!

A much condensed version of this course can be presented as a half-day tutorial. The most recent such tutorial was presented in 2021.

A short book with recent developments in this area, Encountering Malware Analysis (or EMA), is in draft form on Overleaf.

Course information

Syllabus

Introduction to static and dynamic malware analysis. Basic and advanced tools are presented, both host- and web-based. Utilities to provide summary information, as well as disassemblers and debuggers, are discussed in detail. Emphasis is on analysis of realistic malware specimens from the textbook, or found in the wild. Homeworks and exams consist of preparation of malware analysis reports such as those used in industry.

Prerequisite: CMSC 313 Computer Organization or equivalent. Students are expected to have a solid grasp of programming in assembler as well as a high-level language such as C. Knowledge of operating systems and networks will be useful but is not required.

Academic Integrity

Academic integrity is an important value at UMBC. By enrolling in this course, each student assumes the responsibilities of an active participant in UMBC’s scholarly community in which everyone’s academic work and behavior are held to the highest standards of honesty. Cheating, fabrication, plagiarism, and helping others to commit these acts are all forms of academic dishonesty, and they are wrong. Academic misconduct could result in disciplinary action that may include, but is not limited to, suspension or dismissal.

UMBC's policy on academic integrity can be found here. In this class, students are expected to do their own work. Teamwork is not allowed unless explicitly permitted for a given assignment. Plagiarism may result in a grade of zero on that entire assignment, and a second incidence may result in a failing grade in the course.

A recent addition to this class's policy: For this class, if you use ChatGPT (or similar chatbots or AI-based text generation tools), you must describe exactly how you used it, including providing the prompt, original generation, and your edits. This applies to prose and code. Not disclosing is an academic integrity violation. If you do disclose, your answer may receive anywhere from 0 to full credit, depending on the extent of substantive edits, achievement of learning outcomes, and overall circumvention of those outcomes. Use of AI/automatic tools for grammatical assistance (such as spell-checkers or Grammarly) or small-scale predictive text (e.g., next word prediction, tab completion) is okay. Provided the use of these tools does not change the substance of your work, use of these tools may, but is not required to, be disclosed. This policy will apply to homeworks as well as exams.

Overview


Textbook(s):


Practical Malware Analysis
Sikorski and Honig
ISBN 978-1-59327-290-6
Publisher: no starch press
this book is Required
(electronic and paper versions are available, student may purchase format of their choice)
(zipfile of labs for UMBC only. Use right click and "save link as" to download this password-protected zipfile. The password is 'malware' without the quotes.)

This book is available for the Kindle. This book is the best available for the beginning malware analyst, in my opinion, but it focuses on Windows XP. However, this book is still useful because the tools and techniques are still relevant for newer versions of Windows, and indeed for malware on other systems.

The following books are not required, but may be helpful:

Malware Analyst's Cookbook and DVD
Ligh, Adair, Harstein and Richard
Publisher: Wiley
(save link as tarfile of DVD for UMBC only)

Reversing: Secrets of Reverse Engineering
Eldad Eilam
Publisher: Wiley
this book is not required, but it may be helpful

Windows Internals, Part 1 and Part 2
Russinovich, Solomon and Ionescu
Sixth edition
Publisher: Microsoft Press

Be careful when downloading "free" copies of these books! Use VirusTotal to examine any PDFs you get. Additional books, varying in quality, can be found on Wikibooks and other places.

Objectives:

We explore both static and dynamic malware analysis. Although malware takes many forms, we focus on executable binaries. We will cover object file formats, and the use of tools such as debuggers, virtual machines, and disassemblers. Obfuscation and packing schemes will be discussed, along with various issues related to Windows internals.

Students will acquire knowledge of relevant system internals, and experience in using various malware analysis tools. Students will also acquire insight into emerging trends in malware design, including efforts to deter analysis.

This will be a "hands on" course, and students are encouraged to have their laptops handy for every class session.

Approximate Schedule:

We will be following the textbook, Practical Malware Analysis, closely. In general, we will cover a chapter per week. The course notes are under almost continuous construction. I will be revising some details through the semester!

Course Policies

Grading

We will have a mid-term exam and a comprehensive final examination. Both will be take-home. There will be roughly one homework/programming assignment every two weeks. Regular class attendance is expected. The final exam will be optional for those choosing to accept the grade they've earned, on a pro rata basis, up to that point.

For those taking the final, points will be allocated as follows: 15% midterm, 20% final, quizzes/homework/programming assignments 65%.

For those opting out of the final, points will be allocated in the same proportion according to the formula 18.75% midterm, 81.25% quizzes/homework/programming assignments.


Accessibility and Disability Accommodations, Guidance and Resources

Accommodations for students with disabilities are provided for all students with a qualified disability under the Americans with Disabilities Act (ADA & ADAAA) and Section 504 of the Rehabilitation Act who request and are eligible for accommodations. The Office of Student Disability Services (SDS) is the UMBC department designated to coordinate accommodations that creates equal access for students when barriers to participation exist in University courses, programs, or activities.

If you have a documented disability and need to request academic accommodations in your courses, please refer to the SDS website at sds.umbc.edu for registration information and office procedures. If you would like to help ADA students, I understand that the SDS office hires students for this purpose...

SDS email: disAbility@umbc.edu

SDS phone: (410) 455-2459

If you will be using SDS approved accommodations in this class, please contact Dr. Nicholas to discuss implementation of the accommodations. During remote instruction requirements due to COVID, communication and flexibility will be essential for success.

Sexual Assault, Sexual Harassment, and Gender Based Violence and Discrimination

UMBC’s Policy on Sexual Misconduct, Sexual Harassment and Gender Discrimination and Federal Title IX law prohibit discrimination and harassment on the basis of sex, sexual orientation, and gender identity in University programs and activities. Any student who is impacted by sexual harassment, sexual assault, domestic violence, dating violence, stalking, sexual exploitation, gender discrimination, pregnancy discrimination, gender-based harassment or retaliation should contact the University’s Title IX Coordinator to make a report and/or access support and resources:

Mikhel A. Kushner, Title IX Coordinator (she/they)
410-455-1250 (direct line), kushner@umbc.edu

You can access support and resources even if you do not want to take any further action. You will not be forced to file a formal complaint or police report. Please be aware that the University may take action on its own if essential to protect the safety of the community.

If you are interested in or thinking about making a report, please see the Online Reporting/Referral Form. Please note that, while University options to respond may be limited, there is an anonymous reporting option via the online form and every effort will be made to address concerns reported anonymously.

Notice that Faculty are Responsible Employees with Mandatory Reporting Obligations:

All faculty members are considered Responsible Employees, per UMBC’s Policy on Sexual Misconduct, Sexual Harassment, and Gender Discrimination. Faculty are therefore required to report possible violations of the Policy to the Title IX Coordinator, even if a student discloses something they experienced before attending UMBC.

While faculty members want to encourage you to share information related to your life experiences through discussion and written work, students should understand that faculty are required to report past and present sexual assault, domestic and interpersonal violence, stalking, and gender discrimination that is shared with them to the Title IX Coordinator so that the University can inform students of their rights, resources and support.

If you need to speak with someone in confidence, who does not have an obligation to report to the Title IX Coordinator, UMBC has a number of Confidential Resources available to support you: 

Other Resources:

Child Abuse and Neglect: Please note that Maryland law and UMBC policy require that the faculty report all disclosures or suspicions of child abuse or neglect to the Department of Social Services and/or the police.

Pregnancy

UMBC’s Policy on Sexual Misconduct, Sexual Harassment and Gender Discrimination expressly prohibits all forms of Discrimination and Harassment on the basis of sex, including pregnancy. Resources for pregnant students are available through the University’s Office of Equity and Inclusion. Pregnant and parenting students are encouraged to contact the Title IX Coordinator to discuss plans and assure ongoing access to their academic program with respect to a leave of absence or return following leave related to pregnancy, delivery, or the early months of parenting.

In addition, students who are pregnant may be entitled to accommodations under the ADA through the Student Disability Service Office, and/or under Title IX through the Office of Equity and Inclusion.

Retriever Essentials

Retriever Essentials is a faculty, staff, and student-led partnership that addresses food insecurity in the UMBC community. Free pre-assembled bags of non-perishable food items and personal care products can be anonymously picked up 24/7 at the Campus Police Station or at one of our Food Zones. You can also order a personalized bag by filling out this form, or email us at retrieveressentials@umbc.edu about our meal swipe program.

Religious Observances and Accommodations

UMBC Policy provides that students should not be penalized because of observances of their religious beliefs; students shall be given an opportunity, whenever feasible, to make up within a reasonable time any academic assignment that is missed due to individual participation in religious observances. It is the responsibility of the student to inform the instructor of any intended absences for religious observances in advance, and as early as possible. For questions or guidance or to request an accommodation, please contact the Office of Equity and Inclusion at oei@umbc.edu.

Hate, Bias, Discrimination and Harassment

UMBC values safety, cultural and ethnic diversity, social responsibility, lifelong learning, equity, and civic engagement.

Consistent with these principles, UMBC Policy prohibits discrimination and harassment in its educational programs and activities or with respect to employment terms and conditions based on race, creed, color, religion, sex, gender, pregnancy, ancestry, age, gender identity or expression, national origin, veterans status, marital status, sexual orientation, physical or mental disability, or genetic information.

Students (and faculty and staff) who experience discrimination, harassment, hate or bias or who have such matters reported to them should use the online reporting/referral form to report discrimination, hate or bias incidents; reporting may be anonymous.

Resources

A collection of malware analysis resources, such as web sites, downloads, and so forth. Suggestions are welcome!

Reading List

Malware analysis is an active area of pure and applied research, and papers are appearing all the time. Students should know how to use the UMBC Library research port and other facilities to get copies of papers they want. I suggest this reading list. Again, suggestions for improving this list are welcome.