The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.
Many dates and details will be updated!
Spring 2022 semester
- 1/31/2022 Introduction
- Review of course syllabus, campus policies, and logistics
- Introduction
- You will need to installl VirtualBox. Instructions for doing so are found here.
- Users of M1 Macs Beware!
- We are making a Windows 7 virtual machine available for the class.
- Windows 7 (OVA, 21 gigs)
- We also have a malware analysis platform based on Windows 10, see below.
- Download the OVA file by clicking the above link. You will need to be connected via the UMBC VPN, or access Google Drive with your UMBC credentials.
- The download will take a while.
- Start VirtualBox. Select File->Import Applicance, and choose the OVA file you just downloaded. This, too, may take a few minutes.
- If you don't have enough disk space, we suggest you get an external drive.
- We note, to our disappointment, that M1 Macs don't yet support VirtualBox very well
- Maybe older versions work?
- As a stopgap, try using Azure
- Once you import this VM into Virtual Box, make sure you turn off automatic updates, and Windows Defender, right away! Discuss why.
- The recordings for this session, and all other recordings for this semester, will be found on Box.
- 2/2/2022 Basic Static Analysis
- Introducing the VM we use for malware analysis.
- These slides will be presented.
- Virtual Machines
- Importing an applicance into VBox.
- Windows 10 Stable (OVA, 10 gigs, UMBC only)
- We'll be demonstrating the use of Discord.
- The recordings for this session, and all other recordings for this semester, will be found on Box.
- 2/7/2022 Tools for Static Analysis
- Permissions to enroll have been issued. We plan to offer the course next year...
- Charles will discuss some of the notes under Basic Tools
- These slides will be used today (and perhaps next time, too)
- We will demonstrate the following, in this order, or maybe not:
- the Flare VM, including snapshots, clones, and OVA files
- Virtual Box screenshots
- how, and when, to use shared folders in VirtualBox. Drag-and-Drop can be useful, but shared folders can be problematic.
- the strings command on Flare, and floss if time permits
- Charles will discuss the PE HEaders, and use Detect it Easy to demonstrate.
- The slides will provide more information, but they can be perused off-line
- We will demonstrated the upx utility to compress (
upx -1orupx -9) and decompress (upx -d) files next time, if not tonight - We have made some virtual machines available:
- Homework 1 is now available, and will be due in a week.
- The file Lab1.docx is available for download. Edit this document as needed, with your answers to the homework questions.
- The file hw1.zip is available for download. The password for the zipped malware specimen(s) is "infected", without the quotes.
- We will discuss the homework in some detail...download the docx and zip files to your Flare VMs if you wish.
- We will demonstrate how to upload your work to Blackboard on Wednesday.
- Other instructions will be on the homework.
- The recordings for this session, and all other recordings for this semester, will be found on Box.
- The course BlackBoard site has been made public.
- 2/9/2022 Packing and Unpacking
- We will discuss and demonstrate packers, especially upx
- Demo upx in Flare
- Other packers used in malware include ASPack, PECompact, Petite, Themida, RLPack, and NSIS.
- How can we tell if upx works as it should?
- compress something, uncompress, and see if the two objects match!
- how can we do that?
- lossy vs. lossless compression
- The recordings for this session, and all other recordings for this semester, will be found on Box.
- 2/14/2022 Configuring Virtual Machines
- Homework 2 will be released no earlier than Feb 16.
- Malware analysts should know C, assembly , but also Python
- the pefile module in Python can be used to make lots of useful tools.
- Check out an example from VirusTotal
- Ben gave a good demo of this in Spring 2021, if you want to watch
- He mentions a site called MalwareBazaar
- See the Hybrid-Analysis site
- and the Nextron Systems site, which includes Thor
- Cuckoo Sandbox is open souce. Lots of research projects become possible!
- But I don't have much experience with Cuckoo :-(
- Want to know more about the internals of Linux?
- several Nutshell books are relevant
- maybe also this contribution on GitBook
- If your Windows box complains about being unlicensed...
- Download this file win_activate.bat to your Desktop
- Make sure you're connected to the campus VPN
- Right-click on the win_activate file, and select "Run as administrator"
- The campus site license server should take care of activating your copy of Windows.
- The recordings for this session, and all other recordings for this semester, will be found on Box.
- 2/16/2022 Basic Dynamic Analysis
- Homework 2 is to be released next Monday, February 21
- You may be interested in looking at https://www.secrepo.com/#
- Some instructions for how to properly set up FakeNet-NG, which will be needed for HW2.
- We will be using FakeNet and wireshark. The packages Apate-DNS and inetsim, discussed in the textbook, are no longer widely used.
- Wireshark demo
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/21/2022 Registry
- Homework 2 has been released. The malware specimen is here.
- We will use some class time to discuss Homework 2.
- The fakenet package can be download from here.
- More demos useful for Homework 2: Regshot, Process Monitor, Process Explorer
- perhaps using a certain malware specimen, namely IllusionBot_2007, available from TheZoo on Github
- Procexp: Strings different on disk / in memory, loaded DLLs in bottom pane
- Procmon: look at the resources various processes are using
- Regshot: Capture the registry, in case the registry gets borked by the malware, or the user :-)
- Persistence through services, WinLogon\Shell
- Persistence through services, WinLogon\Shell
- This tutorial is a good overview of Chapter 3 in PMA. Like Chapter 3, it's a bit out-of-date.
- You might be interested in reading about how malware authors are using VirusTotal.
- The recordings for this session, and all other recordings for this semester, will be found here.
- 2/23/2022 Assembler Language Review
- We spent a lot of time discussing Homework 2
- Optional topic: analyzing DLL files
- Running a DLL with rundll32.exe
- A DLL can be converted into an executable using a tool such as PE Explorer (Charles to demo if time permits)
- Running a DLL with rundll32.exe
- More about the Sysinternals Suite, as time permits
- The recordings for this session, and all other recordings for this semester, will be found here
- 2/28/2022 C code constructs
- It seems appropriate to discuss CISA
- Triage vs. in-depth analysis
- Go over Homework 1, tonight or next time. Most people have done quite well, with most scores 90% or higher.
- We will be reviewing concepts from x86 assembly with these slides
- Why do we care about assembly code?
- As examples of assembler code, I've heard good things about nasm, a popular
assembler
- you can download and run the installer for Windows at the nasm web site
- then add the installed directory to your path. You DO know how to add directories to your path, right?
- for Windows apps, you'll find it convenient to install Visual Studio, whether you use it as an IDE or not
- whenever you change your path, Windows 11 seems to require a reboot :-(
- subsequent use of cmd.exe will find the nasm.exe binary
- two versions of hello world console and window
- nasm is also available for Ubuntu
- sudo apt-get install nasm
- do we care about Windows vs. Linux? we sure do!
- extensive documentation is available
- the NASM tutorial
- architecture and opcode information from Intel
- Charles is aware of a series of tutorials on YouTube that may be useful for learning X86 assembly
- Some resources you might
want to look at.
- FireEye often runs interesting webinars. Such as this.
- The recordings for this session, and all other recordings for this semester, will be found here
- 3/2/2022
- Summary of PMA Chapter 6
- A simple C program that uses several control structures
(pma6.c) and the assembly listing (pma6.s) generated with gcc pma6.c
-Wa,-adhln -g
note: no space between Wa and -a - The -g flag causes a lot of useful information to appear in the .s file
- Take a look at this list of free online malware sandboxes!
- You don't have to keep your Ubuntu environment
current, but there are reasons to do so. Update manager
is very capable.
- It is often (but not always) good to have VirtualBox install guest additions as well as extensions.
- Charles will demonstrate IDA. The freeware version of IDA is available on the Flare VM we provide.
- FLIRT is a feature of IDA that helps with analysis of functions.
- The old freeware version of IDA, which would be needed if you want to use it on Windows XP, is available here. (UMBC only)
- The recordings for this session, and all other recordings for this semester, will be found here
- 3/7/2022 more on IDA
- The TAs and Dr. N. will be finishing the demo of IDA
- We may also do some of exercises 1-9 from the end of chapter 5 as a demo. (Chapter 5 in the printed book, Chapter 6 on Kindle)
- An easy introduction to IDA (YouTube, 35 minutes). Professor Steve, whom I do not know, seems to have created several useful videos of this type.
- You may be interested in this demo of IDA, with emphasis on its debugger (YouTube, 98 minutes). (CKN has not yet watched these.)
- A series of YouTubes that deal with Ghidra, in case you want to view before next week...
- Lesson 1 Introduction
- Lesson 2 UI
- Lesson 3 Windows Tools Part 1
- Lesson 3 Windows Tools Part 2
- Lesson 3 Windows Tools Part 3
- Lesson 3 Windows Tools Part 4
- Lesson 4 Exploit "Phoenix"
- Lesson 5 Structures
- The recordings for this session, and all other recordings for this semester, will be found here
- 3/9/2022 more with Ghidra
- We plan to officially release Homework 3 next week. It may already be available.
- After class, TA Henry will be presenting an Introduction to Reverse Engineering (RE) for the Wednesday night Cyberdawg meeting.
- The slides are still under construction
- You do know about the CyberDawgs, don't you?
- The TAs will spend much of this session demonstrating Ghidra.
- Midterm exam is scheduled for March 30, and will be due April 4.
- The recordings for this session, and all other recordings for this semester, will be found here
- 3/14/2022 still more Ghidra
- We have released Homework 3
- More on IDA, Ghidra, and the homework.
- Malware and the Windows API (ppt) (pdf)
- A recent talk about Ghidra
- Here is a malware example, as a password-protected zipfile (zip) with password "malware" without the quotes
- As practice for the midterm. answer these questions: (1) what is the length and SHA-256 hash for this binary? (easy) (2) what, if anything, raises your suspicions in the IMPORTS table? (somewhat easy) (3) using IDA or the disassembler of your choice, what is it that makes this file malicious? what function does something bad? there may be several good answers to this question. we can then discuss in class.
- The recordings for this session, and all other recordings for this semester, will be found here. There are two parts to today's class, Part 1 IDA, Part 2 Ghidra.
- 3/16/2022 Using Decompilers
- looking at many of Ghidra's features, including variable and function renaming, and decompilation
- No office hours for TAs or Dr. N. next week, but we'll be in email contact.
- Robert "RJ" Joyce will be speaking tonight at 7pm on the subject of Honeypots
- WebEx
- Discord
- Spring 2022 Presentations and Recordings, including Henry's from last week
- The recordings for this session, and all other recordings for this semester, will be found here
- Spring Break! No class on March 21 or March 23, 2022. Enjoy!
- 3/28/2022 Chapter 8
- Homework 3 is due today
- Does Ghidra complain about JDK? Download the latest version of the Java Development kit (currently JDK-11-0-14) and install it. It will put some files in c:/Program Files/Java, and Ghidra will find it there.
- Go over the current plans for the midterm, to be released Wednesday afternoon, due Monday of next week.
- Finish slides from the previous session Malware and the Windows API (ppt) (pdf)
- Following Malware Execution - inspired by PMA (ppt, pdf)
- We may or may not present this material on
- This online tool may be an alternative to IDA and Ghidra.
- Another alternative to IDA is radare. It can be used in visual mode, or through the command line. Its documentation is extensive, and the price is right.
- Alternatives to IDA exist, such as Hopper for OS X and Linux.
- Covert malware - inspired by PMA (ppt, pdf)
- The recordings for this session, and all other recordings for this semester, will be found here
- 3/30/2022 Exam and Project
- The EXAM was released shortly after 5pm today, Wednesday, in
take-home format. Due by 5:30pm next Monday, April 4.
- The midterm exam includes links to the malware specimens.
- Feel free to start working on it, or just read through it. We can address your questions during class time.
- Submit your completed exam through BlackBoard, as with the homework assignments.
- Last year's midterm may still be available.
- The UMBC-license Windows 10 OVA file has been updated, so Ghidra should run.
- No new material is planned for this class session
- The recordings for this session, and all other recordings for this semester, will be found here
- The EXAM was released shortly after 5pm today, Wednesday, in
take-home format. Due by 5:30pm next Monday, April 4.
- 4/4/2022 more Chapter 8.
- The midterm exam is due by 5:30pm.
- Peter Drucker's article "Managing Oneself" appeared in the January, 2005 issue of Harvard Business Review.
- The paper is not being assigned as part of this course, but if you as an authorized UMBC library patron and wish to read it, here it is.
- The link is supposed to work from a UMBC IP address only.
- Finish slides on Malware Execution
- The recordings for this session, and all other recordings for this semester, will be found here
- 4/6/2022 More on Immunity
- Demonstrate use of ImmDbg
- Go over Exercise 9-02 from PMA.
- For a detailed introduction to Immunity, see Nardella's paper from SANS Institute.
- The SANS Institute has a reading room, which includes lots of interesting papers related to malware.
- RJ recommends Attributes of Malicious Files
- The recordings for this session, and all other recordings for this semester, will be found here
- Demonstrate use of ImmDbg
- 4/11/2022 Malware Behavior
- Finish demo of Immunity Debugger.
- Homework 4 to be released. The malware sample.
- Chapter 12 notes
- As time permits, finish slides on Covert Malware.
- The recordings for this session, and all other recordings for this semester, will be found here
- 4/13/2022 Encoding Data
- Chapter 14 notes
- Go over midterm exam
- The recordings for this session, and all other recordings for this semester, will be found here
- 4/18/2022 Anti-Disassembly
- Chapter 16, Anti-Disassembly
- The recordings for this session, and all other recordings for this semester, will be found here
- 4/20/2022 Anti-Debugging
- Chapter 17, Anti-Debugging
- dealing with packed malware
- a special report from Mandiant (pdf, 95 pages)
- more from Peter Drucker
- interested in a Ph.D. degree? take a look at this PhD Survival Guide
- The recordings for this session, and all other recordings for this semester, will be found here
- 4/25/2022 more on packing and unpacking
- Chapter 18 notes
- demo on packing and unpacking
- Homework 5 has been released. The malware for Homework 5.
- You will need ImpRec and OllyDumpEx.
- The recordings for this session, and all other recordings for this semester, will be found here
- 4/27/2022 Unpacking Binaries
- 5/2/2022 YARA
- Chapter 15 notes Network Indicators
- The Daphne Harrison Lecture with Freeman Hrabowski is to take place at 6pm. It will be streamed on the UMBC YouTube channel
- Course evaluations are coming! Watch your email.
- The FINAL will be OPTIONAL. Let me know by May 11 if you want to take it.
- For your information, the malware corpus we used last year us found here (7z) UMBC IPs only, usual password.
- To follow along, you'll need to
Download the YARA source code:
wget https://github.com/VirusTotal/yara/archive/v3.7.0.tar.gz - Follow the installation instructions from this guide:
http://yara.readthedocs.io/en/v3.7.0/gettingstarted.html - Handy YARA rules overview:
http://yara.readthedocs.io/en/v3.7.0/writingrules.html - Sorokin's paper on structural entropy (pdf)
- It is important for you to be on the CSEE email lists. Instructions are here.
- Remember to fill out the student evaluations! For this class and others you're taking. Thanks!
- The recordings for this session, and all other recordings for this semester, will be found here
- 5/4/2022 Ongoing Research Topics
- Henry will be talking about Yara today
- Outgoing UMBC President Dr. Freeman Hrabowski was featured in Spike Lee's 1997 documentary "Four Little Girls" YouTube
- The YARA Homework and the associated data have been released.
- Charles will be speaking to the CyberDawgs this evening at 7:10pm WebEx
- The recordings for this session, and all other recordings for this semester, will be found here
- 5/9/2022 Malware on UNIX
- Henry continued his YARA demo
- The Student Evaluation of Educational Quality (SEEQ) is a standardized course evaluation instrument used to provide measures of an instructor’s teaching effectiveness. The results of this questionnaire will be used by promotion and tenure committees as part of the instructor’s evaluation. The Direct Instructor Feedback Forms (DIFFs) were designed to provide feedback to instructors and they are not intended for use by promotion and tenure committees. The responses to the SEEQ and the DIFFs will be kept confidential and will not be distributed until final grades are in.
- The recordings for this session, and all other recordings for this semester, will be found here
- 5/11/2022 Wrapping Up
- You should now have access to all your grades up to and including HW 5.
- Discuss final exam as appropriate
- Charles may talk about Exploit Kits! Beware of Exploit Kits!
- The topic of Linux malware should not be ignored, but that's what we're going to do.
- Nor have we talked much about malware on the Mac. Much of the information related to Mac malware is old, unfortunately
- But I can recommend this recent report from Malwarebytes.
- Chapter 20, Shellcode Analysis, which we won't get to explore in a homework, but you should be aware of it.
- Please fill out the SEEQs, thanks!
- The recordings for this session, and all other recordings for this semester, will be found here
- 5/16/2022 Final Exam Preview
- This is the last day of class!
- The final exam is optional! But if you want to take it, it will be released Monday, May 23, at 6pm, in accordance with the UMBC Final Exam Schedule
- Check here in order to find last year's final exam and its malware.
- After the semester ends, I may end up putting items of interest here. Such as:
- This report from BlackBerry on RATS
- Maddies Stone has Android Malware material on YouTube
- The recordings for this session, and all other recordings for this semester, will be found here
- Dino says, "Enjoy your summer!"
