Spring 2020

Prof. Charles Nicholas
ITE 356
Office hours: MW 2:30-4pm, or by appointment. Due to the variety of meetings I attend, office hours may vary. Feel free to call or send email to confirm.

The teaching assistants and their office hours are:

Robert Joyce joyce8@umbc.edu TTh 2:30-3:45 ITE 366 WebEx
Anna Staats astaats1@umbc.edu M 2-4:15 ITE 366 WebEx

Spring 2020 Lecture Topics

The Spring 2019 Schedule is available. For UMBC users only.

A much condensed version of this course can be presented as a half-day tutorial. The most recent such tutorial was presented at CIKM 2017 in Singapore.

Course information

Monday and Wednesday 5:30-6:45pm
The room is ENG 231.


Introduction to static and dynamic malware analysis. Basic and advanced tools are presented, both host- and web-based. Utilities that provide summary information, as well as disassemblers and debuggers, are discussed in detail. Emphasis is on analysis of realistic malware specimens from the textbook, or found in the wild. Homeworks and exams consist of preparing malware analysis reports such as those used in industry. The prerequisite is CMSC 313 or equivalent. Students are expected to have a solid grasp of programming in assembler as well as in a high-level language such as C. Knowledge of operating systems and networks will be useful but is not required.






Practical Malware Analysis
Sikorski and Honig
ISBN 978-1-59327-290-6
Publisher: no starch press
This book is required.
(electronic and paper versions are available, student may purchase format of their choice)
(zipfile of labs for UMBC only. Use right click and "save link as" to download this password-protected zipfile. The password is 'malware' without the quotes.)

This book is available for the Kindle. This book is the best available for the beginning malware analyst, in my opinion, but it focuses on Windows XP. However, this book is still useful because the tools and techniques are still relevant for newer versions of Windows, and indeed for malware on other systems.

The following books are not required, but may be helpful:

Malware Analyst's Cookbook and DVD
Ligh, Adair, Harstein and Richard
Publisher: Wiley
(Use "save link as" to download the tarfile of the DVD. For UMBC users only.)

Reversing: Secrets of Reverse Engineering
Eldad Eilam
Publisher: Wiley
This book is not required, but it may be helpful.

Windows Internals, Part 1 and Part 2
Russinovich, Solomon and Ionescu
Sixth edition
Publisher: Microsoft Press

Be careful when downloading "free" copies of these books! Use VirusTotal to examine any PDFs you get. Additional books, varying in quality, can be found on Wikibooks and other places.


We explore both static and dynamic malware analysis. Although malware takes many forms, we focus on executable binaries. We will cover object file formats, and the use of tools such as debuggers, virtual machines, and disassemblers. Obfuscation and packing schemes will be discussed, along with various issues related to Windows internals.

Students will acquire knowledge of relevant system internals, and experience in using various malware analysis tools. Students will also acquire insight into emerging trends in malware design, including efforts to deter analysis.

This will be a "hands on" course, and students are encouraged to bring their laptops to every class session.

Approximate Schedule:

We will be following the textbook, Practical Malware Analysis, closely. In general, we will cover a chapter per week.

The topics for class sessions are listed here. The course notes are under almost continuous construction. Don't rely on what you see; I can revise at any time!

Course Policies


We will have a mid-term exam and a comprehensive final examination. Both will be take-home. There will be roughly one homework/programming assignment every two weeks. One or more of the homeworks may involve reading articles or papers and writing short essays. Regular class attendance is expected. In-class quizzes will be given from time to time, with appropriate notice given.

Points will be allocated as follows: 15% midterm, 20% final, quizzes/homework/programming assignments 65%.


Title IX

As an instructor, I am considered a Responsible Employee, per UMBC’s Policy on Prohibited Sexual Misconduct, Interpersonal Violence, and Other Related Misconduct (located at http://humanrelations.umbc.edu/sexual-misconduct/umbc-resource-page-for-sexual-misconduct-and-other-related-misconduct/). While my goal is for you to be able to share information related to your life experiences through discussion and written work, I want to be transparent that as a Responsible Employee I am required to report disclosures of sexual assault, domestic violence, relationship violence, stalking, and/or gender-based harassment to the University’s Title IX Coordinator.

As an instructor, I also have a mandatory obligation to report disclosures of or suspected instances of child abuse or neglect (www.usmh.usmd.edu/regents/bylaws/SectionVI/VI150.pdf).

The purpose of these reporting requirements is for the University to inform you of options, supports and resources; you will not be forced to file a report with the police. Further, you are able to receive supports and resources, even if you choose to not want any action taken. Please note that in certain situations, based on the nature of the disclosure, the University may need to take action.

If you need to speak with someone in confidence about an incident, UMBC has the following Confidential Resources available to support you:
The Counseling Center: 410-455-2472
University Health Services: 410-455-2542
(After-hours counseling and care available by calling campus police at 410-455-5555)


Abuse of Resources

Abuse of the knowledge or experience you gain in this course may subject you to discipline under UMBC policy and/or criminal prosecution. Do not expect your status as a student to protect you if you break the law! Hacking into campus computers (other than systems approved for such a purpose) is a violation of UMBC policy, and may result in disciplinary action possibly including expulsion, in addition to possible criminal charges.

Academic Honesty

Academic dishonesty of any kind will be handled in accordance with University policy.

"By enrolling in this course, each student assumes the responsibilities of an active participant in UMBC's scholarly community, in which everyone's academic work and behavior are held to the highest standards of honesty. Cheating, fabrication, plagiarism, and helping others to commit these acts are all forms of academic dishonesty, and they are wrong. Academic misconduct could result in disciplinary action that may include, but is not limited to, suspension or dismissal. To read the full Student Academic Conduct Policy, consult the UMBC Student Handbook, the Faculty Handbook, or the UMBC Policies section of the UMBC Directory." [Statement adopted by UMBC's Undergraduate Council and Provost's Office.]



A collection of malware analysis resources, such as web sites, downloads, and so forth. Suggestions are welcome!

Reading List

Malware analysis is an active area of pure and applied research, and papers are appearing all the time. Students should know how to use the UMBC Library research port and other facilities to get copies of papers they want. I suggest this reading list. Again, suggestions for improving this list are welcome.