The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.

Many dates and details will be updated!

Spring 2023 semester

  1. 1/30/2023 Introduction
    • Review of course syllabus, campus policies, and logistics
    • Introduction
    • You will need to install VirtualBox. Instructions for doing so are found here.
    • Users of M1 Macs Beware!
      • But I am told that a version of VirtualBox for M1 Macs is in beta.
    • We are making a Windows 7 virtual machine available for the class.
      • Windows 7 (OVA, 18 gigs, UMBC only)
      • Download the OVA file by clicking the above link. You will need to be connected via the UMBC VPN, or access Box (or Google Drive, as the case may be) with your UMBC credentials. The download will take a while.
    • Start VirtualBox. Select File->Import Appliance, and choose the OVA file you just downloaded. This, too, may take a few minutes.
      • If you don't have enough disk space, we suggest you get an external drive.
      • User "Student" password "infected"
    • Once you import this VM into Virtual Box and boot it up, make sure you turn off automatic updates, and Windows Defender, right away! Discuss why.
    • We also have a malware analysis platform based on Windows 10, see below.

      The recordings for this session, and all other recordings for this semester, will be found on Box.

  2. 2/1/2023 Basic Static Analysis
    • Introducing the VM we use for malware analysis.
    • These Introduction slides will be presented.
    • Virtual Machines
    • Importing an appliance into VBox.
    • Windows 10 Stable (OVA, 10 gigs, UMBC only)
      • User "Student" password "infected"
    • If your Windows box complains about being unlicensed...
      • Download this file win_activate.bat to your Desktop
      • Make sure you're connected to the campus VPN
      • Right-click on the win_activate file, and select "Run as administrator"
      • The campus site license server should take care of activating your copy of Windows!
    • We'll be demonstrating the use of VirtualBox.

  3. 2/6/2023 Tools for Static Analysis
    • TAs may demonstrate the use of Discord
    • Charles will discuss some of the notes under Basic Tools
    • These slides on Basic Static Analysis will be used today (and perhaps next time, too)
    • We have made some virtual machines available:
      • Windows 10 Stable (OVA, 10 gigs, UMBC only)
      • Windows 10 Malware (OVA, 20 gigs, UMBC only)
      • Windows 7 Malware (OVA, 19 gigs, UMBC only)
      • User "Student" password "infected"
    • If your VM is running very slowly, check the paravirtualization interface setting. I suggest "none". See the end of Section 2 in EMA, or visit this link
    • We will demonstrate the following, in this order, or maybe not:
      • the Flare VM, including snapshots, clones, and OVA files
      • Virtual Box snapshots, AND screenshots
      • how, and when, to use shared folders in VirtualBox. Drag-and-Drop can be useful, but shared folders can be problematic.
      • the strings command on Flare, and floss if time permits
    • Charles will discuss the PE Headers, and use Detect it Easy to demonstrate.
    • The slides will provide more information, but they can be perused off-line
    • The course BlackBoard site should now be public.

  4. 2/8/2023 Packing and Unpacking
    • Homework 1 is now or will soon be available, and will be due in a week.
      • The file Homework1.docx will be available for download. Edit this document as needed, with your answers to the homework questions.
      • The file hw1.7z is available for download. The password for the zipped malware specimen(s) is "infected", without the quotes.
      • We will discuss the homework in some detail...download the docx and zip files to your Flare VMs if you wish.
      • Demonstrate the use of DiE, and strings
      • We will demonstrate how to upload your work to Blackboard. You will be uploading doc files, NOT pdf
      • Other instructions will be on the homework.

  5. 2/13/2023 Configuring Virtual Machines
    • Slides: Basic Dynamic Analysis VMs and Sandboxes
    • Check out an example from VirusTotal
      • Ben gave a good demo of this in Spring 2021, if you want to watch
      • See the Hybrid-Analysis site
      • and the Nextron Systems site, which includes Thor
    • Malware sandboxes such as any.run and malcore are very interesting!
    • Homework 2 will be released no earlier than Feb 20.
    • Malware analysts should know C and assembly, but also Python
      • the pefile module in Python can be used to make lots of useful tools.
    • Want to know more about the internals of Linux?
      • several Nutshell books are relevant
      • maybe also this contribution on GitBook

  6. 2/15/2023 Basic Dynamic Analysis
    • Homework 1 will be due at 5:30pm THURSDAY February 16
    • Present some slides on Hashing and Packing
    • We will discuss and demonstrate packers, especially upx
      • Demo upx in Flare
      • We will demonstrate the upx utility to compress (upx -1 or upx -9) and decompress (upx -d) files
      • Other packers used in malware include ASPack, PECompact, Petite, Themida, RLPack, and NSIS.
    • There are lots of packers out there! You might want to look at PyPackerDetect from Cylance.
    • How can we tell if upx works as it should?
      • compress something, uncompress, and see if the two objects match!
      • how can we do that?
      • lossy vs. lossless compression
    • Homework 2 is to be released next Monday
    • You may be interested in looking at https://www.secrepo.com/#
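One way to answer "how can we do that?" above, as an added example that is not part of the course page: pack a file with upx, unpack it again, and compare SHA-256 hashes of the original and the restored file. It assumes the upx binary is on PATH (as on the Flare VM); the hashing and comparison helpers work on any two files without upx.

```python
"""Round-trip check for a packer: pack, unpack, compare hashes.

Added example for this course page, not part of it. Assumes the upx
binary is on PATH; the hashing/comparison helpers run without upx.
"""
import hashlib
import subprocess
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_files(original: Path, restored: Path) -> dict:
    """Report sizes and whether the two files match byte-for-byte (via hash).

    A lossless round trip must give identical hashes; a size mismatch
    alone already proves the files differ.
    """
    orig_hash, rest_hash = sha256_of(original), sha256_of(restored)
    return {
        "original_size": original.stat().st_size,
        "restored_size": restored.stat().st_size,
        "original_sha256": orig_hash,
        "restored_sha256": rest_hash,
        "identical": orig_hash == rest_hash,
    }


def upx_round_trip(original: Path, workdir: Path, level: str = "-9") -> dict:
    """Run 'upx <level>' then 'upx -d' into workdir and compare with the original.

    Uses only documented upx options: -1/-9 compression level, -d decompress,
    -o output file. Requires upx on PATH (assumption).
    """
    packed = workdir / (original.name + ".packed")
    restored = workdir / (original.name + ".restored")
    subprocess.run(["upx", level, "-o", str(packed), str(original)],
                   check=True, capture_output=True)
    subprocess.run(["upx", "-d", "-o", str(restored), str(packed)],
                   check=True, capture_output=True)
    result = compare_files(original, restored)
    result["packed_size"] = packed.stat().st_size
    return result


if __name__ == "__main__":
    import sys
    print(upx_round_trip(Path(sys.argv[1]), Path(".")))
```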

  7. 2/20/2023 Registry
    • Homework 2 has been released. The malware specimen will be here.
    • We will use some class time to discuss Homework 2.
    • Some updated instructions for how to properly set up FakeNet-NG, which will be needed for HW2.
    • We will be using FakeNet and Wireshark. The packages Apate-DNS and inetsim, discussed in the textbook, are no longer widely used.
    • The fakenet package can be downloaded from here.
    • Wireshark demo
    • More demos useful for Homework 2: Regshot, Process Monitor, Process Explorer
      • perhaps using a certain malware specimen, namely IllusionBot_2007, available from TheZoo on Github
    • Procexp: Strings different on disk / in memory, loaded DLLs in bottom pane
    • Procmon: look at the resources various processes are using
    • Regshot: Capture the registry, in case the registry gets borked by the malware, or the user :-)
      • Persistence through services, WinLogon\Shell
    • This tutorial is a good overview of Chapter 3 in PMA. Like Chapter 3, it's a bit out-of-date.
    • Slides for Host-Based Dynamic Analysis and Network-Based Dynamic Analysis
    • You might be interested in reading about how malware authors are using VirusTotal.

  8. 2/22/2023 Assembler Language Review
    • We may spend some time discussing Homework 2
    • Optional topic: analyzing DLL files
      • Running a DLL with rundll32.exe
      • A DLL can be converted into an executable using a tool such as PE Explorer (Charles to demo maybe)
    • More about the Sysinternals Suite, as time permits
    • Lots of resources for x86 assembly can be found online, including YouTube
    • The best reference is still the Intel Developer Manuals. Buy some paper and toner! It's more than 5000 pages.
    • Check out the MOVfuscator (github)
    • Charles presents these slides for X86 Assembly Language

  9. 2/27/2023 C code constructs
    • Go over Homework 1, tonight or next time. Most people have done quite well, with most scores 90% or higher.
    • Charles presents slides on C Constructs in Assembly
    • Why do we care about assembly code?
    • As examples of assembler code, I've heard good things about nasm, a popular assembler
      • you can download and run the installer for Windows at the nasm web site
      • then add the installed directory to your path. You DO know how to add directories to your path, right?
      • for Windows apps, you'll find it convenient to install Visual Studio, whether you use it as an IDE or not
      • whenever you change your path, Windows 11 seems to require a reboot :-(
        • subsequent use of cmd.exe will find the nasm.exe binary
      • two versions of hello world console and window
        • Hello, World, for the console, for Linux
        • Hello, World, for the console, for Windows
        • another Windows example, assuming that Cygwin is installed
      • nasm is also available for Ubuntu
        • sudo apt-get install nasm
      • do we care about Windows vs. Linux? we sure do!
      • extensive documentation is available
      • the NASM tutorial
      • architecture and opcode information from Intel
    • It seems appropriate to discuss CISA
    • Triage vs. in-depth analysis
    • Charles is aware of a series of tutorials on YouTube that may be useful for learning X86 assembly
    • Some resources you might want to look at.
      • Mandiant offers lots of resources, such as their blog, for free!

  10. 3/1/2023
    • Summary of PMA Chapter 6
    • A simple C program that uses several control structures (pma6.c) and the assembly listing (pma6.s) generated with gcc pma6.c -Wa,-adhln -g
      note: no space between Wa and -a
    • The -g flag causes a lot of useful information to appear in the .s file
    • Take a look at this list of free online malware sandboxes!
    • You don't have to keep your Ubuntu environment current, but there are reasons to do so. Update manager is very capable.
      • It is often (but not always) good to have VirtualBox install guest additions as well as extensions.

  11. 3/6/2023 welcome IDA
    • Charles will demonstrate IDA. The freeware version of IDA is available on the Flare VM we provide.
    • FLIRT is a feature of IDA that helps with analysis of functions.
    • The old freeware version of IDA, which would be needed if you want to use it on Windows XP, is available here. (UMBC only)
    • We may also do some of exercises 1-9 from the end of chapter 5 as a demo. (Chapter 5 in the printed book, Chapter 6 on Kindle)
    • An easy introduction to IDA (YouTube, 35 minutes). Professor Steve, whom I do not know, seems to have created several useful videos of this type.
    • You may be interested in this demo of IDA, with emphasis on its debugger (YouTube, 98 minutes). (CKN has not yet watched these.)
    • A series of YouTubes that deal with Ghidra, in case you want to view before next week...

  12. 3/8/2023 more with Ghidra
    • We are releasing Homework 3 today. The malware specimen. A new version was posted at 4:45pm today.
    • We will spend much of this session demonstrating IDA and Ghidra.
    • The questions from PMA that we used for the IDA demo. (Needs myUMBC creds.)
    • Midterm exam is scheduled for March 29, and will be due April 3.

  13. 3/13/2023 still more Ghidra
    • The class will be remote this week! Dr. N. will be teaching from home, but people are still welcome to gather in ILSB if they wish.
    • Dr. N. may have been too hard on ChatGPT last week! The notion of a "thunk" did originate in programming language design, to refer to an expression, to which a value would be assigned at runtime. Pointers to functions that are loaded at run-time, as opposed to load-time, would qualify. Lazy evaluation of expressions, common in functional languages such as Haskell, might result in use of thunks as well. The concept originated with the Algol language, which used call-by-name, rather than call-by-value etc. Your textbook from CMSC 331 will explain it.
    • More on IDA, Ghidra, and the homework.
    • Malware and the Windows API (pdf)
    • Here is a malware example, as a password-protected zipfile (zip) with password "malware" without the quotes
    • As practice for the midterm, answer these questions: (1) What is the length and SHA-256 hash for this binary? (easy) (2) What, if anything, raises your suspicions in the IMPORTS table? (somewhat easy) (3) Using IDA or the disassembler of your choice, what is it that makes this file malicious? What function does something bad? There may be several good answers to this question. We can then discuss in class.
    • The recordings for this session, and all other recordings for this semester, will be found here. There are two parts to today's class, Part 1 IDA, Part 2 Ghidra.
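A small triage script for practice questions (1) and (2) above, and an instance of the "useful tools" the pefile module makes possible (session 5). It is an added example, not a course tool; it assumes the third-party pefile module is installed, and its API watch-list is a constructed, illustrative subset.

```python
"""Triage for the practice questions: file length, SHA-256, and imports.

Added example for this course page, not the course's own tool. Uses the
third-party pefile module (pip install pefile); the watch-list below is a
constructed subset, not an authoritative list.
"""
import hashlib
from pathlib import Path

# Constructed watch-list: imports that warrant a closer look in static triage
# (injection, downloading, hooking, persistence, anti-debugging). A hit is a
# prompt to investigate in the disassembler, not proof of malice.
WATCH_LIST = {
    "kernel32.dll": {"VirtualAllocEx", "WriteProcessMemory",
                     "CreateRemoteThread", "IsDebuggerPresent", "WinExec"},
    "urlmon.dll": {"URLDownloadToFileA", "URLDownloadToFileW"},
    "user32.dll": {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState"},
    "advapi32.dll": {"RegSetValueExA", "RegSetValueExW",
                     "CreateServiceA", "CreateServiceW"},
}


def sha256_bytes(data: bytes) -> str:
    """Question (1): SHA-256 of the raw file contents."""
    return hashlib.sha256(data).hexdigest()


def flag_imports(imports: dict) -> list:
    """Question (2): (dll, api) pairs from the import table on the watch-list.

    DLL names are compared case-insensitively, as the loader treats them.
    """
    hits = []
    for dll, apis in imports.items():
        watched = WATCH_LIST.get(dll.lower(), set())
        hits.extend((dll.lower(), api) for api in sorted(apis) if api in watched)
    return hits


def imports_of(path: Path) -> dict:
    """Parse the import directory with pefile: DLL name -> set of API names."""
    import pefile  # imported lazily so the other helpers run without it
    pe = pefile.PE(str(path))
    table = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode(errors="replace")
        table[dll] = {imp.name.decode() for imp in entry.imports if imp.name}
    return table


def triage(path: Path) -> dict:
    """Length, SHA-256 and flagged imports for one specimen."""
    data = path.read_bytes()
    return {"length": len(data), "sha256": sha256_bytes(data),
            "flagged": flag_imports(imports_of(path))}


if __name__ == "__main__":
    import sys
    print(triage(Path(sys.argv[1])))
```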

  14. 3/15/2023 Using Decompilers
    • The class will be remote this week! Dr. N. will be teaching from home, but people are still welcome to gather in ILSB if they wish.
    • looking at many of Ghidra's features, including variable and function renaming, and decompilation
    • The NSA Codebreaker Challenge: In-Person Information Session
      Get ready for the NSA Codebreaker Challenge 2023!
      Thursday, March 16, 2023 · 5 - 6:30 PM
      The Commons : 331
      UMBC is a top performing institution in the NSA Codebreaker Challenge. 
      This session will introduce and prepare students for the next NSA Codebreaker Challenge to be released in August 2023.
      We encourage you to stop by this in-person session to hear the latest details directly from NSA representatives!
    • You can also attend this session to learn more about career opportunities at NSA!
    • Spring Break! No class on March 20 or March 22, 2023. Enjoy!

  15. 3/27/2023 Chapter 8
    • Dr. N. found a short graphic novel about Talos and its recent threat hunting work.
    • Go over the current plans for the midterm, to be released Wednesday afternoon, due Monday of next week.
    • Finish slides from the previous session Malware and the Windows API (ppt) (pdf)
    • We may or may not present this material on
      • This online tool may be an alternative to IDA and Ghidra.
      • Another alternative to IDA is radare. It can be used in visual mode, or through the command line. Its documentation is extensive, and the price is right.
      • Alternatives to IDA exist, such as Hopper for OS X and Linux.

  16. 3/29/2023 Exam and Project
    • The EXAM has been released. Due by 5:30pm next WEDNESDAY, April 5.
      • Feel free to start working on it, or just read through it. We can address your questions during class time.
      • Submit your completed exam through BlackBoard, as with the homework assignments.
      • Last year's midterm may still be available.
    • No new material is planned for this class session
    • An UPDATE for the exam was posted at about 4PM. Use the new version of the exam and malware. The due date for the exam is now Wednesday April 5!
    • Those who turn in the midterm by the original due date of 5:30pm Monday will receive 10 points in extra credit on the exam!

  17. 4/3/2023 more Chapter 8.
    • Went over Homework 3
    • Discuss this report from Mandiant on APT43.
    • Following Malware Execution - inspired by PMA (pdf)
      • For more about DllMain and lots of other stuff, see Microsoft Learn
    • Peter Drucker's article "Managing Oneself" appeared in the January, 2005 issue of Harvard Business Review.
      • The paper is not being assigned as part of this course, but if you are an authorized UMBC library patron and wish to read it, here it is.
      • The link is supposed to work from a UMBC IP address only.
    • Finish slides on Malware Execution

  18. 4/5/2023 More on Immunity and x96
    • The midterm exam is due by 5:30pm.
    • For those who want to learn more about debuggers, and/or the Rust programming language, we recommend a series of blog posts starting here.
    • The SANS Institute has a reading room, which includes lots of interesting papers related to malware.

  19. 4/10/2023 Malware Behavior
    • Demo of Immunity Debugger on ftp.exe
      • For a detailed introduction to Immunity, see Nardella's paper from SANS Institute.
      • I have become a fan of x96! (By x96 we refer to both x64 and x32 debuggers)
    • Demo of x96 Debugger on ftp.exe.
    • Covert malware - inspired by PMA (pdf)
    • Chapter 12 notes

  20. 4/12/2023 Encoding Data
    • Homework 4 has been released. The malware for Homework 4.
    • Homework 4 will be due Friday, April 19, 5:30pm
    • Finish up some material from recent class sessions

  21. 4/17/2023 More about Debugging
    • Raguvir will demonstrate use of x96 by going over Exercise 9-02 from PMA. The questions refer to the file Lab09-02.exe
      1. What strings do you see statically in the binary?
      2. What happens when you run this binary?
      3. How can you get this sample to run its malicious payload?
      4. What is happening at 0x00401133?
      5. What arguments are being passed to subroutine 0x00401089?
    • Chapter 14 notes
    • Homework 4 will be due Friday, April 19, 5:30pm

  22. 4/19/2023 Anti-Debugging
    • Homework 4 will be due Friday, April 19, 5:30pm
    • Go over midterm exam
    • Chapter 16, Anti-Disassembly
    • a special report from Mandiant (pdf, 95 pages)
    • more from Peter Drucker

  23. 4/24/2023 more on packing and unpacking
    • Chapter 17, Anti-Debugging
    • Homework 5 will be released next week.

  24. 4/26/2023 Unpacking Binaries
    • How are you doing, as the semester winds down?
      • Help is available for those who are struggling.
      • From the Maryland Department of Health: Help us spread the word about the new crisis and suicide lifeline, 988. If you or someone you know is in crisis, dial 988.
    • Chapter 18 notes
    • dealing with packed malware
    • Last year, Sophie did a demo of tail jump finding in packed files. See the recording, and this tutorial (PDF)
    • Chapter 15 notes Network Indicators
    • interested in grad school? take a look at this PhD Survival Guide
    • President Sheares-Ashby is to be inaugurated tomorrow! The ceremony will be streamed live for those who cannot attend in person. You can find the link to stream the ceremony here

  25. 5/1/2023 YARA
    • Course evaluations are coming! Watch your email.
    • The FINAL will be OPTIONAL. Let me know by May 10 if you want to take it.
      • For your information, the malware corpus we used last year is found here (7z) UMBC IPs only, usual password.
    • Some slides on YARA
    • Reading the YARA documentation is a good way to learn about Yara!
      • Includes the installation instructions
      • and a handy YARA rules overview

  26. 5/3/2023 Ongoing Research Topics
    • It is important for you to be on the CSEE email lists. Instructions are here.
    • Remember to fill out the student evaluations! For this class and others you're taking. Thanks!
    • We will be talking about YARA today
    • The YARA homework and the associated data have been released.
    • Sorokin's paper on structural entropy (pdf)

  27. 5/8/2023 Malware on UNIX
  28. 5/10/2023 Wrapping Up
    • Dr. Nicholas is not feeling well, and will be teaching from home. Class today will be VERY short.
    • The deadline for extra credit on Homework 5 is extended until midnight tonight.
    • Discuss final exam as appropriate
    • The topic of Linux malware should not be ignored, but that's what we're going to do.
    • Nor have we talked much about malware on the Mac. Much of the information related to Mac malware is old, unfortunately.
    • But I can recommend this recent report from Malwarebytes.
    • Chapter 20, Shellcode Analysis, which we won't get to explore in a homework, but you should be aware of it.
    • Please fill out the SEEQs, thanks!

  29. 5/15/2023 Final Exam Preview
    • This is the last day of class!
    • The final exam is optional! But if you want to take it, it will be released Monday, May 22, at 6pm, or some other date in accordance with the UMBC Final Exam Schedule
    • Check here in order to find last year's final exam and malware.
    • After the semester ends, I may end up putting items of interest here. Such as:
      • This report from BlackBerry on RATS
      • Malcat is a hexadecimal editor and disassembler for malware analysis
    • Maddie Stone has Android Malware material on YouTube
      • Android App Reverse Engineering Live! from April 24, 2020 (youtube)
      • Android App Reverse Engineering Live! from May 19, 2020 (youtube)
    • Dino says, "Enjoy your summer!"