The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.

Spring 2020 semester -

  1. 1/27/2020 Introduction
  2. 1/29/2020 Virtual Machines
    • Homework 1
    • The homework assignment refers to this malware specimen, archived with 7-Zip (a 7z archive, not a runtime packer in the Chapter 1 sense).
    • Homework is to be emailed to RJ <joyce8@umbc.edu> no later than 11:59pm Thursday February 6.
    • Malware Research Group meets Fridays 2-3pm, ITE 366, starting Friday January 31!
    • Slides: Basic Static Analysis (these slides will be used today and next time, too)
  3. 2/3/2020 Basic Tools
  4. 2/5/2020 More on Packing and Unpacking
    • Start with a packing demo
    • The UMBC Cyberdefense Team, aka the Cyberdawgs, will be meeting after this class, on Wednesdays through the semester! The location is ITE 237.
    • Homework 1 is due before midnight tomorrow!
    • Slides: VMs and Sandboxes
  5. 2/10/2020 Configuring Virtual Machines
  6. 2/12/2020 Basic Dynamic Analysis
    • Demos useful for Homework 2
    • I can recommend an article on how malware authors are using VirusTotal.
    • Triage vs. in-depth analysis
    • Running a DLL with rundll32.exe: rundll32.exe DLLname,ExportName arguments
    • A DLL can also be converted into an executable with a PE editor such as LordPE (mentioned below) or a hex editor, rather than PEiD, which only identifies packers and compilers: clear the IMAGE_FILE_DLL bit (0x2000) in the Characteristics field of the IMAGE_FILE_HEADER and the loader will run the file as a program, calling DllMain. Chapter 3 of PMA describes this.
    • This tutorial is a good overview of Chapter 3 in PMA.
  7. 2/17/2020 Registry
    • RJ will continue to demo basic dynamic analysis tools, including Wireshark.
    • We used some class time for Homework 2
    • Some resources you might want to look at.
    • Use control panels and so forth to set up an internal network as described on page 57.
    • Use sudo apt-get update followed by sudo apt-get install pure-ftpd to get an ftp server for Ubuntu.
  8. 2/19/2020 Assembler Language Review
    • Anna will be reviewing concepts from the x86 assembly slides
    • Homework 3
    • An introduction to x64 assembly from Intel
    • I've heard good things about nasm, a popular x86 assembler that runs on Windows as well as Linux and macOS
      • nasm is also available for Ubuntu: sudo apt-get install nasm
      • extensive documentation is available
      • more NASM examples
      • when linking nasm output with gcc on Cygwin, it REALLY helps to have the necessary libraries installed, whatever they are. A full Cygwin install of the development tools is enough
    • Are people aware of food insecurity as an issue on college campuses? Charles wants to discuss this a bit.
    • Demonstrate searching for papers in the UMBC Library and elsewhere using the Research Port, and also the Subject Guide and related Tutorials
    • Look at Norman Sandbox
  9. 2/24/2020 more dynamic analysis
    • summary of PMA Chapter 6
    • A simple C program that uses several control structures (pma6.c) and the assembly listing (pma6.s) generated with gcc -g -c pma6.c -Wa,-adhln > pma6.s
      note: no space on either side of the comma in -Wa,-adhln; the listing goes to standard output, so redirect it (or write -Wa,-adhln=pma6.s to name the listing file directly)
    • The -g flag is what lets the h in -adhln interleave the C source lines with the generated assembly, so the listing shows which instructions each C statement compiled to
    • Example: Lab 6-1 (from the end of Chapter 6)
    • One way to watch a specimen's network traffic is netcat (this link seems to be a version for XP): listen on the port the malware connects to and see what it sends. Note that netcat runs from the command line. Is there a GUI version?
    • Sandboxes have their limitations! Such as? (PMA Chapter 3 names several: a sandbox cannot pass command-line arguments or call a particular DLL export, and malware may detect the virtual environment or simply sleep past the analysis window.)
    • From this Four Day Course on Reverse Engineering offered by Kaspersky, I became aware of
      • The PE Editor LordPE, which hasn't been updated lately but apparently still has its fans.
      • The Hex Editor Hiew
      • An Import Fixer, Universal Import Fixer 1.2
    • From the Reverse Engineering reddit,
    • What if somebody gives you a USB stick? Do you just plug it in your PC? Not a good idea!
      • VMware Player may be better than VirtualBox for looking at USB devices: with the right setting it attaches a newly plugged-in device to the guest immediately, before the host mounts the filesystem or runs anything from it. The host still enumerates the device, so this limits exposure rather than removing it; a device whose firmware targets the host's USB drivers is not stopped by handing it to a VM.
    • Take a look at this list of free online malware sandboxes!
    • The Cuckoo Sandbox mentioned in PMA is available for download. You'll want to install it on Linux, preferably a box dedicated to that.
    • This BlackHat talk and its associated white paper have lots of information about Cuckoo
    • An online malware sandbox based on Cuckoo is available at http://www.malwr.com, and its results can be visualized with https://www.malwareviz.com/
    • You don't have to keep your Ubuntu environment current, but there are reasons to do so. Update manager is very capable.
    • It is often (but not always) a good idea to have VirtualBox install the Guest Additions as well as the Extension Pack. The catch: the Guest Additions leave drivers, services, and registry keys that malware checks for to detect that it is running in a VM, so a sandbox meant to look like a real host may do better without them.
  10. 2/26/2020
    • RJ demonstrates IDA. The freeware version of IDA is available on the Flare VM we provide.
    • FLIRT (Fast Library Identification and Recognition Technology) is the IDA feature that recognizes statically linked library functions from signatures and names them, so you can skip the compiler's and C runtime's code and concentrate on the author's.
    • The old freeware version of IDA, which runs on Windows XP, is available here. (UMBC only)
    • We may do some of the exercises 1-9 from the end of chapter 5 as a demo.
  11. 3/2/2020 more on assembler, IDA, and Ghidra
    • Charles is aware of a series of tutorials on YouTube that may be useful for learning Linux assembly
  12. 3/4/2020 more with Ghidra
    • Disassembly is sometimes required. This online tool may be an alternative to IDA, with the usual caveat for online services: whatever you upload leaves your lab, so don't submit a specimen you are not willing to share.
    • Heard about the Shellshock bug? So have I. My friend Steve Bagley has some thoughts. See also this post to Hack Like a Pro.
    • Another alternative to IDA is radare. It can be used in visual mode, or through the command line. Its documentation is extensive, and the price is right.
    • If you want to learn more about radare, here is a tutorial on RE for 64-bit
    • Alternatives to IDA exist, such as Hopper for OS X and Linux.
    • If you're not too worried about running XP, see this example of how to hack XP.
    • I like Dr. Fu's site.
  13. 3/9/2020 still more IDA Pro
    • Let's open this lab in IDA and see what we can see.
    • An IDA Pro Cheat Sheet (pdf)
    • Here is a Hello World example (exe)
    • Here is a malware example, as a password-protected zipfile (zip) with password "malware" without the quotes
    • As practice for the midterm, answer these questions:
      • (1) What is the length and SHA-256 hash of this binary? (easy)
      • (2) What, if anything, raises your suspicions in the IMPORTS table? (somewhat easy)
      • (3) Using IDA or the disassembler of your choice, what is it that makes this file malicious? Which function does something bad? There may be several good answers to this question; we can then discuss in class.
    • The midterm exam has been scheduled for late March, exact date TBD.
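The static-triage steps above (item 6's note on running a DLL as an executable, and the midterm practice questions in item 13) can be scripted. The following Python is an added example written for this page, not course material or homework code: it computes the size and SHA-256 of a PE file, walks the import directory to list imported functions, flags a few imports that PMA's Appendix A treats as worth a second look, and clears the IMAGE_FILE_DLL bit in the COFF header's Characteristics field, which is the PE-header edit PMA Chapter 3 describes for running a DLL as an .exe. Because no specimen can be embedded here, it builds a constructed minimal PE32 image with one .idata section; the DLL and function names in that sample, and the short suspicious-import list, are this example's choices.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: the image is a DLL
# Imports worth a second look: a short subset of PMA's Appendix A, chosen for this example
SUSPICIOUS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "URLDownloadToFileA"}


def coff_header(data):
    """Validate the MZ/PE signatures; return (coff_offset, nsections, opt_header_size, characteristics)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return e_lfanew + 4, nsect, opt_size, chars


def clear_dll_flag(data):
    """PMA ch. 3's trick: clear IMAGE_FILE_DLL so the loader starts the file as an .exe (DllMain runs)."""
    off, _, _, chars = coff_header(data)
    out = bytearray(data)
    struct.pack_into("<H", out, off + 18, chars & ~IMAGE_FILE_DLL)  # Characteristics sits 18 bytes in
    return bytes(out)


def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table."""
    off, nsect, opt_size, _ = coff_header(data)
    sh = off + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imports(data):
    """Walk the import directory: {dll name: [function names or 'ord#N']}."""
    opt = coff_header(data)[0] + 20
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    dd = opt + (96 if pe32 else 112)                         # DataDirectory start: PE32 vs PE32+
    thunk_fmt, ord_flag = ("<I", 1 << 31) if pe32 else ("<Q", 1 << 63)
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]      # DataDirectory[1] = import table
    if not imp_rva:                                          # no import table at all
        return {}
    result, desc = {}, rva_to_offset(data, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):                      # all-zero descriptor ends the table
            break
        funcs, thunk = [], rva_to_offset(data, oft or ft)    # prefer the ILT, fall back to the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if not entry:
                break
            if entry & ord_flag:
                funcs.append("ord#%d" % (entry & 0xFFFF))
            else:
                funcs.append(cstring(data, rva_to_offset(data, entry) + 2))  # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[cstring(data, rva_to_offset(data, name_rva)).lower()] = funcs
        desc += 20
    return result


def triage(data):
    """Practice questions (1) and (2): size, SHA-256, the DLL flag, imports and which ones stand out."""
    imps = imports(data)
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "is_dll": bool(coff_header(data)[3] & IMAGE_FILE_DLL), "imports": imps,
            "suspicious": sorted(f for fs in imps.values() for f in fs if f in SUSPICIOUS)}


def build_sample_dll(dll_name, funcs):
    """Constructed stand-in for a specimen: a minimal PE32 DLL whose only section is an import table."""
    sec_rva, sec_off = 0x1000, 0x200
    ilt_off = 40                                             # one descriptor + the null terminator
    iat_off = ilt_off + 4 * (len(funcs) + 1)
    names_off = iat_off + 4 * (len(funcs) + 1)
    names, name_rvas = bytearray(), []
    for f in funcs:
        name_rvas.append(sec_rva + names_off + len(names))
        names += struct.pack("<H", 0) + f.encode() + b"\0"   # IMAGE_IMPORT_BY_NAME: hint + name
        names += b"\0" * (len(names) % 2)                    # keep entries word aligned
    dll_rva = sec_rva + names_off + len(names)
    names += dll_name.encode() + b"\0"
    thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
    desc = struct.pack("<IIIII", sec_rva + ilt_off, 0, 0, dll_rva, sec_rva + iat_off)
    section = (desc + b"\0" * 20 + thunks + thunks + bytes(names)).ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, EXE|32BIT|DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 40)        # DataDirectory[1]: import table VA, size
    sect = (b".idata\0\0" + struct.pack("<IIII", len(section), sec_rva, len(section), sec_off)
            + b"\0" * 12 + struct.pack("<I", 0xC0000040))    # INITIALIZED_DATA | READ | WRITE
    return (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sec_off, b"\0") + section


if __name__ == "__main__":
    sample = build_sample_dll("KERNEL32.dll", ["CreateRemoteThread", "WriteProcessMemory", "Sleep"])
    print(triage(sample), triage(clear_dll_flag(sample))["is_dll"])
```

Run it as-is to see the triage dictionary for the constructed sample, or call triage(open(path, "rb").read()) on a real specimen inside the analysis VM. After clear_dll_flag, writing the bytes out gives a file you can launch directly, but only DllMain runs that way; to exercise a particular export you still need rundll32.exe DLLname,ExportName.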
  14. 3/11/2020 Control Structures in Malware
  15. 3/23/2020 Chapter 8
    • RJ will be doing an in-depth demo. The specimen is here.
  16. 3/25/2020 Exam and Project???
    • The EXAM will be released on a Wednesday (date TBD) in take-home format. Due by 5pm the following Monday.
    • An exam from a previous year is still available. You will need these files: Midterm1.7z and Midterm2.7z
    • Slides based on Chapter 7 of PMA.
    • Peter Drucker's article "Managing Oneself" appeared in the January, 2005 issue of Harvard Business Review. The paper is not being assigned as part of this course, but if you are an authorized UMBC library patron and wish to read it, here it is. The link is supposed to work from a UMBC IP address only.
  17. 4/1/2019 more Chapter 8
    • More on upcoming exam.
    • Demonstrated use of ImmDbg
  18. 4/3/2019 Midterm
    • The midterm exam has been released. You'll be analyzing this specimen, password is "infected" without the quotes.
    • Email your completed exam to RJ <joyce8@umbc.edu>. We prefer PDF, and we might impose a one point penalty for Word submissions.
    • No new material is planned for this class session
  19. 4/8/2019 More on ImmDbg
    • Midterm will be due by 5pm today!
    • Finish demo of Immunity Debugger
  20. 4/10/2019 More on malware behavior
    • Demo Lab 9-2
  21. 4/15/2019 Chapter 18
  22. 4/17/2019 more on malware behavior
    • covert malware launching
  23. 4/22/2019 more on packing and unpacking
  24. 4/24/2019 even more
  25. 4/29/2019 YARA
  26. 5/1/2019 Chapters 12-13
    • More on YARA
    • Release the YARA homework: the docx file and the malware specimen (7z).
    • Representing malware specimens in a compact, semantics-preserving form pdf
    • Exploiting the rich header (from Shmoocon 2019)
    • Discuss the questions for RB
  27. 5/6/2019 TBD
    • Special Guest! Our speaker is Dr. Robert Brandon!
    • For a Question and Answer session:
      • is your organization hiring?
      • what is your average day like?
      • what is your home lab like?
      • are there (free or commercial) ML tools that malware analysts should know about?
      • what skills are useful but not taught in CS courses?
      • are any Hollywood versions of hacking accurate?
  28. 5/8/2019 Malware on UNIX
    • Josh covers memory forensics using Volatility
    • Just for fun, a report from CrowdStrike on a Linux rootkit. Contains a working sample!
      • haven't talked too much about Linux malware, have we?
    • The Student Evaluation of Educational Quality (SEEQ) is a standardized course evaluation instrument used to provide measures of an instructor’s teaching effectiveness.  The results of this questionnaire will be used by promotion and tenure committees as part of the instructor’s evaluation. The Direct Instructor Feedback Forms (DIFFs) were designed to provide feedback to instructors and they are not intended for use by promotion and tenure committees. The responses to the SEEQ and the DIFFs will be kept confidential and will not be distributed until final grades are in.
  29. 5/13/2019 Wrapping Up
    • This is the last day of class!
    • Chapter 17, Anti-debugging
    • Chapter 20, Shellcode Analysis
    • We haven't talked much about malware on the Mac. An overview.
    • Discuss final exam as appropriate
    • Tomorrow is the last day to fill out the on-line course evaluations. Accessible through an email sent to you, and over Blackboard.
  30. 5/15/2019
    • No class today!
    • The take-home final exam will be released no later than today. I'll send out an email...Good luck!
  31. 5/20/2019 Final Exam due by 5pm
    • Enjoy your summer!