The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.

Spring 2020 semester -

  1. 1/27/2020 Introduction
    • Slides
    • The Flare VM is available in this ova file. It's big, roughly 18 gigs!
  2. 1/29/2020 Virtual Machines
    • Homework 1
    • The homework assignment refers to this malware specimen, packed with 7zip.
    • Homework is to be emailed to RJ <joyce8@umbc.edu> no later than 11:59pm Thursday February 6.
    • Malware Research Group meets Fridays 2-3pm, ITE 366, starting Friday January 31!
    • These slides will be used today and next time, too.
  3. 2/3/2020 Basic Tools
  4. 2/5/2020 More on Packing and Unpacking
    • Start with a packing demo
    • The UMBC Cyberdefense Team, aka the Cyberdawgs, will be meeting after this class, on Wednesdays through the semester! The location is ITE 237.
    • Homework 1 is due before midnight tomorrow!
    • Slides: VMs and Sandboxes
  5. 2/10/2020 Configuring Virtual Machines
  6. 2/12/2020 Basic Dynamic Analysis
    • Demos useful for Homework 2
    • I can recommend an article on how malware authors are using VirusTotal.
    • Triage vs. in-depth analysis
    • Running a DLL with rundll32.exe
    • A DLL can be converted into an executable using PEiD
    • This tutorial is a good overview of Chapter 3 in PMA.
  7. 2/17/2020 Registry
    • RJ will continue to demo basic dynamic analysis tools, including Wireshark.
    • We used some class time for Homework 2
    • Some resources you might want to look at.
    • Use control panels and so forth to set up an internal network as described on page 57.
    • Use sudo apt-get update followed by sudo apt-get install pure-ftpd to get an ftp server for Ubuntu.
  8. 2/19/2020 Assembler Language Review
    • Anna will be reviewing concepts from x86 assembly slides
    • Homework 3
    • An introduction to x64 assembly from Intel
    • I've heard good things about nasm, a popular assembler for Windows
      • nasm is also available for Ubuntu: sudo apt-get install nasm
      • extensive documentation is available
      • more NASM examples
      • when running nasm with gcc on cygwin, it REALLY helps to have the necessary libraries, whatever they are. Building cygwin with a full install of the development tools is enough
    • Charles is aware of a series of tutorials on YouTube that may be useful for learning Linux assembly
    • Demonstrate searching for papers in the UMBC Library and elsewhere using the Research Port, and also the Subject Guide and related Tutorials
    • Look at Norman Sandbox
  9. 2/24/2020 more dynamic analysis
    • summary of PMA Chapter 6
    • A simple C program that uses several control structures (pma6.c) and the assembly listing (pma6.s) generated with gcc pma6.c -Wa,-adhln -g (note: no space between -Wa, and -adhln)
    • The -g flag causes a lot of useful information to appear in the .s file
    • Example: Lab 6-1 (from the end of Chapter 6)
    • One way to monitor network traffic is netcat (this link seems to be a version for XP). Note that netcat runs from the command line. Is there a GUI version?
    • Sandboxes have their limitations! Such as?
    • From this Four Day Course on Reverse Engineering offered by Kaspersky, I became aware of
      • The PE Editor LordPE, which hasn't been updated lately but apparently still has its fans.
      • The Hex Editor Hiew
      • An Import Fixer, Universal Import Fixer 1.2
    • From the Reverse Engineering reddit,
    • What if somebody gives you a USB stick? Do you just plug it in your PC? Not a good idea!
      • VMware Player may be better for looking at USB devices than VirtualBox, since if a setting allows, it will connect to USB devices right away, without the host OS seeing them
    • Take a look at this list of free online malware sandboxes!
    • The Cuckoo Sandbox mentioned in PMA is available for download. You'll want to install it on Linux, preferably a box dedicated to that.
    • This BlackHat talk and associated white paper has lots of information about Cuckoo
    • An online malware sandbox based on Cuckoo is available at http://www.malwr.com, and visualize the results using https://www.malwareviz.com/
    • You don't have to keep your Ubuntu environment current, but there are reasons to do so. Update manager is very capable.
    • It is often (but not always) good to have VirtualBox install guest additions as well as extensions.
  10. 2/26/2020
    • RJ demonstrates IDA. The freeware version of IDA is available on the Flare VM we provide.
    • FLIRT is a feature of IDA that helps with analysis of functions.
    • The old freeware version of IDA, which runs on Windows XP, is available here. (UMBC only)
    • We may do some of the exercises 1-9 from the end of Chapter 5 as a demo.
  11. 3/2/2020 more on assembler, IDA, and Ghidra
  12. 3/4/2020 more with Ghidra
    • Malware and the Windows API (ppt)
    • This online tool may be an alternative to IDA and Ghidra.
    • Heard about the Shellshock bug? So have I. My friend Steve Bagley has some thoughts. See also this post to Hack Like a Pro.
    • Another alternative to IDA is radare. It can be used in visual mode, or through the command line. Its documentation is extensive, and the price is right.
    • If you want to learn more about Radare...tutorial on RE for 64-bit
    • Alternatives to IDA exist, such as Hopper for OS X and Linux.
    • I like Dr. Fu's site.
  13. 3/9/2020 still more Ghidra
    • More on Ghidra homework.
    • Following Malware Execution - inspired by PMA slides
    • Here is a malware example, as a password-protected zipfile (zip) with password "malware" without the quotes
    • As practice for the midterm, answer these questions: (1) What is the length and SHA-256 hash of this binary? (easy) (2) What, if anything, raises your suspicions in the IMPORTS table? (somewhat easy) (3) Using IDA or the disassembler of your choice, what is it that makes this file malicious? What function does something bad? There may be several good answers to this question. We can then discuss in class.
    • The midterm exam has been scheduled for late March, exact date TBD.
  14. 3/11/2020 Control Structures in Malware
    • To participate in class over WebEx:
      • Join WebEx meeting: https://umbc.webex.com/umbc/j.php?MTID=mf43b843d36e1adacaaacc43c05406c70
      • Meeting number (access code): 731 097 087
      • Host key: 125723
      • Meeting password: infected
    • I'll be presenting the slides this evening using screen sharing, finishing from last class session.
    • Spring Break means no class on March 16 or March 18. Enjoy!
  15. 3/23/2020 Chapter 8
    • I'll be having office hours 3:30-5pm, instead of the normal time (WebEx)
    • If you want to "visit" me during office hours, do send a quick email to confirm availability. You are welcome to ask for an appointment...
    • CLASS WILL BE ONLINE FOR THE REST OF THE SEMESTER
    • The class WebEx link is found here. Access is restricted to UMBC.
    • See gpvpn.umbc.edu for more information on the campus VPN.
    • RJ and I will be holding our respective office hours over WebEx.
      • Nicholas's personal WebEx room
      • RJ's personal WebEx room
    • We may or may not present this material on
    • Topic to be determined. Probably a review of the midterm.
  16. 3/25/2020 Exam and Project
    • EXAM has been released as of 4:30pm Wednesday, March 25, in take-home format. Due by 5pm the following Monday.
      • The exam and the 7z file with the malware specimens.
      • Feel free to start working on it, or just read through it. We can address your questions during class time.
      • Email your completed exam to RJ <joyce8@umbc.edu>
      • Last year's midterm exam is available. The malware specimen is here (midterm2019.7z) and the usual password.
      • An exam from a previous year is still available. You will need these files: Midterm1.7z and Midterm2.7z
    • Starting today, we'll be recording class sessions. This is following direction from Prof. Joshi and the campus.
      • The class WebEx link is found here. Participation is restricted to UMBC. WebEx has been having problems today. I may arrange to have Google Meet or some other alternative available. For now, we're staying with WebEx.
      • The recording of today's class. Not restricted. Only fair in quality, with delays and pixelation.
    • If your Windows 7 installation complains that it has no license, then grab this file win_activate.bat and run it as Administrator. That .bat file is restricted to UMBC IP addresses, so you will need to be on campus, or connected via the VPN mentioned above.
    • No new material is planned for this class session
  17. 3/30/2020 more Chapter 8.
    • The class WebEx link is found here. Access is restricted to UMBC.
      • See gpvpn.umbc.edu for more information on the campus VPN.
      • The recording of today's class will be here.
    • Peter Drucker's article "Managing Oneself" appeared in the January, 2005 issue of Harvard Business Review.
      • The paper is not being assigned as part of this course, but if you are an authorized UMBC library patron and wish to read it, here it is.
      • The link is supposed to work from a UMBC IP address only.
    • Demonstrate use of ImmDbg
      • For programming in C and related languages on Windows, I prefer Code::Blocks, which is available open-source, for both Windows and UNIX.
      • A demo of Code::Blocks (5 minutes, audio quality is only fair.)
      • The Pelles C compiler is also an option.
      • For a detailed introduction to Immunity, see Nardella's paper from SANS Institute.
      • Go over Exercise 9-02 from PMA. Part 1 (48 minutes), Part 2 (40 minutes)
    • Trying again, sharing these two presentations. Have modified panopto permissions so that anyone with the link can access. Let me know if access is still a problem!
  18. 4/1/2020 More on Immunity
    • The SANS Institute has a reading room, which includes lots of interesting papers related to malware.
    • RJ went over the exam. Most people did well. His notes on the assembly problem.
    • Finish demo of Immunity Debugger - Q&A, and comments, on the recorded demos.
    • Tonight's class was recorded.
  19. 4/6/2020 Malware Behavior
  20. 4/8/2020 Encoding Data
  21. 4/13/2020 Anti-Disassembly
  22. 4/15/2020 Anti-Debugging; more on packing and unpacking
    • Chapter 17, Anti-Debugging
    • Charles might demonstrate the use of Jupyter Notebooks, such as this, to perform static analysis.
    • Interested in a Ph.D. degree? Take a look at this PhD Survival Guide
    • Homework 5 due THURSDAY 4/16 at 5pm. If turned in by Wednesday at 5pm, 5 points extra credit.
    • Tonight's class was recorded.
  23. 4/20/2020 more on packing and unpacking
    • Chapter 18 notes
    • Charles will ask people how they're doing with online classes, and so forth
    • RJ will be taking much of the class time today for a demo
      • class will be recorded as usual, but you can take your own screen shots as we go along
    • Homework 6 has been released. (Google Drive) (docx)
    • The malware for Homework 6 (Google Drive) (7z)
    • The OllyDumpEx plugin
    • The ImportREC plugin
    • Sorokin's paper on structural entropy (pdf)
    • Tonight's class was recorded.
  24. 4/22/2020 even more
    • Special Guest Today!
    • A link to Ryan's slides (pdf)
    • Here's an interesting report from FireEye
    • Two M.S. thesis defenses in the near future:
      • Robert Joyce (your TA), "Evaluating Automatic Malware Classifiers in the Absence of Reference Labels", 10-11:30am Thursday April 23 (WebEx)
      • Neha Gaikwad, "Android Malware Analysis Using Java and SVM", 12 noon-1:30pm Thursday April 23 (WebEx)
      • Akash Gurram Reddy, "Evaluating Machine Learning based Malware Classifiers", 10-11:45am, Friday April 24 (WebEx)
    • Ryan says that FireEye is holding back on internships for the time being, due to the public health crisis. But keep checking their jobs web site. Foreign nationals are welcome to apply for internships. Thanks, Ryan!
    • Tonight's class was recorded.
  25. 4/27/2020 YARA
  26. 4/29/2020 More on YARA
    • The YARA Homework has been released.
      • HW7.doc (you'll have two weeks for this.)
      • hw7_dataset.7z (you'll need to be on the VPN to access this 150MB data file)
    • A longer demo of YARA
    • It is important for you to be on the CSEE email lists. Instructions are here.
    • Homework 6 due THURSDAY 5pm
    • Remember to fill out the student evaluations! For this class and others you're taking. Thanks!
    • Tonight's class is being recorded.
  27. 5/4/2020 Ongoing Research Topics
    • The dataset and writeup for Homework 7 have been updated. Use the latest versions!
      • get them both from the web site as usual
    • Tensor Decomposition and Applications to Malware Analysis, and Shakespeare? pdf
    • Representing malware specimens in a compact, semantics-preserving form pdf
    • Tonight's class was recorded.
  28. 5/6/2020 Malware on UNIX
    • Charles will talk about Exploit Kits!
      • As an introduction, excerpts from a talk I gave at "the agency" a few years ago, including this 3-d graph!
      • And a related blog post from Cynet
      • A review of Exploit Kits from November 2019
      • A post about a new exploit kit, called Capesand, from November 2019.
      • A post about the Fallout EK, from January 2019
      • and a much older report from Trend Micro
      • Google Project Zero
    • Tonight's class was recorded.
    • Just for fun, a report from CrowdStrike on a Linux rootkit. Contains a working sample!
      • We haven't talked too much about Linux malware, have we?
    • The Student Evaluation of Educational Quality (SEEQ) is a standardized course evaluation instrument used to provide measures of an instructor's teaching effectiveness. The results of this questionnaire will be used by promotion and tenure committees as part of the instructor's evaluation. The Direct Instructor Feedback Forms (DIFFs) were designed to provide feedback to instructors and they are not intended for use by promotion and tenure committees. The responses to the SEEQ and the DIFFs will be kept confidential and will not be distributed until final grades are in.
  29. 5/11/2020 Wrapping Up
    • This is the last day of class!
    • Special Guest speaker!
    • Dr. Rob Brandon will be talking about analysis of Android malware. His slides (pdf)
    • Android App Reverse Engineering from Maddie Stone (workshop)
    • If time permits, Exploiting the rich header (from Shmoocon 2019)
    • We haven't talked much about malware on the Mac. An overview.
    • Chapter 20, Shellcode Analysis, which we won't get to discuss. You should know about this, though.
    • Discuss final exam as appropriate
    • Tomorrow is the last day to fill out the on-line course evaluations, which are accessible through an email sent to you, and over Blackboard. Please fill these out, thanks!
    • Tonight's class was recorded.
  30. 5/13/2020
    • No class today!
    • Let us know by TODAY if you want to take the final. You now have access to all your grades up to and including HW 7.
    • The final exam and its malware has been released. I'll send out an email...Good luck!
  31. 5/18/2020 Final Exam due by 8pm
    • Final grades have been posted
    • Maddie Stone has Android malware material on YouTube
      • Android App Reverse Engineering Live! from April 24, 2020 (youtube)
      • Android App Reverse Engineering Live! from May 19, 2020 (youtube)
    • After the semester ends, I may end up putting items of interest here. Such as:
      • This report from BlackBerry on RATs
    • Enjoy your summer!