CSC 471 Modern Malware Analysis
2022-Spring Course Website
Instructor: Si Chen

About Malware and Malware Analysis
Malware is a catch-all term for various malicious software, including viruses, adware, spyware, browser hijacking software, and fake security software.
Once installed on your computer, these programs can seriously affect your privacy and your computer's security. For example, malware is known for relaying personal information to advertisers and other third parties without user consent. Some programs are also known for containing worms and viruses that cause a great deal of damage. As a result, the ability to detect, analyze, understand, control, and eradicate malware is an increasingly important issue of economic and national security.
Course Description
This course will introduce students to modern malware analysis techniques through lectures and hands-on interactive analysis of real-world samples, including exploring various recent attacks. These examples and studies will help the students develop a foundation and a well-rounded view of cybersecurity research. Participants in the course will also read and discuss research papers, as well as conduct an independent project on a topic related to cyber risk and malware analysis.
After taking this course, students will be equipped with the skills to analyze advanced contemporary malware using both static and dynamic analysis.
Syllabus is now available:
[link]
Please check on D2L--> Zoom for the Zoom link for the first two weeks.
Expected Background
There is no prerequisite for graduate students, although a sufficient security background is expected. Undergraduate students must have completed CSC 231.
My expected demographic for Malware Analysis was students with zero reverse engineering experience. That said, to be able to take this course you will probably need at least the following skills.
- Basic programming concepts
- Knowledge of the C programming language, including pointers, arrays, loops, function calls, etc.
- Familiarity with Unix/Linux, including the command-line shell and gdb
- Familiarity with Intel x86 assembly language and architecture
- Familiarity with web programming concepts (HTML, HTTP, TCP, network communications)
Textbook
No Textbook
Reference book:
- Monnappa K A, Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware, ISBN 978-1788392501
- Michael Sikorski, Andrew Honig, Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, 1st Edition, ISBN 978-1593272906
Course Content
The password to the zip files is 'infected', no quotes.
# | Date | Topic | Slides | Supporting Materials
Class 1 | Jan 25, 2022 | Introduction | ch01.pdf | Windows XP Environment Disclaimer; VirtualBox; [Video]
Class 2 | Jan 27, 2022 | Basic Concepts, DLL Injection (1) | ch02.pdf | hack_dll.zip [backup link]; hack_dll_src.zip [backup link]; [Video]
Class 3 | Feb 1, 2022 | DLL Injection (2), Static Analysis, PE Format (1) | ch03.pdf | [Video]; How to connect to BadgerCTF; hack_dll.zip [backup link]; flare-floss; notepad_xp.zip
Lab 1 (10 points) | Jan 27, 2022 | Lab1: OllyDbg and DLL Injection (Due on: 02/14/2022 23:59:59) | lab1.pdf | Windows XP Environment Disclaimer; VirtualBox; hack_dll.zip [backup link]; How to write a lab report
Class 4 & 5 | Feb 08, Feb 10, 2022 | PE Format (2) | ch04.pdf | [Video 1] [Video 2]; LittleEndian.exe; LittleEndian.cpp; Download PEview; malware_sample_0.zip; display_sections.py; enum_imports.py; enum_export.py
Lab 2 (10 points) | Feb 10, 2022 | Lab2: Build a heuristic malware detection system (Due on: 03/03/2022 23:59:59) | lab2.pdf | How to connect to BadgerCTF; How to write a lab report; malware_lab_2.zip password:infected; enum_exports.py; pefile usage examples (Python)
Class 6 | Feb 15, 2022 | IA32 Registers & X86 ASM | ch06.pdf | [Video]; abexcm1-voiees.exe
Class 7 | Feb 17, 2022 | Stack and Stack Frame | ch07.pdf | [Video]; abexcm1-voiees.exe; Stack.exe; StackFrame.exe; stack.py
Class 8 | Feb 22, 2022 | Dynamic Analysis, Hooks | ch08.pdf | [Video]; Hook.zip password:infected; IATHookMsgBox_x86.zip password:infected
Class 9 | Feb 24, 2022 | API Hook | ch09.pdf | [Video]; hookdbg.zip password:infected; hookdbg_src.zip password:infected
Lab 3 (10 points) | Mar 01, 2022 | Lab3: Stack, Stack Frame & CrackMe (Due on: 03/11/2021 23:59:59) | lab3.pdf | lab3.exe [backup link]; A reversing tutorial for newbies by lena151 part10.avi
Class 10 | Mar 2, 2022 | Code Injection | ch10.pdf | [Video]; MsgBox.zip password:infected; CodeInjection.zip password:infected; CodeInjection_src.zip password:infected
Class 11 | Mar 8, 2022 | API Hook & Stealth Process (Rootkit) | ch11.pdf | [Video]; StealthProcess1.zip password:infected; StealthProcess2.zip password:infected
Class 12 | Mar 10, 2022 | Anti-virus Software, Dynamic Heuristic Analysis | ch12.pdf | [Video]; ransomware.zip (Experiment 1) password:infected; apivirus.zip (Experiment 2)
Lab 4 (10 points) | Mar 10, 2022 | Lab 4: Build a Dynamic Heuristic Analysis Tool for Detection of Unknown Malware (Due on: 03/31/2022 23:59:59) | lab4.pdf | ransomware.zip password:infected
Class 13 | Mar 22, 2022 | Kernel Mode Rootkit (Introduction) | ch13.pdf | [Video]
Class 14 | Mar 24, 2022 | Kernel Mode Rootkit (SSDT Hook Example) | ch14.pdf | SSDTHook.zip password:infected
Class 15 | Mar 29, 2022 | Anti-Debugging Technique (1): Static Anti-Debugging, TEB, PEB | ch15.pdf | StaAD_PEB.zip
Class 16 | Mar 31, 2022 | Anti-Debugging Technique (2): Dynamic Anti-Debugging, SEH, RDTSC | ch16.pdf | DynAD_SEH.zip; DynAD_RDTSC.zip; DynAD_SingleStep.zip; DynAD_Checksum.zip
Class 17 | Apr 5, 2022 | Anti-Debugging Technique (3): Advanced Anti-Debugging, TLS | ch17.pdf | Tls.zip; PESpin.zip; stolen_bytes.zip; API_redirection.zip
Lab 5 (10 points) | Apr 04, 2022 | Lab5: Kernel Mode Rootkit (Due on: 04/21/2022 23:59:59) | lab5.pdf | lab5.zip
Class 18 | Apr 7, 2022 | Volatility, Stuxnet | ch18.pdf | [Video]; stuxnet.vmem
Final Project (30 points) | April 7, 2022 | Malware Analysis: Zeus (Due on: 05/13/2022 23:59:59) | Analyze the Zeus malware with Volatility and write a malware analysis report | zeus.vmem; zeus source code -- client side
Final Project Guideline:
Our final project is to analyze a notorious Trojan malware, Zeus. You need to use the provided memory dump file (zeus.vmem) and Volatility to analyze it. This part is similar to Class 18. Then you need to use the leaked source code to justify your findings.
This is a group project, and each group can have at most 5 students. You can find your teammates via our Discord channel. You can also work individually if you want. If you decide to work as a team, please send me an email before 05/01, 2022 with your group members' names and WCU IDs. If your team needs a private Discord channel (text or voice), please let me know and I can create one for your team.
You cannot claim that you are in a team after 05/02, 2022. You can still work on this project individually.
About the Final Report:
- Each team needs to submit one detailed malware analysis report (in PDF format) on D2L. The team leader needs to submit the report to D2L using his/her student account. On the first page of your group report, please write down how your team divided the tasks among its members.
- In your report, please use both text and figures (e.g., screenshots) to show what you've done. Do NOT copy or reuse other groups'/students' screenshots.
- A malware analysis report is a document that provides an in-depth breakdown of the functionality and risk of a new or evolving cyber threat. Your malware analysis report should include the following information:
- Introduction -- give a brief introduction of the malware
- Findings -- describe what the malware is designed to do by using the following two methods:
- Use Volatility to analyze the malware memory dump and report how Volatility could be used to find relevant artifacts of the activity within memory (e.g., find all API hooks of Zeus).
- Use the leaked malware source code to justify such activity (e.g., identify which function/line of code performs the API hooks). (Note that this part is very important: your group needs to pinpoint the functions/lines of code for each malware activity that you find in the memory dump.)
- Summary -- summarize your work and give some best practices for preventing infections and recovering from them.
Report Grading Rubric:
- Technical Content (50%)
- Find an adequate amount of malware activities/behaviors from the memory dump and justify it using the leaked source code
- Appropriate level of detail and thoroughness of documentation
- Organization (15%)
- Clearly identified purpose and approach
- Content is clearly organized and supports the objective
- Presentation (15%)
- Layout/Visuals (20%)
- Consistent presentation of graphics
Presentation Rubric:
Presentation rubrics (total 15%):
- 6% Slides --> 12+ pages, all content throughout the presentation is accurate. There are no factual errors.
- 6% Presentation --> 15 mins, technical terms are well-defined, and the presentation demonstrates substance and depth.
- 2% Q&A Session --> 5 mins, demonstrates full knowledge of the topic.
- 1% --> prepare and ask questions for other groups.
Tutorials and Supporting Materials