CSC 471 Modern Malware Analysis

2022-Spring Course Website

Instructor: Si Chen


About Malware and Malware Analysis

Malware is a catch-all term for various malicious software, including viruses, adware, spyware, browser hijacking software, and fake security software.
Once installed, these programs can seriously compromise your privacy and the security of your computer. For example, malware is known to relay personal information to advertisers and other third parties without user consent, and some programs carry worms and viruses that cause a great deal of damage. As a result, the ability to detect, analyze, understand, control, and eradicate malware is an increasingly important issue of economic and national security.

Course Description

This course introduces students to modern malware analysis techniques through lectures and hands-on interactive analysis of real-world samples, including an exploration of various recent attacks. These examples and case studies will help students develop a foundation and a well-rounded view of cybersecurity research. Participants will also read and discuss research papers and conduct an independent project on a topic related to cyber risk and malware analysis.
After taking this course, students will be equipped to analyze advanced contemporary malware using both static and dynamic analysis.

Expected Background

There is no prerequisite for graduate students, although a sufficient security background is expected. Undergraduate students must have completed CSC 231.
The expected audience for Malware Analysis is students with zero reverse engineering experience. That said, to take this course you will need at least the following skills:
  • Basic programming concepts
  • Knowledge of the C programming language, including pointers, arrays, loops, and function calls
  • Familiarity with Unix/Linux, including the command-line shell and gdb
  • Familiarity with Intel x86 assembly language and architecture
  • Familiarity with web and network programming concepts (HTML, HTTP, TCP, network communications)

Textbook

No Textbook

Reference book:

  1. Monnappa K A, Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware, ISBN 978-1788392501
  2. Michael Sikorski, Andrew Honig, Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, 1st Edition, ISBN 978-1593272906

Course Content

# | Date | Topic | Slides | Supporting Materials

Class 1 | Jan 25, 2022 | Introduction | ch01.pdf
  • Windows XP Environment Disclaimer
  • VirtualBox
  • [Video]

Class 2 | Jan 27, 2022 | Basic Concepts, DLL Injection (1) | ch02.pdf
  • hack_dll.zip [backup link]
  • hack_dll_src.zip [backup link]
  • [Video]

Class 3 | Feb 1, 2022 | DLL Injection (2), Static Analysis, PE Format (1) | ch03.pdf
  • [Video]
  • How to connect to BadgerCTF
  • hack_dll.zip [backup link]
  • flare-floss
  • notepad_xp.zip

Lab 1 (10 points) | Jan 27, 2022 | Lab 1: OllyDbg and DLL Injection | lab1.pdf
  • Windows XP Environment Disclaimer
  • VirtualBox
  • hack_dll.zip [backup link]
  • How to write a lab report

Class 4 & 5 | Feb 08, Feb 10, 2022 | PE Format (2) | ch04.pdf
  • [Video 1] [Video 2]
  • LittleEndian.exe
  • LittleEndian.cpp
  • Download PEview
  • malware_sample_0.zip
  • display_sections.py
  • enum_imports.py
  • enum_export.py

Lab 2 (10 points) | Feb 10, 2022 | Lab 2: Build a heuristic malware detection system | lab2.pdf
  • How to connect to BadgerCTF
  • How to write a lab report
  • malware_lab_2.zip (password: infected)
  • enum_exports.py
  • pefile usage examples (Python)
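Lab 2 asks for a heuristic detector built on the PE format covered in Classes 3 to 5. The following is an added example, not the course's own display_sections.py, enum_imports.py or pefile scripts, that does both halves of that job with only the Python standard library: it parses the section table out of a PE32 image (DOS header, e_lfanew, PE signature, COFF header, section headers) and then scores packer-style anomalies: writable-and-executable sections, high-entropy sections, non-standard section names, executable sections with no data on disk, and an entry point outside .text. The two images it scans are assembled in memory by build_pe(), so the sample bytes, section layouts, and the scoring weights are all constructed for this example and are not a vetted detection policy.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SCN_* section characteristic flags from the PE specification
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
# Section names a linker normally emits; anything else (UPX0, .aspack, ...) costs a point
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls", ".CRT"}


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; returns (entry RVA, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]          # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]    # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                                      # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "chars": chars, "entropy": entropy(raw)})
    return entry_rva, sections


def score_pe(data, threshold=4):
    """Score packer/injection-style anomalies; the weights are this example's own choice."""
    entry_rva, sections = parse_sections(data)
    findings = []
    for s in sections:
        name, chars = s["name"], s["chars"]
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            findings.append((2, f"{name}: writable and executable"))
        if s["entropy"] > 7.0:
            findings.append((2, f"{name}: entropy {s['entropy']:.2f}, likely packed or encrypted"))
        if name not in STANDARD_NAMES:
            findings.append((1, f"{name}: non-standard section name"))
        if s["raw_size"] == 0 and s["vsize"] > 0 and chars & SCN_MEM_EXECUTE:
            findings.append((1, f"{name}: executable but has no data on disk (unpack target)"))
    owner = [s for s in sections if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])]
    if not owner:
        findings.append((2, "entry point lies outside every section"))
    elif owner[0]["name"] != ".text":
        findings.append((1, f"entry point is in {owner[0]['name']} rather than .text"))
    score = sum(w for w, _ in findings)
    return {"score": score, "verdict": "suspicious" if score >= threshold else "likely benign",
            "findings": [msg for _, msg in findings]}


def build_pe(sections, entry_rva, file_align=0x200, sect_align=0x1000):
    """Assemble a minimal PE32 image from (name, raw_bytes, virtual_size, characteristics) tuples."""
    align = lambda n, a: (n + a - 1) // a * a
    hdr_size = align(0x40 + 4 + 20 + 224 + 40 * len(sections), file_align)
    headers, bodies, raw_ptr, va = [], [], hdr_size, sect_align
    for name, raw, vsize, chars in sections:
        raw_size = align(len(raw), file_align) if raw else 0   # packers leave the unpack target empty on disk
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                                   raw_size, raw_ptr if raw else 0, 0, 0, 0, 0, chars))
        bodies.append(raw.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
        va += align(max(vsize, len(raw)), sect_align)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)   # i386, EXECUTABLE|32BIT
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align, sect_align)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, sect_align, file_align, 4, 0, 0, 0, 4, 0,
                       0, va, hdr_size, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    image = dos + b"PE\0\0" + coff + opt + bytes(128) + b"".join(headers)        # 128 = 16 empty data directories
    return image.ljust(hdr_size, b"\0") + b"".join(bodies)


# Constructed sample images (not real binaries): a plain build and a UPX-style packed layout.
_CODE = b"\x55\x8B\xEC\x83\xEC\x10\x90\xC3" * 64                                 # low-entropy, code-like bytes
_PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))        # 2 KiB of high-entropy bytes
BENIGN_IMAGE = build_pe([
    (".text", _CODE, len(_CODE), SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".data", b"Hello, world!\0" * 40, 0x400, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
], entry_rva=0x1000)
PACKED_IMAGE = build_pe([
    ("UPX0", b"", 0x8000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
    ("UPX1", _PACKED, 0x1000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
], entry_rva=0x9010)
```

Running score_pe() on BENIGN_IMAGE yields a score of 0, while PACKED_IMAGE collects every finding (both UPX sections are writable and executable, UPX0 has no raw data, UPX1 has near-8-bit entropy, and the entry point sits in UPX1). To point the same scorer at a real sample from malware_lab_2.zip, pass open(path, "rb").read() instead of a built image; the hand-rolled parser handles only PE32, so use pefile for PE32+ or anything with a non-trivial data directory.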
Class 6 | Feb 15, 2022 | IA32 Registers & x86 ASM | ch06.pdf
  • [Video]
  • abexcm1-voiees.exe

Class 7 | Feb 17, 2022 | Stack and Stack Frame | ch07.pdf
  • [Video]
  • abexcm1-voiees.exe
  • Stack.exe
  • StackFrame.exe
  • stack.py

Class 8 | Feb 22, 2022 | Dynamic Analysis, Hooks | ch08.pdf
  • [Video]
  • Hook.zip (password: infected)
  • IATHookMsgBox_x86.zip (password: infected)

Class 9 | Feb 24, 2022 | API Hook | ch09.pdf
  • [Video]
  • hookdbg.zip (password: infected)
  • hookdbg_src.zip (password: infected)

Lab 3 (10 points) | Mar 01, 2022 | Lab 3: Stack, Stack Frame & CrackMe | lab3.pdf
  • lab3.exe [backup link]
  • A reversing tutorial for newbies by lena151, part10.avi

Class 10 | Mar 2, 2022 | Code Injection | ch10.pdf
  • [Video]
  • MsgBox.zip (password: infected)
  • CodeInjection.zip (password: infected)
  • CodeInjection_src.zip (password: infected)

Class 11 | Mar 8, 2022 | API Hook & Stealth Process (Rootkit) | ch11.pdf
  • [Video]
  • StealthProcess1.zip (password: infected)
  • StealthProcess2.zip (password: infected)

Class 12 | Mar 10, 2022 | Anti-virus Software, Dynamic Heuristic Analysis | ch12.pdf
  • [Video]
  • ransomware.zip (Experiment 1; password: infected)
  • apivirus.zip (Experiment 2)

Lab 4 (10 points) | Mar 10, 2022 | Lab 4: Build a Dynamic Heuristic Analysis Tool for Detection of Unknown Malware | lab4.pdf
  • ransomware.zip (password: infected)

Class 13 | Mar 22, 2022 | Kernel Mode Rootkit (Introduction) | ch13.pdf
  • [Video]

Class 14 | Mar 24, 2022 | Kernel Mode Rootkit (SSDT Hook Example) | ch14.pdf
  • SSDTHook.zip (password: infected)

Class 15 | Mar 29, 2022 | Anti-Debugging Technique (1): Static Anti-Debugging, TEB, PEB | ch15.pdf
  • StaAD_PEB.zip

Class 16 | Mar 31, 2022 | Anti-Debugging Technique (2): Dynamic Anti-Debugging, SEH, RDTSC | ch16.pdf
  • DynAD_SEH.zip
  • DynAD_RDTSC.zip
  • DynAD_SingleStep.zip
  • DynAD_Checksum.zip

Class 17 | Apr 5, 2022 | Anti-Debugging Technique (3): Advanced Anti-Debugging, TLS | ch17.pdf
  • Tls.zip
  • PESpin.zip
  • stolen_bytes.zip
  • API_redirection.zip

Lab 5 (10 points) | Apr 04, 2022 | Lab 5: Kernel Mode Rootkit | lab5.pdf
  • lab5.zip

Class 18 | Apr 7, 2022 | Volatility, Stuxnet | ch18.pdf
  • [Video]
  • stuxnet.vmem

Final Project (30 points) | April 7, 2022 | Malware Analysis: Zeus
  • Analyze the Zeus malware with Volatility and write a malware analysis report
  • zeus.vmem
  • zeus source code -- client side
  • Final project guidelines:

    Our final project is to analyze a notorious Trojan, Zeus. You need to analyze the provided memory dump file (zeus.vmem) with Volatility; this part is similar to Class 18. Then you need to use the leaked source code to corroborate what you find in memory.
    This is a group project and each group can have at most 5 students. You can find your teammates via our Discord channel. You can also work individually if you want. If you decide to work as a team, please send me an email before 05/01/2022 with your group members' names and WCU IDs. If your team needs a private Discord channel (text or voice), please let me know and I can create one for your team.
    You cannot claim that you are in a team after 05/02/2022. You can still work on this project individually.

    About the Final Report:

    • Each team needs to submit one detailed malware analysis report (in PDF format) on D2L. The team leader needs to submit the report from his/her student account on D2L. On the first page of your group report, please write down how your team divided the tasks among the members.
    • In your report, please use both text and figures (e.g., screenshots) to show what you have done. Do NOT copy or reuse other groups' or students' screenshots.
    • A malware analysis report is a document that provides an in-depth breakdown of the functionality and risk of a new or evolving cyber threat. Your malware analysis report should include the following information:
      • Introduction -- give a brief introduction of the malware
      • Findings -- describes what the malware is designed to do by using the following two methods:
        • Use Volatility to analyze the malware memory dump and report how Volatility could be used to find relevant artifacts of the activity within memory (e.g., find all API Hooks of Zeus).
        • Use the leaked malware source code to justify such activity (e.g., identify which function/line of code that does the API Hooks). (Note that this part is very important, your group needs to pinpoint the functions/line of codes for each malware activity that you find in the memory dump).
      • Summary -- Summary of your work and give some best practices for preventing infections and recovering from them.
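The first Findings method asks how Volatility can locate the API hooks Zeus installs. Its apihooks plugin answers that by reading the first instruction of each exported (and imported) function in a process and asking whether it transfers control into memory that no loaded module owns. Below is an added example, not part of the course materials or of Volatility, that reimplements that check in Python over a constructed export table: the DLL ranges, the addresses, the bytes at each entry point, the pointer slot at 0x771B1234, and the injected region around 0x00F40000 are all made up for this demonstration, and the API names are illustrative choices only. The four trampoline shapes decoded (JMP/CALL rel32, JMP [abs32], PUSH imm32/RET, MOV EAX,imm32/JMP EAX) are the ones an inline hook in a 32-bit process typically writes over a function prologue.

```python
import struct

# Constructed sample layout, not taken from zeus.vmem: base address and size of two
# loaded DLLs. Any address outside these ranges is treated as unbacked memory, which
# is where an injected hook handler normally lives.
MODULES = {
    "ntdll.dll":   (0x7C900000, 0x000B0000),
    "wininet.dll": (0x771B0000, 0x000AA000),
}

# mov edi,edi ; push ebp ; mov ebp,esp -- the hot-patchable prologue of most XP-era APIs
HOT_PATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")

# Constructed pointer slot standing in for an entry in wininet's import address table
POINTERS = {0x771B1234: 0x7C90D7D2}


def owner_of(addr, modules=MODULES):
    """Name of the module whose mapped range contains addr, or None if unbacked."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def decode_transfer(addr, code, read_dword):
    """Decode a control transfer at the first instruction of code (located at addr).

    Returns (kind, target) for the trampoline shapes inline hooks use, or None when
    the function starts with anything else. read_dword(slot) resolves the pointer an
    indirect JMP reads. Only the 32-bit (PE32) encodings are handled.
    """
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):                        # JMP/CALL rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        kind = "jmp_rel32" if code[0] == 0xE9 else "call_rel32"
        return kind, (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                       # JMP dword ptr [abs32]
        slot = struct.unpack_from("<I", code, 2)[0]
        return "jmp_indirect", read_dword(slot)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:           # PUSH imm32 ; RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # MOV EAX,imm32 ; JMP EAX
        return "mov_eax_jmp", struct.unpack_from("<I", code, 1)[0]
    return None


def classify_export(module, name, addr, code, read_dword=lambda slot: POINTERS.get(slot, 0)):
    """Classify one exported function the way an apihooks-style scan does.

    hooked       : entry point transfers into memory that no loaded module owns
    cross_module : transfers into another loaded module (export forwarders and
                   thunks look like this, so report it for manual review)
    clean        : no control transfer at the entry point
    """
    transfer = decode_transfer(addr, code, read_dword)
    if transfer is None:
        return {"module": module, "function": name, "verdict": "clean"}
    kind, target = transfer
    target_module = owner_of(target)
    return {"module": module, "function": name,
            "verdict": "cross_module" if target_module else "hooked",
            "kind": kind, "target": target, "target_module": target_module}


def scan(exports):
    """Run classify_export over (module, name, address, first_bytes) rows."""
    return [classify_export(*row) for row in exports]


def rel32(src, dst):
    """Displacement for a 5-byte JMP/CALL at src that lands on dst."""
    return struct.pack("<i", dst - (src + 5))


# Constructed export table: the API names are real exports of these DLLs, but every
# address and every byte at each entry point is made up for this example.
SAMPLE_EXPORTS = [
    ("ntdll.dll", "NtCreateThread", 0x7C90D7D2, bytes.fromhex("B835000000BA0003FE7F")),
    ("ntdll.dll", "NtQueryDirectoryFile", 0x7C90DF5E, b"\xE9" + rel32(0x7C90DF5E, 0x00F40000)),
    ("wininet.dll", "HttpSendRequestA", 0x771C8F8C, b"\x68" + struct.pack("<I", 0x00F41000) + b"\xC3"),
    ("wininet.dll", "InternetReadFile", 0x771C2A65, b"\xFF\x25" + struct.pack("<I", 0x771B1234)),
    ("wininet.dll", "InternetOpenA", 0x771C1B60, HOT_PATCH_PROLOGUE),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_EXPORTS):
        print(result)
```

In the constructed table, NtQueryDirectoryFile and HttpSendRequestA both land in the unbacked region and are reported as hooked, InternetReadFile jumps through a pointer into ntdll and is reported as cross_module for manual review, and the other two are clean. When you run the real apihooks plugin against zeus.vmem, the equivalent of MODULES is the process's loaded-module list and the equivalent of SAMPLE_EXPORTS is every export of every DLL in the process; for each hook you find, the report should then name the function in the leaked source that writes that trampoline.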

    Report Grading Rubric:

    • Technical Content (50%)
      • Find an adequate amount of malware activities/behaviors from the memory dump and justify it using the leaked source code
      • Appropriate level of detail and thoroughness of documentation
    • Organization (15%)
      • Clearly identified purpose and approach
      • Content is clearly organized and supports the objective
    • Presentation (15%)
      • Easy to read
    • Layout/Visuals (20%)
      • Consistent presentation of graphics

    Presentation Rubric (total 15%):
    • 6% Slides --> 12+ pages, all content throughout the presentation is accurate. There are no factual errors.
    • 6% Presentation --> 15 mins, technical terms are well-defined, and the presentation demonstrates substance and depth.
    • 2% Q&A Session --> 5 mins, demonstrates full knowledge of the topic.
    • 1% --> prepare and ask questions for other groups.

    Tutorials and Supporting Materials