
Request for New Course

COURSE SYLLABUS

IA 400 Malware Analysis and Reverse Engineering

Instructor:
Office Phone:
Email Address:
Office Hours:

Course goals, objectives and/or expected student outcomes

Course Description: This course provides students with an effective immersion into the realm of malware analysis and reverse engineering. It follows a progressive approach that introduces relevant concepts and techniques while preparing students to become effective malware analysts who can apply a standard methodology for detecting, analyzing, reverse engineering and eradicating malware.

Purpose: The last two decades have witnessed a significant surge in software application development, which has introduced computing systems into the vast majority of existing, as well as emerging, industries. Unfortunately, this has been accompanied by exponential growth in attacks that use malicious software (malware) to compromise the security of such systems. This course adopts a practical approach to detecting, analyzing, reverse engineering, and eradicating malware. Key aspects of the course include reverse engineering malware from various sources and written in various languages, including Web-based languages such as JavaScript and document-based ones such as VBScript. This is accomplished using a standard methodology that involves setting up an inexpensive laboratory, isolating it from production environments, and utilizing a selected set of forensic tools in order to dissect the malware, discover its characteristics, and neutralize its effects. After finishing this course, students will also be familiar with common malware characteristics such as infection vectors, and will learn how to bypass some of the advanced techniques used by armored malware, such as packing, obfuscation and anti-analysis measures.

The field of Information Assurance (IA) is a primary example of a field that can benefit greatly from malware analysis. IA aims to protect and defend information and information systems by ensuring their confidentiality, integrity, authentication, availability, and non-repudiation. This is mostly based on designing measures that ensure the protection of such systems and their associated data. Malware analysis is therefore an essential component of IA: it provides the detection, analysis, reverse engineering, and eradication of any software that attempts to tamper with these systems or their data.

Scope: The scope of this course includes:
1. Introduction to Malware Analysis.
2. Malware Analysis Labs.
3. Methodology to detect, analyze, reverse-engineer, and eradicate malware.
4. Malware Analysis Applications.
5. Forensics tools used for Malware Analysis.

Course Objectives: This course will equip students with the necessary background knowledge to become effective Malware Analysis & Reverse Engineering practitioners. Upon successful completion of this course, students should be able to:
Miller, New Course Sept. 05

New Course Form

1. Develop a good understanding of Malware Analysis.
2. Identify the different types of Malware Analysis methods.
3. Gain a broad exposure to real-world applications of Malware Analysis.
4. Set up a relatively inexpensive lab for Malware Analysis activities.
5. Utilize a standard methodology for detecting, analyzing, reverse engineering, and eradicating malware.
6. Use a Malware Analysis-based approach in order to resolve real-world problems.
7. Recognize common malware characteristics.
8. Bypass some of the advanced malware techniques, such as the packing, obfuscation and anti-analysis measures of armored malware.

Required Texts and Handouts:

The main textbook in this course is the following:

Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, First Edition (2010). Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard. Wiley. ISBN-10: 0470613033, ISBN-13: 978-0470613030.

The following are recommended reference textbooks:

Malware: Fighting Malicious Code. Ed Skoudis and Lenny Zeltser (2003). Prentice Hall. ISBN-10: 0131014056, ISBN-13: 978-0131014053.

Malware Forensics: Investigating and Analyzing Malicious Code. Cameron H. Malin, Eoghan Casey, and James M. Aquilina (2008). Syngress. ISBN-10: 159749268X, ISBN-13: 978-1597492683.
a. Outline of the content to be covered

Unit 1: Course Expectations and Introduction
  1.1 Course Expectations
  1.2 Course Introduction

Unit 2: Fundamentals of Malware Analysis (MA)
  2.1 Reverse Engineering Malware (REM) Methodology
  2.2 Brief Overview of Malware Analysis Lab Setup and Configuration
  2.3 Introduction to Key MA Tools and Techniques
  2.4 Behavioral Analysis vs. Code Analysis
  2.5 Resources for Reverse-Engineering Malware (REM)

Unit 3: Malware Taxonomy and Characteristics
  3.1 Understanding Malware Threats
  3.2 Malware Indicators
  3.3 Malware Classification
  3.4 Examining ClamAV Signatures
  3.5 Creating Custom ClamAV Databases
  3.6 Using YARA to Detect Malware Capabilities

Unit 4: Malware Labs
  4.1 Creating a Controlled and Isolated Laboratory
  4.2 Introduction to MA Sandboxes
    4.2.1 Ubuntu
    4.2.2 Zeltser's REMnux
    4.2.3 SANS SIFT
  4.3 Sandbox Setup and Configuration

Unit 5: Malware Lab Integrity
  5.1 Routing TCP/IP Connections
  5.2 Capturing and Analyzing Network Traffic
  5.3 Internet Simulation Using INetSim
  5.4 Using Deep Freeze to Preserve Physical Systems
  5.5 Using FOG for Cloning and Imaging Disks
  5.6 Using a MySQL Database to Automate FOG Tasks

Unit 6: Malware Analysis Tools
  6.1 Introduction to Python
  6.2 Introduction to x86 Intel Assembly Language
  6.3 Scanners: VirusTotal, Jotti, and NoVirusThanks
  6.4 Analyzers: ThreatExpert, CWSandbox, Anubis, Joebox
  6.5 Dynamic Analysis Tools: Process Monitor, Regshot, HandleDiff
  6.6 Analysis Automation Tools: VirtualBox, VMware, Python
  6.7 Other Analysis Tools

Unit 7: Malware Forensics
  7.1 Using TSK for Network and Host Discoveries
  7.2 Using the Microsoft Offline API for Registry Discoveries
  7.3 Identifying Packers Using PEiD
  7.4 Registry Forensics with RegRipper Plug-ins
  7.5 Case Studies:
    7.5.1 Bypassing Poison Ivy's Locked Files
    7.5.2 Bypassing Conficker's File System ACL Restrictions
    7.5.3 Detecting Rogue PKI Certificates

Unit 8: Malware and Kernel Debugging
  8.1 Opening and Attaching to Processes
  8.2 Configuration of a JIT Debugger for Shellcode Analysis
  8.3 Controlling Program Execution
  8.4 Setting and Catching Breakpoints
  8.5 Debugging with Python Scripts and PyCommands
  8.6 DLL Export Enumeration, Execution, and Debugging
  8.7 Debugging a VMware Workstation Guest (on Windows)
  8.8 Debugging a Parallels Guest (on Mac OS X)
  8.9 Introduction to WinDbg Commands and Controls
  8.10 Detecting Rootkits with WinDbg Scripts
  8.11 Kernel Debugging with IDA Pro

Unit 9: Memory Forensics and Volatility
  9.1 Memory Dumping with the MoonSols Windows Memory Toolkit
  9.2 Accessing VM Memory Files
  9.3 Overview of Volatility
  9.4 Investigating Processes in Memory Dumps
  9.5 Code Injection and Extraction
    9.5.1 Detecting and Capturing Suspicious Loaded DLLs
    9.5.2 Finding Artifacts in Process Memory
    9.5.3 Identifying Injected Code with Malfind and YARA

Unit 10: Researching and Mapping Source Domains/IPs
  10.1 Using WHOIS to Research Domains
  10.2 DNS Hostname Resolution
    10.2.1 Querying Passive DNS
    10.2.2 Checking DNS Records
  10.3 Reverse IP Search

  10.4 Creating Static Maps
  10.5 Creating Interactive Maps
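Units 3.4 and 3.5 have students read and write ClamAV signatures. The Python script below is an added example for this syllabus (it is not code from the course, the textbook or ClamAV): it parses a few constructed `.ndb`-style entries (`MalwareName:TargetType:Offset:HexSignature`) into byte regexes, honouring the `??` and single-nibble wildcards, the `{n}`/`{n-m}`/`{-m}`/`{n-}` skips and `*`, and scans constructed sample buffers with them. The signature names, the hex bodies and the sample bytes are all made up for the example and are not real ClamAV database entries.

```python
import re

# Constructed .ndb-style entries for this example (not real ClamAV signatures).
# Format: MalwareName:TargetType:Offset:HexSignature
# TargetType 0 = any file, 1 = PE; Offset "*" = anywhere, else an absolute offset.
CONSTRUCTED_NDB = """\
# name:target:offset:hexsig
Example.PE.Header:1:0:4d5a{2-}50450000
Example.Dropper.WinExec:0:*:57696e45786563
Example.Stub.XorLoop:0:*:8a??34??88??4?4?e2
"""

_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\*|[0-9a-fA-F?]{2}")


def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate a ClamAV-style hex signature body into a bytes regex.

    Supported: literal bytes, nibble wildcards (??, 4?, ?4), {n}, {n-m}, {-m},
    {n-} byte skips and the unbounded * wildcard.
    """
    out, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparseable signature at offset {pos}: {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "*":
            out.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = m.groups()
            out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()) if dash
                       else b".{%d}" % int(lo))
        elif tok == "??":
            out.append(b".")
        elif "?" in tok:
            # One nibble fixed, one wild: expand to the 16 matching byte values.
            vals = [v for v in range(256)
                    if (tok[0] == "?" or v >> 4 == int(tok[0], 16))
                    and (tok[1] == "?" or v & 0xF == int(tok[1], 16))]
            out.append(b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]")
        else:
            out.append(b"\\x%02x" % int(tok, 16))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in signature: {hexsig!r}")
    return b"".join(out)


class Signature:
    def __init__(self, line: str):
        self.name, target, self.offset, hexsig = line.split(":", 3)
        self.target = int(target)
        # DOTALL so a wildcard byte can also be 0x0a.
        self.regex = re.compile(hexsig_to_regex(hexsig), re.DOTALL)

    def matches(self, data: bytes) -> bool:
        if self.target == 1 and not data.startswith(b"MZ"):
            return False  # PE-only signature applied to non-PE input
        if self.offset == "*":
            return self.regex.search(data) is not None
        return self.regex.match(data, int(self.offset)) is not None


def load_ndb(text: str) -> list:
    return [Signature(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]


def scan(data: bytes, sigs: list) -> list:
    """Names of every signature that matches data, in database order."""
    return [s.name for s in sigs if s.matches(data)]


# Constructed samples: a fake PE-like dropper and an analyst note mentioning WinExec.
SAMPLE_DROPPER = (b"MZ" + b"\0" * 62 + b"PE\0\0"
                  + b"\x8a\x06\x34\x41\x88\x07\x46\x47\xe2\xf6"  # xor-decode loop
                  + b"WinExec\0")
SAMPLE_NOTE = b"analyst note: the sample calls WinExec at runtime"

if __name__ == "__main__":
    db = load_ndb(CONSTRUCTED_NDB)
    for label, blob in (("dropper", SAMPLE_DROPPER), ("note", SAMPLE_NOTE)):
        print(label, "->", scan(blob, db) or ["clean"])
```

The note sample shows why the target type matters: the plain-text file still trips the string signature, but the PE header signature is never even attempted against it. Real ClamAV also supports `EP+n` offsets and `(aa|bb)` alternatives, which this example leaves out.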
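Unit 7.3 uses PEiD to identify packers. As an added illustration for this syllabus (not code from the course, the textbook or PEiD), the Python script below implements the two cheap heuristics an analyst applies before reaching for PEiD's entry-point signatures: packer-specific section names and per-section Shannon entropy, plus a check for sections that are both writable and executable. It parses the PE headers itself with `struct` and builds two constructed PE32 images (a UPX-style layout and a plain one) as fixtures. The section-name table is an illustrative subset assumed for the example, and the 7.0 bits/byte threshold is a common rule of thumb, not a PEiD setting.

```python
import math
import struct

# Section names that common packers leave behind (illustrative subset, assumed
# for this example). PEiD proper matches byte signatures at the entry point.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack", b".petite": "Petite",
    b".nsp0": "NsPack", b".nsp1": "NsPack", b".MPRESS1": "MPRESS",
    b".MPRESS2": "MPRESS", b".themida": "Themida", b".vmp0": "VMProtect",
}
HIGH_ENTROPY = 7.0            # bits/byte; compressed or encrypted data nears 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # Section header (40 bytes): Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ..., Characteristics
        name, raw_size, raw_ptr, chars = struct.unpack_from(
            "<8s8xII12xI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "characteristics": chars,
                         "size": raw_size, "entropy": shannon_entropy(data)})
    return sections


def packer_indicators(pe: bytes) -> list:
    """Human-readable packer indicators; an empty list means none were found."""
    findings = []
    for s in parse_sections(pe):
        label = s["name"].decode("ascii", "replace") or "<unnamed>"
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{label}: section name used by {PACKER_SECTION_NAMES[s['name']]}")
        if s["size"] >= 256 and s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']:.2f} (compressed/encrypted payload?)")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{label}: writable and executable (unpacking stub writes code, then runs it)")
    return findings


def build_pe(sections) -> bytes:
    """Minimal PE32 image from (name, data, characteristics) tuples.
    Constructed fixture only: no entry point, imports or usable optional header."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_base = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zero
    table, blobs, va = b"", b"", 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             len(data), raw_base + len(blobs), 0, 0, 0, 0, chars)
        blobs += data.ljust(-(-len(data) // align) * align, b"\0")
        va += 0x1000
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + blobs


# Constructed samples: a UPX-style layout with an 8.0-entropy payload, and a plain
# image with a repetitive code section and a text data section.
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0xE0000080),                     # empty, RWX, uninitialised
    (b"UPX1", bytes(range(256)) * 16, 0xE0000040),  # every byte value equally often
])
CLEAN_SAMPLE = build_pe([
    (b".text", (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 64, 0x60000020),
    (b".data", b"Hello, world\0" * 32, 0xC0000040),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(image) or ["no indicators"])
```

Treat a hit from any one heuristic as a prompt to look closer, not as proof: packers can rename sections, and a legitimately compressed resource section will also score high on entropy, which is why the course pairs this triage with PEiD's signature database and with actual unpacking in a debugger.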

b. Student assignments including presentations, research papers, exams, etc. (See Below)

c. Method of evaluation

Student Requirements: The goal of this course is to provide students with sufficient background in the field of Malware Analysis and Reverse Engineering, with an emphasis on Information Assurance principles. Students are expected to attend all class sessions, except in the case of illness or extenuating circumstances, which are to be approved by the course instructor. Students are also expected to participate in class activities, conduct research in relevant areas, and give one or more presentations to the class. Reading assignments will also be given out by the instructor in support of such activities. There will also be a midterm and a final to test students' knowledge.

Assessment and Evaluation:
Assignments (2): 20%
Class Discussions, Activities, and Participation: 10%
Midterm: 25%
Group Project & Research: 20%
Final: 25%

Students are expected to take in-class exams on the scheduled dates. Should there be an unavoidable problem, the instructor may, at his discretion, provide a makeup exam.

d. Grading scale (if a graduate course, include graduate grading scale)

95 - 100% = A
90 - 94%  = A-
87 - 89%  = B+
84 - 86%  = B
80 - 83%  = B-
77 - 79%  = C+
74 - 76%  = C
70 - 73%  = C-
67 - 69%  = D+
64 - 66%  = D
60 - 63%  = D-
0 - 59%   = E

e. Special requirements

f. Bibliography, supplemental reading list

SANS/Lenny Zeltser: Reverse-Engineering Malware: Malware Analysis Tools and Techniques [training] http://zeltser.com/reverse-malware/
Combating Malware in the Enterprise [training] http://zeltser.com/combating-malware-course/
Related SANS course: SANS Forensics 610, Reverse-Engineering Malware: http://www.sans.org/security-training/reverseengineering-malware-malware-analysis-tools-techniques-54-mid

References:
Malware Analysis: An Introduction [whitepaper] http://www.sans.org/reading_room/whitepapers/malicious/malware-analysisintroduction_2103

GIAC Reverse Engineering Malware (GREM) [certification] http://www.giac.org/certification/reverse-engineering-malware-grem
Forensic Discovery [book] http://www.amazon.com/exec/obidos/tg/detail/-/020163497X/104-5123010-9411940 and http://www.porcupine.org/forensics/forensic-discovery/
Practical Malware Analysis [presentation] http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07Kendall_McMillan-WP.pdf
Malware Analysis for Administrators [article] http://www.symantec.com/connect/articles/malware-analysis-administrators
Stuxnet Malware Analysis [paper] http://www.codeproject.com/KB/web-security/StuxnetMalware.aspx
g. Other pertinent information

Sample List of Malware Analysis Tools:
System Monitor, Process Explorer, CaptureBAT, Regshot, VMware
BinText, LordPE, QuickUnpack, Firebug, PELister, PEiD
IDA Pro, OllyDbg and plug-ins such as OllyDump, HideOD
Rhino, Malzilla, SpiderMonkey, Jsunpack-n
Internet Explorer Developer Toolbar, cscript
Honeyd, NetCat, Wireshark, curl, wget, xorsearch
OfficeMalScanner, OffVis, Radare, FileInsight
Volatility Framework and plug-ins such as malfind2 and apihooks
SWFTools, Flare, shellcode2exe, fake DNS server, and others
