IA 400 Malware Analysis Syllabus


Page 1: IA 400 Malware Analysis Syllabus

Request for New Course

Miller, New Course Sept. 05

COURSE SYLLABUS

IA 400 Malware Analysis and Reverse Engineering

Instructor:

Office Phone:

Email Address:

Office Hours:

Course goals, objectives and/or expected student outcomes

Course Description: This course provides students with an effective immersion into the realm of Malware Analysis and Reverse Engineering. It follows a progressive approach that introduces relevant concepts and techniques while preparing students to become effective malware analysts who can use a standard methodology for detecting, analyzing, reverse engineering and eradicating malware.

Purpose: The last two decades have witnessed a significant surge in software application development, which resulted in the introduction of computing systems into the vast majority of existing, as well as emerging, industries. Unfortunately, this was accompanied by an exponential growth in hacking attempts that utilize malicious software (malware) that is geared toward compromising the security of such systems. This course adopts a practical approach in detecting, analyzing, reverse engineering, and eradicating malware. Some of the key aspects of this course include reverse engineering malware from various sources and using various programming languages, including Web-based languages such as JavaScript as well as Document-based ones such as VBScript. This is accomplished by using a standard methodology that involves setting up an inexpensive laboratory, isolating it from production environments, and utilizing a selected set of forensic tools in order to dissect the malware, discover its characteristics, and neutralize its effects. After finishing this course, students will also be familiar with common malware characteristics such as infection vectors and will learn how to bypass some of the advanced malware techniques, such as packing, obfuscation and anti-analysis of armored malware breeds.

The field of Information Assurance (IA) is a primary example of a field that can benefit greatly from malware analysis. IA aims to protect and defend information and information systems by ensuring their confidentiality, integrity, authentication, availability, and non-repudiation. This is mostly based on designing measures that would ensure the protection of such systems and their associated data. This makes malware analysis an essential component of IA by ensuring the detection, analysis, reverse engineering, and eradication of any software that attempts to tamper with these systems or their data.

Scope: The scope of this course includes:
1. Introduction to Malware Analysis.
2. Malware Analysis Labs.
3. Methodology to detect, analyze, reverse-engineer, and eradicate malware.
4. Malware Analysis Applications.
5. Forensics tools used for Malware Analysis.

Course Objectives: This course will equip students with the necessary background knowledge in order to become effective Malware Analysis & Reverse Engineering practitioners. Upon successful completion of this course, students should be able to:

Page 2: IA 400 Malware Analysis Syllabus

New Course Form

Page 2 of 5

1. Develop a good understanding of Malware Analysis.
2. Identify the different types of Malware Analysis methods.
3. Gain a broad exposure to real world applications of Malware Analysis.
4. Set up a relatively inexpensive lab for Malware Analysis activities.
5. Utilize a standard methodology for detecting, analyzing, reverse engineering, and eradicating malware.
6. Use a Malware Analysis-based approach in order to resolve real world problems.
7. Recognize common malware characteristics.
8. Bypass some of the advanced malware techniques, such as packing, obfuscation and anti-analysis of armored malware breeds.

Required Texts and Handouts:

The main textbook in this course is the following:
Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, First Edition (2010): Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard. ISBN-10: 0470613033, ISBN-13: 978-0470613030. Wiley Publications.

The following are recommended reference textbooks:
Malware: Fighting Malicious Code: Ed Skoudis and Lenny Zeltser (2003). ISBN-10: 0131014056, ISBN-13: 978-0131014053. Prentice Hall Publications.
Malware Forensics: Investigating and Analyzing Malicious Code: Cameron H. Malin, Eoghan Casey, and James M. Aquilina (2008). ISBN-10: 159749268X, ISBN-13: 978-1597492683. Syngress Publications.

a. Outline of the content to be covered

Unit 1: Course Expectations and Introduction
1.1 Course Expectations
1.2 Course Introduction

Unit 2: Fundamentals of Malware Analysis (MA)
2.1 Reverse Engineering Malware (REM) Methodology
2.2 Brief Overview of Malware Analysis Lab Setup and Configuration
2.3 Introduction to Key MA Tools and Techniques
2.4 Behavioral Analysis vs. Code Analysis
2.5 Resources for Reverse-Engineering Malware (REM)

Unit 3: Malware Taxonomy and Characteristics
3.1 Understanding Malware Threats
3.2 Malware Indicators
3.3 Malware Classification
3.4 Examining ClamAV Signatures
3.5 Creating Custom ClamAV Databases
3.6 Using YARA to Detect Malware Capabilities

Unit 4: Malware Labs
4.1 Creating a Controlled and Isolated Laboratory
4.2 Introduction to MA Sandboxes
4.2.1 Ubuntu
4.2.2 Zeltser’s REMnux
4.2.3 SANS SIFT
4.3 Sandbox Setup and Configuration


Unit 5: Malware Lab Integrity
5.1 Routing TCP/IP Connections
5.2 Capturing and Analyzing Network Traffic
5.3 Internet Simulation Using INetSim
5.4 Using Deep Freeze to Preserve Physical Systems
5.5 Using FOG for Cloning and Imaging Disks
5.6 Using a MySQL Database to Automate FOG Tasks

Unit 6: Malware Analysis Tools
6.1 Introduction to Python
6.2 Introduction to x86 Intel Assembly Language
6.3 Scanners: VirusTotal, Jotti, and NoVirusThanks
6.4 Analyzers: ThreatExpert, CWSandbox, Anubis, Joebox
6.5 Dynamic Analysis Tools: Process Monitor, Regshot, HandleDiff
6.6 Analysis Automation Tools: VirtualBox, VMware, Python
6.7 Other Analysis Tools

Unit 7: Malware Forensics
7.1 Using TSK for Network and Host Discoveries
7.2 Using the Microsoft Offline Registry API for Registry Discoveries
7.3 Identifying Packers Using PEiD
7.4 Registry Forensics with RegRipper Plug-ins
7.5 Case Studies:
7.5.1 Bypassing Poison Ivy’s Locked Files
7.5.2 Bypassing Conficker’s File System ACL Restrictions
7.5.3 Detecting Rogue PKI Certificates

Unit 8: Malware and Kernel Debugging
8.1 Opening and Attaching to Processes
8.2 Configuration of a JIT Debugger for Shellcode Analysis
8.3 Controlling Program Execution
8.4 Setting and Catching Breakpoints
8.5 Debugging with Python Scripts and PyCommands
8.6 DLL Export Enumeration, Execution, and Debugging
8.7 Debugging a VMware Workstation Guest (on Windows)
8.8 Debugging a Parallels Guest (on Mac OS X)
8.9 Introduction to WinDbg Commands and Controls
8.10 Detecting Rootkits with WinDbg Scripts
8.11 Kernel Debugging with IDA Pro

Unit 9: Memory Forensics and Volatility
9.1 Memory Dumping with the MoonSols Windows Memory Toolkit
9.2 Accessing VM Memory Files
9.3 Overview of Volatility
9.4 Investigating Processes in Memory Dumps
9.5 Code Injection and Extraction
9.5.1 Detecting and Capturing Suspicious Loaded DLLs
9.5.2 Finding Artifacts in Process Memory
9.5.3 Identifying Injected Code with Malfind and YARA

Unit 10: Researching and Mapping Source Domains/IPs
10.1 Using WHOIS to Research Domains
10.2 DNS Hostname Resolution
10.2.1 Querying Passive DNS
10.2.2 Checking DNS Records
10.3 Reverse IP Search


10.4 Creating Static Maps
10.5 Creating Interactive Maps

b. Student assignments including presentations, research papers, exams, etc. (See below.)

c. Method of evaluation

Student Requirements: The goal of this course is to provide students with sufficient background in the field of Malware Analysis and Reverse Engineering with an emphasis on Information Assurance principles. Students are expected to attend all class sessions, except in the case of illness or extenuating circumstances, which are to be approved by the course instructor. Students are also expected to participate in class activities, conduct research in relevant areas, and perform one or more presentations to the class. Reading assignments will also be given out by the instructor in support of such activities. There will also be a midterm and a final to test students’ knowledge.

Assessment and Evaluation:
Assignments (2): 20%
Class Discussions, Activities, and Participation: 10%
Midterm: 25%
Group Project & Research: 20%
Final: 25%

Students are expected to take in-class exams on the scheduled dates. Should there be an unavoidable problem, the Instructor may, at his discretion, provide a makeup exam.

d. Grading scale (if a graduate course, include graduate grading scale)

95 - 100% = A
90 - 94% = A-
87 - 89% = B+
84 - 86% = B
80 - 83% = B-
77 - 79% = C+
74 - 76% = C
70 - 73% = C-
67 - 69% = D+
64 - 66% = D
60 - 63% = D-
0 - 59% = E

e. Special requirements

f. Bibliography, supplemental reading list

SANS/Lenny Zeltser:
Reverse-Engineering: Malware Analysis Tools and Techniques Training
http://zeltser.com/reverse-malware/
Combating Malware in the Enterprise
http://zeltser.com/combating-malware-course/

Related SANS Course:
SANS Forensics610 Reverse Engineering Malware: http://www.sans.org/security-training/reverse-engineering-malware-malware-analysis-tools-techniques-54-mid

References:
Malware Analysis: An Introduction [whitepaper]
http://www.sans.org/reading_room/whitepapers/malicious/malware-analysis-introduction_2103


GIAC Reverse Engineering Malware (GREM) [Certification]
http://www.giac.org/certification/reverse-engineering-malware-grem

Forensic Discovery [book]
http://www.amazon.com/exec/obidos/tg/detail/-/020163497X/104-5123010-9411940
http://www.porcupine.org/forensics/forensic-discovery/

Practical Malware Analysis [presentation]
http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf

Malware Analysis for Administrators [article]
http://www.symantec.com/connect/articles/malware-analysis-administrators

Stuxnet Malware Analysis [paper]
http://www.codeproject.com/KB/web-security/StuxnetMalware.aspx

g. Other pertinent information.

Sample List of Malware Analysis Tools:
System Monitor, Process Explorer, CaptureBAT, Regshot, VMware
BinText, LordPE, QuickUnpack, Firebug, PELister, PEiD
IDA Pro, OllyDbg and plug-ins such as OllyDump, HideOD
Rhino, Malzilla, SpiderMonkey, Jsunpack-n
Internet Explorer Developer Toolbar, cscript
Honeyd, NetCat, Wireshark, curl, wget, xorsearch
OfficeMalScanner, OffVis, Radare, FileInsight
Volatility Framework and plug-ins such as malfind2 and apihooks
SWFTools, Flare, shellcode2exe, fake DNS server, and others