Request for New Course
Miller, New Course Sept. 05
COURSE SYLLABUS
IA 400 Malware Analysis and Reverse Engineering
Instructor:
Office Phone:
Email Address:
Office Hours:
Course goals, objectives and/or expected student outcomes
Course Description: This course provides students with an effective immersion into the
realm of Malware Analysis and Reverse Engineering. It follows a progressive approach that
introduces relevant concepts and techniques while preparing students to become effective
malware analysts who can apply a standard methodology for detecting, analyzing, reverse
engineering and eradicating malware.
Purpose: The last two decades have witnessed a significant surge in software application
development, which has introduced computing systems into the vast majority of existing, as
well as emerging, industries. Unfortunately, this has been accompanied by exponential growth
in attacks that use malicious software (malware) to compromise the security of such systems.
This course adopts a practical approach to detecting, analyzing, reverse engineering, and
eradicating malware. Key aspects of the course include reverse engineering malware from
various sources and written in various languages, including Web-based languages such as
JavaScript as well as document-based ones such as VBScript. This is accomplished by using a
standard methodology that involves setting up an inexpensive laboratory, isolating it from
production environments, and utilizing a selected set of forensic tools in order to dissect the
malware, discover its characteristics, and neutralize its effects. After finishing this course,
students will also be familiar with common malware characteristics such as infection vectors,
and will learn how to bypass some advanced malware defenses, such as packing, obfuscation
and the anti-analysis techniques used by armored malware.
The field of Information Assurance (IA) is a primary example of a field that can benefit
greatly from malware analysis. IA aims to protect and defend information and information
systems by ensuring their confidentiality, integrity, authentication, availability, and
non-repudiation. This is mostly based on designing measures that ensure the protection of
such systems and their associated data. Malware analysis is therefore an essential component
of IA, since it provides the detection, analysis, reverse engineering, and eradication of any
software that attempts to tamper with these systems or their data.
Scope: The scope of this course includes:
1. Introduction to Malware Analysis.
2. Malware Analysis Labs
3. Methodology to detect, analyze, reverse-engineer, and eradicate malware.
4. Malware Analysis Applications.
5. Forensics tools used for Malware Analysis.
Course Objectives: This course will equip students with the necessary background
knowledge in order to become effective Malware Analysis & Reverse Engineering
practitioners. Upon successful completion of this course, students should be able to:
New Course Form
Page 2 of 5
1. Develop a good understanding of Malware Analysis.
2. Identify the different types of Malware Analysis methods.
3. Gain a broad exposure to real world applications of Malware Analysis.
4. Set up a relatively inexpensive lab for Malware Analysis activities.
5. Utilize a standard methodology for detecting, analyzing, reverse engineering, and
eradicating malware.
6. Use a Malware Analysis-based approach in order to resolve real world problems.
7. Recognize common malware characteristics.
8. Bypass some of the advanced malware defenses, such as packing, obfuscation and the
anti-analysis techniques used by armored malware.
Required Texts and Handouts:
The main textbook in this course is the following:
Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious
Code, First Edition (2010): Michael Ligh, Steven Adair, Blake Hartstein, and Matthew
Richard. ISBN-10: 0470613033, ISBN-13: 978-0470613030. Wiley Publications
The following are recommended reference textbooks:
Malware: Fighting Malicious Code: Ed Skoudis and Lenny Zeltser (2003). ISBN-10:
0131014056, ISBN-13: 978-0131014053. Prentice Hall Publications
Malware Forensics: Investigating and Analyzing Malicious Code: Cameron H. Malin,
Eoghan Casey, and James M. Aquilina (2008). ISBN-10: 159749268X, ISBN-13: 978-1597492683.
Syngress Publications.
a. Outline of the content to be covered
Unit 1: Course Expectations and Introduction
1.1 Course Expectations
1.2 Course Introduction
Unit 2: Fundamentals of Malware Analysis (MA)
2.1 Reverse Engineering Malware (REM) Methodology
2.2 Brief Overview of Malware analysis lab setup and configuration
2.3 Introduction to key MA tools and techniques
2.4 Behavioral Analysis vs. Code Analysis
2.5 Resources for Reverse-Engineering Malware (REM)
Unit 3: Malware taxonomy and characteristics
3.1 Understanding Malware Threats
3.2 Malware indicators
3.3 Malware Classification
3.4 Examining ClamAV Signatures
3.5 Creating Custom ClamAV Databases
3.6 Using YARA to Detect Malware Capabilities
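Worked example for 3.4 and 3.5 (added here; it is not code from the course materials or from the Ligh et al. cookbook). The script writes a hash-based .hdb line and two body-based .ndb lines for constructed sample files, then previews which samples each signature would hit. The preview matcher emulates only a subset of ClamAV's .ndb hex grammar (plain hex, ??, *, and {n-m} ranges) and treats every target type other than PE as "any file"; it is a sanity check, not a replacement for clamscan. The sample bytes, family names and offsets are all made up for the exercise.

```python
"""Author custom ClamAV signatures and preview what they would match.

Added example for Unit 3 (3.4 and 3.5); not code from the course or the
textbook. The matcher emulates a subset of ClamAV's .ndb hex grammar so a
signature can be sanity-checked before loading it with clamscan; it is not a
substitute for clamscan itself. Sample bytes and names below are constructed.
"""
import hashlib
import re

# Constructed stand-ins (not real malware): two variants of one family that
# share a hard-coded C2 request prefix, and one benign file.
SAMPLE_A = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 16 + b"GET /gate.php?id=" + b"\x00" * 8
SAMPLE_B = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40 + b"GET /panel.php?id=" + b"\x00" * 8
BENIGN = b"#!/bin/sh\necho hello\n"

# Supported subset of the hex grammar: hex bytes, ?? (any one byte), * (any
# run), {n}, {n-m}, {-m}, {n-}. Alternations such as (aa|bb) are not handled.
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")


def ndb_hex_to_regex(hexsig: str) -> "re.Pattern":
    """Translate a ClamAV hex signature into an equivalent bytes regex."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"malformed hex signature near {hexsig[pos:]!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = (m.group(1) or "0").encode(), m.group(2), m.group(3).encode()
            parts.append(b".{%s}" % lo if not dash else b".{%s,%s}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(hexsig) or not parts:
        raise ValueError(f"malformed hex signature: {hexsig!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def hdb_signature(data: bytes, name: str) -> str:
    """One .hdb line (MD5:FileSize:MalwareName): matches exactly one file."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(name: str, hexsig: str, target: int = 0, offset: str = "*") -> str:
    """One .ndb line (MalwareName:TargetType:Offset:HexSignature).

    TargetType 0 = any file, 1 = PE; Offset is '*' (anywhere) or an absolute byte offset.
    """
    ndb_hex_to_regex(hexsig)  # reject malformed hex up front, as sigtool would on load
    return f"{name}:{target}:{offset}:{hexsig}"


def scan(data: bytes, hdb_lines, ndb_lines) -> list:
    """Names of all signatures matching `data`, sorted and de-duplicated."""
    hits = set()
    digest, size = hashlib.md5(data).hexdigest(), str(len(data))
    for line in hdb_lines:
        md5, fsize, name = line.split(":")
        if md5 == digest and fsize == size:
            hits.add(name)
    for line in ndb_lines:
        name, target, offset, hexsig = line.split(":")[:4]
        if target == "1" and not data.startswith(b"MZ"):
            continue  # PE-only signature; other target types are treated as 'any' here
        pattern = ndb_hex_to_regex(hexsig)
        found = pattern.search(data) if offset == "*" else pattern.match(data, int(offset))
        if found:
            hits.add(name)
    return sorted(hits)


HDB = [hdb_signature(SAMPLE_A, "Test.FakeBot.A-exact")]
NDB = [
    # "GET /" + 4 to 6 arbitrary bytes + ".php?id=", anywhere, PE files only
    ndb_signature("Test.FakeBot.Gen", "474554202f{4-6}2e7068703f69643d", target=1),
    # "PE\0\0" exactly at file offset 64, any file type
    ndb_signature("Test.PEHeaderAt64", "50450000", offset="64"),
]

if __name__ == "__main__":
    print("custom.hdb:", *HDB, "custom.ndb:", *NDB, sep="\n")
    for label, blob in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B), ("benign", BENIGN)):
        print(f"{label}: {scan(blob, HDB, NDB)}")
```

The hash signature catches only the exact file it was made from, while the body signature with a {4-6} range also catches the second variant; that contrast is the point of 3.5. In the lab, pull candidate hex from a real sample with sigtool --hex-dump, write the lines to custom.hdb and custom.ndb, and confirm with clamscan -d custom.ndb before trusting the preview above.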
Unit 4: Malware Labs
4.1 Creating a Controlled and Isolated Laboratory
4.2 Introduction to MA Sandboxes
4.2.1 Ubuntu
4.2.2 Zeltser’s REMnux
4.2.3 SANS SIFT
4.3 Sandbox Setup and Configuration
Unit 5: Malware Lab Integrity
5.1 Routing TCP/IP Connections
5.2 Capturing and Analyzing Network Traffic
5.3 Internet simulation using INetSim
5.4 Using Deep Freeze to Preserve Physical Systems
5.5 Using FOG for Cloning and Imaging Disks
5.6 Using MySQL Database to Automate FOG Tasks
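Worked example for 5.1 to 5.3 (added here; it is not INetSim code or course material). INetSim's dns service answers every lookup with one configured address so the guest's C2 traffic is routed to the analysis gateway; the script below is a minimal stand-in that does the same for A queries, logging each name the sample resolves as an indicator. The parsing and response-building functions run offline; SINKHOLE_IP is an assumed lab gateway address, and the query bytes in the test are constructed.

```python
"""Minimal fake DNS resolver for an isolated malware lab.

Added example for Unit 5; not from INetSim or the course. Every A query is
answered with the lab gateway's address, so HTTP/IRC/SMTP callbacks from the
guest land on INetSim or a netcat listener you control. SINKHOLE_IP is assumed.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumed: the lab gateway running INetSim / listeners
TTL = 60


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query, as a Windows guest would send it."""
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii") for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(pkt: bytes, pos: int):
    """Decode an uncompressed wire-format name; return (name, offset past it)."""
    labels = []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length


def parse_query(pkt: bytes):
    """Return (txid, flags, qname, qtype, raw question section) or raise ValueError."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, pos = _read_name(pkt, 12)
    qtype, _qclass = struct.unpack_from("!HH", pkt, pos)
    return txid, flags, name, qtype, pkt[12:pos + 4]


def build_response(query: bytes, ip: str = SINKHOLE_IP, ttl: int = TTL) -> bytes:
    """Answer an A query with `ip`; other types get an empty authoritative answer."""
    txid, flags, _name, qtype, question = parse_query(query)
    rflags = 0x8480 | (flags & 0x0100)  # QR=1, AA=1, RA=1, RD copied, RCODE=0
    if qtype == 1:  # A record: name pointer to the question, IN, TTL, 4-byte RDATA
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
        ancount = 1
    else:
        rr, ancount = b"", 0
    return struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0) + question + rr


def answer_ip(response: bytes):
    """Extract the A record from a response built above, or None if there is none."""
    _txid, _flags, _qd, ancount = struct.unpack_from("!HHHH", response, 0)
    if ancount == 0:
        return None
    _name, pos = _read_name(response, 12)
    pos += 4  # QTYPE, QCLASS
    rdlength, = struct.unpack_from("!H", response, pos + 10)  # after ptr, type, class, ttl
    return socket.inet_ntoa(response[pos + 12:pos + 12 + rdlength])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sinkhole; bind only to the isolated lab interface. Needs root for port 53."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            _txid, _flags, qname, qtype, _q = parse_query(pkt)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or non-query traffic: drop it
        print(f"{peer[0]} type {qtype} {qname} -> {SINKHOLE_IP}")  # each name is an indicator
        sock.sendto(build_response(pkt), peer)


if __name__ == "__main__":
    serve()
```

Point the guest's DNS setting (or the gateway's iptables redirect for udp/53) at the host running this, and keep the host's own resolver off that interface so nothing in the lab can reach the real Internet by accident.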
Unit 6: Malware Analysis Tools
6.1 Introduction to Python
6.2 Introduction to x86 Intel assembly language
6.3 Scanners: VirusTotal, Jotti, and NoVirusThanks
6.4 Analyzers: ThreatExpert, CWSandbox, Anubis, Joebox
6.5 Dynamic Analysis Tools: Process Monitor, Regshot, HandleDiff
6.6 Analysis Automation Tools: VirtualBox, VMWare, Python
6.7 Other Analysis Tools
Unit 7: Malware Forensics
7.1 Using TSK for Network and Host Discoveries
7.2 Using Microsoft Offline API for Registry Discoveries
7.3 Identifying Packers using PEiD
7.4 Registry Forensics with RegRipper Plug-ins
7.5 Case Studies:
7.5.1 Bypassing Poison Ivy’s Locked Files
7.5.2 Bypassing Conficker’s File System ACL Restrictions
7.5.3 Detecting Rogue PKI Certificates
Unit 8: Malware and Kernel Debugging
8.1 Opening and Attaching to Processes
8.2 Configuration of JIT Debugger for Shellcode Analysis
8.3 Controlling Program Execution
8.4 Setting and Catching Breakpoints
8.5 Debugging with Python Scripts and PyCommands
8.6 DLL Export Enumeration, Execution, and Debugging
8.7 Debugging a VMware Workstation Guest (on Windows)
8.8 Debugging a Parallels Guest (on Mac OS X)
8.9 Introduction to WinDbg Commands and Controls
8.10 Detecting Rootkits with WinDbg Scripts
8.11 Kernel Debugging with IDA Pro
Unit 9: Memory Forensics and Volatility
9.1 Memory Dumping with MoonSols Windows Memory Toolkit
9.2 Accessing VM Memory Files
9.3 Overview of Volatility
9.4 Investigating Processes in Memory Dumps
9.5 Code Injection and Extraction
9.5.1 Detecting and Capturing Suspicious Loaded DLLs
9.5.2 Finding Artifacts in Process Memory
9.5.3 Identifying Injected Code with Malfind and YARA
Unit 10: Researching and Mapping Source Domains/IPs
10.1 Using WHOIS to Research Domains
10.2 DNS Hostname Resolution
10.2.1 Querying Passive DNS
10.2.2 Checking DNS Records
10.3 Reverse IP Search
10.4 Creating Static Maps
10.5 Creating Interactive Maps
b. Student assignments including presentations, research papers, exams, etc.
(See Below)
c. Method of evaluation
Student Requirements: The goal of this course is to provide students with sufficient
background in the field of Malware Analysis and Reverse Engineering, with an emphasis on
Information Assurance principles. Students are expected to attend all class sessions, except in
the case of illness or extenuating circumstances, which are to be approved by the course
instructor. Students are also expected to participate in class activities, conduct research in
relevant areas, and give one or more presentations to the class. Reading assignments will
also be given out by the instructor in support of such activities. There will also be a
midterm and a final to test students’ knowledge.
Assessment and Evaluation:
Assignments (2): 20%
Class Discussions, Activities, and Participation: 10%
Midterm: 25%
Group Project & Research: 20%
Final: 25%
Students are expected to take in-class exams on the scheduled dates. Should there be an unavoidable
problem, the Instructor may, at his discretion, provide a makeup exam.
d. Grading scale (if a graduate course, include graduate grading scale)
95 - 100% = A     80 - 83% = B-    67 - 69% = D+
90 - 94%  = A-    77 - 79% = C+    64 - 66% = D
87 - 89%  = B+    74 - 76% = C     60 - 63% = D-
84 - 86%  = B     70 - 73% = C-     0 - 59% = E
e. Special requirements
f. Bibliography, supplemental reading list
SANS/Lenny Zeltser:
Reverse-Engineering: Malware Analysis Tools and Techniques Training
http://zeltser.com/reverse-malware/
Combating Malware in the Enterprise
http://zeltser.com/combating-malware-course/
Related SANS Course:
SANS Forensics610 Reverse Engineering Malware: http://www.sans.org/security-training/reverse-engineering-malware-malware-analysis-tools-techniques-54-mid
References:
Malware Analysis: An Introduction [whitepaper]
http://www.sans.org/reading_room/whitepapers/malicious/malware-analysis-introduction_2103
GIAC Reverse Engineering Malware (GREM) [Certification]
http://www.giac.org/certification/reverse-engineering-malware-grem
Forensic Discovery [book]
http://www.amazon.com/exec/obidos/tg/detail/-/020163497X/104-5123010-9411940
http://www.porcupine.org/forensics/forensic-discovery/
Practical Malware Analysis [presentation]
http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf
Malware Analysis for Administrators [article]
http://www.symantec.com/connect/articles/malware-analysis-administrators
Stuxnet Malware Analysis [paper]
http://www.codeproject.com/KB/web-security/StuxnetMalware.aspx
g. Other pertinent information.
Sample List of Malware Analysis Tools:
System Monitor, Process Explorer, CaptureBAT, Regshot, VMware
BinText, LordPE, QuickUnpack, Firebug, PELister, PEiD
IDA Pro, OllyDbg and plug-ins such as OllyDump, HideOD
Rhino, Malzilla, SpiderMonkey, Jsunpack-n
Internet Explorer Developer Toolbar, cscript
Honeyd, NetCat, Wireshark, curl, wget, xorsearch
OfficeMalScanner, OffVis, Radare, FileInsight
Volatility Framework and plug-ins such as malfind2 and apihooks
SWFTools, Flare, shellcode2exe, fake DNS server, and others