CS6038/CS5138 Malware Analysis Department of Electrical Engineering and Computing Systems
College of Engineering and Applied Science
University of Cincinnati
Meets every Tue/Thu in 3210 RECCENTER @ 4:00PM-5:20PM
Want to participate?: Apply to Graduate School Here
This class will introduce the CS graduate students to malware concepts, malware analysis, and black-box reverse engineering techniques. The target audience is focused on computer science graduate students or undergraduate seniors without prior cyber security or malware experience. It is intended to introduce the students to types of malware, common attack recipes, some tools, and a wide array of malware analysis techniques.
In general, if you’ve taken the following courses, you should have a good foundation for the class:
CS4029/6029 - Operating Systems
CS2029 - Data Structures
As virtualization is a key ingredient to any malware analysis, students are expected to have access to a laptop which can run multiple virtual machines at a time, with adequate CPU, RAM, and available disk storage. The minimum configuration expected to work well is a system with 4 cores (4 or 8 threads), 16GB of RAM and at least 150GB of free space on disk. Lesser configurations may work, but will likely increase the amount of wait time, minimized multitasking, and generally add to frustration.
Course syllabus
Lectures/notes (from 2020 class)
2020-03-02 - Multi-Stage Document Attacks (lecture)2020-02-16 - Simple Program Flow Editing with Immunity (lecture)
2020-02-16 - Immunity Debugger View and Description (lecture)
2020-02-11 - Immunity Debugger Intro, Capture & Reroute Malware Traffic (lecture)
2020-02-11 - Analysis of Assignment 4, advanced parts (lecture)
2020-02-09 - Configuration Analysis, Run Time Analysis & Editing (lecture)
2020-02-05 - Ghidra Intro (lecture)
2020-02-04 - EXE File Analysis Lecture 1 (lecture)
2020-02-02 - Assembly Language Crash Course (lecture)
2020-01-28 - Analysis Exercise (lecture)
2020-01-24 - Static Analysis of Compromised VM (lecture)
2020-01-21 - Building Malware - Metasploit & Pupy RAT (lecture)
2020-01-20 - Building an Attack (lecture)
2020-01-19 - Malware Taxonomy Discussion (lecture)
2020-01-14 - Introduction to Course and VirtualBox (lecture)
Lectures/notes (from prior classes)
2018-04-03 - Debugging and VM Detection (lecture)2018-03-20 - Document Format Analysis (lecture)
2018-02-22 - Malware Research Online (lecture)
2018-02-20 - Code-based Yara String Matching (lecture)
2018-01-25 - Container Model for Streams/Files and Deconstructing the Attack (lecture)
2018-01-18 - VirtualBox Lab Example Attacks & Analysis (lecture)
2018-01-16 - VirtualBox Lab Setup and Crash Course II (lecture)
2017-03-07 - Analysis of PDF Documents (lecture)
2017-03-02 - Analysis of Complex Data Structures (lecture)
2017-02-28 - Numeric Data Encoding, Arrays, and Memory Analysis (lecture)
2017-02-23 - Demo of Static Code Analysis Using Objdump, IDA Free, and Yara (lecture)
2017-02-21 - Demo of Static Analysis Using Strings (lecture)
2017-02-14 - Assembly Language Crash Course (Pt. 2), A Deeper Dive (lecture)
2017-02-09 - Assembly Language Crash Course (Pt. 1) (lecture)
2017-02-07 - Static Analyzers (Yara, vscan, ClamAV) (lecture)
2017-02-02 - Applying Static Analysis (lecture)
2017-01-31 - Static Analysis Introduction (lecture)
2017-01-26 - Malware Research Online (lecture)
2017-01-24 - Malware Taxonomy and Terminology (lecture)
2017-01-19 - Analyzing the Attack With Basic Tools (lecture)
2017-01-17 - Attack Introduction (lecture)
2017-01-12 - VirtualBox Lab Setup and Crash Course (lecture)
2017-01-10 - Introduction to Course and VirtualBox (lecture)
Assignments
LAB02: Building a Custom Attack (Due: Tuesday, 2020-01-23 11:59PM)LAB01: VM Setup and Test (Due: Tuesday, 2020-01-16 11:59PM)
Assignments (old)
Final: Malware Analysis Report (Due: Saturday, 2018-04-28 11:55PM)HW04: Dynamic Malware Monitoring (Due: Sunday, 2017-04-22 11:55PM)
HW03: Yara Binary Code Analysis (Due: Sunday, 2017-03-25 11:55PM)
HW02: Yara Static Analysis Using Strings, Observables (Due: Sunday, 2018-03-18 11:55PM)
HW01: VM Setup, Virtual Networking, Traffic Capture (Due: Thursday, 2018-02-15 11:55PM)
Final: Malware Analysis Report (Due: Friday, 2017-04-28 11:55PM)
HW05: Yara Binary Code Analysis (Due: Sunday, 2017-04-23 11:55PM)
HW04: Yara Static Analysis Using Strings, Observables (Due: Sunday, 2017-04-23 11:55PM)
HW03: Static Analysis Utility (Due: Thursday, 2017-03-02 11:55PM)
HW02: Kali Metasploit Experiment (Due: Tuesday, 2017-02-21 11:55PM)
HW01: VM Setup, Virtual Networking, Traffic Capture (Due: Thursday, 2017-02-16 11:55PM)
Other videos on malware I’ve done
- Malware Analysis on a Budget - Discussion of malware analysis tools and research projects out in the open-source community
- MalwareDNA - Talk about an instruction-analysis technique I devised in 2013
Recommended Resources
- Scott Nusbaum taught this class in Spring 2019, here is his great curriculum
- Adventures in Security (http://securitykitten.github.io/) - Nick Hoffman: A colleage, former coworker, and friend
- Secured.org Blog (http://amanda.secured.org/) - Amanda Rousseau, Malware Research for Endgame
- Secured.org RE101 (https://securedorg.github.io/RE101/ - Amanda Rousseau, RE101 course for 2017 WiCyS Conference
- contagio malware dump (http://contagiodump.blogspot.com/) - A malware analysis and artifact sharing blog started by Mila
- tuts4you (https://tuts4you.com/download.php) - RE tutorials, documentation, and other stuff
- RPI Malware Analysis Course - Malware Analysis course at Rensselaer Polytechnic Institute
- theZoo - A repository of LIVE malware, and navigation CLI
- Awesome Security Talks (github repository) - A long list of videos related to various security topics from conferences, going back to 2013
- Malware Analyzer - Reviews a bunch of malware analysis utilities
