MALWARE ANALYSIS AND REVERSE ENGINEERING

SHE Level 4
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code MHI223288
Module Leader Omair Uthmani
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • A (September start)

Pre-Requisite Knowledge

Network Penetration Testing & Ethical Hacking, Digital Forensics Analysis

Summary of Content

The cyber landscape and the ways in which it can be exploited continue to evolve. With the increasing prevalence of malware, it is essential to be able to identify and reverse engineer malicious code and investigate activity stemming from malicious software infections, in order to forensically analyse and detect artefacts which remain on infected systems. This module develops a level of understanding behind the construction and development of modern malicious code, the methods employed to exploit weaknesses in systems, together with the techniques that can be utilised to defend and recover from malware attacks. Furthermore, the different methods for the identification, investigation and analysis of malicious code are also examined. This module deepens a student's knowledge and understanding and reasoning by introducing them to alternative and developing environments (including, mobile devices). The ethical and professional issues/requirements of the professional practitioner are incorporated throughout the syllabus.

Syllabus

  • Malware Analysis Fundamentals & Approaches - Types of malware and their features. Malware distribution techniques. Web threats. Methods of deception and strategies to evade detection. Covert communication. Intrusion signatures. Behavioural analysis of malicious executables. Static and dynamic code. Reverse-engineering malware. Intercepting network connections. Network flow analysis.
  • Malicious Code Analysis - Reverse-engineering malware at the code level. Network analysis. Anti-disassembling techniques. Identifying assembly logic structures with a disassembler. Patterns of common malware characteristics at the API level. Methods for bypassing anti-analysis mechanisms.
  • Malicious Documents and Memory Forensics - Reverse engineering of malicious executables using memory forensic techniques. Analysing malicious Microsoft Office (Word, Excel, PowerPoint) and Adobe PDF documents. Analysing memory to assess malware characteristics and reconstruct infection artefacts. Using memory forensics to analyse rootkit infections.
  • Legal & Ethical Issues - Reinforce understanding and the application of discipline-specific legal and ethical issues.

Learning Outcomes

On completion of this module the student should be able to:
  1. Evaluate and demonstrate a critical and systematic understanding of malicious software, malicious code implementation and the methods of detecting software vulnerabilities.
  2. Critically evaluate the design, code and implementation of a malicious component and the steps required to reverse engineer the process.
  3. Employ network and system-monitoring tools to examine and assess how malware interacts with the file system, registry, network and other processes, and utilise memory forensic techniques to examine, predict and compare capabilities.
  4. Identify, select and critically evaluate techniques at the forefront of the discipline used in detection strategies and the defence of systems against malicious software and software-based attacks.
  5. Develop critical awareness of the techniques to isolate an infected system and perform malicious code analysis and reverse engineering in line with advanced professional practice.
  6. Demonstrate the ability to simplify complex evidence and communicate subject knowledge clearly to specialist and non-specialist audiences.
  7. Examine and assess ethical issues and evaluate the professional requirements of a security practitioner.

Teaching / Learning Strategy

Learning and teaching will take place through a variety of mechanisms, including lectures and seminars with associated practical sessions, research into current developments and issues, and case studies. This module places an emphasis on active "hands-on" and independent approaches to learning. Case studies will be used formatively in tutorials throughout the module in order to promote application of knowledge to specific problems and encourage discussion. Topics will be introduced in lectures and discussed through guided inquiry learning activities. Key concepts of knowledge and understanding will be reinforced and consolidated through the critical analysis and discussion of case studies in tutorials that are designed to explain and elaborate on both lecture and laboratory content. Additionally, directed learning will reinforce essential theory and place understanding into context. Independent study will be encouraged to satisfy the student's own interests. A Virtual Learning Environment (VLE) will also be used that provides access to a range of relevant learning resources and materials to enhance the teaching strategy. Managed blended learning environments will be used to consider material, provide the capability for on-line reflection on material related to learning outcomes, and enable peer support. Feedback will be implemented via a combination of generic feedback and verbal feedback during tutorials and laboratory sessions, together with self-assessment and peer review exercises, to help the student assess their understanding of the material and develop their learning strategy. The subject discipline is continuously evolving and as a result students will be expected to keep up to date with developments through independent research. Students will be encouraged to adopt an independent learning style, acquiring and applying knowledge through their own research and enquiry, supported by a series of guided activities and exercises.
Students will be encouraged to share the findings of their research through seminar presentations and participation in on-line discussions with the rest of the student cohort. The material presented in this module is potentially damaging if used maliciously and the capabilities developed in this module have potential for harm. Academics will emphasise the professional expectations of students as well as stressing the students' ethical and moral responsibilities to themselves and others, including the School and the University.

Indicative Reading

  • Sikorski & Honig (2012), Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software, No Starch Press (1593272901).
  • Ligh et al. (2010), Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, John Wiley & Sons (0470613033).
  • Malin (2012), Malware Forensic Field Guide for Windows Systems, Syngress (1597494720).
  • Malin (2014), Malware Forensic Field Guide for Linux Systems, Syngress (9781597494717).
  • Sood (2014), Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware, Syngress (9780128006191).
  • Eilam (2005), Reversing: Secrets of Reverse Engineering, John Wiley & Sons (0764574817).
  • Carrier (2005), File System Forensic Analysis, Pearson Education (0321268172).

In addition to the reference material above, several online resources (blogs, journals, websites, etc.) which reflect up-to-date understanding in the field will be provided to students.

Transferrable Skills

  • Traditional Academic Skills - specialist knowledge, ability to apply knowledge, logical thinking, critical analysis, problem-solving, written and spoken communication, ability to use numerical data, and research skills.
  • Personal Development Skills - self-confidence, self-discipline, self-reliance, awareness of strengths and weaknesses, creativity, independence, knowledge of international affairs, desire to go on learning, ability to reflect, reliability, integrity, honesty and regard for others.
  • Enterprise or Business Skills - ability to prioritise tasks, time management, interpersonal skills, presentational skills, ability to work in teams and leadership.

Module Structure

Activity Total Hours
Lectures (FT) 24.00
Assessment (FT) 20.00
Tutorials (FT) 12.00
Independent Learning (FT) 120.00
Practicals (FT) 24.00

Assessment Methods

Component Duration Weighting Threshold Description
Coursework 1 n/a 50.00 35% Practical work
Exam (Exams Office) 2.00 50.00 35% Unseen written exam