MALWARE ANALYSIS

SHE Level 4
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code MHI224463
Module Leader Omair Uthmani
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • A (September start)

Pre-Requisite Knowledge

Digital Forensic Investigation or equivalent.

Summary of Content

The cyber landscape and the ways in which it can be exploited continue to evolve. With the increasing prevalence of malware, it is essential to be able to identify and reverse engineer malicious code and investigate activity stemming from malicious software infections, in order to forensically analyse and detect artefacts which remain on infected systems. This module develops a level of understanding behind the construction and development of modern malicious code, the methods employed to exploit weaknesses in systems, together with the techniques that can be utilised to defend and recover from malware attacks. Furthermore, the different methods for the identification, investigation and analysis of malicious code are also examined. This module deepens a student's knowledge and understanding and reasoning by introducing them to alternative and developing environments. The ethical and professional issues/requirements of the professional practitioner are incorporated throughout the syllabus.

Syllabus

Malware Analysis Fundamentals & Approaches
  • Types of malware and their features.
  • Malware distribution techniques.
  • Methods of deception and strategies for evading detection.
  • Covert communication.
  • Static and dynamic analysis of malicious executables.
  • Automated analysis techniques, including machine learning.

Malicious Code Analysis
  • Reverse-engineering malicious code binaries.
  • Identifying assembly logic structures and code constructs with a disassembler.
  • Patterns of common malware characteristics at the API level.
  • Methods for bypassing anti-analysis mechanisms and anti-disassembly techniques.

Memory Forensics
  • Analysing memory to assess malware characteristics and reconstruct infection artefacts.
  • Using memory forensics to analyse infections.

Legal & Ethical Issues
  • Reinforce understanding and the application of discipline-specific legal and ethical issues.

Learning Outcomes

On successful completion of this module a student should be able to:
  1. Evaluate and demonstrate a critical and systematic understanding of malicious software, malicious code implementation, and the methods and strategies of detecting it.
  2. Critically evaluate the design, code and implementation of a malicious component and the steps required to reverse engineer the process.
  3. Employ network and system-monitoring tools to examine and assess how malware interacts with the file system, registry, network and other processes, and utilise memory forensic techniques to examine, predict and compare capabilities.
  4. Develop critical awareness of the techniques to isolate an infected system and perform malicious code analysis and reverse engineering in line with advanced professional practice.

Teaching / Learning Strategy

The university 'Strategy for Learning' documentation has informed the learning and teaching strategy for this module. The module's material will be introduced through lectures, while practical laboratory exercises, based on lecture material, will be given to students whereby they will experiment with tools and techniques to perform malicious code analysis and reverse engineering. Tutorials will be used to help explain and elaborate on both the lecture material and the laboratory exercises. All lecture, tutorial and laboratory material will be available on GCU Learn, and links will be provided to appropriate external material such as podcasts, videos and literature. GCU Learn will also be used to provide the students with module-specific forums and wikis to stimulate student and lecturer interaction outwith the normal lecture, laboratory and tutorial sessions. In addition, students will be encouraged to access NETLAB, an innovative hands-on online lab learning environment providing access to live systems and network devices. During all laboratory and tutorial sessions students will receive formative feedback on their performance in undertaking the laboratory and tutorial exercises. Summative feedback can be obtained for the coursework and final written exam undertaken as part of the module.

Indicative Reading

  • Sikorski & Honig (2012), Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software, No Starch Press (1593272901).
  • Ligh et al. (2010), Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, John Wiley & Sons (0470613033).
  • Malin (2012), Malware Forensics Field Guide for Windows Systems, Syngress (1597494720).
  • Malin (2014), Malware Forensics Field Guide for Linux Systems, Syngress (9781597494717).
  • Sood (2014), Targeted Cyber Attacks: Multi-Staged Attacks Driven by Exploits and Malware, Syngress (9780128006191).
  • Eilam (2005), Reversing: Secrets of Reverse Engineering, John Wiley & Sons (0764574817).
  • Carrier (2005), File System Forensic Analysis, Pearson Education (0321268172).

In addition to the reference material above, several online resources (blogs, journals, websites, etc.) which reflect up-to-date understanding in the field will be provided to students.

Transferable Skills

  • C1 - Logical thinking and problem solving.
  • C2 - Critical analysis.
  • D1 - Communication skills (electronic, written, oral and listening) necessary to make effective presentation of a technical nature (information, ideas, problems and their solutions) to a range of audiences.
  • E2 - Creativity, innovation and independent thinking.
  • E4 - Reliability, integrity, honesty and ethical awareness.
  • E6 - Ability to prioritise tasks and time management (organising and planning work).

Module Structure

Activity Total Hours
Independent Learning (FT) 120.00
Lectures (FT) 24.00
Assessment (FT) 20.00
Practicals (FT) 24.00
Tutorials (FT) 12.00

Assessment Methods

Component Duration Weighting Threshold Description
Exam (Exams Office) 2.00 50.00 35% Unseen written exam
Coursework 1 n/a 50.00 35% Practical based assignment