MALWARE ANALYSIS

SHE Level 4
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code MHI225243
Module Leader Nebrase Elmrabit
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • A (September start)

Pre-Requisite Knowledge

Digital Forensic Investigation or equivalent.

Summary of Content

The cyber landscape and the ways in which it can be exploited continue to evolve. With the increasing prevalence of malware, it is essential to be able to identify and reverse engineer malicious code and investigate activity stemming from malicious software infections, in order to forensically analyse and detect artefacts which remain on infected systems. This module develops an understanding of the construction and development of modern malicious code, the methods employed to exploit weaknesses in systems, and the techniques that can be used to defend against and recover from malware attacks. The different methods for the identification, investigation and analysis of malicious code are also examined. The module deepens a student's knowledge, understanding and reasoning by introducing them to alternative and developing environments. The ethical and professional issues and requirements of the professional practitioner are incorporated throughout the syllabus. The percentage of Work Based Learning for this module, as represented by the proportion of the Activity Types which take place off campus, is 78%. The percentage of Work Based Assessment for this module is 50%.

Syllabus

Malware Analysis Fundamentals & Approaches
  • Types of malware and their features.
  • Malware distribution techniques.
  • Methods of deception and strategies for evading detection.
  • Covert communication.
  • Static and dynamic analysis of malicious executables.
  • Automated analysis techniques, including machine learning.

Malicious Code Analysis
  • Reverse-engineering malicious code binaries.
  • Identifying assembly logic structures and code constructs with a disassembler.
  • Patterns of common malware characteristics at the API level.
  • Methods for bypassing anti-analysis mechanisms and anti-disassembly techniques.

Memory Forensics
  • Analysing memory to assess malware characteristics and reconstruct infection artefacts.
  • Using memory forensics to analyse infections.

Legal & Ethical Issues
  • Reinforce understanding and the application of discipline-specific legal and ethical issues.

Learning Outcomes

On successful completion of this module a student should be able to:

1. Evaluate and demonstrate a critical and systematic understanding of malicious software, malicious code implementation and the methods and strategies of detecting it.
2. Critically evaluate the design, code and implementation of a malicious component and the steps required to reverse engineer the process.
3. Employ network and system-monitoring tools to examine and assess how malware interacts with the file system, registry, network and other processes, and utilise memory forensic techniques to examine, predict and compare capabilities.
4. Develop critical awareness of the techniques to isolate an infected system and perform malicious code analysis and reverse engineering in line with advanced professional practice.

Teaching / Learning Strategy

Work Based Education aims to maximise the direct and digitally mediated contact time with students by practising teaching and learning strategies that use authentic work based scenarios and encourage action learning, enquiry based learning, problem based learning and peer learning. All these approaches aim to directly involve the students in the process of learning and to encourage sharing of learning between students. The module team will determine the level and accuracy of knowledge acquisition at key points in the delivery, inputting when necessary either directly or with the support of external experts who will add to the authenticity, credibility and application of the education and learning in the workplace. The Learning and Teaching Strategy is informed by the University's Strategy for Learning. The course material will be introduced through online presentations as well as guided reading material made available on GCULearn. These are supported by practical exercises, and there will be seminars on campus which will allow students to discuss key concepts and issues with peers and tutors. Students will be expected to undertake a significant level of independent study within the workplace, including practical activities, and links will be provided to appropriate external material such as articles, podcasts and videos to supplement the module content. Students will be encouraged to reflect upon the theoretical learning within the workplace and the application of newly learned concepts to the work environment, and this will form part of the module assessment. Students will receive feedback on their performance throughout the module through undertaking the practical assignments and tutorial exercises and participating in the seminars.

Indicative Reading

Sikorski & Honig (2012), Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software, No Starch Press (1593272901).
Ligh et al. (2010), Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, John Wiley & Sons (0470613033).
Malin (2012), Malware Forensic Field Guide for Windows Systems, Syngress (1597494720).
Malin (2014), Malware Forensic Field Guide for Linux Systems, Syngress (9781597494717).
Sood (2014), Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware, Syngress (9780128006191).
Eilam (2005), Reversing: Secrets of Reverse Engineering, John Wiley & Sons (0764574817).
Carrier (2005), File System Forensic Analysis, Pearson Education (0321268172).

In addition to the reference material above, several online resources (blogs, journals, websites, etc.) which reflect up-to-date understanding in the field will be provided to students.

Transferable Skills

Logical thinking and problem solving. Critical analysis. Communication skills (electronic, written, oral and listening) necessary to make effective presentation of a technical nature (information, ideas, problems and their solutions) to a range of audiences. Creativity, innovation and independent thinking. Reliability, integrity, honesty and ethical awareness. Ability to prioritise tasks and time management (organising and planning work).

Module Structure

Activity                     Total Hours
Lectures (FT)                      24.00
Practicals (FT)                    24.00
Independent Learning (FT)         108.00
Assessment (FT)                    20.00
Seminars (FT)                      24.00

Assessment Methods

Component             Duration (hours)   Weighting (%)   Threshold   Description
Exam (Exams Office)   2.00               50.00           35%         Unseen written exam
Coursework 1          n/a                50.00           35%         Practical based assignment