MSIT 5460 Introduction to Malware Analysis

Instructor: Dr. Xinwen Fu
Office: Dandeneau Hall 340
Phone: (978) 934-3623
Course Name: MSIT.5460 Introduction to Malware Analysis
Credits: 3.00
Duration: 9/1/2022 - 12/20/2022
Location: Fully online; Access Blackboard
E-Mail: For use when Blackboard is down - xinwen_fu@uml.edu. Otherwise, use only Blackboard mail for class.
Chat Schedule: Tuesday, 8:00 PM – 9:00 PM Eastern Time

Course Description
This course introduces the use of reverse engineering techniques to find and analyze the
behavior of malware in binary form. The topics include basic static analysis, basic dynamic
analysis, advanced static analysis, advanced dynamic analysis, shell code analysis, malware
behavior and anti-reverse engineering. To take this course, students shall have experience in
the C programming language. Knowledge of assembly language is preferred although not
necessary since the course will have a crash mini-course in X86 disassembly covering
assembly language. The students will do the assignments and labs on either their own
computers or in a virtual lab environment.

Prerequisites for the Course


Students must already have completed a bachelor's degree in a related discipline to enroll in this
course and in a graduate career. Students must have programming experience; C programming
experience is a plus.

Course Materials
This class is challenging given that students will perform reverse engineering of software
binaries and assembly language will be taught in the class. You will need to stay self-motivated
and participatory throughout the entire semester.

Required Book
Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software
by Michael Sikorski and Andrew Honig, February 2012, 800 pp.
ISBN-13: 978-1-59327-290-6

Required Software
For assignments, students in this class will submit files in either Microsoft Office formats or PDF.
If students do not currently have Office, please access the following link: UMLIT Software
Services for Students - Office for Students for computers and mobile devices. Students may
also access vLabs, which allows students to access the university's software including Microsoft
Office anytime from anywhere.

Course Materials “Release” Day


Each "week" of this course typically begins on a Monday (12:00 AM ET) and ends on a Sunday
(11:59 PM ET). Because of the schedule, Week 1 may not be a full week and will start on the
university-assigned start date at 12:00 AM ET. After Week 1, each week will run for 7 days,
from Monday through Sunday. The last week of the semester is the final exam week.
The course calendar at the end of this syllabus provides additional details about the
course schedule. Your midterm exam and final exam will be assigned during Week 8 and the last
week of the semester, respectively. You can take your exam at any point during that week. More
details to follow.

Interaction Guidelines – Communication and Participation


Throughout the semester, we use three ways to communicate with each other: mail, chat and
the discussion board. These channels will be used for communication between students and the
instructor and for communication among students themselves.

Mail (My Messages and Mail on the Course Menu)


• All course-related emails must be sent within the Blackboard mail system. Students have to
log into Blackboard to send and view mail. Mail sent within Blackboard cannot be
delivered to public email accounts. Mail is reserved for sensitive questions you feel may
be disturbing if delivered to all students. All other course-related questions should be posted
to the Discussion Board for course material documentation so that all students can participate
in the discussion and learn from it. Students can also send personal email to the
instructor’s school email account only when Blackboard is not available because of maintenance or
blackout.
• You can expect a reply to mails from the instructor within 24 hours. If the instructor is unable
to, he will let you know beforehand.
• Mails do NOT count toward your final grade.

Chat (Chat on the Course Menu)


• Chat is voluntary and encouraged.
• A chat session runs from 8:00PM ~ 9:00PM EST each Tuesday, except the last week of the
semester, for real-time discussion of course materials.
• Chats do NOT count toward your final grade.

Discussion Board (Discussion Board on the Course Menu):


• Each chapter has its own discussion module as a discussion forum. We will cover 10
chapters of the textbook in addition to Chapter 0 Malware Analysis Primer, which will be
combined with Chapter 2 Malware Analysis in Virtual Machines. We will have 10 discussion
forums. The instructor will create two threads within each forum, corresponding to two topics
related to the chapter. The discussion forum will be available on Monday when a new
chapter is started. Some long chapters may need two weeks of time to complete. Each
student MUST reply to these two topics within a discussion forum. Students may create
threads within each forum for related discussion.
• The discussion board is for asking and answering questions. The instructor will answer
raised questions within 24 hours. Feel free to respond to each other’s questions. Please
direct questions to a specific chapter and thread for easy course material documentation
and clarity. Therefore, the discussion board will be used as a Question & Answer repository.
• Participation is mandatory and contributes 15% toward a student’s final grade.

Netiquette
Netiquette stands for Network Etiquette. It refers to proper behavior while interacting online. The
golden rule of netiquette is essentially to treat people as you would want to be treated. Please
be polite and considerate. Think about whether your comment could cause hurt feelings. Be
careful about how your words can come across because misunderstandings can be common
online. Feel free to use emoticons to show your tone.

Assignment Guidelines
How You Will Be Graded
Your final course grade will be based on the following

| Requirement | Number @ Points each | % Total Grade |
|---|---|---|
| Discussion Boards | Two discussion questions for each chapter; 20 questions in total | 20% |
| Labs | One lab for each chapter; 10 labs in total | 30% |
| Term Project | One term project | 10% |
| Midterm Exam | One midterm exam | 20% |
| Final Exam | One final exam | 20% |
| Total | | 100% |

Your final course letter grade will be determined as follows

| Numeric Grade | Letter Grade |
|---|---|
| 95-100 | A+ |
| 90-94.9 | A |
| 85-89.9 | A- |
| 80-84.9 | B+ |
| 75-79.9 | B |
| 70-74.9 | B- |
| 65-69.9 | C+ |
| 60-64.9 | C |
| 0-59.9 | F |

Discussion board postings


• The class has 10 discussion forums and each forum has two threads created by the
instructor. There are 20 threads in total. Each forum is released on Monday when we
start a new chapter. Please note Chapters 0 and 2 are combined. Students MUST reply
to each thread while discussion between students is encouraged, but not mandatory.
• A reply to a thread, called a post, is to be turned in on or before the due date and time,
which is 11:59PM on a Sunday.
• The 20 posts count as 20% of a student’s final score.
• A discussion board post will be accepted up to one week late, with deduction of half of
the points.
• Discussion board posts will not be accepted more than one week past the due date, and
students will lose all points for a missing post to a thread.

Labs
• The class has 10 labs, one lab for each chapter. Each lab is released on a Monday
when we start a new chapter. All labs are to be turned in on or before the due date and
time, which is 11:59PM on a Sunday. The due date and time for each lab will be
specified on assignment postings.
• A lab is worth 10 points. The 10 labs count as 30% of a student’s final score.
• Each lab has a few questions, which may be steps performed by students to perform
software operations. Each question has a score.
• A lab turned in up to 24-hours late will be reduced by 10% of the worth, and more than
24 hours late will be reduced 100%.
• All labs are expected to be individually and independently completed. Should two or
more students turn in substantially the same solution or program, in the judgment of the
instructor, the assignment will be given a grade of zero and the student will be notified. A
second such incident will result in an F grade for the course.

Term Project
• In the term project, students will complete steps to exploit a server with a buffer overflow
vulnerability.
• The term project can be completed by individual students or a team of two students. It is
the student's responsibility to find a team member.
• Students are encouraged to join a team. Teamwork is encouraged since all members of
a team will receive the same score based on the entire team’s performance on the team
project. A team project has to list the contributions from each member.
• The term project is to be turned in on or before the due date and time given in the course
calendar at the end of this syllabus. The due date and time for the term project will also be
specified on the corresponding assignment posting.
• The term project is worth 10 points and counts as 10% of a student’s final grade. It has a
few questions, which may be steps performed by students to perform software
operations. Each question has a score.
• A term project turned in up to 24 hours late will be reduced by 10% of the worth, and more
than 24 hours late will be reduced 100%.

Exams
• We have a midterm exam and a final exam in Week 8 and Week 15 of this class
respectively.
• Exams are based on textbooks, supplementary materials, and assignments.
• All exams will be open book.
• The start date and time of an exam will always be at 12:00AM on a specified date and
the end date and time will always be at 11:59PM on a specified date.
• An exam will have true/false questions and multiple-choice questions. Each question’s
worth will be explicitly stated in the exam.
• Make-up exams will only be given in case of serious need and only when the instructor
is notified prior to the exam time. Otherwise, the grade is automatically zero for that
exam.
• The make-up exams will be different from those given to the class.

Academic Integrity Policy


UMass Lowell Online students are expected to be honest and to respect ethical standards in
meeting academic assignments and requirements. A student who cheats on an examination or
assignment is subject to administrative dismissal. Please visit the Academic Integrity Web site
for specific details regarding this policy.

Student Disability Services


UMass Lowell Online students requiring academic accommodations should contact Student
Disability Services for assistance.

UML Library Off-Campus Access


Off-campus library access requires users to log in to the proxy server. Information can be found
at this link: Off-Campus Access to UML Library

Course Calendar
| Week | Chapter | Assignment | Assigned | Due Date |
|---|---|---|---|---|
| 1 | Chapter 0: Primer | Forum | 9/1/22 | 9/11/22 |
| 2 | Chapter 2: VM | Lab | 9/5/22 | 9/11/22 |
| 3 | Chapter 1: Basic Static Analysis | Forum, Lab | 9/12/22 | 9/18/22 |
| 4 | Chapter 3: Basic Dynamic Analysis | Forum, Lab | 9/19/22 | 9/25/22 |
| 5&6 | Chapter 4: A Crash Course in X86 Disassembly | Forum, Lab | 9/26/22 | 10/9/22 |
| 7 | Chapter 5: IDA | Forum, Lab | 10/10/22 | 10/16/22 |
| 8 | Midterm Exam | Covering chapters 0, 2, 1, 3, 4, 5 | 10/17/22 | 10/23/22 |
| 8 | Chapter 8: Debugging | Forum, Lab | 10/17/22 | 10/23/22 |
| 9 | Term Project | Exploit a program with a buffer overflow vulnerability | 10/24/22 | 5/2/21 |
| 9 | Chapter 9: Ollydbg/immunity debugger | Forum, Lab | 10/24/22 | 10/30/22 |
| 10&11 | Chapter 19: Shellcode Analysis | Forum, Lab | 10/31/22 | 11/13/22 |
| 12&13 | Chapter 7: Analyzing Malicious Windows Programs | Forum, Lab | 11/14/22 | 11/27/22 |
| 14&15 | Chapter 11: Malware Behavior | Forum, Lab | 11/28/22 | 12/11/22 |
| 16 | Final Exam | Covering chapters 8, 9, 19, 7, 11 | 12/12/22 | 12/20/22 |