NETW7006 Malware Analysis

This coursework is worth 70% of the module. The coursework should be submitted via Moodle. This is an individual coursework. Normal university rules on mitigating circumstances and academic conduct apply. The coursework must be uploaded to Moodle before Friday July 17 11pm. This must be treated as an individual piece of work.

It is important to note that you need to identify different types of malware which was not found in the previous submitted report.

Resources

The machine for analysis is an XP virtual machine which you can get at

?The username is - administrator

?The password is - AVictim

A range of tools are pre-installed on the VM. You may install whatever else you need. You may share folders from the VM to a Kali VM if you wish to use any Linux tools.

Assignment (What you have to do)

You are required to find, analyse and identify the malware on the virtual machine given. There are more than 12 pieces of malware on the computer. Find and analyse atleast six of the malwares.

You should document the process that you go through to detect and analyse the malware and for each piece of malware, where appropriate, you should determine the following -

?What the malware does

?Where is the malware located (it may be located in multiple places)

?What, if any, obfuscation techniques does it use?

?What. if any. network communication does it utilise?

?Potential manual removal techniques

Documenting your process is a key as we are more concerned with how you find and analyse the malware rather than the number of Malware that you locate.

Submission

You should submit a report on Moodle documenting –

?The process you went through to identify and analyse the malware

?Any tools that you used

?For each piece of malware, an answer to the questions in the assignment

?A reflection on the process

Mark scheme

For this coursework, you are expected to submit a report which includes the process of identifying and analysing the malware.

70%-100%

The student has made a good attempt at all of (a)-(g). The student has able to answer all the questions in the assignments. The process of finding every pieces of malware and its analysis are well documented. The overall results are well presented in the report.  The presentation is clear, engaging and conveys the information well.

60%-69%

The student has made a good attempt at all of (a)-(g). Also made a good attempt to answer all the questions in the assignments. The process of finding every pieces of malware and its analysis are well documented but not in detail. The results are well presented and concluding comments are given. The presentation is good and conveys the necessary information.

50%-59%

The student has attempted most of (a)-(g). The questions in the assignments are not fully address. The process of finding every pieces of malware and its analysis are documented but not in detail. The results are presented but not in detail. Reasonable presentation.

40%-49%

The student has attempted less than half of (a)-(g). Half of the question in the assignments are answered. The process of finding every pieces of malware and its analysis is weak. Weak presentation.

30%-39%

Less than a half of (a)-(g). Only two question in the assignments are answer. The process of finding every pieces of malware and its analysis is poorly presented.

0%-29%

Less than a quarter of (a)-(g). The process of finding every pieces of malware and its analysis is poorly presented.

Learning Outcome

This coursework is designed to test your attainment of the following learning outcomes:

?Utilise appropriate tools, and techniques, for reverse engineering malware, including a critical analysis of local and network activity.

?Demonstrate a critical understanding of obfuscation techniques and the tools and techniques that can be utilised to de-obfuscate obfuscated code.

?Demonstrate a detailed understanding of the human factors in malware and how these can be best defended against.