Instructor: Wu-chang Feng
Class: (Zoom link)
Contact and discussion:

• DM @wuchang pdx-cs.slack.com
• Class channel #cs492_592_malware on pdx-cs.slack.com
• In-class questions/feedback anonymously sayat.me

Office hours: here (10am on Mondays) on the course Zoom link.
TA: Allison Naaktgeboren (naak at pdx)
TA Office hours: Mondays 12:30pm-2pm on Zoom | In-person by arrangement
Required textbook

• Practical Malware Analysis, Sikorski and Honig, No Starch Press, 2012.  ISBN-13: 978-1-59327-290-6.

Resources

• Slides and labs Google Drive
• Lecture screencasts on MediaSpace
• CS 201 Review screencasts
• Accounts on linuxlab (FAB 88-09, 88-10)
• Lab VM at /u/wuchang/492_WinXP_x86.ova or from course page at https://.../cs492/492_WinXP_x86.ova
• Homework site
• Course reviews
• Google's write-up

Labs and notebook
Lab assignments will be given each class covering the course material. You will perform each one, while maintaining a lab notebook in a Google Doc that documents your progress via screenshots with your OdinID in them. The notebook should also include answers to any questions in the labs.  Notebooks should be exported as a PDF file and include a table of contents generated by Google Docs. Submission will be done via adding, committing and pushing the file to your private git repository. Use the following naming convention to submit your notebooks.

• notebooks/<week_number>.pdf e.g. notebooks/Week1.pdf
  

The notebook will be graded based upon the following rubric:

• Neatness and organization
• Completeness
• Inclusion of OdinID or project identifier in screenshots

Homework (MetaCTF)
For homework, we will be applying the concepts learned in the labs to Linux binaries. Assignments are to be done individually at the following sites: cs492.oregonctf.org and angr.oregonctf.org. Binaries are unique to each student and no collaboration is allowed. The binaries implement a set of capture-the-flag challenges that require you to reverse engineer a set of binary executables. Each binary asks for a password that will unlock it and print "Good Job". While you will be running binaries on your own machine, answers to each should be submitted at the above site.

To download binaries on a linuxlab machine, do the following:

mkdir metactf; cd metactf; virtualenv -p python3 env
source env/bin/activate
pip install requests bs4
wget http://thefengs.com/wuchang/courses/cs492/meta_dl.py
python meta_dl.py cs492.oregonctf.org username password

If you wish, instead, to run the binaries on a Ubuntu VM of your own, directions for doing so are here. Note that you must ensure that radare2 and the 32-bit libraries are installed on the VM by performing

sudo apt-get install gcc-multilib radare2

• Understand the underlying mechanisms used by malware on compromised systems.
• Understand counter-measures that detect malware.

• Understand techniques malware uses to circumvent and evade detection and analysis
• Develop skills to monitor the behavior of malware safely.
• Develop skills to reverse-engineer malware

Grading

Attendance	5%
Homeworks	50%
Lab notebook	45%

Academic misconduct

• Includes allowing another student to copy your work unless specifically allowed by the instructor.
• Results in a grade of 0 for the assignment or exam.
• Results in the initiation of disciplinary action at the university level.