Week 1 MA

The document outlines a course on Malware Analysis for Spring 2025, emphasizing the importance of understanding and combating malware, which poses significant threats. It covers techniques for static and dynamic analysis, reverse engineering, and memory forensics, aiming to equip students with the skills to analyze malicious software. The course includes various assessments, resources, and a structured outline of topics related to malware types, propagation mechanisms, and analysis methods.


CY328

Malware Analysis

Spring 2025

Dr. Syed Muhammad Sajjad
Assistant Professor
Dept. of Cyber Security
Slides prepared by Dr M Imran, used with his permission
Malware Analysis 1

Motivation
■ Why are you studying this course?
• Hot topic of research and development. But why?
• Malware is, has been, and will remain one of the biggest threats!
– In 2021, roughly 1.3 Bn malware attacks were recorded¹!
• Every one of us is a potential target for malware…
• There is a constant battle going on between malware developers and security researchers
– We need to put our weight in the fight against malware

¹ https://www.av-test.org/en/statistics/malware/

Course Description
■ This course provides an understanding of the techniques used to analyze malicious programs statically and dynamically
■ It will build up the reverse engineering skills needed to analyze the maliciousness in a program
■ The course will also lead towards memory forensics, to analyze the changes made to systems by malicious programs

Course Learning Outcomes
■ CLO-1, GA-1, C2 (Understanding)
• Understand the basic constructs of malware and the methods used for malware analysis, and differentiate between various types of malware.
■ CLO-2, GA-5, C3 (Applying)
• Use various software tools to obtain artifacts for static and dynamic malware analysis.
■ CLO-3, GA-3, C4 (Analyzing)
• Analyze a given software sample to determine its maliciousness.
■ CLO-4, GA-10, C4 (Analyzing)
• Analyze and synthesize the current literature on malware analysis and classification.

Course Objectives
■ At the end of the course, you’ll be expected to have:
• Adequate knowledge of maliciousness, the forms in which maliciousness can be observed, and the propagation mechanisms of malware
• Adequate skills to analyze malicious PEs (Portable Executables) statically
• Adequate skills to analyze PEs dynamically
• Enough skills to reverse engineer PEs in order to find out maliciousness
• Understanding of techniques to conduct memory forensics for analyzing malicious behavior

Course Outline
■ Introduction to malware structure and malware types
■ Malware propagation mechanisms
■ Static malware analysis tools and techniques
■ Dynamic malware analysis tools and techniques
■ Methods to reverse engineer PEs
■ Memory forensics tools and techniques

Methods & Tools
■ Teaching-learning methods
• Lectures
• Presentations
■ Online resources
• Will be shared from time to time

How will you be tested & graded?
■ Quizzes: 10%
■ Assignments: 10%
■ Class participation: 10%
■ Midterm: 25%
■ Final: 45%

Course Material
■ Books
• Practical Malware Analysis, by Sikorski and Honig
• Learning Malware Analysis, by Monnappa KA

The Do’s and Don’ts…
■ DO…
• Be regular & punctual
• Be respectful of the classroom environment
• Participate actively, ask questions!
• Check the portal regularly for announcements
■ DON’T…
• Use your mobile phone in class
• Bring snacks or drinks to the classroom
• Copy others’ work

Week 1
Introduction

What is Malware?
■ Short for Malicious Software
■ Any software that is deployed on a system with the intention to perform actions that would not be allowed by the system user
■ The actions could be harmful in terms of CIA:
• Stealing data
– Affects confidentiality
• Changing system configuration or corrupting data
– Attacks integrity
• Deleting critical system files or encrypting important data
– Targets availability
■ The actions could also be harmless but cause a nuisance
• Adware

Who creates malware, and why?
■ Novice hackers
• Just for the fun of it!
• Showing their supremacy over fellow hackers…
■ Criminal ‘black hat’ hackers
• Working alone, earning money using ransomware, for example
• Hired by an organization to target a competitor…
■ State actors
• Targeting the critical infrastructure of the enemy

Is it easy to create malware?
■ Depends on the scope and purpose…
■ Malware creation toolkits (constructors) are available for novice hackers
• VCL (Virus Creation Laboratory)
• PS-MPC (Phalcon-Skism Mass-Produced Code Generator)
■ State actors may need years to develop and launch a sophisticated attack!
• Stuxnet

How does malware analysis help?
■ In order to protect the system and its data from malware, we need to detect its presence on the system/network
■ But how can we detect whether there is malware in the system?
• We need to know what malware looks like and how it behaves
■ Malware analysis is performed to find out exactly that!
• The distinguishing features that a particular malware has
• The way the malware propagates
• The functions it performs once it is in the system
■ But that’s not all…
• Analysis can also give hints about the malware creator!

Static malware analysis
■ The process of analyzing the malware code without executing it
• In binary, disassembled or decompiled form
■ The aim is to get an idea of the malware’s functionality by:
• Looking at opcodes
• Generating the system/API call graph
■ Also gathers information from the binary’s metadata:
• Linked libraries
• Imported and exported functions
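As an added example (not part of the course slides or the listed books), a small Python parser for the PE/COFF header and section table, the metadata a static analyst reads before touching any opcodes; the input is a minimal PE header constructed inline, and the section named UPX1 with its flags and sizes is made up to show what a packed binary’s section table tends to look like.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def build_sample_pe():
    """Constructed minimal PE header (not a real sample): DOS header, 'PE' signature,
    COFF file header, an all-zero PE32 optional header and two section headers."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header starts right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0x65000000, 0, 0, 0xE0, 0x0102)
    optional = bytes(0xE0)  # optional header left zeroed; SizeOfOptionalHeader above says 0xE0
    def section(name, vsize, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, flags)
    text = section(b".text", 0x2000, 0x2000, 0x60000020)  # code, read + execute
    upx = section(b"UPX1", 0x20000, 0x800, 0xE0000040)    # read + write + execute, grows at runtime
    return bytes(dos) + coff + optional + text + upx

def parse_sections(data):
    """Return (machine, [(name, virtual_size, raw_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<4sHHIIIHH", data, pe_off)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    sec_off = pe_off + 24 + opt_size  # section table follows the COFF and optional headers
    sections = []
    for i in range(nsec):
        name, vsize, _va, rsize, *_rest, flags = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, flags))
    return machine, sections

def suspicious_sections(sections):
    """Flag writable+executable sections and sections that balloon in memory (packer hints)."""
    hits = []
    for name, vsize, rsize, flags in sections:
        reasons = []
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable+executable")
        if rsize and vsize > 4 * rsize:
            reasons.append("virtual size %dx raw size" % (vsize // rsize))
        if reasons:
            hits.append((name, reasons))
    return hits
```

Running `suspicious_sections(parse_sections(build_sample_pe())[1])` reports only the UPX1 section; a real sample would be read from disk with `open(path, "rb").read()` in place of the constructed header.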

Dynamic malware analysis
■ The process of analyzing the malware by executing it
• Yes, we execute the malware and see what it does!
■ But isn’t that dangerous? It’ll harm the system and data!!!
• That’s why it is executed in a ‘safe’ environment
– Virtual machine/sandbox
■ The behavior of the malware is observed in terms of:
• The files it accesses, creates, modifies
• The registry changes it makes
• The network activity it performs
• The remote sites it connects to, etc.
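As an added example (not from the slides or the listed books), Python triage of a constructed Process Monitor-style sandbox trace that buckets events into the file, registry and network views listed above, lists the remote hosts, and pulls out the findings an analyst would write up; the paths, endpoints and the trace format itself are invented for illustration.

```python
import re

# Constructed Process Monitor-style sandbox trace (not a real sample); lines are <operation>,<path or endpoint>,<result>
SAMPLE_TRACE = """\
CreateFile,C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe,SUCCESS
WriteFile,C:\\Users\\victim\\AppData\\Roaming\\svch0st.exe,SUCCESS
RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS
RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName,SUCCESS
CreateFile,C:\\Users\\victim\\Documents\\report.docx,SUCCESS
DeleteFile,C:\\Users\\victim\\Documents\\report.docx,SUCCESS
TCP Connect,203.0.113.45:443,SUCCESS
UDP Send,198.51.100.7:53,SUCCESS
RegSetValue,HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start,ACCESS DENIED
"""

FILE_OPS = {"CreateFile", "WriteFile", "DeleteFile", "RenameFile"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)  # classic autorun persistence keys

def parse_trace(text):
    return [tuple(line.split(",", 2)) for line in text.splitlines() if line.strip()]

def categorize(events):
    """Bucket events into the three views the slide lists: files, registry, network."""
    buckets = {"files": [], "registry": [], "network": []}
    for op, detail, _result in events:
        if op in FILE_OPS:
            buckets["files"].append((op, detail))
        elif op.startswith("Reg"):
            buckets["registry"].append((op, detail))
        elif op.startswith(("TCP", "UDP")):
            buckets["network"].append((op, detail))
    return buckets

def remote_hosts(events):
    return sorted({d.rsplit(":", 1)[0] for op, d, _ in events if op.startswith(("TCP", "UDP"))})

def indicators(events):
    """Behaviours worth writing up; failed operations (e.g. ACCESS DENIED) are ignored."""
    findings = []
    for op, detail, result in events:
        if result != "SUCCESS":
            continue
        low = detail.lower()
        if op == "RegSetValue" and RUN_KEY.search(detail):
            findings.append(("persistence", detail))
        elif op == "WriteFile" and low.endswith(".exe") and "\\appdata\\" in low:
            findings.append(("dropped executable", detail))
        elif op == "DeleteFile" and "\\documents\\" in low:
            findings.append(("user data destroyed", detail))
    return findings
```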

Malware structure
■ Propagation mechanism – how it spreads to (‘infects’) other systems
■ Payload – what it does on the ‘infected’ system

Malware propagation mechanisms
■ Self replication
• Viruses
• Worms
■ Social engineering
• Phishing
– Email attachments
– Links to malicious sites
  ◦ Drive-by downloads
  ◦ Pharming (a cyberattack intended to redirect a website’s traffic to another, fake site by installing a malicious program on the victim’s computer in order to gain access to it)

Malware payload types
■ Downloader
• Once the malware is in the system, it downloads additional malware components
■ Dropper
• Decrypts/extracts and installs the full malware package inside the infected host
■ Trojan
• A seemingly helpful and benign application that has a hidden agenda
■ Bot/Botnet
• A botnet is a network of bots: malicious agents ready to receive commands from a remote Command and Control (C&C) server for launching attacks such as DDoS

Malware payload types
■ Backdoor
• Enables the attacker to bypass a system’s authentication and security controls in order to maintain access to the system
■ Rootkit
• Provides the attacker privileged access to the system and its security features, allowing him to hide and evade detection
■ Ransomware
• Code that encrypts the data or otherwise makes the system unavailable; the attacker then demands payment for returning the data and control

Malware payload types
■ Information stealers
• Steal sensitive data such as credit card information and passwords
• Include key-loggers, sniffers, form grabbers, etc.
■ Adware
• Shows unsolicited/unwanted ads to the user
• Commonly makes use of pop-up windows
• More of a nuisance than harmful
■ Macros
• Executable code, e.g., VBA (Visual Basic for Applications) in Microsoft Word and Excel, used to automate tasks within applications
