Assignment
There are two Tasks in this coursework:
• T1 is to analyse malware and it is worth 30 marks.
• T2 is to test a vulnerable Virtual Machine image and it is worth 70 marks.
For T1, you will be given two pieces of malware (available on Learning Central). You
should analyse both pieces of malware and write a report with your conclusions. This
malware does not have a malicious payload and it is safe to analyse on your machines,
but you will not need to run the malware anyway.
For T2, you will be given a ‘target’ VM image, which contains at least 7 vulnerabilities.
You should follow a systematic process to find and exploit 7 of these, propose fixes for
the vulnerabilities that you find, and finally write a report with your findings and your
recommendations.
You should submit a joint report for both tasks, as a single PDF or Word file. In total, the
report should be at most 4000 words. Anything beyond the first 4000 words will not be
marked.
On the date when the coursework is set (see Date Set on the first page), you will not have
been taught enough to complete the coursework, but you will know enough to start
working on it. It is recommended that you do not wait until the end of the semester to
start working on the coursework. The earlier you start, the more opportunities you will
have to ask for clarifications or any other help.
Learning Outcomes Assessed
1. Perform static and dynamic malware analysis to explain the malware’s anatomy,
its effects on a system and its spreading behaviour.
2. Identify, evaluate, and recommend, with justification, a selection of configurations
and countermeasures to reduce the likelihood and impact of potential security attacks.
3. Perform application penetration testing to identify system and network security
vulnerabilities and exploit them.
4. Explain how to detect and react to network intrusions.
5. Explain how web browsers are used to exploit vulnerabilities and inject malicious
code into web services (e.g. cross-site scripting).
Criteria for assessment
Credit will be awarded against the following criteria.
Task 1 - Malware Analysis (30 marks)
As mentioned above, you will be given two pieces of malware to analyse. For each
malware separately, you must collect evidence about its behaviour and complete the
following sub-tasks by referring to the evidence you collected:
1. List the malware’s significant imports and strings, and its host-based and
network-based indicators. (10 marks)
2. Describe how the malware works. (10 marks)
Specifically for the malware called “sample.dat”, your response should also explicitly
answer the following questions:
a. What AES key and IV does the malware sample use?
b. What commands does the malware sample run?
3. Describe the purpose the malware tries to achieve. (10 marks)
Your report must clearly separate your responses to each of these sub-tasks. An
indicative report structure would be this:
Malware #1
  Answer to Sub-task 1 for Malware #1
  Answer to Sub-task 2 for Malware #1
  Answer to Sub-task 3 for Malware #1
Malware #2
  Answer to Sub-task 1 for Malware #2
  Answer to Sub-task 2 for Malware #2
  Answer to Sub-task 3 for Malware #2
For each piece of malware, the marks will be allocated against the following criteria:
Grade bands: Fail (0-49%), Pass (50-59%), Merit (60-69%), Distinction (70-100%).

Completeness of results (40%)
  Fail: Very little or no relevant malware behaviour discovered. Superficial demonstration of only basic skills in malware analysis.
  Pass: Adequate discovery of behaviour, but some significant malware functionality has been overlooked. Some competency in analysis shown, but with clear limitations.
  Merit: Most relevant malware behaviour found. Few errors or omissions.
  Distinction: Extensive discovery of relevant malware behaviour. Wide range of skills shown and executed with precision.

Factual and technical correctness (40%)
  Any tools employed in collecting evidence about the malware must be applied correctly and their outputs interpreted meaningfully. Conclusions about the behaviour of the malware must be supported by the evidence collected.
  Fail: Many factual or technical errors. Identification of malware behaviour is not linked to evidence. The output of malware analysis tools is not interpreted correctly on multiple occasions.
  Pass: Technical arguments contain some errors, or invalid statements/facts about the malware are given. Some evidence is provided, but its linkage to the identified malware behaviour is not strong or could easily be questioned.
  Merit: Competence in the malware analysis process is evident, through the use of correct tools and logical, technically valid arguments. Findings are clearly linked to evidence.

Presentation (20%)
  The description of the malware evidence collection process, the analysis and the conclusions drawn must be clear, concise, and coherent. No marks will be lost for spelling or grammar errors, as long as they do not impede understanding.
  Fail: Significant lack of clarity and/or coherence. Unstructured report. Minimal awareness of technical terminology.
  Pass: Communication is adequate to get the point across but requires some effort to understand. Good attempt to provide structure to the report, but with limitations (e.g. information that should be in one section appearing in another). Some but not many misunderstandings of terminology.
  Merit: Clear and concise language. Well-structured into sections. Uses standard technical terminology.
  Distinction: Clear, precise, to-the-point description with no ambiguities or irrelevant information included. Logical structure, easy to follow, with appropriate use of screenshots. Displays excellent command of technical terminology.
Task 2 – Penetration Testing (70 marks)
To gain full marks, you should clearly follow a systematic pentesting methodology. For each
vulnerability you find, you should clearly describe what it is, how you found it in the VM and
how you exploited it, and you should clearly recommend, with justification, a selection of
configurations and countermeasures for fixing it. Your whole analysis should be specific
to the VM you are given – do not just provide a generic description of vulnerabilities or
types of vulnerabilities.
Vulnerabilities that do not count and will not give you any marks:
• Network vulnerabilities, e.g. ARP spoofing
• Denial of service attacks
• Lack of an encrypted connection to the VM
• Social engineering attacks
In the VM, there are at least 7 vulnerabilities among those you are taught in the module,
for example:
• SQL injection
• XSS attack
• Remote Command Execution
• Cross-site Request Forgery
• Bad cookie practice
• Bad HTTP headers
• Weak passwords
But you may also find other vulnerabilities – they all count.
Each vulnerability counts for up to 10 marks (up to 70 marks total). If you include more
than 7 vulnerabilities, you will not gain more than 70 marks. In fact, you may lose marks
if any of your descriptions contain, for example, technical errors. So, aim to submit only your top 7
vulnerabilities.
An indicative report structure would be this:
Executive Summary (optional)
Vulnerability #1
  • Description of the vulnerability (e.g. Reflected XSS on webpage Y, input box Z) and
    assessment of its severity
  • Steps/commands you followed to discover the vulnerability
  • Steps/commands you followed to exploit the vulnerability (including what damage
    it can cause)
  • Steps/countermeasures to fix the vulnerability
Vulnerability #2
  • Description
  • …
…
Vulnerability #7
  • Description
  • …
Marks will be allocated following these specific marking criteria:
Grade bands: Fail (0-49%), Pass (50-59%), Merit (60-69%), Distinction (70-100%).

Completeness of results (40%)
  Fail: 3 or fewer valid vulnerabilities discovered. Superficial demonstration of only basic skills in pentesting. Significant omissions in the presented explanations and recommendations for fixes.
  Pass: 4 vulnerabilities found, with some significant ones missing. Some competency in pentesting shown, but with clear limitations. Some explanations given for how to find the vulnerabilities and how they can cause damage, but with omissions. Recommendations for countermeasures are present but limited in quantity or quality.
  Merit: 5-6 valid vulnerabilities found. Skilful tool usage. Effective recommendations for fixing vulnerabilities. Minor omissions/errors in explanations and recommendations.
  Distinction: 7 distinct vulnerabilities are found. For each one, a thorough explanation is given of how an attacker can find it and how they can exploit it. Complete description of what the vulnerability is, how it can cause damage and to whom. Competent assessment of its severity and state-of-the-art recommendations for fixes and countermeasures. Wide range of skills shown and executed with precision.

Argument (40%)
  Any pentesting tools used are applied correctly and their outputs interpreted meaningfully. Conclusions about the vulnerabilities are supported by the evidence collected.
  Fail: Many factual or technical errors. Identification of security vulnerabilities is not linked to evidence. Mistaken interpretation of tool outputs.
  Pass: Arguments contain some errors, or invalid statements/facts are presented. Some evidence is provided, but its linkage to the identified vulnerabilities is not strong or could easily be questioned.
  Merit: Significant ability illustrated for logical and technically valid arguments. Identification of vulnerabilities is clearly linked to evidence.
  Distinction: Scientifically and technically correct statements, with no nuances missed. The evidence provided is adequate to support the conclusions and has no reasonable alternative interpretations.

Presentation (20%)
  Fail: Significant lack of clarity and/or coherence. Unstructured report. Minimal awareness of technical terminology.
  Pass: Communication is adequate to get the point across but requires some effort to understand. Good attempt to provide structure to the report, but with limitations (e.g. information that should be in one section appearing in another). Some but not many misunderstandings of terminology.
  Merit: Clear and concise language. Well-structured into sections. Uses standard technical terminology.
  Distinction: Clear, precise, to-the-point description with no ambiguities or irrelevant information included. Logical structure, easy to follow, with appropriate use of screenshots. Displays excellent command of technical terminology.