
Assignment

There are two Tasks in this coursework:

• T1 is to analyse malware and it is worth 30 marks.

• T2 is to test a vulnerable Virtual Machine image and it is worth 70 marks.

For T1, you will be given two pieces of malware (available on Learning Central). You should analyse both pieces of malware and write a report with your conclusions. This malware does not have a malicious payload and is safe to analyse on your machines; in any case, you will not need to run it.

For T2, you will be given a ‘target’ VM image, which contains at least 7 vulnerabilities. You should follow a systematic process to find and exploit 7 of these, propose fixes for the vulnerabilities that you find, and finally write a report with your findings and your recommendations.

You should submit a joint report for both tasks, as a single PDF or Word file. In total, the report should be at most 4000 words. Anything beyond the first 4000 words will not be marked.

On the date when the coursework is set (see Date Set on the first page), you will not have been taught enough to complete the coursework, but you will know enough to start working on it. It is recommended that you do not wait until the end of the semester to start working on the coursework. The earlier you start, the more opportunities you will have to ask for clarifications or any other help.

Learning Outcomes Assessed

1. Perform static and dynamic malware analysis to explain the malware’s anatomy, its effects on a system and its spreading behaviour.

2. Identify, evaluate, and recommend, with justification, a selection of configurations and countermeasures to reduce the likelihood and impact of potential security attacks.

3. Perform application penetration testing to identify system and network security vulnerabilities and exploit them.

4. Explain how to detect and react to network intrusions.

5. Explain how web browsers are used to exploit vulnerabilities and inject malicious code into web services (e.g. cross-site scripting).

Criteria for assessment

Credit will be awarded against the following criteria.

Task 1 - Malware Analysis (30 marks)

As mentioned above, you will be given two pieces of malware to analyse. For each malware separately, you must collect evidence about its behaviour and complete the following sub-tasks by referring to the evidence you collected:

1. List the malware’s significant imports and strings, and its host-based and network-based indicators. (10 marks)

2. Describe how the malware works. (10 marks)

Specifically for the malware called “sample.dat”, your response should also explicitly answer the following questions:

a. What are the AES key and IV used by the malware sample?

b. What are the commands the malware sample runs?

3. Describe the purpose the malware tries to achieve. (10 marks)
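The following added example (not part of the coursework or of either sample) shows the static side of sub-task 1 in Python: it pulls ASCII and UTF-16LE strings out of a file's bytes, sorts them into suspicious API names, network-based indicators (URLs, IPv4 addresses), host-based indicators (registry keys, file paths, mutex names) and embedded commands, and flags high-entropy non-text regions, which is where hard-coded key material of the kind asked about for sample.dat often sits. Static triage like this reads the file as bytes and never executes it, which is the right default even for samples described as payload-free. The input SAMPLE is a constructed byte string, not a real sample; the domain, IP address, paths and KEY_BYTES are made up, the SUSPICIOUS_IMPORTS table is a small hypothetical subset, and the entropy and printable-fraction thresholds were chosen for this demo. On a real PE, read the import directory with pefile or a PE viewer rather than relying on strings, and confirm any key candidate by following the bytes to the crypto call in the disassembler.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the bytes of a binary under analysis (not a real sample).
KEY_BYTES = bytes(range(0x80, 0xA0))  # 32 distinct non-printable bytes: placeholder key material
SAMPLE = (
    b"\x00" * 16
    + b"KERNEL32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"ADVAPI32.dll\x00RegSetValueExA\x00CryptDecrypt\x00"
    + b"WININET.dll\x00InternetOpenA\x00HttpSendRequestA\x00"
    + b"http://update.example-c2.test/gate.php\x00"   # .test TLD is reserved and never resolves
    + b"203.0.113.7\x00"                               # TEST-NET-3 documentation address
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Users\\Public\\svchost32.exe\x00"
    + b"Global\\mtx_4f2a\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"
    + KEY_BYTES
    + b"\x00" * 16
)

# Hypothetical, deliberately small mapping of Windows API names to the capability they suggest.
SUSPICIOUS_IMPORTS = {
    "CreateRemoteThread": "process injection",
    "WriteProcessMemory": "process injection",
    "VirtualAllocEx": "process injection",
    "RegSetValueExA": "persistence (Run key)",
    "RegSetValueExW": "persistence (Run key)",
    "CryptDecrypt": "cryptography (CryptoAPI)",
    "CryptImportKey": "cryptography (CryptoAPI)",
    "InternetOpenA": "network (WinINet)",
    "HttpSendRequestA": "network (WinINet)",
    "URLDownloadToFileA": "network (download)",
    "WinExec": "execution",
    "ShellExecuteA": "execution",
}

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"^(?:HK(?:LM|CU|EY_[A-Z_]+)|SOFTWARE|Software)\\")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MUTEX_RE = re.compile(r"^(?:Global|Local)\\")
CMD_RE = re.compile(r"cmd\.exe|powershell|/bin/sh", re.IGNORECASE)


def ascii_strings(data, min_len=5):
    """Printable ASCII runs, like `strings`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data, min_len=5):
    """UTF-16LE runs, like `strings -el`; Windows malware keeps many strings in this form."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def entropy(chunk):
    """Shannon entropy in bits per byte (at most log2(len(chunk)) for short windows)."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def key_candidates(data, size=32, min_entropy=4.7, max_printable=0.5):
    """(start, end) regions of high-entropy, non-text windows, overlapping windows merged.
    Hard-coded keys/IVs and embedded ciphertext look like this; strings and most code do not.
    Candidates only: confirm by tracing the bytes to the crypto call in the disassembly."""
    regions = []
    for off in range(len(data) - size + 1):
        window = data[off:off + size]
        printable = sum(0x20 <= b <= 0x7E for b in window) / size
        if entropy(window) >= min_entropy and printable <= max_printable:
            if regions and off <= regions[-1][1]:
                regions[-1][1] = off + size  # extend the region the previous window opened
            else:
                regions.append([off, off + size])
    return [tuple(r) for r in regions]


def triage(data):
    """Sort recovered strings into the categories sub-task 1 asks for."""
    report = {"imports": [], "network": [], "host": [], "commands": [], "other": []}
    for s in ascii_strings(data) + utf16le_strings(data):
        if s in SUSPICIOUS_IMPORTS:
            report["imports"].append((s, SUSPICIOUS_IMPORTS[s]))
        elif URL_RE.search(s) or IPV4_RE.search(s):
            report["network"].append(s)
        elif REG_RE.match(s) or PATH_RE.match(s) or MUTEX_RE.match(s):
            report["host"].append(s)
        elif CMD_RE.search(s):
            report["commands"].append(s)
        else:
            report["other"].append(s)
    report["key_candidates"] = key_candidates(data)
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE).items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Run it on the real file with `triage(open(path, "rb").read())`; the "other" bucket is where DLL names and ordinary UI text land and is worth skimming by hand, since no fixed keyword list catches every indicator.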

Your report must clearly separate your responses to each of these sub-tasks. An indicative report structure would be this:

Malware #1

Answer to Sub-task 1 for Malware #1

Answer to Sub-task 2 for Malware #1

Answer to Sub-task 3 for Malware #1

Malware #2

Answer to Sub-task 1 for Malware #2

Answer to Sub-task 2 for Malware #2

Answer to Sub-task 3 for Malware #2

For each piece of malware, the marks will be allocated against the following criteria:

Grade bands: Fail (0-49%), Pass (50-59%), Merit (60-69%), Distinction (70-100%).

Completeness of results (40%)

  Fail: Very little or no relevant malware behaviour discovered. Superficial demonstration of only basic skills in malware analysis.

  Pass: Adequate discovery of behaviour, but some significant malware functionality has been overlooked. Some competency in analysis shown, but with clear limitations.

  Merit: Most relevant malware behaviour found. Few errors or omissions.

  Distinction: Extensive discovery of relevant malware behaviour. Wide range of skills shown and executed with precision.

Factual and technical correctness (40%)

  Any tools employed in collecting evidence about the malware must be applied correctly and their outputs interpreted meaningfully. Conclusions about the behaviour of the malware must be supported by the evidence collected.

  Fail: Many factual or technical errors. Identification of malware behaviour is not linked to evidence. The output of malware analysis tools is not interpreted correctly on multiple occasions.

  Pass: Technical arguments contain some errors, or invalid statements/facts about the malware are given. Some evidence is provided, but its linkage to the identified malware behaviour is not strong or could easily be questioned.

  Merit: Competence in the malware analysis process is evident: the correct tools are employed and logical, technically valid arguments are made. Findings are clearly linked to evidence.

Presentation (20%)

  The description of the malware evidence collection process, the analysis and the conclusions drawn must be clear, concise and coherent. No marks will be lost for spelling or grammar errors, as long as they do not impede understanding.

  Fail: Significant lack of clarity and/or coherence. Unstructured report. Minimal awareness of technical terminology.

  Pass: Communication is adequate to get the point across but requires some effort to understand. Good attempt to provide structure to the report, but with limitations (e.g. information that should be in one section appearing in another). Some but not many misunderstandings of terminology.

  Merit: Clear and concise language. Well-structured into sections. Uses standard technical terminology.

  Distinction: Clear, precise, to-the-point description with no ambiguities or irrelevant information included. Logical structure, easy to follow, with appropriate use of screenshots. Displays excellent command of technical terminology.

Task 2 – Penetration Testing (70 marks)

To gain full marks, you should clearly follow a systematic pentesting methodology. For each vulnerability you find, you should clearly describe what it is, how you found it in the VM and how you exploited it, and you should clearly recommend, with justification, a selection of configurations and countermeasures for fixing it. Your whole analysis should be specific to the VM you are given: do not just provide a generic description of vulnerabilities or types of vulnerabilities.

Vulnerabilities that do not count and will not give you any marks:

• Network vulnerabilities, e.g. ARP spoofing.

• Denial of service attacks

• Lack of an encrypted connection to the VM

• Social Engineering attacks

In the VM, there are at least 7 vulnerabilities among those you are taught in the module, for example:

• SQL injection

• XSS attack

• Remote Command Execution

• Cross-site Request Forgery

• Bad cookie practice

• Bad HTTP headers

• Weak passwords

But you may also find other vulnerabilities – they all count.
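Two of the classes listed above, bad HTTP headers and bad cookie practice, are usually evidenced straight from a captured response. The following added example (not from the coursework or the target VM) audits a raw HTTP response in Python: it reports missing browser-side defence headers, version disclosure in Server and X-Powered-By, and Set-Cookie lines lacking HttpOnly, Secure or SameSite, then shows the same audit passing on a hardened response. Both responses are constructed; the cookie names, versions and values in them are made up, and REQUIRED_HEADERS is one reasonable baseline, not a complete list.

```python
import re
from collections import defaultdict

# Constructed responses: the weak one produces the findings, the hardened one shows a fix.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=4d6a7f0e9b21; path=/\r\n"
    "Set-Cookie: remember_user=admin; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=4d6a7f0e9b21; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Header -> what its absence lets an attacker do. A baseline, not an exhaustive list.
REQUIRED_HEADERS = {
    "content-security-policy": "no CSP, so injected scripts (XSS) run unrestricted",
    "x-content-type-options": "browser may sniff uploads into scripts or HTML",
    "x-frame-options": "page can be framed (clickjacking) unless CSP frame-ancestors is set",
    "strict-transport-security": "no HSTS, so clients can be downgraded to plaintext HTTP",
    "referrer-policy": "full URLs (possibly carrying tokens) leak to third parties",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return status, headers, body


def audit_headers(headers):
    findings = []
    for name, consequence in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing header {name}: {consequence}")
    if headers.get("x-content-type-options", ["nosniff"])[0].lower() != "nosniff":
        findings.append("x-content-type-options present but not 'nosniff'")
    for value in headers.get("server", []):
        if re.search(r"\d+\.\d+", value):  # a product name alone is fine; a version is not
            findings.append(f"server header discloses version: {value}")
    for value in headers.get("x-powered-by", []):
        findings.append(f"x-powered-by discloses technology stack: {value}")
    return findings


def audit_cookie(set_cookie):
    """Check one Set-Cookie value for the attributes that limit theft and cross-site reuse."""
    name_value, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    attrs = {}
    for part in attr_parts:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val or True  # flag attributes (Secure, HttpOnly) carry no value
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: no HttpOnly, so script (e.g. XSS) reads it via document.cookie")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: no Secure, so it is sent over plaintext HTTP")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: no SameSite, so cross-site requests carry it (CSRF)")
    elif str(attrs["samesite"]).lower() == "none" and "secure" not in attrs:
        findings.append(f"cookie {name}: SameSite=None requires Secure; browsers reject it otherwise")
    return findings


def audit(raw):
    """All findings for one response; an empty list means every check here passed."""
    _, headers, _ = parse_response(raw)
    findings = audit_headers(headers)
    for cookie in headers.get("set-cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Feed it the response you captured (for example the saved output of `curl -si` or a proxy) rather than typing headers in. If the VM serves the application over plain HTTP only, the Secure and HSTS items describe the transport, which the brief excludes as a vulnerability on its own; report them as part of the fix for a cookie or header finding, not as a separate vulnerability.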

Each vulnerability counts for up to 10 marks (up to 70 marks total). If you include more than 7 vulnerabilities, you will not gain more than 70 marks. In fact, you may lose marks if any of your descriptions contain e.g. technical errors. So, aim to submit only your top 7 vulnerabilities.

An indicative report structure would be this:

Executive Summary (optional)

Vulnerability #1

• Description of the vulnerability (e.g. Reflected XSS on webpage Y, input box Z) and assessment of its severity

• Steps/commands you followed to discover the vulnerability

• Steps/commands you followed to exploit the vulnerability (including what damage it can cause)

• Steps/countermeasures to fix the vulnerability

Vulnerability #2

• Description

• …

Vulnerability #7

• Description

• …
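As an added illustration of the Description / discover / exploit / fix structure above, and not code from the coursework VM, here is one vulnerability worked end to end in Python against an in-memory SQLite table: a login query built by string formatting, the probes an attacker sends to discover and then exploit it (a database error on a stray quote, a tautology that logs in without a password, a UNION that dumps every credential), and the parameterised query that fixes it. The table, user names and passwords are constructed; the real VM will differ in database engine and SQL dialect, so the payloads shown are the pattern, not a script to paste.

```python
import sqlite3

# Constructed data: a tiny users table standing in for the application's database.
# Plaintext password storage is itself a finding; it is kept here only so the dump is visible.
SEED_USERS = [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: input is spliced into the SQL text, so a quote in the input changes the query."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password):
    """Fixed: a parameterised query. The driver passes values separately from the statement,
    so a quote in the input is just a character in a value and can never close the literal."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def probe(conn, login):
    """Discovery: a lone quote that raises a database error is the first sign of injection.
    Exploitation: a tautology in the password makes the WHERE clause true for every row
    (AND binds tighter than OR, so it reads (username='alice' AND password='') OR '1'='1')."""
    result = {"quote_breaks_query": False, "bypass_rows": []}
    try:
        login(conn, "'", "x")
    except sqlite3.Error:
        result["quote_breaks_query"] = True
    result["bypass_rows"] = login(conn, "alice", "' OR '1'='1")
    return result


def dump_credentials(conn, login):
    """Exploitation, step two: a UNION payload pulls other columns through the login query.
    The trailing -- comments out the closing quote the application appends."""
    payload = "' UNION SELECT username, password FROM users --"
    return sorted(login(conn, "nobody", payload))


if __name__ == "__main__":
    conn = make_db()
    for name, login in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, probe(conn, login), dump_credentials(conn, login))
```

Mapped onto the report structure: the error on the stray quote is the discovery evidence; the bypass rows and the credential dump are the exploitation evidence, with the damage being authentication bypass and disclosure of every account's password; and the parameterised query, together with hashing stored passwords with a slow KDF, is the fix. Against the fixed function the same probes return no error and no rows.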

Marks will be allocated following these specific marking criteria:

Grade bands: Fail (0-49%), Pass (50-59%), Merit (60-69%), Distinction (70-100%).

Completeness of results (40%)

  Fail: 3 or fewer valid vulnerabilities discovered. Superficial demonstration of only basic skills in pentesting. Significant omissions in the presented explanations and recommendations for fixes.

  Pass: 4 vulnerabilities found, with some significant ones missing. Some competency in pentesting shown, but with clear limitations. Some explanations given for how to find the vulnerabilities and how they can cause damage, but with omissions. Recommendations for countermeasures are present but limited in quantity or quality.

  Merit: 5-6 valid vulnerabilities found. Skilful tool usage. Effective recommendations for fixing vulnerabilities. Minor omissions/errors in explanations and recommendations.

  Distinction: 7 distinct vulnerabilities are found. For each one, a thorough explanation is given of how an attacker can find it and how they can exploit it. Complete description of what the vulnerability is, how it can cause damage and to whom. Competent assessment of its severity and state-of-the-art recommendations for fixes and countermeasures. Wide range of skills shown and executed with precision.

Argument (40%)

  Any pentesting tools used are applied correctly and their outputs interpreted meaningfully. Conclusions about the vulnerabilities are supported by the evidence collected.

  Fail: Many factual or technical errors. Identification of security vulnerabilities is not linked to evidence. Mistaken interpretation of tool outputs.

  Pass: Arguments contain some errors, or invalid statements/facts are presented. Some evidence is provided, but its linkage to the identified vulnerabilities is not strong or could easily be questioned.

  Merit: Significant ability illustrated for logical and technically valid arguments. Identification of vulnerabilities is clearly linked to evidence.

  Distinction: Scientifically and technically correct statements, with no nuances missed. The evidence provided is adequate to support the conclusions and has no reasonable alternative interpretations.

Presentation (20%)

  Fail: Significant lack of clarity and/or coherence. Unstructured report. Minimal awareness of technical terminology.

  Pass: Communication is adequate to get the point across but requires some effort to understand. Good attempt to provide structure to the report, but with limitations (e.g. information that should be in one section appearing in another). Some but not many misunderstandings of terminology.

  Merit: Clear and concise language. Well-structured into sections. Uses standard technical terminology.

  Distinction: Clear, precise, to-the-point description with no ambiguities or irrelevant information included. Logical structure, easy to follow, with appropriate use of screenshots. Displays excellent command of technical terminology.

 
