Malware Analysis Project

DEADLINE: As per CA schedule
WEIGHT: 40% of module marks
COURSE: MSc / PGDip in Cybersecurity

TASKS:

For the purpose of this project you are expected to carry out an investigation into a botnet. The investigation should mainly be done by carrying out a literature review of research papers, industry reports and any other resources you may find related to that botnet. In addition, you may identify, download and analyse pcap file(s) and/or dataset(s) associated with that botnet.

Please note that you are NOT required to download and analyse the malware bot component of the botnet. If you decide to download it for further analysis, you should only do this once you have comprehensively researched and have a very good understanding of its behaviour and possible consequences. You are responsible for any damage you may cause as a result of your actions.

The final task will be to document potential defences to protect organisations/individuals against future attacks by this botnet.

Students will have to submit a report documenting their work. The report should be concise, with the main part of the report (excluding references and appendix) limited to 10 pages in a typical 1-column format with a paragraph font size of 12 pt.

REPORT STRUCTURE:

1. Executive Summary: Description of the objectives and key findings of the investigation.

2. Methodology: Details and justifications (with references) of the botnet investigation methods that were used, which can include but may not be limited to:
• Detail your strategy to search for and select the academic papers, industry reports, and other references.
• Detail the pcap files and/or dataset that you identified and analysed (if any).
• If you decide to download and analyse the bots, provide details and justifications (with references) of the malware analysis methods that were used (e.g., static analysis, dynamic analysis, Internet investigation, etc.).
• Provide a description of the test environment setup (e.g., OS version, configuration, precaution and sandboxing measures, etc.), a description of the software tools and online tools used for the analysis of the pcap files / datasets / bots, and justification of their choice (i.e., vis-à-vis alternative tools).

3. Botnet Investigation & Findings: Detailed description of the botnet, interpretation and critical analysis of the findings. This section must be broken down into multiple subsections with meaningful headings for each aspect considered, which can include but may not be limited to:
• Bots Identification: Description of the bot sample, such as: type of the file, its name, size, hashes, current anti-virus detection capabilities, etc.
• Botnet Size and Damage: Provide estimates (with references) of the botnet size, as well as details about reported damage caused by the botnet (e.g., monetary cost for institutions, number of affected users / systems, etc.).
• Target Devices: Details about the target devices (e.g., PCs, mobile devices, IoT devices, etc.).
• Botnet Architecture: Details and diagram of the architecture/topology used by the botnet, number and type of C&C server(s), etc.
• Botnet Behaviour: Detail the behaviour of the botnet (e.g., interaction with registry, files, network, etc.), its main purpose / use cases (e.g., steal credit card information, carry out DDoS attacks), etc.
• Botnet Resilience: Detail whether the botnet uses any C&C protection and resilience techniques (e.g., bulletproof hosting, DGAs, fast-flux, etc.), and whether the bots use any hiding techniques, persistence mechanisms (e.g., surviving reboots), etc.
• Botnet Takedown: Detail any efforts by law enforcement and/or other organisations / individuals to identify who created and/or operated the botnet (if known), any efforts to deactivate the botnet and how successful these were, etc.
• Botnet Evolution: Details on how the botnet evolved, new variants of the botnet showing up, etc.

4. Recommendations: Provide recommendations on how organisations/individuals can protect themselves against future attacks by this botnet (e.g., best practices, firewall rules, IDS, anti-virus, etc.).

5. Conclusions: Include an overall discussion of the main findings, limitations and implications, and detail next steps (i.e., what else you would do if you had more time).

6. References: Include references to all the resources you consulted when preparing this CA (e.g., research papers, industry reports, web resources, etc.).

7. Appendix: Include screenshots and any additional details required to evidence how you conducted the practical tasks (the use of screenshots should be kept to a minimum in the main part of the document).

SUBMISSION: The final report must be submitted to Moodle (Turnitin) on/before the above stated deadline. All report submissions will be electronically screened for evidence of academic misconduct (i.e., plagiarism and collusion)!

WARNING: Please note that you are not required to download and analyse the malware bot component of the botnet. If you do so, make sure that your VM lab is fully isolated from your host and network (no shared folders, networking, etc.). You are responsible for any potential problems arising because of you downloading the bot or being negligent. If you, in any way, shape or form, inadvertently or on purpose, transmit any malware of any form to any system of NCI or to another student or staff member, you will fail this module and will have to answer to the college disciplinary committee. Distributing malware is also illegal!
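The pcap analysis that the Methodology and Findings sections ask for can be done offline with a small parser rather than only by screenshotting a GUI tool. The following is an added example (not part of the assignment brief or any course material): it reads a libpcap file, extracts outbound TCP SYNs, groups them by source, destination and port, and flags destinations contacted at near-constant intervals, which is the classic C&C beaconing pattern. The capture it analyses is constructed in memory (a bot on 10.0.0.7 contacting 203.0.113.10:8080 roughly every minute alongside irregular HTTPS browsing); the addresses, ports, period and jitter threshold are assumptions for the illustration, and a real investigation would load the dataset you chose instead.

```python
"""Offline pcap triage for C&C beaconing (added example, constructed capture).

Parses the classic libpcap format (Ethernet link type), pulls out IPv4/TCP
SYNs and reports (src, dst, dport) tuples whose connection attempts are
spaced at regular intervals. Addresses, ports and thresholds are assumptions."""
import struct
import statistics
from collections import defaultdict

PCAP_MAGIC_USEC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, dst_port, tcp_flags) for each IPv4/TCP packet."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only classic little-endian pcap with Ethernet frames is supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 14 + 20 or struct.unpack("!H", pkt[12:14])[0] != ETH_TYPE_IPV4:
            continue                      # not IPv4 over Ethernet
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IP_PROTO_TCP or len(ip) < ihl + 20:
            continue                      # not TCP, or truncated header
        tcp = ip[ihl:]
        _sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts_sec + ts_usec / 1e6, ip_str(ip[12:16]), ip_str(ip[16:20]), dport, tcp[13]


def find_beacons(packets, min_conns=4, max_jitter=0.2):
    """Report flows with >= min_conns SYNs whose inter-arrival times are regular.

    Regularity is the coefficient of variation (stdev/mean) of the gaps between
    SYNs; a bot sleeping a fixed interval scores near 0, human browsing does not."""
    syn_times = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if flags & TCP_SYN and not flags & TCP_ACK:   # new outbound connection attempts only
            syn_times[(src, dst, dport)].append(ts)
    findings = {}
    for key, times in syn_times.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            findings[key] = {"connections": len(times), "period_s": round(mean, 1), "jitter": round(cv, 3)}
    return findings


def _syn_packet(src, dst, sport, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums left zero (fine for offline parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture (not real traffic): a bot beaconing to 203.0.113.10:8080
    every 60 s with half-second jitter, plus irregular browsing to 198.51.100.5:443."""
    t = 1_700_000_000.0
    records = [(t + i * 60 + (i % 2) * 0.5, _syn_packet("10.0.0.7", "203.0.113.10", 40000 + i, 8080))
               for i in range(6)]
    records += [(t + dt, _syn_packet("10.0.0.7", "198.51.100.5", 50000 + int(dt), 443))
                for dt in (3, 50, 51, 400, 401.5, 900)]
    records.sort(key=lambda r: r[0])
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for key, info in find_beacons(parse_pcap(build_sample_pcap())).items():
        print(key, info)
```

Against a downloaded capture, call find_beacons(parse_pcap(open(path, "rb").read())). The parser only understands the classic pcap format with Ethernet frames, so pcapng files saved by Wireshark need converting first (editcap -F pcap in.pcapng out.pcap). A bot that randomises its sleep interval will score above the jitter threshold and be missed, which is a limitation worth stating in the Conclusions and a resilience technique worth discussing in the Botnet Resilience subsection.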
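For the Bots Identification subsection, the fields the brief asks for (file type, name, size, hashes) can be produced without ever executing the sample. The block below is an added example, not course material: it labels the file type from magic bytes (with the CPU architecture for ELF and PE headers, since IoT botnets ship one build per architecture), and computes MD5, SHA-1 and SHA-256 so the sample can be looked up by hash in a multi-engine anti-virus service for the "current anti-virus detection" figure. The samples it fingerprints are constructed stub headers, not real bots, and the machine-type tables are a small assumed subset of the values the formats define.

```python
"""Fingerprint a suspected bot sample without executing it (added example).

Produces the identification fields a report needs: name, size, file type and
architecture from the header, and MD5/SHA-1/SHA-256. The sample bytes built
by build_samples() are constructed stub headers, not malware."""
import hashlib
import os
import struct

# Subset of e_machine / IMAGE_FILE_MACHINE values (assumption: enough for common bot builds).
ELF_MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}


def classify(data: bytes) -> str:
    """Return a file-type label from magic bytes, with architecture where the header carries it."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "?")
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
        (machine,) = struct.unpack(endian + "H", data[18:20])
        return f"ELF {bits} {ELF_MACHINES.get(machine, hex(machine))}"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack("<I", data[0x3C:0x40])  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 6:
            (machine,) = struct.unpack("<H", data[pe_off + 4:pe_off + 6])
            return f"PE {PE_MACHINES.get(machine, hex(machine))}"
        return "MZ executable (no PE header)"
    if data[:4] == b"PK\x03\x04":
        return "ZIP archive (check for APK/JAR)"
    if data[:2] == b"#!":
        return "script (shebang)"
    return "unknown"


def fingerprint_bytes(name: str, data: bytes) -> dict:
    """Identification record for a sample held in memory."""
    return {
        "name": name,
        "size": len(data),
        "type": classify(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def fingerprint_file(path: str) -> dict:
    """Same record for a file on disk; opened read-only, never executed."""
    with open(path, "rb") as f:
        return fingerprint_bytes(os.path.basename(path), f.read())


def build_samples() -> dict:
    """Constructed stub headers standing in for downloaded samples (not real bots)."""
    # ELF32 little-endian, e_type = EXEC, e_machine = ARM: the shape of a typical IoT bot build.
    elf = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 40) + b"\0" * 32
    # DOS header whose e_lfanew points at a PE signature + COFF header for x86-64.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    pe = b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18
    return {"bot.arm": elf, "dropper.exe": dos + pe, "empty.bin": b""}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(fingerprint_bytes(name, data))
```

Run it inside the isolated VM with fingerprint_file(path) on the downloaded file; keep the file non-executable and quote the SHA-256 in the report, since MD5 is collision-prone and not a reliable unique identifier on its own.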
MARKING RUBRIC:

Grade bands: Solid H1 (> 80%), H1 (> 70%), H2.1 (> 60%), H2.2 (> 50%), PASS (> 40%), FAIL (< 40%).

Objectives (10%)
• Solid H1: Objectives were clearly specified and achieved above and beyond the programme expectations. Outstanding executive summary and detailed malware identification.
• H1: Objectives were clearly specified and fully achieved. Insightful executive summary and detailed malware identification.
• H2.1: Objectives are well specified and achieved. Good executive summary and detailed malware identification.
• H2.2: Objectives are well specified and mostly met. Executive summary may not be very insightful; malware identification mostly complete.
• PASS: There are clear objectives, which are at least partially met. Executive summary and malware identification somewhat incomplete.
• FAIL: Objectives were inadequately specified and not achieved. Lack of executive summary or incorrect malware identification.

Methodology (15%)
• Solid H1: The methodology plays a well-conceived and essential role in meeting the project objectives. The chosen methodology was outstandingly justified vis-à-vis alternative methodologies and carried out above the programme expectations.
• H1: The methodology plays a well-conceived and essential role in meeting the project objectives. The chosen methodology is fully justified vis-à-vis alternative methodologies and rigorously carried out.
• H2.1: The methodology is meaningful and appropriate for the project objectives. The chosen methodology is well justified and competently carried out.
• H2.2: The methodology is appropriate for the objectives. Some incomplete attempt to justify the chosen methodology.
• PASS: The chosen methodology was specified but not justified.
• FAIL: Methodology was not specified or was inappropriate.

Botnet Investigation (50%)
• Solid H1: The analysis goes above and beyond the programme expectations. The findings are outstandingly presented and thoroughly discussed.
• H1: Rigorous and creative analysis with excellent presentation and discussion of the findings.
• H2.1: Rigorous analysis with well-presented and discussed findings.
• H2.2: Some reasonable attempt, but the analysis lacks depth and breadth.
• PASS: Some basic analysis was conducted, with limited findings.
• FAIL: Little to no analysis.

Recommendations & Conclusions (15%)
• Solid H1: Creative, detailed recommendations fully supported by references to literature. Insightful conclusions which appreciate limitations and implications of the study.
• H1: Detailed recommendations supported by references to literature. Conclusions appreciate limitations and implications of the study.
• H2.1: Good recommendations with references to literature. Shows an understanding of the implications of the study.
• H2.2: Reasonable attempt to provide recommendations. Implications and limitations of the study not fully appreciated.
• PASS: Some attempt to provide recommendations. Implications and limitations not well understood.
• FAIL: No or inappropriate recommendations and conclusions.

Report Quality (10%)
• Solid H1: Outstandingly written and structured report, with excellent use of language, headings, image/table captions, and rigorous referencing of source material using the APA, Harvard or IEEE style.
• H1: Well-written and structured report, with excellent use of language, headings, image/table captions, and consistent citation and referencing of source material.
• H2.1: Report has a few structure and/or language errors. Figures are well presented. References are complete and consistent.
• H2.2: Satisfactory report with clear structure and acceptable grammar and spelling. References are consistent and complete.
• PASS: Reasonable report presentation and acceptable grammar and spelling. Some figures may be hard to read. References are mostly complete and consistent.
• FAIL: Poorly written and structured document, and poor use of English. Figures may be hard to read. References (if any) are probably incomplete.
REPORT TEMPLATE:

Title: Malware Analysis Project
MSc in Cybersecurity
Forename Surname, Student ID: xxx
School of Computing, National College of Ireland
Lecturer: xxx

Running header: Title, Forename Surname, Student ID

1 Executive Summary
Description of the objectives and key findings of the investigation.

Figure 1: This is a caption.

2 Methodology
Details and justifications (with references) of the botnet investigation methods that were used, which can include but may not be limited to:
· Detail your strategy to search for and select the academic papers, industry reports, and other references.
· Detail the pcap files and/or dataset that you identified and analysed (if any).
· If you decide to download and analyse the bots, provide details and justifications (with references) of the malware analysis methods that were used (e.g., static analysis, dynamic analysis, Internet investigation, etc.).
· Provide a description of the test environment setup (e.g., OS version, configuration, precaution and sandboxing measures, etc.), a description of the software tools and online tools used for the analysis of the pcap files / datasets / bots, and justification of their choice (i.e., vis-à-vis alternative tools).