
Assignment #4

Type of assignment: This assignment should be done in the same groups as the term project.

Note: The assignment submission should clearly list the student members of the group, their names, and student numbers on the first page.

Points: The maximum number of points for this assignment is 78, which will be prorated accordingly after all assignments are posted. The weight of each problem is given in parentheses.

Format:

  1. Assignment submissions are accepted in the following formats only: HTML (extension .html), PDF (.pdf), ASCII text (.txt). Assignments submitted in any other format will be discarded. All text in the assignment submissions must be typed and figures plotted to be easy to read and understand. Spelling, grammar, and other language errors will result in fewer points credited to the corresponding problem solutions.
  2. Your submission file should be named to reflect the group number (see group number assignments below), and the assignment number, e.g., group53-5.pdf.

Problems

  1. (15) (Malicious Logic): Pick one of the following pieces of malicious software (malware):

                1. Nyxem.E
                2. NetSky.P
                3. Exploit.HTML.Mht
                4. Mytob
                5. Feebs
                6. Agobot
                7. VB.ab
                8. Small.DAM
                9. VBS/StartPage.BO
                10. Santy
                11. Deloder
                12. Storm worm
                13. Doombot
                14. Zhelatin
                15. Hairy
    1. Post a message (one message per group) in the course WebCT discussion topic named "Malware" indicating which malware your group has picked.
    2. If another group posted an earlier message indicating that they had picked the same malware as your group, go back to step 1 and pick a "free" malware.
    3. Classify the picked malware according to the classification discussed in class.
    4. Analyze the design of the picked malware, i.e., its structure, behavior, mechanisms it uses for selecting victims, infecting them, hiding itself and its authors, etc.
    5. Identify the aspects specific to your malware that can be used to detect or prevent it. Based on your analysis, recommend short-, medium- and long-term countermeasures (i.e., protection and detection techniques) against the threat posed by this malware. Classify your techniques using material from the corresponding course session.
    6. Identify which of the principles for designing secure systems were not followed by the developers of the systems whose vulnerabilities allowed the malware you analyzed to become effective.
    7. Cite all your sources of information.
    8. Use no more than 4 pages to write a short report (with proper title, authors, abstract, introduction, body, conclusion, and references section) in the format of IEEE Transactions documenting your findings obtained in steps 4--6. Use figures and tables, if necessary, to achieve better impact of your report.
    9. Post your report in PDF on the WebCT discussion topic named "Malware" by the same deadline as the one for this assignment. Marks for late reports will be decreased by 1% of the problem mark for each minute after the deadline.
  1. (15) (Usable security) Pick one application whose GUI has some parts related to security. Post the name of this application in the WebCT discussion topic "Usable Security". If another group already posted a message and indicated that they will analyze this application, then your group should pick some other application.

    Analyze the security-related parts of the selected application's GUI against the guidelines for designing usable interfaces for security. These guidelines will be discussed in the guest lectures on October 30th and November 1st. Explain which guidelines were followed and which were not by the developers of your application. Explain your answers. Suggest improvements.

  2. (48) (Development of Secure Software): Each group is to successfully complete as many lessons as it can by logging in to http://webgoat.ece.ubc.ca/WebGoat/attack with the corresponding user name and password from the following table. Groups cannot help each other. If it is found out that one group received help from another group, both groups will receive zero points for this problem even if one of them is eligible for the bonus points (see below). One point per completed lesson will be credited for this problem. The lessons teach common vulnerabilities of Web applications. Some of these vulnerabilities are common to many other types of software applications.

    Important rule: WebGoat source code cannot be examined in order to complete this question.

    Helpful hints for the assignment:
    1. You can access webgoat.ece.ubc.ca only from the UBC network. To access it from outside of the UBC network, you need to use VPN (see www.vpn.ubc.ca for instructions). If on campus, use an IAPv2 port, which can be found in various buildings, including MacLeod and the Libraries. Direct your questions about IAPv2 ports to ECE IT services (help@ece.ubc.ca).
    2. Install a personal copy of WebGoat on your computer(s) so that you can restart WebGoat whenever it crashes because of your actions. webgoat.ece.ubc.ca will crash too often if every group tries to attack it while doing this assignment.
    3. If you cannot access webgoat.ece.ubc.ca because, for example, your group or another group crashed WebGoat, send an e-mail to help@ece.ubc.ca asking to reboot WebGoat on webgoat.ece.ubc.ca. The course teaching staff does not have privileges to reboot WebGoat on that host.

      Attention: Only the report card on webgoat.ece.ubc.ca counts for marks.

    | Group members | Username | Password |
    |---|---|---|
    | WeiQin Cheng, Fei Han, ManJuon Tung, Kai Xu | group01 | 077ce4 |
    | Abdullah Alqattan, Nicholas Pearson, Nima Kaviani, Patrick Lewis | group02 | 2083af |
    | David Boen, Victor Chan, Daniel Dent, Andrew Tjia | group03 | 3d9b1a |
    | Lane Feltis, Neema Teymory, Natalie Silvanovich | group04 | f4ef9a |
    | Joaquin Valdez | group05 | cead59 |
    | Michael Grebenyuk, Albert Sodyl, Byron Thiessen, Sijia Wang | group06 | f738ac |
    | Jason Poon, Oliver Zheng | group07 | de4795 |
    | Arunkumar Chebium, Pawittar Dhillon, Farhan Masud, Kaveh Farshad | group08 | f08e17 |
    | Charanjit Dhanoya, Chendursundaran Kumaragurubaran, Joey Ting | group09 | ef9ace |
    | Taivo Evard, Noriel Rilloma, Carlos Colon-Vonarx | group10 | ad59ef |
    | Jeffrey Qian, Je-Yu George Lee, William Ha, Phoebe Hsu | group11 | eb5a53 |
    | Kenneth Wong, Thomson Lai, Bosco Lee, Frankie Shum | group12 | e968aa |
    | San-Tsai Sun, Sheung Lau, Stephen Liu, Ting han Wei | group13 | cb2015 |
    | Pouyan Arjmandi, Robi Boeck, Fahimeh Raja, and Ganapathy Viswanathan | group14 | d2d424 |
    | Gaurav Agashe, Pooya Jaferian, Faraaz Shamji, Steven Yu | group15 | eff934 |

     

  3. (18 points) (Bonus question) The first group that also completes the challenge of attacking three "hackable" admin interfaces and posts a message on the course WebCT discussion topic "Assignments" indicating that it completed the challenge will receive an additional (i.e., bonus) 18 points for this assignment. The group will have to demonstrate to the course TA the technique used to accomplish the challenge before the credit is awarded. If the group fails to demonstrate it, the second group will become eligible for the bonus.

    Important rule: WebGoat source code cannot be examined in order to complete this question.

Copyright © 2003-2005 Konstantin Beznosov