James Poulson - Capstone

In my list of desired projects, Malware Analysis was up there in the number 2 or 3 position. I thought it would be very cool to be able to learn how to analyze software and determine it’s maliciousness and I thought it could be a useful tool for my personal life if I ever wanted to download stuff from the internet. While all these things are still true, I don’t think this project provides much value to others.

The deliverable of this project is a report containing the findings from our malware analysis. My team chose a collection of malware samples from a book called Practical Malware Analysis and studied different samples statically and dynamically. Again, this was a learning experience but I don’t think our report on the heavily studied malware contained in this very popular book is very valuable.

I am realizing now that I valued the product that I would be creating with my group in this 3-quarter class. I envisioned a product that could go in my portfolio and be used to demonstrate my development skills. Unfortunately, the jobs I’ve been applying to are in Software Engineering and not Cyber Security so I don’t believe the outcome of this project will be useful to me.

If I had another chance at the Senior Software Engineering Project, I think I would fight harder to do a Software Engineering Project because those are my professional interests and not just my personal ones. I would have liked to have something cool and polished to show for my work in this class.

Process Monitor (procmon) is a necessary tool for dynamic malware analysis on any Windows interface. The software provides insight into all the running processes on the computer. I thought I got lucky on finding the software online. In a quick Google search I found the link to download the entirety of the Sysinternals suite right from the Microsoft website. Unfortunately for me, the downloadable was only compatible with Windows 10 or newer and not work on my Windows 7 ISO.

At this point, I begin my typical rabbit-hole search for solutions to Windows problems. I happened upon forums and eventually found a few different .zip files that contained procmon, and I installed them to my environment. Of course, none of them worked. I received numerous errors, including “incompatible driver.” With some versions, the app would trick me. It would run for a moment, then that Windows “procmon.exe stopped responding” dialog would appear and the whole thing would close.

I had heard that procmon would crash if it tried to render too much information, and the filters should be adjusted to only show the desired processes. Unfortunately, I could not keep the application running long enough to tinker with the filters. I had also heard from a group mate, that it may be necessary to allocate more memory to the virtual machine to prevent the application from crashing. This didn’t work either.

A quick message to my group mate and a Discord link later, I had procmon working on Windows 7. Apparently he had the same luck I did: tinkering with settings, filters and trying out a bunch of versions of procmon until he found just the right one. It is a shame that Microsoft doesn’t have a more accessible archive with these legacy applications and it’s a shame that, unless you’re a real computer wizard, you have to download various versions of the software, plug and (try to) play.

Despite this trouble with the software, I did find it useful for my project. Particularly with Lab07-03.exe, a piece of malware that opens every executable file on the system for modification. Without procmon, it is very difficult to evaluate malware. Other applications like Process Explorer or Task Manager don’t quite provide the same insight.

Comments, naming conventions and white space have been taught to us ever since we began studying CS at Oregon State. Good coding habits have been a subject of every class, usually in the form of a course page describing code style expectations, just like an English class might describe what citation style to use. While I am good at reading those pages and writing out my comments, there are some more time-consuming habits I need to apply.

DRY is an acronym commonly used in this subject, and it stands for Don’t Repeat Yourself. In practice this involves writing reusable code. If there is a common operation in your code (or even a common value), it is important to create functions to perform this operation instead of writing it many times throughout your code (https://medium.com/@josueparra2892/20-best-programming-practices-407df688b96e item #3).

I recently violated this principle horribly in my Programming Language Fundamentals class. Because each assignment in this class asks the student to write a program in a different, obscure language, code cleanliness is a lower priority as I was just trying to get the foreign code to work. Before I submitted my assignment, I noticed about a dozen repeating lines throughout the 100 or so lines of code. I had taken an iterative approach to writing code, when I could have planned much better to organize my code into reusable chunks. This is a habit that I practice often, but even after a few years of coding I still slip.

While I write decently organized code with understandable variable names and comments, what don’t I do? While reading through “15 Bad coding practices you should avoid,” I was reminded about a gap in my skills: Error Handling. So much of the code I write is for academia, and therefore there are most often rubrics and automated tests in Gradescope with which I can evaluate my code. However, I am aware that moving into a career Software Development, it is important to bulletproof your code against edge-cases and unexpected errors. This means that instead of your program crashing, it will be able to handle these errors gracefully and provide a user with useful information to help them correct their actions (https://codedamn.com/news/programming/bad-coding-practices-examples-you-should-avoid line #5). Unit tests are useful for testing many possible inputs in a program and can help identify gaps in the software.

I never thought I would feel nostalgia as I worked through this course. I had never used Virtual Machines, never used Hypervisors nor had I attempted to deliberately download malware from the internet. So what is there to look back on?

In order to set up my virtual environment, I installed VMWare Workstation Pro which allows you to manage different virtual machines. I downloaded a Windows XP Professional ISO and booted it up. The boot up sound immediately brought me back to my childhood. When I was just 5 or 6, my grandma had an old dinosaur of a computer. It was a Gateway computer (https://en.wikipedia.org/wiki/Gateway,_Inc.), and their logo of a cow-print cube still lives in my mind. This was the kind of computer that was made out of giant pieces of beige plastic, and would boot up so slow you could probably build one from scratch before anything was clickable on the screen.

When Windows XP booted up in my virtual environment, I immediately forgot I was doing homework. I found the old games of Minesweeper and Pinball and played them for a while. They are still great games to this day. I called my sister up and when I showed her the green pasture desktop picture she screamed. It was such a feeling to mess around with an old piece of software like this. It brought me back to being a kid.

But we all know that I’m not working with my team to be the best Pinball player that Microsoft had ever seen. Setting up Windows XP was just one part of getting my environment ready to test malware. When I got into this degree program, I expected to constantly be learning to use new technology. Industry standards seem to change overnight, as do the tools. I never thought I would end up being 6 years old again, playing Pinball on my laptop as I entered my final year of my degree. It was a pleasant surprise.

Now we are more than halfway through the first quarter of our 3-quarter series working on our Capstone Project. I’ve been placed in a group with 4 others, working on a project titled Malware Analysis. This project was high on my list for preferred projects, and I still have a lot to learn about what goes into executing this analysis successfully.

In order to analyze malware, it is important to isolate one’s self from the outside world. Rather, it is important to isolate the malware in a virtual environment within one’s computer so that it will have no effect on the host machine. The project specifications ask our group to create a series of virtual machines connected by a virtual network and analyze several kinds of malware both statically and dynamically. Static analysis is the study of malware without executing it and dynamic analysis requires one to execute the software. The latter is the case where the importance of the virtual environment becomes apparent.

A few folks in my group have experience with building virtual environments. This experience they have come across in either work or from another course at Oregon State, namely Defense Against the Dark Arts. I have no experience running ISOs in a hypervisor such as VMWare Workstation and just as little experience connecting devices via a virtual network. These specific requirements of the project unsettled me at first because it is new technology for me, but my group has reassured me that the process of configuring a virtual environment is very straightforward. A group mate of mine has even put together a step-by-step walk through for us about how to do it. JT, it is much appreciated.

Around the same time I started this quarter, I had begun work as an IT Technician, a very low level one. Much of my schooling didn’t help all that much with my new job surprisingly. Most of my education thus far has been in software, and this position focuses more on hardware such as thermal printers or Active Directory, company-specific applications and networks. In my work I have discovered that some servers utilize VMWare, a buzzword I have only come familiar with in this project. I am hoping that in my work in my Capstone Project that my two worlds of academia and work will merge, and I will become a more rounded computer scientist because of it.

In typical programmer fashion, I will begin this blogging with the classic title. I’m new to this blogging tool, so you may see some dramatic changes in format as I figure out how this thing works. As for now…

I am a 25 year old student of Computer Science, living in Southwest Washington with my wife. We are expecting a child in December (Christmas Eve, actually) but the doctors tell us due to some medical reasons, the baby may be yanked out earlier. If I’m not in school, I am working full time in my new IT position at a large shipping company in Portland, OR.

I am not one for hobbies. I don’t play sports or sew or anything. Outside of any honorable pursuits I listen to podcasts and music, I eat at restaurants with my wife. We spend quite a bit of time with her family, as they all live around here. Once I got married off, my parents moved to Utah to be closer to my other siblings (I have 3 sisters), though I see them at least once a year.

My journey to study Computer Science is a weird one. At a time where I had little career plans, my uncle had a roommate who worked as a freelance software developer. Unfortunately for me, whenever he would talk about what he did day-to-day he would speak in very technical terms, all of which I could not understand. But he peaked my interest enough to get me to take a free online course in Java. The creative problem solving and structured language made me feel very cool when I got something to work, like changing the colors of pixels.

If you fast forward a few years, a lot has happened since. I am nearing the end of my degree program and could hold a conversation with my uncle’s roommate any day. That is, if he didn’t move to Miami and steal crypto from a rich guy. It’s a wild story if you can find it out there. Nevertheless, I’m glad I embarked on this journey. And as I am a year away from the end, I’m hoping to start work on an exciting project that maybe is a tad more rewarding than, “Hello World!”