COMP0060 Malware

This database contains the 2018-19 versions of syllabuses.

Note: Whilst every effort is made to keep the syllabus and assessment records correct, the precise details must be checked with the lecturer(s).

Academic session






Module delivery

1819/A7U/T1/COMP0060 Masters (MEng)

Related deliveries

1819/A7P/T1/COMP0060 Postgraduate

Prior deliveries



Masters (MEng)

FHEQ Level


FHEQ credits



Term 1

Module leader

Clark, David


Clark, David

Krinke, Jens

Barr, Earl

Module administrator

Ball, Louisa


The module provides students with:

  1. specialist understanding of the issues and techniques in malware detection and classification.
  2. a broad understanding of the human, social, economic and historical context in which malware occurs.

Learning outcomes

Successful completion of this course will provide students with a specialist understanding of the nature of malware, its capabilities, and how it is combatted through detection and classification. Students will understand what are the underlying scientific and logical limitations on society’s ability to combat malware. Furthermore, students should have an appreciation and broad understanding of the social, economic and historical context in which malware occurs.

Availability and prerequisites

This module delivery is available for selection on the below-listed programmes. The relevant programme structure will specify whether the module is core, optional, or elective.

In order to be eligible to select this module as optional or elective, where available, students must meet all prerequisite conditions to the satisfaction of the module leader. Places for students taking the module as optional or elective are limited and will be allocated according to the department’s module selection policy.

Programmes on which available:

  • MEng Computer Science (International Programme) (Year 4)
  • MEng Computer Science (Year 4)
  • MEng Mathematical Computation (International Programme) (Year 4)
  • MEng Mathematical Computation (Year 4)


In order to be eligible to select this module, students must have:

  • taken undergraduate modules in logic and discrete mathematics, assembly, and imperative programming.


Topics: Introduction (malware analysis, tools list). Lab 1: architecture; Labs 2 and 3: 8086 instructions; Lab 4: from C to assembly; Labs 5 and 6: Radare 2; Lab 7: static analysis; Lab 8: dynamic analysis (Wireshark, PIN); Lab 9: packing/unpacking (Yara, PEID)


  • The taxonomy of malware and its capabilities: viruses, Trojan horses, rootkits, backdoors, worms, targeted malware
  • History of malware

The social and economic context for malware

  • crime, anti-malware companies, legal issues, the growing proliferation of malware

Basic Analysis

  • Signature generation and detection
  • clone detection methods

Static analysis theory

  • program semantics
  • abstract interpretation framework

Static Analysis

  • System calls: dependency analysis issues in assembly languages; semantic invariance of system call sequences
  • abstract interpretation as a formal framework for detection
  • taint-based analyses
  • semantic clones

Dynamic Analysis

  • virtualization: semantic gap
  • reverse engineering
  • hybridisation with static analysis

Similarity metrics

  • Kolmogorov Complexity
  • association metrics
  • other entropy based metrics
  • NLP based approaches.

Problems in large scale classification

  • scalability
  • triage methods
  • Required FP rate


  • Polymorphism
    • compression
    • encryption
    • virtualization
  • Metamorphism
    • high level code obfuscation engines
    • on-board metamorphic engines
    • semantics-preserving rewritings
  • Frankenstein

The theory of malware

  • Rice’s theorem and the undecidability of semantic equivalence
  • Adleman’s proof of the undecidability of the presence of a virus
  • Cohen’s experiments on detectability and self-obfuscation

An indicative reading list is available via


The module is delivered through a combination of lectures, class-room based exercises, and labs.


This module delivery is assessed as below:



Weight (%)



Written examination (2hrs 30mins)







In order to pass this Module Delivery, students must:

  • achieve an overall weighted Module mark of at least 50.00%;

AND, when taken as part of MEng Computer Science and MEng Mathematical Computation:

  • achieve a mark of at least 40.00% in any Components of assessment weighed ≥ 30% of the module.

Where a Component comprises multiple Assessment Tasks, the minimum mark applies to the overall component.