In war, there are always two sides: the attackers and the defenders. A less noticed group is the researchers and developers. While soldiers are fighting a war on the front lines, scientists and engineers are researching and developing new weapons, defenses and tools: things that give their side an advantage. If one of these creations is ever captured by the opposing forces, it is reverse engineered to understand exactly how it works, how it can be defended against and even how it can be re-purposed. The same goes for war on the cyber front: malicious attackers and system administrators (Black Hats and White Hats) are the soldiers, malware authors develop new and dangerous forms of malware, and Malware Analysts reverse engineer these weapons to find out how to stop them.
What is a Malware Analyst?
A Malware Analyst is a highly specialized reverse engineer, programmer and detective. They accomplish their task by using various tools and expert-level knowledge to understand not only what a particular piece of malware can do but also how it does it. Becoming a Malware Analyst requires a large amount of focus and discipline, as well as training and practice in the inner workings of computer systems, programming methodologies in multiple languages and a keen mind for solving puzzles and connecting the dots.
You might consider becoming a Malware Analyst if you have a passion for computer security, enjoy solving puzzles and like the prospect of always learning new things. You might also enjoy it if you prefer a profession that always poses a challenge or if you look forward to working on new and interesting things. No day is ever the same as the previous one; every day is an opportunity to learn something new and fine-tune your skills. In addition to the personal satisfaction you would get from being a Malware Analyst, you would also become a samurai in the fight to make the cyber world a safer place.
The type of person who would be perfect for becoming a Malware Analyst would be:
- A fast learner
- Able to derive meaning from nonsense
- A good puzzle solver
- Able to think outside of the box
- Willing to frequently use the scientific method
Prerequisites
Prior to walking the path to become a Malware Analyst, a person should be familiar with:
- Operating System Concepts
- High Level & Low Level Programming (familiarity is fine, working knowledge not required at first)
- Fundamentals of networking
- How to use the internet to perform research
Building the basics
Being a Malware Analyst can take you many different places during your career, and you can end up analyzing all types of malware, from ordinary application malware to exploits hidden in PDF files or malware found on smartphones. So where should you start when it comes to your training? You should master a few basics before trying anything too advanced:
Learn Assembly Language
In the hierarchy of programming languages, you have at the very top scripting languages like Perl or Python, followed by high- and middle-level languages like C++ and C, then Assembly language, then machine language and finally the binary code that is read by the hardware.
Assembly language is low-level and therefore involves many more instructions than you would see in a higher-level program. For example, the code required to print something to the console in a higher-level language is usually just one line and sometimes just one symbol. In Assembly, this simple procedure may require anywhere from 5 to 20 lines of code.
Analyst's Tip: Learning Assembly is easy if you already know a higher-level language. Imagine what the operating system needs to do in order for a single function call to execute; this is what you will see in Assembly. By learning shortcuts to parsing Assembly, you will find what you are looking for much faster.
Learn how to use the tools
As a construction worker needs to know how to use a hammer and a mechanic needs to know how to use a wrench, a Malware Analyst needs to know how to work their own set of unique and powerful tools. Some tools are easy to use and some are not; some have clear output and some dump lots of data on you that you need to be able to parse. The tools of a Malware Analyst are incredibly important and usually one of the first things learned. Here is a list of the types of tools required and some examples of each:
- Disassembler – IDA Pro
- Debugger – OllyDbg, WinDbg
- System Monitor – Process Monitor, RegShot, Process Explorer
- Network Monitor – TCP View, Wireshark
- Packer Identifier – PEID
- Unpacking Tools – Qunpack, GUNPacker
- Binary Analysis Tools – PE Explorer, Malcode Analysts Pack
- Code Analysis Tools – LordPE, ImpRec
Learn about malware
Learning about malware might seem a bit redundant when you are training to become a Malware Analyst; however, it is a very important aspect of your training. Malware evolves and changes every year: it uses new methods to infect and operate, and sometimes brings back old methods if they are applicable again. If you were writing a program to play Tic-Tac-Toe, you could try to write it from scratch, or you could see how other people have written it before and get an idea of what you need to do. The same applies to malware analysis; reading white papers and analysis reports about different types of malware will give you an idea of what you might be seeing while reversing.
Process injection is a method that malware uses to hide its operations. It must go through a set of functions in order to perform this technique, and it is important that you be able to identify it happening in the code based on prior experience and knowledge of how malware works. Research, practice, knowledge and experience are key to being able to effectively analyze new malware and should be the staples of your Malware Analyst training.
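As an added illustration of "identifying the set of functions" (not code from the original post), here is a small static-triage check in Python: it takes a binary's imported API names, as a PE viewer such as PE Explorer would list them, and reports whether the classic remote-thread injection chain is present, whether only part of it is (worth a closer look, but a debugger imports some of the same calls), or whether the import table is so bare that the sample is probably packed and must be unpacked before any static check means anything. The import lists are constructed for the example, not taken from real binaries.

```python
from typing import Dict, List, Set

# Steps a loader must walk for classic remote-thread injection. Each step lists
# the documented Win32 call plus an ntdll equivalent a sample may import
# instead, so the check does not hinge on one spelling of the API name.
INJECTION_STEPS: Dict[str, Set[str]] = {
    "open target process": {"OpenProcess", "NtOpenProcess"},
    "allocate remote memory": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write payload": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "start remote thread": {"CreateRemoteThread", "CreateRemoteThreadEx",
                            "NtCreateThreadEx"},
}

# The few imports a packer stub keeps so it can resolve the real ones at
# runtime; a table that is empty apart from these tells you to unpack first.
STUB_IMPORTS: Set[str] = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                          "VirtualAlloc", "VirtualProtect", "ExitProcess"}

def chain_coverage(imports: List[str]) -> Dict[str, bool]:
    """For each injection step, True if any of its APIs is imported."""
    present = {name.strip() for name in imports}
    return {step: bool(apis & present) for step, apis in INJECTION_STEPS.items()}

def verdict(imports: List[str]) -> str:
    """Full chain -> 'injection-capable'; a partial chain -> 'review', because
    a debugger legitimately imports WriteProcessMemory without ever creating
    a remote thread; stub-only or empty table -> 'possibly packed', since
    static import checks mean nothing until the sample is unpacked."""
    present = {name.strip() for name in imports}
    if not present - STUB_IMPORTS:
        return "possibly packed"
    hits = sum(chain_coverage(imports).values())
    if hits == len(INJECTION_STEPS):
        return "injection-capable"
    return "review" if hits >= 2 else "no injection chain"

# Constructed sample import lists for illustration (not from real binaries).
INJECTOR = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
            "CreateRemoteThread", "CloseHandle"]
NATIVE_INJECTOR = ["NtOpenProcess", "NtAllocateVirtualMemory",
                   "NtWriteVirtualMemory", "NtCreateThreadEx"]
DEBUGGER = ["OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
            "DebugActiveProcess", "WaitForDebugEvent"]
PACKED = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect"]
EDITOR = ["CreateFileW", "ReadFile", "WriteFile", "MessageBoxW"]

if __name__ == "__main__":
    for label, imps in [("injector", INJECTOR), ("native", NATIVE_INJECTOR),
                        ("debugger", DEBUGGER), ("packed", PACKED), ("editor", EDITOR)]:
        print(f"{label:9s} {verdict(imps)}")
```

A verdict of "review" or "injection-capable" is a starting point for the dynamic work the tools list above describes (watching the sample in a debugger and system monitor), not a final call.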
Helpful Links and Sources
There are many different ways to learn about becoming a Malware Analyst; some people choose to go through courses taught online or in person, which can cost upwards of a few thousand dollars. Other people choose to learn as they go, picking up information where they can and learning from their own experience. Both are decent ways of learning about malware analysis, but the cheap and easy way would be through doing online research and reading lots of books. Here is a list of my favorite sources for learning about malware analysis:
- Tuts4You.com Tutorials
- Sans.org and anything by Lenny Zeltser
- Google Searches for “Malware Analysis <specific topic>”
- Malware Analyst's Cookbook
- Rootkits: Subverting the Windows Kernel
- Practical Malware Analysis
- The IDA Pro Book
- Reversing: Secrets of Reverse Engineering