How To be A Malware Researcher ?
Malware now is the worst cyber threat. In The last couple of years, the release rate of malicious code and of other unwanted programs was greater than the one related to previous 20 years.The severity and sophistication rates increased more and more, From Small viruses and worms to the sophisticated and highlt dangerous worms like stuxnet, Duju, Flame and Gauss.
The Spreed of malware increases very fast. with the large extension of network like internet and the impressive diffusion of social networks have advantaged the spreed of malicious software, Millions of connected devices from big servers to smart phones and tablets are now targets of malware.
The Malware Researcher Mission:
A malware analyst examines malicious software, such as bots,worms and Trojans to understand the nature of their threat.This risk usually involves Reverse-engineering the compiled executable and examining how the program interacts with its environment.
The analyst may be asked to document the specimen’s attack capabilities, understand its propagation characteristics, and define signatures for detecting its presence. A malware analyst is sometimes called a reverse engineer. Security product companies, in industries such as anti-virus or network intrusion prevention, may hire malware analysts to develop ways of blocking malicious code.
Large organizations in non-security industries may also hire full-time malware analysts to help protect their environment from attacks, or to respond to incidents that involve malicious software. Maiware analysis skills are also valued by companies that cannot justify hiring full-time people to perform this work, but who wish their security or IT administrators to be able to examine malicious software when the need arises.
What is Reverse Engineering?
Reverse engineering is the process of taking a compiled binary and attempting to recreate (or simply understand) the original way the program works. A programmer initially writes a program, usually in a high-level language such as C++ or Visual Basic (or God forbid, Delphi). Because the computer does not inherently speak these languages, the code that the programmer wrote is assembled into a more machine specific format. one to which a computer does speak. This code is called, originally enough, machine language. This code is not very human friendly, and often sometimes requires a great deal of brain power to figure out exactly what the programmer had in mind.
Areas of Ma!ware Analysis:
To analyze a malware sample, you have 3 main ways to collect information about it and to understand what this malware does and how you can detect it. Behavioral Analysis: Behavioral Analysis is simply examine what happens in the system or the internet while the malware running … or what this process (the malware program) does like modifying the registry or writing, a file or connect to a website or IRC channel.
The most known tools are:
• Wireshark: used for monitoring Internet packets and connections
• Process Monitor: used for monitoring file operations (read or write), Process operation (open Process or create a process) or registry operations (registry read or write)
• CaptureBAT: it’s used to capture the registry modifications from before running the malware sample until closing to monitor the registry operations Other way to monitor a malware sample is to monitor via emulation or inside a sandbox. Sandbox is an emulator for the OS which emulates the malware code and examine its behavior like:
This area of analysis is simply looking into the file of the malware and examining it statically without running. Like:
• Looking at the strings … as you can find a name of a website, IRC commands, commands from the attacker and the reply, API names (windows functions like MessageBoxA) or registry entries name that will be modified or added.
• Looking at the File Structure (PE Headers) and examine it … if the file is packed (compressed) with known Packer like UPX and FSG … and how to unpack it, examine the Import Table and The Imported APIs or examine the entrypoint (pointer to the 1st instruction) and so on
• Looking at the code in Assembly and examine its code and how it’s executed (statically). It could be used with the code that you can’t reach in normal execution like a reply to an attacker’s command and so on. The known Tools for Static Analysis:
• PEID: used to examine the PE Header and to detect the packer or the programming language for this piece of malware
• PE Explorer: known PE Reader
• IDA Pro: used to disassemble the application and examine its code statically and used to find the strings inside the malware
Dynamic Analysis is any examination performed on the code while executing the malware to examine the malware process’s memory. code and registers. And this could be done by using a debugger which you can break in the middle of the execution to examine or modify the process memory. And also could be done with some types of Emulators. The Known Tools:
• 0llyDbg: the most known debugger for windows 32 bits
• IDA Pro: it includes debuggers inside
• WinDbg: Microsoft debugger
• 0llyDrx: Modified 0llyDbg
Malware Researcher Job Requirements:
That’s a Job Requirements desired for working in known company: “JOB DESCRIPTION: This great opportunity will allow the Malware Analyst to evaluate and investigate malware incidents for the entire corporate network. This is a hands-on position involving collaborative interaction with the customer, working directly with team members consisting of Computer Security Investigators and Forensic Analysts. The successful candidate will possess the following skills and capabilities:
– Hands-on experience with reverse engineering tools such as IDA Pro, 011yDbg, and other similar toolsets
– Documented ability to reverse engineer undocumented binary software
– Detailed understanding of how various attacks work at the memory and register level
– In-depth understanding of operating system kernels, advanced protection mechanisms, device drivers, and/or compilers
– Proficiency in assembler languages – Strong shell, C, C++, and/or Java programming skills”
How to become a Malware Researcher:
To become a Malware Researcher, you learn these things:
1. Assembly Language
2. Operating System Principals like: Processes and Threads, Kernel-Mode and User-Mode, APIs and DLLs, Physical Memory and Virtual Memory and so on.
3. Reverse Engineering and its tools like IDA Pro and 011yDbg … you should practice and practice to become a skilled reverser.
4. Great understanding of Malware Types and Techniques
5. C++ Language: you should learn C++ and you can practice via joining Open Source Project.
To learn Assembly language … you should learn how to write on with assembly … you can use Masm as a compiler and use EasyCode Masm as an IDE.
For operating system principals, you can read “Identifying Malicious Code Through Reverse Engineering” book. It’s an awesome book and covers windows principals very well and the assembly language.
For Reverse Engineering, you should read “Reversing, the secrets of Reverse Engineering” Book … it’s the best for Reverse Engineering Also you can practice by taking crackme challenges in www. crackme.de and you can download malware samples from www.openmalware.org and reverse them.
For Learning about Malware,
you can read “The Art of Computer Virus Research and Defense” or “Malware Analyst Coolbook” … they are great books and most read
For Learning C++ language, you can watch tutorial videos from www.codeVDO.com . and you can contribute to the open source security projects (specially on malware). Contributing to open source projects will add to your CV and make you have a great network.
The Open Source Projects Related To Malware
Security Research and Development Framework/
This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches from the theoretical approach to the practical implementation.
This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF. www.code .goog le. com/p/srdf
ClamWin is a Free Antivirus program for Microsoft Windows 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2008 and 2003.
ClamWin Free Antivirus is used by more than 600,000 users worldwide on a daily basis. It comes with an easy installer and open source code. You may download and use it absolutely free of charge. http://www.clamwin.com/
- “Malware, a cyber threat increasingly difficult to contain” by ierluigi Paganini at Hackin9 Exploiting Software 07\2012 .
- “Malware Analyst – Job Description° by Lenny Zeltser at ttp://zeltser.com
Reference Guide – Reversing & Malware Analysis Training ttp://securityxploded.com/malware-analysis-training-refer-nce.php
About The author
Malware Researcher at Symantec and Author of Pokas x86 Emulator and Security Research and Development Framework