Have you ever considered of becoming a malware analyst? If yes, please continue reading this article and find out some hints and useful links for those who want to start Malware Analysis.
Malware analysis is a process of determining the functionality, origin and potential impact of a certain malware sample
Malware is also known as malicious software is a computer software which is developed to harm the host operating system or to steal personal information or sensitive data from various computer users, including businesses, or government institutions. Some of the most widely used malware samples include virus, ransomware, cryptocurrency miners, worms, Trojan horses, rootkit, spyware or backdoor. Malware can also include software that gathers user data without their knowledge or permission. Malware can be distributed via various ways and channels, such as phishing, social engineering, drive-by download, exploit kits, or infected pen drive. Malware analysis is a big business since malware attacks are increasing and can cost companies dearly. Once malware breached defenses, it is necessary to act quickly in order to cure infections and prevent future attacks. According to Michael Sikorski and Andrew Honig, Malware analysis is a cat-and-mouse game, in which the rules are constantly changing.
Where to start from? Firstly, you have to prepare an isolated virtual environment, so you can protect yourself from infections. The isolated virtual environment will the special tools installed will enable you to deploy the malware sample and analyze it without the risk of infecting yourself.
Malware analysis tools
Using virtual machines for malware analysis is very recommended. A Windows virtual machine also known as VM enables users to flexible to debug malware live without infecting the host. If the malware infects the VM, it can be quickly reverted to a clean snapshot. Traditionally malware analysts and security researchers had to maintain their own virtual machines, but it all ended with the release of FLARE-VM project in 2017. FLARE-VM is built on top of the Chocolatey package manager for Windows and provides central management for windows software. In addition, there are many other tools used for reverse engineering or software reversing. Reverse engineering is used to analyze closed source software to gather unavailable data, such as algorithms, hidden access passwords and so on. Reverse engineering widely used for malware analysis or potential security vulnerabilities. As software analysis requires appropriate knowledge it also needs proper tools, such as identification tools, disassemblers and decompilers, Hex editors and others. There are many free or experimental projects out there for users to discover. A decent set of reverse engineering tools provides a security expert Bartosz Wojcik which can be found at Pelock.com.
Get malware samples from trustful sources
For beginners, we would recommend exploring some malware samples from malwarebreakdown.com and malware-traffic-analysis.net. These websites include a fresh, nicely catalogs samples for free. In addition, beginners should join Twitter and follow security experts and researchers. Also, try to join hacker and malware analysts communities and forums. We recommend you to join Virus Bay community as you become more proficient. Malware trackers such as Tracker Fumik0, Benkow, or CyberCrime Tracker, can be very useful to the latest malware and receive more information about campaigns.
Start Practicing of analysing malware samples
RE and malware analysis can also be considered as art, so start practicing. Check out Beginner Malware Reversing Challenges and other tutorials available online. What is more, reversing a native application requires users to understand low-level concepts. The malware concept will require you to learn PE format, which is available in related articles of Matt Pietrek and Ange Albertini. Check also PE-bear and try to view various executables, compare it with what you read about the format. Even though malware analysis does not require proficient programming knowledge, you have to have basics. Thus, knowledge in programming will allow you to better experiment with the techniques and create tools helping in an analysis. The languages used daily are C/C++, Python, and assembler, so check out this article.
Unpack Malware safely
In order to analyze the core of the malware, you have to know how to unpack it from the outer and protective layer. Usually, malware distributors use legitimate packers and protections. Malware can also come in a custom layer, prepares with a special focus on AntiVirus evasion. Check out this article, which explains the concept deeper.
Prevent Malware injections
Most of the time malware injects its malicious code into other processes in order to impersonate other applications and hook. Hooking enables malware to intercept API calls. Hooking is used for various purposes including, avoiding monitoring, intercepting the data being sent and other. In addition, hooking is also used by sandboxes to monitor malware.