An updated version of this blog can be found here.
Knowing how to analyze malware has become a critical skill for security incident responders and digital forensic investigators. Understanding the inner-workings of malicious code and the way malware on the infected system helps in deriving the indicators of compromise to locate malicious artifacts throughout the organizations. The process also allows security professionals to assess the scope, severity and repercussions of the incident, and may help the organization bring the parties responsible for the incident to justice.
Since I teach the Reverse-Engineering Malware course at SANS Institute and have been active in this field for some time, I am often asked how one could get started with malware analysis. Below are my recommendations.
Entering the Field of Malware Analysis
Malware analysts are in high demand in both government and private sectors. If you're not sure what the job entails, take a look at the typical malware analyst job description I put together, along with my tips on how to be successful in this field. The bad news is that most organizations only want to hire experienced malware analysts. If you're looking to get into the field, I recommend finding a job that is focused on other aspects of security, while at the same time exposing you to opportunities for reverse-engineering malware. Once you get some malware analysis experience that way, pursue a job that focuses on this aspect of information security.
On-line Malware Analysis Articles
You can learn a lot about malware analysis on-line. I wrote a number of articles on the topic, so allow me to walk you through them:
- Get started with my article 5 Steps to Building a Malware Analysis Toolkit Using Free Tools. If using virtualization software to set up your lab, take a look at Using VMware for Malware Analysis.
- Read about the 3 Phases of Malware Analysis Process to get an overview of the key aspects of the malware-reversing effort and a related article Mastering 4 Stages of Malware Analysis.
- Got get a good sense for what typical output of the reversing process looks like, take a look at my post What to Include in a Malware Analysis Report and at Anuj Soni's article How to Track Your Malware Analysis Findings.
- As you continue to experiment with malware analysis, take a look at the cheat sheets I put together for reverse-engineering malware and analyzing malicious documents.
Malware Analysis Webcasts
I recorded several webcasts that can act as a good starting point for individuals getting into malware analysis:
- Introduction to Malware Analysis: Learn the two-phased approach to reversing malware, including an example of examining its code using a debugger.
- Introduction to Behavioral Analysis of Malicious Software: Take a closer look at the steps needed to analyze the behavior of a suspicious Windows executable, using a backdoor program as a practical example.
- Malware Analysis Essentials using REMnux: See some of my favorite REMnux tools in action for statically examining malicious Windows executables and other files.
- What's New in REMnux v4 for Malware Analysis: Get an overview of several handy tools added to REMnux as part of the version 4 release.
Books on Malware Analysis
There are also a few books you may want to explore to dig deeper into the topic of malware analysis, including:
- Practical Malware Analysis offers an excellent step-by-step walk-through of the steps and tools useful for examining malware. This book is good to read before as well as after taking the SANS FOR610 course on this topic.
- Malware Analyst's Cookbook provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
