SANS Digital Forensics and Incident Response Blog

How to Get Started With Malware Analysis

Knowing how to analyze malware has become a critical skill for security incident responders and digital forensic investigators. Understanding the inner workings of malicious code and the way malware behaves on the infected system helps in deriving the indicators of compromise needed to locate malicious artifacts throughout the organization. The process also allows security professionals to assess the scope, severity and repercussions of the incident, and may help the organization bring the parties responsible for the incident to justice.

Since I teach the Reverse-Engineering Malware course at SANS Institute and have been active in this field for some time, I am often asked how one could get started with malware analysis. Below are my recommendations.

Entering the Field of Malware Analysis


Malware analysts are in high demand in both government and private sectors. If you're not sure what the job entails, take a look at the typical malware analyst job description I put together, along with my tips on how to be successful in this field. The bad news is that most organizations only want to hire experienced malware analysts. If you're looking to get into the field, I recommend finding a job that is focused on other aspects of security, while at the same time exposing you to opportunities for reverse-engineering malware. Once you get some malware analysis experience that way, pursue a job that focuses on this aspect of information security.

On-line Malware Analysis Articles


You can learn a lot about malware analysis on-line. I wrote a number of articles on the topic, so allow me to walk you through them:

Books on Malware Analysis


There are also a few books you may want to explore to dig deeper into the topic of malware analysis, including:
  • Malware: Fighting Malicious Code provides a foundation for understanding malicious software threats (I'm a co-author).
  • Malware Forensics focuses on incident response that involves malware, but also includes some malware analysis details.
  • The IDA Pro Book gets pretty deep into IDA Pro, which is a popular disassembler for compiled malicious executables, and is great for people who want to master this tool.
  • Malware Analyst's Cookbook and DVD provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.

Forums and Blogs for Malware Analysis


There are several on-line forums for malware analysis, including:

In addition, anti-virus companies have blogs where they share details about malware; you can often learn from them about malware threats and, sometimes, about malware analysis approaches. SANS Internet Storm Center sometimes publishes notes on malware analysis as well.

Malware Analysis Course


Last but not least, may I recommend the malware analysis course I teach at SANS? It has helped many professionals enter the field of reverse-engineering and malware analysis.

If you have recommendations on how to get started with malware analysis, please leave a comment.

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

12 Comments

Posted November 13, 2010 at 12:30 PM

Jason

Great post for someone like me who is just discovering malware analysis, thanks! From what I can tell so far, it also seems like having a good understanding of assembly and how Windows works is important. Unfortunately, that's all new to me so that's where I'm having the most trouble. Can you (or anyone else) recommend any sites or books in those areas to add to the list?

Posted November 15, 2010 at 2:50 PM

Lenny Zeltser

Jason, great question. I am still looking for the perfect assembly and Windows primer that's good for people looking to get started with malware analysis. In the meantime, I posted a few recommendations here: http://blog.zeltser.com/post/1581504925/get-started-with-malware-analysis

Posted November 15, 2010 at 7:52 PM

James

Interesting article - thanks.

One thing that always puzzles me is that there is so much info available on delving into the malware binary, but few good articles on how you identify the malware on a computer with 100,000 files in the first place!

Without an accurate infection date/time and with dozens of auto-start locations on Windows, poor hash libraries etc. - just finding the stuff in the first place is your first challenge! Do you just trust AV scanners to find it all? Perhaps you could address this in a future post.

Posted November 16, 2010 at 12:10 AM

Jason

Lenny, now I've got some good reading material for tonight. Thanks for pointing me in the right direction!

Posted November 19, 2010 at 8:07 AM

Greg

Thanks for the information. For my current Malware Reverse Engineering course, my final exam is to reverse one out of four pieces of malware given to me by the professor. Let's just say I am in a better position after visiting the multiple links provided by Lenny and almost done with my report. The code analysis section is the only part of the project that I am struggling with.

The Analyst Cookbook and DVD has been a great addition to my learning also.

Posted November 20, 2010 at 8:03 PM

Michael

Great post Lenny. There are many books that don't deal specifically with malware analysis, but that can help you a great deal with understanding how malware works. I made a list of them here: http://www.malwarecookbook.com/?p=49

Posted November 21, 2010 at 3:06 AM

Woodmann

Hi Lenny, thanks for the recognition.

Malware recognition has been very important in the world of RCE. I hope everyone who visits the woodmann sites can pick up a few tips to help them.

Woodmann

Posted December 16, 2011 at 2:52 AM

Mike

I'd like to throw in my two cents regarding JOBS in Malware Analysis. For those wishing to get into the field of Malware Analysis, you should start in a field that can lead you into the position. For example, I worked in a SOC for 7 years as a network analyst, starting off taking Snort-based IDPS alerts. Considering that many of the alerts were related to botnet traffic, worm propagation etc., my curiosity and studying of Malware Analysis naturally came with it. I wrote Snort signatures for our IDPS product and, in an attempt to stay ahead of the game, would set up honeypots, research blacklisted domains and set up virtual labs, all in an attempt to learn more and more about Malware. My attempts paid off in that in my last 2 years with the SOC I was promoted to being an Exploit Research Analyst, where the company paid for my taking of Lenny's course (GREM). Which was fantastic!
I presently work as a Senior Malware Analyst for IBM Global.

Posted April 24, 2012 at 6:43 AM

Viet Nguyen Chan

You should add the book "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" to Books on Malware Analysis. It's really great!

VietNC

Posted February 07, 2013 at 9:19 AM

Darryl Lane

Lenny, this is the first book I read and I felt it gave a good understanding of Assembly: "Hacking: The Art of Exploitation Book/CD Package 2nd Edition".

I agree with Viet, I've only just started reading "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" and I'm finding it a great read.

Posted November 26, 2013 at 10:46 PM

Dave

Lenny,
I am getting started on Malware Analysis. Do you have a recommendation on a good primer on assembly and Windows?
Thank you

Posted December 02, 2013 at 2:42 PM

Lenny Zeltser

Dave, take a look at a few recommendations I posted at http://blog.zeltser.com/post/1581504925/get-started-with-malware-analysis
