Knowing how to analyze malware has become a critical skill for security incident responders and digital forensic investigators. Understanding the inner workings of malicious code and the way malware behaves on the infected system helps in deriving indicators of compromise that can be used to locate malicious artifacts throughout the organization. The process also allows security professionals to assess the scope, severity and repercussions of the incident, and may help the organization bring the parties responsible for the incident to justice.
Since I teach the Reverse-Engineering Malware course at SANS Institute and have been active in this field for some time, I am often asked how one could get started with malware analysis. Below are my recommendations.
Entering the Field of Malware Analysis
Malware analysts are in high demand in both government and private sectors. If you're not sure what the job entails, take a look at the typical malware analyst job description I put together, along with my tips on how to be successful in this field. The bad news is that most organizations only want to hire experienced malware analysts. If you're looking to get into the field, I recommend finding a job that is focused on other aspects of security, while at the same time exposing you to opportunities for reverse-engineering malware. Once you get some malware analysis experience that way, pursue a job that focuses on this aspect of information security.
On-line Malware Analysis Articles
You can learn a lot about malware analysis on-line. I wrote a number of articles on the topic, so allow me to walk you through them:
- Get started with my article 5 Steps to Building a Malware Analysis Toolkit Using Free Tools. If using virtualization software to set up your lab, take a look at Using VMware for Malware Analysis.
- Read about the 3 Phases of Malware Analysis Process to get an overview of the key aspects of the malware-reversing effort.
- Continue with my free webcast Introduction to Malware Analysis. The webcast lets you download the malware sample, so you can experiment with it in your lab.
- To get a good sense of what the typical output of the reversing process looks like, take a look at What to Include in a Malware Analysis Report.
- As you continue to experiment with malware analysis, take a look at the cheat sheets I put together for reverse-engineering malware and analyzing malicious documents.
- Learn by reading other people's malware analysis reports; a good starting point is the listing I recently put together.
- If you are looking to automate your malware analysis steps, take a look at my article Free Toolkits for Automating Malware Analysis.
Books on Malware Analysis
There are also a few books you may want to explore to dig deeper into the topic of malware analysis, including:
- Malware: Fighting Malicious Code provides a foundation for understanding malicious software threats (I'm a co-author).
- Malware Forensics focuses on incident response that involves malware, but also includes some malware analysis details.
- The IDA Pro Book gets pretty deep into IDA Pro, which is a popular disassembler for compiled malicious executables, and is great for people who want to master this tool.
- Malware Analyst's Cookbook and DVD provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.
Forums and Blogs for Malware Analysis
There are several on-line forums for malware analysis, including: notes on malware analysis as well.
Malware Analysis Course
Last but not least, may I recommend the malware analysis course I teach at SANS? It has helped many professionals enter the field of reverse-engineering and malware analysis.
If you have recommendations on how to get started with malware analysis, please leave a comment.