SANS Digital Forensics and Incident Response Blog

How to Get Started With Malware Analysis

Knowing how to analyze malware has become a critical skill for security incident responders and digital forensic investigators. Understanding the inner workings of malicious code and the way malware behaves on the infected system helps in deriving indicators of compromise that can be used to locate malicious artifacts throughout the organization. The process also allows security professionals to assess the scope, severity and repercussions of the incident, and may help the organization bring the parties responsible for the incident to justice.

Since I teach the Reverse-Engineering Malware course at SANS Institute and have been active in this field for some time, I am often asked how one could get started with malware analysis. Below are my recommendations.

Entering the Field of Malware Analysis

Malware analysts are in high demand in both government and private sectors. If you're not sure what the job entails, take a look at the typical malware analyst job description I put together, along with my tips on how to be successful in this field. The bad news is that most organizations only want to hire experienced malware analysts. If you're looking to get into the field, I recommend finding a job that is focused on other aspects of security, while at the same time exposing you to opportunities for reverse-engineering malware. Once you get some malware analysis experience that way, pursue a job that focuses on this aspect of information security.

On-line Malware Analysis Articles

You can learn a lot about malware analysis on-line. I wrote a number of articles on the topic, so allow me to walk you through them:

Malware Analysis Webcasts

I recorded several webcasts that can act as a good starting point for individuals getting into malware analysis:

Books on Malware Analysis

There are also a few books you may want to explore to dig deeper into the topic of malware analysis, including:

  • Practical Malware Analysis offers an excellent step-by-step walk-through of the steps and tools useful for examining malware. This book is good to read before as well as after taking the SANS FOR610 course on this topic.
  • Malware Analyst's Cookbook provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.

If you have recommendations on how to get started with malware analysis, please leave a comment.

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.


Posted November 13, 2010 at 12:30 PM


Great post for someone like me who is just discovering malware analysis, thanks! From what I can tell so far, it also seems like having a good understanding of assembly and how Windows works is important. Unfortunately, that's all new to me so that's where I'm having the most trouble. Can you (or anyone else) recommend any sites or books in those areas to add to the list?

Posted November 15, 2010 at 2:50 PM

Lenny Zeltser

Jason, great question. I am still looking for the perfect assembly and Windows primer that's good for people looking to get started with malware analysis. In the meantime, I posted a few recommendations here:

Posted November 15, 2010 at 7:52 PM


Interesting article - thanks.
One thing that always puzzles me is that there is so much info available on delving into the malware binary, but few good articles on how you identify the malware on a computer with 100,000 files in the first place!
Without an accurate infection date/time and with dozens of auto-start locations on Windows, poor hash libraries etc. - just finding the stuff in the first place is your first challenge! Do you just trust AV scanners to find it all? Perhaps you could address this in a future post.

Posted November 16, 2010 at 12:10 AM


Lenny, now I've got some good reading material for tonight. Thanks for pointing me in the right direction!

Posted November 19, 2010 at 8:07 AM


Thanks for the information. For my current Malware Reverse Engineering course, my final exam is to reverse one out of four pieces of malware given to me by the professor. Let's just say I am in a better position after visiting the multiple links provided by Lenny and am almost done with my report. The code analysis section is the only part of the project that I am struggling with.
The Analyst's Cookbook and DVD have been a great addition to my learning also.

Posted November 20, 2010 at 8:03 PM


Great post Lenny. There are many books that don't deal specifically with malware analysis, but that can help you a great deal with understanding how malware works. I made a list of them here:

Posted November 21, 2010 at 3:06 AM


Hi Lenny, thanks for the recognition.
Malware recognition has been very important in the world of RCE. I hope everyone who visits the woodmann sites can pick up a few tips to help them.

Posted December 16, 2011 at 2:52 AM


I'd like to throw in my two cents regarding JOBS in malware analysis. For those wishing to get into the field of malware analysis, you should start in a field that can lead you into the position. For example, I worked in a SOC for 7 years as a network analyst. I started off taking Snort-based IDPS alerts. Considering that many of the alerts were related to botnet traffic, worm propagation, etc., my curiosity and studying of malware analysis naturally came with it. I wrote Snort signatures for our IDPS product and, in an attempt to stay ahead of the game, would set up honeypots, research blacklisted domains and set up virtual labs, all in an attempt to learn more and more about malware. My attempts paid off in that in my last 2 years with the SOC I was promoted to Exploit Research Analyst, where the company paid for my taking of Lenny's course (GREM), which was fantastic!
I presently work as a Senior Malware Analyst for IBM Global.

Posted April 24, 2012 at 6:43 AM

Viet Nguyen Chan

You should add the book "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" to Books on Malware Analysis. It's really great!

Posted February 7, 2013 at 9:19 AM

Darryl Lane

Lenny, this is the first book I read and felt it gave a good understanding of assembly: "Hacking: The Art of Exploitation Book/CD Package 2nd Edition".
I agree with Viet, I've only just started reading "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software" and I'm finding it a great read.

Posted November 26, 2013 at 10:46 PM


I am getting started on malware analysis. Do you have a recommendation on a good primer on assembly and Windows?
Thank you

Posted December 2, 2013 at 2:42 PM

Lenny Zeltser

Dave, take a look at a few recommendations I posted at