SANS Digital Forensics and Incident Response Blog

Malicious Code Analysis: Michael Murr Explains How and Why

Michael Murr authored the malicious code analysis section of SANS' FOR610: Reverse-Engineering Malware course. In his brief interview, he shares his perspective on the role that code analysis plays in the reverse-engineering process, and how one might get better at this aspect of malware forensics.

What role does code-level reverse-engineering play in comparison to analyzing how malware behaves in a laboratory environment?

Analyzing the code for a specimen allows you to get a much greater understanding of what is actually happening behind the scenes. If anti-analysis tactics are used (e.g. VMware detection), you can find them by examining the code. You can also get a much better idea of the capabilities of a specimen, such as the commands it may support if it allows remote control. The biggest drawback of code-level analysis is that it can be quite time-consuming.

When I chat with IR and forensics professionals interested in malware analysis, they often express concerns regarding their lack of programming background. How important is it for a malware analyst to have a software development background?

I believe all knowledge is useful. :) With that in mind, a software development background is useful, but really not necessary. I find what helps most people are two things: a basic understanding of computer architecture, and a basic understanding of computer assembly. One book that I recommend to everyone starting off is Kip Irvine's Assembly Language for x86 Processors. You don't have to read the book before coming to the FOR610 class, but it's a good idea to at least be familiar with the concepts it covers. The book is a textbook and covers all of the material necessary to get a solid footing for reversing code.

What are some of your favorite tools for analyzing malicious code?

I try to keep it simple... I'm a big fan of IDA Pro and Python. IDA Pro is a commercial tool, but if you reverse code on a regular basis it's definitely worth the investment. Python is nice because it integrates well with IDA Pro, and there are a fair number of Python scripts for reversing code [and exploit development :)].

Honestly, a lot of what I end up writing code to do is to automate repetitive tasks.

How big of a problem do packers pose for analysts looking to examine malicious code?

Generally packers aren't the major issue. Using a combination of code-level analysis, memory analysis, and behavioral analysis techniques we can usually get to what we need fairly well. There are some packers that are more difficult, which usually just boils down to more time.

What are some of the tips you might offer for security professionals looking to get into or improve their malicious code-reversal skills?

  1. Practice: there is no shortage of malware to analyze
  2. Read what other people have done: there are some really smart people in this industry, and by keeping an eye on their blogs, papers, and presentations you can learn some really nifty stuff
  3. Persistence: don't give up, sometimes it can get difficult (especially when you're under a time crunch). Consider asking others for feedback. Don't forget that code-level analysis is just one type of analysis. When you're reversing malware the key is to use whatever you need to, such as both behavioral and code analysis, to get the job done. :)

Thanks to Michael for sharing his thoughts on analyzing malicious code. To better understand how this process fits into the overall reverse-engineering process, see an earlier post, 3 Phases of Malware Analysis.