Most people know the process of software design, programming or scripting. They use their favorite IDE (Integrated Development Environment) to program or script something up. They might even know how to read assembly language, the complex layer that sits just below most commonly used high-level programming languages. What many do not know is how to do this in the opposite direction: how to take a piece of malware and examine it so that the original intent of its author becomes clear and visible to the world. Malware analysis and reverse engineering is how many popular pieces of malware have ended up being de-weaponized, such as the wildly rampant WannaCry. Malware analysts are, in reality, the same as programmers, just with an extra sprinkle of machine-level knowledge.
In order to accomplish their goal, malware analysts work from the lowest layers of a machine up to the level of human-readable code. While some may think that the career only involves software and other programming-related items, the reality is that a malware analyst could work with anything from a PDF to a malicious web link. The main skill they need is assembly language knowledge, as mentioned before. This is because assembly language is the highest-level language that can be recovered from a binary. Malware analysts are working up from the 1s and 0s on a disk.
There are a variety of tools that these analysts use from day to day. Some are better known than others, such as IDA Pro. The list of tools is long, but there are aggregation lists where you can see most of them together, such as the two links below, with a popular network security forum as an added bonus:
- Andrea Fortuna’s Malware Analyst Resources List
- Github Awesome Malware Analysis Curated List
- Netsec Subreddit
It’s important to note that malware analysis and reverse engineering is a tough field to get into, mainly because the knowledge needed is not typically that of an entry-level employee. An in-depth knowledge of programming is the basis. To start, learn a language or two. Whether it’s Python or C++, the foundation you receive is crucial to understanding the assembly code that you’ll work with. For a sample of what a malware analysis outcome looks like, you can take a look at this ESET blog post, where their internal researchers found the first UEFI (Unified Extensible Firmware Interface) rootkit seen in the wild that was used in a cyberattack: