Malware Analysis for Beginners
Hello everyone, malware analysis is a hot topic lately as the threats we work against in the cybersecurity industry become more advanced with each passing day. This creates demand for these types of skills in the industry. I’ve mentored and taught many malware analysts and what I’ve learned from this experience do not align with certifications. Although certifications are helpful, they are not what I’d recommend starting with from scratch. This guide aims to get you started in malware analysis without having to pay anyone any money. 😄
I would like to indicate that this is not a reverse engineering guide, this is simply a malware analysis guide to get beginners started on their longer journey. It will not cover every aspect of malware analysis either. Again, this is only to provide a starting point for those who are having trouble starting in the first place.
Before we get started learning malware analysis, you must know what malware analysis is as a high level concept.
Malware Analysis - The study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor. - https://en.wikipedia.org/wiki/Malware_analysis
This gives us a few pointers as to what malware analysis is. It describes it as the process of determining functionality of malicious software. For those of you who are completely unaware, malware can be simply defined as malicious software. In order to understand if anything is malicious or not, we need to understand the software’s intent. This is a much more complex subject than most would think, sometimes the intent is clear, encrypt all files and don’t provide user with a password, other times it is much more complicated. This complication can occur where you have software that can execute remote code and that is it’s only feature. This exists in legitimate software as well as malicious software. It really comes down to the observed usage of the software and the intent of its operators. Typically, we would associate a software like this as malware if we observe it as part of a malicious campaign run by threat actors.
Regardless of the philosophy behind what can be considered malware and what is considered goodware (legitimate software). This should help clarify to those who are starting to look at this field, that sometimes the most simple questions have no clear-cut answer. This world of analyzing potentially malicious software is at times shades of grey.
Avoiding Common Mistakes
Now that you have the fundamental concepts of what malicious software is and its limitations. I’d like to discuss some of the most common mistakes I see beginners make when trying to enter this field in cybersecurity.
When having conversations with those interested in malware analysis, they will ask about what certification to buy. They will be looking at very expensive certifications right away. This should be avoided as they have no idea if they even enjoy the work. It costs you nothing to use your own existing computer to download VirtualBox and spin up a Windows VM with internet disabled. With this you can start using some initial resources to get yourself started. There are plenty of resources online to help with this. I will be providing a list of resources to help get you started. Again, experimenting before you spend your hard-earned money is very easy in this digital age.
The vast majority of beginners I’ve worked with over the years will state they are going to start malware analysis. I tell them that’s great, then when we talk a month later and I ask them how it’s going they state they have not started yet. Most of them will then indicated they have no idea how to get started. They usually will not even have a VM created or anything started at all. In order to get properly started, you must first take that leap into the deep end. If you have a busy life like I did and having to learn all this while holding a full time job and having children, use a calendar, set alarms to remind you to spend dedicated time. Without proper time management, it will be difficult for anyone to make progress.
Malware analysis and reverse engineering is hard. You need to mentally prepare yourself to fail a lot. Even to this day, I will encounter puzzles as part of reverse engineering or analyzing malware that take me a very long time to solve. These failures are okay, the worst case will be really just rolling back a snapshot and trying again. I use this quote about traveling to the moon for inspiration.
We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone. - President John F. Kennedy
Replace moon with malware analysis, and it shall get you ready to go!
Failure’s not an option. It’s just a step. - Dwane Johnson
Realizing that failure are only steps on the path to success is very important to keep reminding yourself.
The academic industry is very hell-bent on having students remember facts and take tests. The inherent problem with this is most people will completely forget what they did. Going through my own self study, I learned that I learn best when I work on something practically. While the theory is good, it makes much more sense to work on applying that theory in the real-world. This gives you experience which connects to reason, which in-turn enables remembering concepts. This is very important as again, we have mostly been taught to only remember points of facts, without reason attributed to those facts, they will have a very short shelf life in your brain. For inspiration I like the following quote.
If you give a man a fish, you feed him for a day. If you teach a man to fish, you feed him for a lifetime.
We humans are not walking dictionaries or databases, the knowledge we retain has to be trained like a machine learning algorithm with a ton of failure on the way to success. Also, if you ever learned to drive a bicycle do you only learn theory about it then have to succeed the first time you ride it? No, you don’t, it’s the same concepts. You study the theory, then go you practice it for real and fail many times on the way to success.
Now that I have discussed with you the common mistakes beginners make in learning malware analysis. I’m going to do by best to lay out tools which everyone can use because they are open-source. Again, to get into this field all you need is the modivation, drive and time to do it. Please keep in mind this is not an extensive tutorial, it is a high level guide. Be resourceful and use Google if there is any of the steps you are having trouble with.
Focusing on the Purpose
As in any field of practice there is the fun part of the job, then there is the not so fun part of the job. Just analyzing malware without purpose benifits no-one except yourself. If you plan to make malware analysis a career you need to also focus on the purpose of the analysis you are performing. Typically, this purpose is to do the following.
- Write Detection
- Write Automated Extraction Tools like mwcfg
- Writing Technical Reports
If there is no goal or purpose to your work, no-one will pay you money for it. 😄
Creating your Virtual Machines
- Download VirtualBox
- Install VirtualBox
- Download Windows ISO
- Create Windows VM
- Create a Remnux VM (VirtualBox OVA)
I would recommend your first sample to be ransomware as it usually makes itself obvious and has clear behaviors for beinners to identify. There are a variety of sources you can get malware samples from, and I’ll list them here.
- AnyRun (public sandbox)
- HybridAnalysis (public sandbox)
- Triage (public sandbox)
- Cape (public sandbox)
When obtaining malware from different sites like this, download to your host machine but as an encrypted ZIP file. Once downloaded, if you have VirtualBox Guest Additions you should be able to drag and drop the file to your malware VM.
Performing your First Analysis
To get started there is no need to make it complicated.
- Execute Malware in a public sandbox
- Execute the malware in your VM
- Monitor with Procmon, Sysmon and Wireshark
- Identify the same behaviors highlighted by the sandbox in your own VM
- Write a report indicating key behaviors observed from start to finish
When you write your report, I recommend writing it in markdown format to start.
Once you have completed your report, save these and start building your own portfolio.
Establishing a Portfolio
Employers are always looking for value in your abilities, when employers are able to see that there is immediate value to your work through a portfolio. This makes their decision much easier and the easier their decisions the higher the probability you will get noticed for an interview.
To start your portfolio I’d recommend GitHub Pages. This will make it easy not just to have a place you can put your code for your portfolio but also have a website or blog as your portfolio.
The great thing about creating your own reports in markdown is that you can directly use those with GitHub Pages, and it will get converted into HTML for you.
Obtaining New Challenges
Helping the community is another great way to learn, most of us are sharing indicators of compromise and behaviors on Twitter. I would recommend signing up and looking for hashtags of different malware families from Malpedia and when someone needs help, try downloading the sample and helping them.
One of the things I like to do is to build my portfolio while also helping the community. This can be done simply by doing quote tweets with links to your analysis.
The great thing about doing this is that you will be able to help the community while also giving your portfolio a boost. Everyone wins!
If you wish to learn more about creating a more advanced malware lab, please refer to my KVM Malware Lab Guide.
If you have performed the tasks laid out from a practical standpoint, and you are enjoying yourself, now is the time to consider certifications. Not all certifications are created equally. I would recommend that you search for ones that have a good reputation but also have a practical component.
- John Hammond
- Niel Fox
- AhmedS Kasmani
- Colin Hardy
Malware analysis can be a daunting career to get started, as someone who taught myself from scratch with very little money to scrape together. If I was to do this all over again, this is exactly how I’d do it. Again, learning malware analysis requires you to actually start doing the work. Even if you don’t know anything, use this guide to give you the basic fundamental knowledge and resources and pivot into your journey from there. If this helps you and others are wondering how to get into the industry feel free to share this with them.