How to get started with Malware Analysis

So it’s been a while since I last posted anything – I’ve been extremely busy with exams season coming up, but I had a bit of spare time so I decided to post something. Expect more regular posts over the holidays, and I hope to revamp the website a bit so it looks cleaner (and finally get it it’s own domain!). I originally wasn’t sure what to post, as the reverse engineering/malware analysis posts take a while to do, until I started to get some messages about getting into malware analysis and the best resources out there, and therefore this post will be about how I got started with Malware Analysis and learnt the basics of Assembly, and how you can too. So let’s get into it!

I originally began to teach myself about offensive security a couple years back, which is how I got into the cyber security field. As per usual with a lot of newcomers to the field, I downloaded Kali Linux and started to learn how to use the tools that were pre-installed, such as Metasploit and NMap. I also began to write Python scripts to automate tasks, which is one of the most useful skills I have to date due to the wide range of functionality Python can have on everything. Over time, I developed an interest in malware, and as I didn’t have a huge pentesting lab (there was only so much you could do with Metasploit and a Windows VM), I started to write my own (terrible) malware in Python, and then eventually I advanced to C. This helped me to learn both languages, especially in C where I learnt about different API calls. At this point, it was 2017 and the WannaCry incident was occurring. I took an interest in this and began to read up more about ransomware and the leaked NSA framework. After hearing about how Marcus (MalwareTech) was able to prevent any new infections by registering a domain, I checked out his site (here) and began to venture into Malware Analysis.

Through doing so, I found multiple websites and YouTube channels that helped me progress further and further. Here is that list:

Let’s say you have a solid understanding of Malware Analysis, but you’re struggling to find resources to learn Assembly for Reverse Engineering as the majority of resources are aimed at writing Assembly. Well here is a list for you:

Maybe you want a physical product that you can read and apply whether or not you have a strong internet connection? Check these out:

Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation

Reversing: Secrets of Reverse Engineering

Perhaps you know Assembly already, but want some more help with understanding what tools to use when or how to master IDA Pro, and prefer a more physical tutorial rather than online PDF’s and videos. Here is a list of books that solve all of that and more:

Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler

Or maybe you have a solid understand of malware analysis and assembly, and you want to learn more about let’s say Network Protocols or Cryptography, or Forensics? I have all of these books and they each contain extremely useful information, I highly suggest you take a look at them!

Attacking Network Protocols: A Hacker’s Guide to Capture, Analysis, and Exploitation

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Serious Cryptography: A Practical Introduction to Modern Encryption

Whether or not you have a solid understanding of malware analysis, I personally find the best way to learn something is by doing. I probably wouldn’t have come this far in my quest to learn each individual aspect of Malware Analysis if it wasn’t for VirusBay. As a less well known researcher, I was unable to get new samples, and so I was stuck with extremely out of date malware, and so I couldn’t get a good idea of the current techniques. That was until I found VirusBay. After getting accepted, I was able to view the latest pieces of malware, that were being uploaded by researchers all over the world. This catapulted me to the point where I could write posts on this site about new pieces of malware, APT level or not. As a result of this, I was able to get an account on Hybrid Analysis and a few other vetted malware researcher sites, allowing me to gain access to newly seen in the wild malware. All of this put together has increased my overall knowledge of malware analysis, and connected fields such as Incident Response. All of this may look like a lot, but if you persevere and have the motivation, you’ll be able to take it in in no time! As always, if you have any questions, feel free to contact me over Twitter (@0verfl0w_) or through this site! Thanks for reading!

Article Link: