Interested in Malware Analysis - need advice

11 Posts
7 Users
0 Likes
671 Views
(@tstar49)
Posts: 6
Active Member
Topic starter
 

Hi, I am currently a student at George Washington University's High Tech Crime Investigation Masters program. I'm not sure what path I want to take yet within the field. However, I am interested in looking into the Malware Analysis track. But I don't know what steps I need to take. This is my academic and professional background:

Bachelor of Science in Information Systems from Stony Brook University in NY (I spent a good amount of time programming, mainly in Java).
7.5 years of Software Quality Assurance, where I've held the following roles: QA Tester, QA Manager, QA Director, Sr. QA Analyst, Lead QA Analyst. During my QA years, I did little programming.

Now, I am trying to learn Python and work on a couple of personal projects to help me get back into coding. I plan to obtain the source code of malware if possible and learn to read it so I can understand it. However, I would like to know what else I can do. Are there certifications that I would need to go for? Technically, I know I am behind and would need a lot of work. Any advice is greatly appreciated!

Thanks,
Truc

 
Posted : 24/05/2012 8:17 pm
(@jgarcia)
Posts: 25
Eminent Member
 

You might want to start by picking up copies of Malware Analyst's Cookbook & Practical Malware Analysis. They are both getting excellent reviews. I own both, but I am only up to Chapter 2 in PMA. So far, so good.

If you can afford it, the SANS Institute Reverse Engineering Malware course is excellent. I had taken it with Lenny Zeltser and he is a fantastic instructor. Lenny is also the lead author for the course. Mandiant also has Malware Analysis courses, but they do not list their prices on their site. Might be worth looking into also.

Hope this helped you a little.

Joe G.

 
Posted : 29/05/2012 8:32 pm
(@tstar49)
Posts: 6
Active Member
Topic starter
 

Thanks very much! During my research, I came across the names in your post. I will definitely take up on your advice.

 
Posted : 30/05/2012 11:31 pm
 Timu
(@timu)
Posts: 1
New Member
 

Malware analysis is typically done at the assembly language level. I'd recommend getting the free version of the IDA disassembler and getting to understand disassembled code if you're really keen on malware analysis, because generally you're not going to have the source code of a particular piece of malware available when it comes time to analyse it; you're only going to have the executable binary. Reversing is a really sought-after skill in the malware and AV world. I've found that if you have any skill in it at all, there will be companies willing to take you on and help you develop those skills.

But I would definitely say, start playing with disassemblers.

 
Posted : 01/06/2012 7:30 am
(@tstar49)
Posts: 6
Active Member
Topic starter
 

Thanks a lot for your advice! It's all very overwhelming but I'm looking forward to it.

 
Posted : 02/06/2012 7:51 am
(@trewmte)
Posts: 1877
Noble Member
 

tstar49

One aspect you may no doubt encounter during your degree involves rootkits and how tests may need to be carried out under 'virtual machine' and 'physical hardware' conditions. You may find it useful to know at this stage that malware investigations examined under virtual machines have been shown not to emulate intricate hardware nuances in a faithful manner, which can result in some malware (Storm Worm and Conficker) failing to activate on a virtual machine. This can be a useful tip to remember when balancing the relevance of 'live forensics' operational testing as opposed to 'post-imaging' operational testing. Two useful references are:

T. Garfinkel, K. Adams, A. Warfield, and J. Franklin. Compatibility is not transparency: VMM detection myths and realities. In Proceedings of the 11th Workshop on Hot Topics in Operating Systems (HotOS-XI), May 2007.

B. Zdrnja. More tricks from Conficker and VM detection. http://isc.sans.org/diary.html?storyid=5842, 2009. This webpage from SANS is still available.

As malware and mobile phone examinations may also have a presence within the scope of your degree, very little has been done in the area of Python programming and malware investigations on mobile phones. To understand how Python can be used with mobile phones, you may wish to have a look at the "wammu" and "gammu" projects, which are Python based.

- http://wammu.eu/
- http://wammu.eu/gammu/

Good luck

 
Posted : 03/06/2012 9:03 pm
(@tstar49)
Posts: 6
Active Member
Topic starter
 

Thanks so much for your advice, trewmte!

A question for all. Is there such a thing as malware forensics? I think what I would like to eventually do is fuse malware analysis with digital forensics. Are there any great courses I can take that are more affordable for someone who is not working at all?

 
Posted : 14/06/2012 2:57 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

tstar,

Why would you need a course?

If by "malware forensics", you are looking to determine the effects that malware had on the system that it had infected, there are a number of resources available on the subject that don't require you to attend a course.

For example, there are two very good malware analysis books that have come out recently that go into some detail regarding monitoring or determining the effects of malware as it interacts with its "eco-system". In my blog, I've provided a number of posts where I discuss malware characteristics and how to use those to develop an understanding of malware.

These are just a few of the resources available to you.

With some free and open source tools, some time, and some effort, you can build up quite a bit of capabilities and expertise in this area, without paying for a course.

 
Posted : 14/06/2012 4:18 pm
(@heferyzan)
Posts: 1
New Member
 

If you don't mind crossing a bridge, there is an excellent Malware Reverse Engineering course (CFRS 761) being taught at George Mason University in Fairfax, VA through the Computer Forensics Master's program. You could sign up as a non-degree student and take it during the evenings in the Fall or Spring semester, then (depending where you are in your GW program) transfer the credits when you're finished.

 
Posted : 26/09/2012 6:56 pm
(@tstar49)
Posts: 6
Active Member
Topic starter
 

Thanks very much! I will definitely look into this.

 
Posted : 26/09/2012 8:38 pm
Page 1 / 2