How to Become (and Remain) a Malware Researcher

I am writing this post as requested by Peerlyst. In this post, I will present my unique take on both becoming and remaining a Malware Researcher.

The Two Most Important Ingredients

My take is that there are two ingredients that matter most in becoming a malware researcher:

  1. An obsessive passion to learn "how things work", no matter the time commitment and effort required; in other words, insatiable curiosity.

  2. The ability to enjoy a solitary job where much of the work is just you and the code.

The fact is, malware research requires a lot of specialized knowledge and skill, and it can be very challenging. It is far from impossible, but the type of challenges and work required will naturally weed out people who are not really into it or passionate about it. Obsessive passion and curiosity, on the other hand, will drive an analyst to crack anything eventually. So step 1 is: set up an isolated analysis environment (a lab VM with no path back to your real machines or network), grab some malware from a repository, and give it a shot. Is this something that you really enjoy? Is it something you could see yourself doing all day, every day, for countless hours on end? The answer for me was that I would start analyzing malware and the next thing I knew, I'd look at the clock, it would be 5-8 hours later, and I still didn't want to stop. This was an important factor in my decision to pursue malware research professionally.

How to learn

So let's say you share the passion and now want to know exactly what further steps I would recommend. Here they are:

  1. If you don't already know how to program, you should learn. I recommend learning Python, C, and x86-64 assembly, or ARM assembly if you want to do phone malware. If you can fully understand and use just those three languages, you will understand general software very well.

  2. Analyze malware in a lab using the common tools (I have a separate post introducing the Windows analysis tools I use at https://toddcullumresearch.com/2017/07/01/todds-giant-intro-of-windows-malware-analysis-tools/)
  3. Read books on malware (and “virus”) analysis, programming, and operating systems both general and specific
  4. Read technical blogs and follow other researchers on Twitter, keeping up with their work
  5. Attend conferences such as DEFCON and REcon
  6. Attend (or create) meetups in your area for malware analysis or InfoSec.
  7. Watch YouTube channels like L!NK, MalwareAnalysisForHedgehogs, Colin Hardy, hasherezade, OALabs, and Gynvael Coldwind
  8. Help others and ask questions on https://reverseengineering.stackexchange.com
  9. Don’t forget to keep programming. Even if you don’t have to actually write code each day as a malware researcher, it’s important to keep those skills up so you can automate reversing tasks, and continue to think like a regular software engineer as well.

In a nutshell, all of that will get you very, very far, and if done right, it won't cost you a whole lot of money. It will cost you a lot of time though, so be ready for that. I don't post the specifics here on which books to read, because I've already listed resources in another post, so check that out.

Becoming a professional

In order to become a professional, it's very helpful to show off some of your work. This both shows the quality of your work and where you're at, and it shows off your passion and love of malware analysis. One of the cool things about this field is that you can analyze as much malware as you want in your free time, create write-ups and videos, and post them on a blog or YouTube. This allows you to effectively "work" even when you are not a professional yet, and you can show off that work. You can also write your own analysis tooling in a programming language and put it up on GitHub. This will not only benefit the community and let you improve your coding skills, but it will gain you exposure and is more work you can show to a prospective employer. Certifications sometimes have their place, but I am not the only one who feels that demonstrated, tangible work like this is more valuable, and the nice thing is that it doesn't cost $1,000-$5,000 either!

Remaining a professional and being skilled

Malware research is a job that requires constant learning and honing of skills. Not only is there a huge breadth of applicable knowledge, but new trends, threats, and attacks are introduced each year. At the same time, it's important to understand the foundational basics and refresh yourself on them, so that you don't get caught up worrying about the trendy threats and let a 10-year-old attack technique slip right by you. For these reasons, plan on reading books, blogs, and papers indefinitely, and on honing your coding and reversing skills. The learning never stops.

I've found that it helps to take deep dives on different subjects. For example, lately I've taken a deep dive on cryptography and the math behind it. While that in and of itself is not malware research, the currently most popular and dangerous malware is ransomware, which is built entirely on cryptography, and the second most popular is bitcoin miners, which also rely on cryptography. Other subjects you could find yourself taking a deep dive on are specific exploits, operating system internals, specific malware types such as script-based malware, or the research that goes into developing a tool. For example, Karsten Hahn from G-DATA wrote a master's thesis on how malware abuses the PE file format in order to avoid detection, and provided an accompanying program to aid analysis. So that thesis had a research component, a writing component, and a coding component.

Another similar example is the work of Ange "Corkami" Albertini. Albertini is a reverse engineer at Google, and he has written papers and programs from his research on the PE file format. That research has been used heavily in the malware research community, because malware often abuses this format to do its dirty work.
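As an added illustration of the kind of PE-format abuse that Hahn's thesis and Albertini's research deal with, here is a small Python script of my own (it is not code from either of those projects, and it is not code from this post's author) that parses a PE header with nothing but the standard library and flags four layouts a packer or a deliberately malformed sample often shows: an entry point outside every section (in the headers, for instance), a section with no raw data but a large virtual size, a section whose raw data runs past the end of the file, and a section that is both writable and executable. The three input files are constructed inside the script as header-only stand-ins, not real samples; the section names, sizes and the 96-section loader limit check are my choices, not anything taken from the post.

```python
"""Minimal PE layout checks: parse the headers with struct and flag patterns
that packers and malformed samples commonly show. Added example; the input
files below are constructed in code, not real malware."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
MAX_SECTIONS = 96  # the Windows loader refuses images with more sections than this


def parse_pe(data: bytes) -> dict:
    """Read the DOS stub pointer, COFF header, entry point RVA and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    if nsections > MAX_SECTIONS:
        raise ValueError(f"{nsections} sections exceeds the loader limit; treat as malformed")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr, "chars": chars})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections, "size": len(data)}


def find_anomalies(pe: dict) -> list:
    """Layout heuristics; each one is a reason to look closer, not a verdict."""
    findings = []
    ep = pe["entry_rva"]
    if not any(s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"]) for s in pe["sections"]):
        findings.append(f"entry point {ep:#x} is outside every section")
    for s in pe["sections"]:
        if s["rsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes virtual (unpacking target?)")
        if s["rptr"] + s["rsize"] > pe["size"]:
            findings.append(f"{s['name']}: raw data ends past end of file")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: section is writable and executable")
    return findings


def build_sample(entry_rva: int, sections: list, file_size: int) -> bytes:
    """Assemble a constructed, header-only PE32 file for the checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    opt_size = 0xE0                                     # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
                     for name, vsize, vaddr, rsize, rptr, chars in sections)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(file_size, b"\0")


# Constructed samples. Section tuples: (name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, Characteristics).
RX = 0x60000020   # CODE | EXECUTE | READ
RWX = 0xE0000080  # UNINITIALIZED_DATA | EXECUTE | READ | WRITE
CLEAN = build_sample(0x1010, [(b".text", 0x200, 0x1000, 0x200, 0x200, RX)], 0x400)
PACKED = build_sample(0x12F00, [(b"UPX0", 0x10000, 0x1000, 0, 0x200, RWX),
                                (b"UPX1", 0x2000, 0x11000, 0x1000, 0x200, RWX)], 0x1200)
TRUNCATED = build_sample(0x40, [(b".text", 0x200, 0x1000, 0x800, 0x200, RX)], 0x400)


def scan(data: bytes) -> list:
    return find_anomalies(parse_pe(data))


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("packed", PACKED), ("truncated", TRUNCATED)):
        print(label, scan(blob) or ["no layout anomalies"])
```

Two caveats worth keeping in mind before turning heuristics like these into a triage rule: a legitimate .bss section also has no raw data and a non-zero virtual size, so the "unpacking target" check only carries weight together with the writable-and-executable flag (or an entropy measure on the sections that do have data), and a hostile header can point any of these fields anywhere, which is why the parser refuses section counts above the loader's limit and why a production tool would bounds-check every offset before reading it.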

Other subjects that you could dive into include deobfuscation of malware code, unpacking malware, devirtualizing VM-protected malware, using machine-learning algorithms to analyze malware, building a malware analysis sandbox like Cuckoo Sandbox or Joe Security Sandbox, etc …

Endless fun! Hope this helped.

其他你可以涉足的領域像是對惡意軟體的解混淆、脫殼、反虛擬化、使用機器學習演算法來分析惡意軟體、建造一個像 Cuckoo 或 Joe Security 的惡意軟體分析沙盒等等 … 好玩的不得了,希望這些對你們有幫助。