How to Become (and Remain) a Malware Researcher
I am writing this post at the request of Peerlyst. In it I present my own take on both becoming and remaining a malware researcher.
The Two Most Important Ingredients
My take is that two ingredients matter most for becoming a malware researcher:
- An obsessive passion to learn “how things work”, no matter the time and effort required; in other words, insatiable curiosity.
- The ability to enjoy a solitary job where much of the work is between you and the code.
The fact is, malware research requires a lot of specialized knowledge and skill, and it can be very challenging. It is far from impossible, but the kind of challenges and work involved will naturally weed out people who are not really into it or passionate about it. Obsessive passion and curiosity, on the other hand, will drive an analyst to crack anything eventually. So step 1 is: set up an analysis environment, grab some malware from a repository, and give it a shot. Is this something you really enjoy? Is it something you could see yourself doing all day, every day, for countless hours on end? For me, the answer was that I would start analyzing a sample and the next thing I knew, I’d look at the clock, 5-8 hours had passed, and I still didn’t want to stop. That was an important factor in my decision to pursue malware research professionally.
How to learn
So let’s say you share the passion and now want to know exactly how I would recommend taking the next steps. Here are the steps I recommend:
- If you don’t already know how to program, learn. I recommend Python, C, and x86-64 assembly (or ARM assembly if you want to do phone malware). If you can fully understand and use just those three languages, you will understand general software very well.
- Analyze malware in a lab using the common tools
- Read books on malware (and “virus”) analysis, programming, and operating systems both general and specific
- Read technical blogs and follow other researchers on Twitter, keeping up with their work
- Attend conferences such as DEFCON and REcon
- Attend (or create) meetups in your area for malware analysis or InfoSec.
- Watch YouTube channels like L!NK, MalwareAnalysisForHedgehogs, Colin Hardy, hasherezade, OALabs, and Gynvael Coldwind
- Help others and ask questions on https://reverseengineering.stackexchange.com
- Don’t forget to keep programming. Even if you don’t have to write code every day as a malware researcher, keeping those skills sharp lets you automate reversing tasks and keeps you thinking like a regular software engineer as well.
In a nutshell, all of that will get you very, very far and, done right, it won’t cost you a lot of money. It will cost you a lot of time, though, so be ready for that. I don’t list specific books here because I’ve already listed resources in another post, so check that out.
Becoming a professional
In order to become a professional, it’s very helpful to show off some of your work. This shows both the quality of your work and where you’re at, and it shows off your passion and love of malware analysis. One of the cool things about this field is that you can analyze as much malware as you want in your free time, create write-ups and videos, and post them on a blog or YouTube. This lets you effectively “work” even before you are a professional, and you can show that work to prospective employers. You can also write tools for your analysis in a programming language of your choice and put them up on GitHub. This not only benefits the community and improves your coding skills, but it gains you exposure and is more work you can show a prospective employer. Certifications sometimes have their place, but I am not the only one who feels that demonstrated, tangible work like this is more valuable, and the nice thing is that it doesn’t cost $1,000-$5,000 either!
Remaining a professional and staying skilled
Malware research is a job that requires constant learning and honing of skills. Not only is there a huge breadth of applicable knowledge, but new trends, threats, and attacks are introduced every year. At the same time, it’s important to understand the foundational basics and refresh yourself on them, so that you don’t get caught worrying too much about the trendy threats and let a 10-year-old attack technique slip right by you. For these reasons, plan on reading books, blogs, and papers indefinitely, and on honing your coding and reversing skills. The learning never stops.
I’ve found that it helps to take deep dives into different subjects. For example, lately I’ve taken a deep dive into cryptography and the math behind it. While that in and of itself is not malware research, the most popular and dangerous malware right now is ransomware, which is built entirely on cryptography, and the second most popular is bitcoin miners, which also use cryptography. Other subjects you could find yourself taking a deep dive into are specific exploits, operating system internals, specific malware types such as script-based malware, or the research that goes into developing a tool. For example, Karsten Hahn from G-DATA wrote a master’s thesis on how malware malforms PE files to evade detection and provided an accompanying program to aid in analysis. So that paper had a research component, a writing component, and a coding component.
Another similar example is the work of Ange “Corkami” Albertini. Albertini is a reverse engineer at Google who wrote papers and programs in his research on the PE file format. That research is heavily used in the malware research community, because malware often abuses this format to do its dirty work.
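Two of the points above, keeping your coding skills up by automating reversing tasks and the way malware bends the PE format, can be illustrated together with a small PE header walker. The code below is an added example written for this post; it is not the author’s code and not the programs by Hahn or Albertini mentioned above. It assumes only the Python standard library, parses just the DOS, COFF, optional and section headers of a PE32/PE32+ image, and checks its own hand-built sample image (constructed inline, not real malware) for three classic header tricks: an entry point outside every section, a section that claims raw data past the end of the file, and an overlay appended after the last section.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B
MAX_SECTIONS = 96  # the PE/COFF spec says the Windows loader limits images to 96 sections


def build_sample_pe(entry_rva: int, text_raw_size: int, overlay: bytes = b"") -> bytes:
    """Hand-build a minimal PE32 image (constructed test data for this example, not real malware)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)      # 64-byte DOS header, e_lfanew at 0x3C
    opt = bytearray(224)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32)                           # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    # COFF header: Machine=i386, 2 sections, no symbols, optional header size, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    sections = [
        (b".text", 0x1000, 0x1000, text_raw_size, 0x200, 0x60000020),
        (b".data", 0x1000, 0x2000, 0x200, 0x400, 0xC0000040),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    body = b"\xCC" * 0x200 + b"\0" * 0x200                         # raw .text, then raw .data
    return headers + body + overlay


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> PE signature -> COFF -> optional header -> section table. No loader emulation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)     # same offset for PE32 and PE32+
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)
    table = opt + opt_size
    if table + nsections * 40 > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"magic": magic, "entry_rva": entry_rva,
            "size_of_headers": size_of_headers, "sections": sections}


def find_anomalies(pe: dict, file_size: int) -> list:
    """Flag header layouts that the loader tolerates but naive tools and scanners trip over."""
    issues = []
    secs = pe["sections"]
    if not secs or len(secs) > MAX_SECTIONS:
        issues.append("section count %d: empty or above the loader limit of %d" % (len(secs), MAX_SECTIONS))
    ep = pe["entry_rva"]
    # a section with VirtualSize 0 is mapped from SizeOfRawData, hence the fallback
    if not any(s["va"] <= ep < s["va"] + (s["vsize"] or s["rawsize"]) for s in secs):
        issues.append("entry point 0x%x lies outside every section (in the header or unmapped)" % ep)
    end_of_data = pe["size_of_headers"]
    for s in secs:
        end = s["rawptr"] + s["rawsize"]
        if end > file_size:
            issues.append("%s claims raw data up to 0x%x, past end of file (0x%x)" % (s["name"], end, file_size))
        end_of_data = max(end_of_data, end)
    overlay = file_size - end_of_data
    if overlay > 0:
        issues.append("%d bytes of overlay appended after the last section" % overlay)
    return issues


if __name__ == "__main__":
    cases = [("clean", build_sample_pe(0x1000, 0x200)),
             ("entry point in header", build_sample_pe(0x0, 0x200)),
             ("raw size past EOF", build_sample_pe(0x1000, 0x10000)),
             ("overlay", build_sample_pe(0x1000, 0x200, b"\0" * 32))]
    for label, image in cases:
        print(label + ":", find_anomalies(parse_pe(image), len(image)) or "no anomalies")
```

Running it prints the anomaly list for each constructed image; on a real sample, read the file bytes and hand them to parse_pe. The checks are deliberately loose approximations of loader behaviour (for instance, an entry point inside the header is still loadable, which is exactly why it makes a good trick), so treat each hit as a lead to investigate rather than a verdict.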
Other subjects that you could dive into include deobfuscation of malware code, unpacking malware, devirtualizing VM-protected malware, using machine-learning algorithms to analyze malware, building a malware analysis sandbox like Cuckoo Sandbox or Joe Security Sandbox, etc …
Endless fun! Hope this helped.