
How to get started with Malware Analysis

So it’s been a while since I last posted anything – I’ve been extremely busy with exam season coming up, but I had a bit of spare time so I decided to post something. Expect more regular posts over the holidays, and I hope to revamp the website a bit so it looks cleaner (and finally get it its own domain!). I originally wasn’t sure what to post, as the reverse engineering/malware analysis posts take a while to write, but then I started to get messages about getting into malware analysis and the best resources out there. So this post is about how I got started with Malware Analysis and learnt the basics of Assembly, and how you can too. Let’s get into it!

I originally began to teach myself about offensive security a couple of years back, which is how I got into the cyber security field. As with a lot of newcomers to the field, I downloaded Kali Linux and started to learn how to use the tools that were pre-installed, such as Metasploit and Nmap. I also began to write Python scripts to automate tasks, which is one of the most useful skills I have to date because Python can be applied to almost anything. Over time, I developed an interest in malware, and as I didn’t have a huge pentesting lab (there was only so much you could do with Metasploit and a Windows VM), I started to write my own (terrible) malware in Python, and then eventually I advanced to C. This helped me to learn both languages, especially C, where I learnt about the different Windows API calls. At this point it was 2017 and the WannaCry incident was occurring. I took an interest in this and began to read up more about ransomware and the leaked NSA framework. After hearing about how Marcus (MalwareTech) was able to prevent any new infections by registering a domain, I checked out his site (here) and began to venture into Malware Analysis.

Through doing so, I found multiple websites and YouTube channels that helped me progress further and further. Here is that list:

Let’s say you have a solid understanding of Malware Analysis, but you’re struggling to find resources to learn Assembly for Reverse Engineering, as the majority of resources are aimed at writing Assembly rather than reading it. Well, here is a list for you:

Maybe you want a physical product that you can read and apply whether or not you have a strong internet connection? Check these out:

Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation

Reversing: Secrets of Reverse Engineering

Perhaps you know Assembly already, but want some more help with understanding which tools to use when, or how to master IDA Pro, and prefer a physical book rather than online PDFs and videos. Here is a list of books that cover all of that and more:

Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler

Or maybe you have a solid understanding of malware analysis and assembly, and you want to learn more about, let’s say, Network Protocols, Cryptography or Forensics? I have all of these books and they each contain extremely useful information; I highly suggest you take a look at them!

Attacking Network Protocols: A Hacker’s Guide to Capture, Analysis, and Exploitation

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Serious Cryptography: A Practical Introduction to Modern Encryption

Whether or not you have a solid understanding of malware analysis, I personally find the best way to learn something is by doing. I probably wouldn’t have come this far in my quest to learn each individual aspect of Malware Analysis if it wasn’t for VirusBay. As a less well-known researcher, I was unable to get new samples, so I was stuck with extremely out-of-date malware and couldn’t get a good idea of current techniques. That was until I found VirusBay. After getting accepted, I was able to view the latest pieces of malware being uploaded by researchers all over the world. This catapulted me to the point where I could write posts on this site about new pieces of malware, APT level or not. As a result, I was able to get an account on Hybrid Analysis and a few other vetted malware researcher sites, giving me access to malware newly seen in the wild. All of this put together has increased my overall knowledge of malware analysis and connected fields such as Incident Response. It may look like a lot, but if you persevere and have the motivation, you’ll be able to take it in in no time! As always, if you have any questions, feel free to contact me over Twitter (@0verfl0w_) or through this site! Thanks for reading!

Enjoy my blog posts and wish to support me and the site? I now have a Patreon 🙂
You can find it here

Author

0verfl0w_

Comments (6)

  1. Setting Up a Safe Malware Analysis Environment - 0ffset
    3rd January 2019

    […] on with the previous post of getting started with malware analysis (you can find it here), I’ve had requests to do a write up on how I setup my environment for analysis. This guide […]

  2. Steve
    21st January 2019

    Informative deposition.

  3. saltwrx
    22nd January 2019

    Nice collection of resources. Thanks!

  4. Versace
    11th June 2019

    How much time did you take to fully comprehend assembly as much as you were comfortable with writing in assembly?

    I understand it all depends on your grasping power but I really am struggling to understand how much time is too much and what pace is too slow.

    • 0verfl0w_
      12th June 2019

      Hi! So it all depends really on if you want to be able to write assembly – I pretty much always program in C or Python, and don’t actually touch assembly, so I only really know how to read it and understand it, rather than write it. For malware analysis I wouldn’t say it is necessary to write assembly, but it is important to be able to understand it if you want to be able to reverse engineer the samples. And everyone has their own pace as well, I personally would focus on getting the basics done, so knowing the registers, how memory works etc. and then move onto actually reverse engineering samples – this gives you a more practical approach as you’ll learn about assembly from looking at assembly in malware, meaning everything is relevant.

  5. Jason Anderson
    12th November 2019

    Hi.
    First of all thanks so much for nice resources and information.
    I’m totally a beginner in reverse engineering and binary exploitation.

    Can you plz give me a roadmap {0 to 100},
    How can I become really good in reverse engineering and binary exploitation, understanding the memory structure, the memory vulnerabilities, buffer and heap overflow and etc.

    Plzzzz help
