Introduction

I predict within the next 5-10 years, the number of malware analyst, researcher, and reverse-engineer jobs is going to skyrocket. So what is a malware analyst, malware researcher, and/or malware reverse-engineer in the first place and why will they be in high demand?

What is a Malware Analyst/Researcher/Reverse Engineer?

First of all, the slashes are because these are essentially 3 job titles that are either extremely related or the exact same thing, depending on the employer.

Simply put, a malware researcher is someone who studies, reverse-engineers, and finds ways to block or modify the behavior of malware. There is actually a lot involved here, because an analyst needs to know operating system fundamentals, programming languages, assembly languages, software engineering principles, and other computer science fundamentals such as algorithms and data structures, binary mathematics, and even some cryptography. As the saying goes, in order to reverse engineer, one must first know how to engineer… or at least it helps a great deal.

What is malware?

Malware stands for Malicious software. No matter what anyone says, software is simply a set (list) of instructions that a computer follows in order to do some work. Think of a program as a piece of paper with a recipe on it with instructions on how to cook an entree. The CPU follows these instructions and gets work done.

The reason malware in particular is so bad is that it is controlling your machine(s). Malware has the same potential capability as legitimate software does, and sometimes even more, since it is often specifically engineered to include vulnerability exploits. Malware has the power to watch and record your every move on a device such as your computer, tablet, or cell phone, send it to criminals, steal your information, or even attack other devices without you knowing. Malware can do many other things too, but this alone should be chilling enough – at any given point in time, you may have no clue that every conversation you have around your device is being recorded, and that all your passwords, bank info, your camera, and any private data that you’ve ever sent via email or that is stored on your device could be sent to a criminal. This can all happen completely silently, every time you turn your device on, all the way until it is powered off.

How is this possible?

There are 3 main reasons why malware can do all of the above, and more:

  1. Computers were not built for privacy and security – As mentioned above, when a computer runs a program, it’s following a list of instructions which are stored in its memory. This means that the instructions must be visible to the computer. Due to this fact, the instructions in programs are also visible to bad guys, and they can be manipulated. For example, criminals can search the instructions for a web browser such as Google Chrome and find vulnerabilities in it. Once they’ve done this, they can either sell the information to another criminal or they can create a program (malware) which exploits a vulnerability and allows the above behavior to happen. It’s as simple as that.
  2. Operating Systems give a lot of power to programmers – The average joe probably has no idea how much power is given to computer programmers by the operating systems – especially Windows and Linux. The same power which allows amazing applications like Adobe Photoshop and Call of Duty to be created also allows programmers to do things like create software which secretly infiltrates other, legitimate software on the computer and hides malicious instructions inside of it. There are almost an infinite number of ways that this can happen at this point. Bad… Very bad.
  3. Legitimate programs can be made to do malicious things – This is bad because detection is very difficult and often completely impossible for a regular computer user. For example, an operating system program which comes with your computer and is meant to perform maintenance tasks can have malicious code placed into its instructions. This means there is absolutely no visible way that you or any computer user can detect it if the bad guys did a good job of programming it. If you were to open up your task manager or activity monitor, the malware would appear nowhere at all, and you may see programs such as Mozilla Firefox running. However, the malware could be inside Mozilla Firefox, though it usually enters an important system process instead.

Internet of Things and the Cloud both unfortunately enhance the above

I want to make a special note here and explain that regardless of what joe blow tech company’s marketing department says, the Internet of Things and the Cloud exacerbate the above situation even more and are frankly creating a haven for criminals and so-called hackers. For one, they are encouraging people to connect more of their personal and sensitive data to the net in the first place and, in the case of IoT, placing physical security in the hands of the net as well. If you have any doubts about this, it’s not rocket science. There’s a saying: “The only secure network is no network at all.” Removing networking hardware from a computer altogether makes it much more secure.

This means that while becoming more “connected” offers some convenience, like, for example, being able to use your cell phone to unlock your front door, store your videos and photos on the cloud, and start your car with your Android, it opens up gigantic security holes as well. Unfortunately, these holes don’t sell tech products that the companies want you to buy, so they often get shoved under the rug.

Deadlines enhance the above

Unfortunately, companies don’t necessarily get paid any more money for triple-checking their applications for vulnerabilities, and they also often have strict deadlines imposed from above. This means that unfortunately, software is often hustled out the door, with gaping security holes and vulnerabilities just waiting to be discovered by criminals.

Advances in technology also enhance the above

There was a time, which I remember from when I was a young boy, when if I installed malware on my machine it was quite easy to detect, because it frankly slowed the computer down to a crawl and often popped up strange error messages. In modern times, processors are fast enough to run hundreds of programs at once, many in the background, without slowing the computer down at all. So the prospect of malware secretly and creepily running silent in the background is very real, and this happens every day.

But I have Antivirus and/or Antimalware

Anti-virus and antimalware are great tools to have and the truth is, they can help you protect your and your organization’s devices more than any alternatives. If you are extra worried, using several of these products can be helpful. However, there are a few caveats:

  1. Anti-malware and Anti-Virus is programmed to look for either malware which has already caused damage to some people or specific patterns that are common to malware. This means that if the malware has not yet been checked and identified by an analyst and/or the malware utilizes a new, unknown method to do its dirty work*, it’s going to cause some serious damage before it is detected.
  2. Even “advanced” antimalware which uses “AI” and machine-learning algorithms can be defeated in this way. In fact, as much as 1/3 of all malware has been found to go completely undetected by the security products [1]. As an analyst, I’ve personally seen dozens of antimalware products fail to detect extremely dangerous malware. If you have some malware you would like to test, upload it on https://virustotal.com to see for your own eyes. Malware will sometimes get a flag rate of 5 or 10 out of 60, meaning 50-55 antimalware products reported the malware as clean.
  3. The exploits can affect the antimalware or the operating system itself – of course antivirus, antimalware, and the operating system itself are just other programs… which can have vulnerabilities and be exploited. For example, if a Windows system vulnerability is discovered, it may allow malware to control or shut down antivirus before it unleashes its attack, and there is little a security vendor can do about it until Microsoft fixes the problem with the OS. In March of 2017, for instance, a vulnerability called DoubleAgent was discovered by Cybellum Labs [2] which defeated and completely controlled Norton, McAfee, Avast, AVG, Trend Micro, Kaspersky, ESET, BitDefender, Malwarebytes, and more, and this was after the absolute latest update was installed in all of these programs. This was because the exploit targeted the Windows operating system itself and was out of the control of these companies, as mentioned above.
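To make the first caveat concrete, here is a small added example (written for this page, not code from any real antivirus product) of the two kinds of signature the list above describes: an exact file hash, and a byte pattern an analyst has already extracted from a known family. The samples, family names and the check-in strings are all constructed for the example. The point it demonstrates is that an "unknown" result means nothing known matched, not that the file is clean, and that the only way a new sample becomes detectable is an analyst studying it and writing a rule.

```python
import hashlib

# Constructed stand-ins for three files on disk. None of these are real malware;
# they are opaque bytes with an embedded check-in string, enough to show the
# difference between hash and pattern signatures.
SAMPLE_KNOWN = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"BEACON-CHECKIN/1.0 host=203.0.113.7\x00\x11\x22"
)
# A variant of the known family: the operator changed only the host string, so
# the SHA-256 no longer matches, but the family's check-in marker is still there.
SAMPLE_VARIANT = SAMPLE_KNOWN.replace(b"203.0.113.7", b"198.51.100.9")
# A genuinely new family: nothing in the signature database describes it yet.
SAMPLE_NEW = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"HELLO-V2 srv=198.51.100.9\x00\x33\x44"
)
SAMPLES = {"known": SAMPLE_KNOWN, "variant": SAMPLE_VARIANT, "new": SAMPLE_NEW}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, hash_sigs: dict, pattern_sigs: list) -> tuple:
    """Classify one file against the signature database.

    Returns (verdict, method, name). A verdict of "unknown" only says that no
    hash and no pattern matched; it is not evidence that the file is benign.
    """
    digest = sha256_hex(data)
    if digest in hash_sigs:                      # exact match on the whole file
        return ("malicious", "hash", hash_sigs[digest])
    for pattern, name in pattern_sigs:           # substring match on a known marker
        if pattern in data:
            return ("malicious", "pattern", name)
    return ("unknown", None, None)


def demo() -> tuple:
    """Run the three samples through the scanner before and after an analyst
    adds a rule for the new family. Returns (verdicts_before, verdicts_after)."""
    # Signature database as it stood before anyone had looked at SAMPLE_NEW.
    hash_sigs = {sha256_hex(SAMPLE_KNOWN): "example.family.a"}
    pattern_sigs = [(b"BEACON-CHECKIN/", "example.family.a")]

    before = {name: scan(data, hash_sigs, pattern_sigs)[:2]
              for name, data in SAMPLES.items()}

    # The analyst reverse-engineers the unknown sample, finds its fixed check-in
    # prefix, and publishes it as a pattern signature. Only now is it detectable.
    pattern_sigs.append((b"HELLO-V2 srv=", "example.family.b"))

    after = {name: scan(data, hash_sigs, pattern_sigs)[:2]
             for name, data in SAMPLES.items()}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in SAMPLES:
        print(f"{name:8s} before: {before[name]}  after: {after[name]}")
```

Running it prints "unknown" for the new sample in the first pass and "malicious (pattern)" only after the rule is added, which is the gap between a sample first appearing and the product being able to flag it.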

This is what the CIA, NSA, FBI, hackers, and other intelligence organizations do

Media hype aside, WikiLeaks activity this and last year, such as the CIA’s Vault7 [3][4] and the NSA’s hacking tools [5], has essentially confirmed that the three-letter agencies and the intelligence community are finding zero day vulnerabilities, exploiting them, and not telling anyone. This means that unless someone at the software development firm, or another programmer, reports the vulnerability, there is no way for anyone else to know it exists, and it can thus continue to be exploited by some agency or hacker without anyone knowing, because it is completely undetected by any current anti-malware or anti-virus product. In fact, sometimes it is completely invisible to the operating system itself.

Malware is the worst kind of hacking

By now you should be seeing a pattern – from the iPhone’s NSO Pegasus [6], which was discovered last year, to the new Android Chrysaor malware [7], to the WikiLeaks about the intelligence agencies… In fact, even Stuxnet [8], the program known for delaying Iran’s nuclear program by 2 years, was malware. The biggest and worst attacks we hear about in the media, that journalists just call “hacking”, are usually attributed to malware. Even many of the data breaches with millions of stolen records are caused by malware spying on company systems or endpoints such as credit card readers and cash registers. With folks now “connecting” their household doors and lighting, automobiles, airplanes, trains, power plants, traffic signals, surveillance cameras, and even nuclear reactors, it should be crystal clear that malware is about to become a whole lot more life-threatening if things continue the way they are headed. So, what can be done? Enter the Malware Analyst.

Why do you and/or your organization need a Malware Analyst?

Malware analysts have the tools and ability to locate, track, remove, and in some cases, reverse the damage of malware that is currently undetected by even the best and most up-to-date anti-malware and anti-spyware programs. Analysts are able to detect malware that is completely invisible to the normal computer user and even other IT professionals. There is no substitute for a Malware Analyst; even AI and other automated software cannot perform the job in the same way, in the same amount of detail, that a human analyst can. Malware analysts use a unique combination of skills, methods, and intuition that even many computer programmers are not familiar with in order to protect your organization’s systems in both proactive and reactive capacities. During times where there are no active incidents or investigations, a malware analyst will be researching the current methods that criminals are using to infect systems with malware and how to detect, stop or reverse them. He/she will also be researching weaknesses in your organization’s systems and possible vulnerabilities, as well as weaknesses in malware which pose threats to the organization’s systems. If there is a suspected or known infection or event, analysts have the skills and tools necessary to analyze the malware’s behavior and programming code, exposing what damage the malware has done or is capable of doing, in ways that automated tools and “sandboxes” cannot.

In some cases where an attacker makes a mistake, a Malware Analyst may even be able to uncover evidence that could lead to prosecution of an attacker. For example, an attacker may leave personally identifiable information somewhere in the malware, such as an email address, IP address, or social media link. Last but not least, part of malware research involves having a reading list of blogs and Twitter feeds of many other members in the community, providing immediate alerts of newly discovered threats in real time that may otherwise go unrealized by an organization for days, weeks, or months.
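As an added illustration of the "attacker leaves information in the malware" point (example code written for this page, not a tool from the author or any project), the following pulls printable strings out of a binary blob and sorts them into the indicator types an analyst looks for first: email addresses, IPv4 addresses, URLs and leftover debug (PDB) paths. The sample bytes are constructed; the email uses the reserved example.com domain and the address is from the 203.0.113.0/24 documentation range. This is the same first pass a `strings` tool gives, with the indicator classification layered on top.

```python
import re

# Constructed stand-in for a suspicious file: opaque bytes with a handful of
# embedded strings of the kind that can identify whoever built it.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"\x00\x00contact: dropper-dev@example.com\x00\x00\x13\xb7"
    b"http://203.0.113.7:8080/gate.php\x00\x7f\xc5"
    b"C:\\Users\\builder\\Desktop\\project\\loader.pdb\x00\x00"
    b"\x01\x02ok\x00"
)

MIN_STRING_LEN = 6
# Runs of printable ASCII at least MIN_STRING_LEN long, like `strings -n 6`.
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Indicator patterns. None of these contain capturing groups, so findall()
# returns the whole match.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL = re.compile(r"https?://[^\s\"'<>]+")
# Windows debug symbol paths often embed the developer's user name and project.
PDB_PATH = re.compile(r"[A-Za-z]:\\[^\x00]*?\.pdb", re.IGNORECASE)


def extract_strings(data: bytes) -> list:
    """Return the printable ASCII strings in the blob, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def extract_indicators(data: bytes) -> dict:
    """Classify the extracted strings into indicator types (sorted, de-duplicated)."""
    found = {"emails": set(), "ipv4": set(), "urls": set(), "pdb_paths": set()}
    for s in extract_strings(data):
        found["emails"].update(EMAIL.findall(s))
        found["ipv4"].update(IPV4.findall(s))
        found["urls"].update(URL.findall(s))
        found["pdb_paths"].update(PDB_PATH.findall(s))
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE).items():
        print(f"{kind:10s} {values}")
```

On a real file the interesting part is what is *not* in these lists: a blob with almost no strings usually means the payload is packed or encrypted and the analyst has to unpack it (or run it in a sandbox and dump memory) before this pass yields anything.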

Conclusion

Malware is a threat which is here to stay and get more severe as long as computers are around. With 1/3 of malware going completely undetected, hackers and the government using and selling zero-day exploits, and folks connecting more and more devices to the Internet, I stand by my prediction that Malware analysts will be a hot commodity as financial and physical damages from networked devices infected with malware become more severe. For more information, questions, or if you would like a malware analysis, please contact me at todd@ the domain listed in your address bar above or leave a comment on this page.

*New, unknown methods of doing dirty work are often referred to as zero day (0-day) exploits. These are exploits that allow an attacker to get around security measures or force a legitimate program to do something that it was not intended to do. At first, this may not sound so bad, but when you realize that the software which controls the actual physical computer hardware, as well as entire cloud services, can and often does have zero days, it may make the picture clearer. In fact, these exploits can be chained together to create an entire attack suite.

Bibliography

1. Seals T. One-Third of All Malware Goes Undetected by AV. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/onethird-of-all-malware-undetected/. Published March 31, 2017. Accessed April 9, 2017.
2. DoubleAgent: Taking Full Control Over Your Antivirus. Cybellum. https://cybellum.com/doubleagent-taking-full-control-antivirus/. Published March 22, 2017. Accessed April 9, 2017.
3. Vault7 – Home. WikiLeaks. https://wikileaks.org/ciav7p1/. Published March 7, 2017. Accessed April 9, 2017.
4. Khandelwal S. WikiLeaks Reveals CIA’s Grasshopper Windows Hacking Framework. The Hacker News. http://thehackernews.com/2017/04/wikileaks-cia-malware.html. Published April 7, 2017. Accessed April 9, 2017.
5. Nakashima E. Powerful NSA hacking tools have been revealed online. The Washington Post. https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html?utm_term=.c591bc565b41. Published August 16, 2016. Accessed April 9, 2017.
6. Perlroth N. How Spy Tech Firms Let Governments See Everything on a Smartphone. The New York Times. https://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html. Published September 2, 2016. Accessed April 9, 2017.
7. Cimpanu C. Google and Lookout Discover Highly Advanced Android Spyware. BleepingComputer. https://www.bleepingcomputer.com/news/security/google-and-lookout-discover-highly-advanced-android-spyware/. Published April 4, 2017. Accessed April 9, 2017.
8. Zetter K. An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. Wired. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/. Published November 10, 2014. Accessed April 9, 2017.