
Malware programming

NeghVar

Before you jump to conclusions, I am working on a degree in digital forensics and I recently saw a job offer in the field with specialization in malware reverse engineering and decompiling. What programming language is commonly used to write malware? I am considering taking a few courses in the languages to get a general understanding of how they are written.
 
Learn in-depth, advanced Windows programming in C - systems-level stuff like threads, DLLs, etc. Learn assembly language and how to use debuggers like OllyDbg so you can determine what malware does and how it works.
 
Most of the malware I've actually seen in the workplace and bothered to mess with was written in, funny enough, Visual Basic.

However, for your purposes, you're probably better off learning a low level language like C++, and you probably should be learning some computer architecture as well. Look for classes on these, because classes on these at a good school will usually have you learning how to use debuggers and disassemblers.

Of course, my greater concern is that you're not going to acquire the skills necessary for a job in 'malware reverse engineering and decompiling' just by learning a couple of languages and taking a couple of classes. Does your degree offer the ability to complete a cognate or minor in computer science? Does your school hire students as part-time programmers or IT techs on-campus? Can you look for internships or co-ops in programming or software development? Certainly there's no need to dedicate your entire education to computer science, but if you're interested in that job you should be interested in doing more than just learning a couple of programming languages.

Most jobs are just looking to see if you have a good foundation in that area (i.e., are you trainable), and will train you into complete proficiency, however, reverse engineering malware is something that you're going to want a lot of theory and practice with. I don't believe, for example, that simply learning Visual Basic or some other language is going to give you any advantage in understanding how viruses are written, especially if you're not learning said language to a deep extent.
 
There are a lot of books to get you started:

 
This is the area I work in nowadays, related to malware involving video games. It is very difficult to get into and learn because it is taboo with some people and most schools do not have courses directly in reversing.

The languages that matter the most for reversing currently are x86 assembly, C, and C++. ASM is the most important of all of them because it is the common language holding it all together on the Windows PC side of things.

The 2 power house tools that you will use the most are OllyDbg and IDA Pro. IDA Pro being the main as running malware isn't always the best idea with some of them having payloads. The list of tools goes on.

The knowledge of data structures, design patterns, and computer architecture is a must, as well as the Windows API. A good start would be to write your own simple programs and reverse them. This sounds easier than it is when first starting out.
 
I'm not really looking to get the position I mentioned above, but I think it would be useful to have some intermediate knowledge of certain things to look for, or what I am looking at, in code found on a suspect's computer.
 
Sorry for the necro.

I just want to say that I'm a Cyber Security Analyst for a Fortune 50 and malware deconstruction is hardly worth anything unless you plan on going into working for a major player in the field... Most, if not all companies that have the resources to have even a Cyber Security "team" or individual do not spend any time decompiling malware to find out what it has done. There are so many other systems in place (or at least should be) that can tell what was exfiltrated from the network, such as packet level logging, SIEM applications and any IDS/IPS devices on the network. The most you are ever going to need to know is what domains the infected machine reached out to externally and how much data it was. For $200/h you can hire a professional to review the malware and give an extensive report. The cost of employing someone for the 1-2 times a year you actually need to go to the level of decompiling malware (most of it is off the shelf crimeware and not the APTs) doesn't equal the 80-150k/y salary of someone with those skills. IMO, if you are interested in this sort of field, I would say the money would be much better spent on network forensics, security architecture and data analysis and correlation using industry standard tools like SIEM and other network monitoring tools (Wireshark even).

I may be wrong here as I've never evaluated the market for malware deconstruction, I'm not looking for an argument. I just wanted to state my professional opinion and hopefully help someone out.
 
I agree with the above poster, I don't know of anyone who does it in house. The big AV companies have packages available if you have enough seats that include 2 hour turn around on any file you upload for a full report.
 
I have used wireshark in a transparent bridge mode on linux to find out what was going on and which machines it is coming from many times.
Sonicwall viewpoint can do the same thing for sonicwall routers.
Being able to tell what does not belong or what is suspicious is more of a black art than a science. Some people with min. training can look at the traffic and say that is wrong where others even with hours of training will never see it.
 

This, I'm a Cyber Security Analyst at a major hospital and handle most of the incident response and forensics. The most I'll end up doing is run the malware through Wireshark to check for network activity and look to see what it does locally by running it on an isolated VM. We do this to get some indicators of compromise to make sure that we can detect and block it network-wide. 9/10 times, by the time we are done, Symantec has already released a new definition.
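As an added example (not code from any poster in this thread), here is the kind of triage the last two posts describe: take per-packet records exported from a capture of the isolated VM, drop traffic that never left the lab network, and report which external domains the infected machine reached out to and how many bytes went each way. The tab-separated export format, the lab network range, and every address and domain below are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a tshark-style export taken while the sample runs in
# the isolated VM. Tab-separated fields: time, src IP, dst IP, DNS query name
# (if any), HTTP Host header (if any), frame length in bytes.
SAMPLE_CAPTURE = """\
1.00\t10.0.0.5\t10.0.0.1\tupdate.example-bad.test\t\t74
1.05\t10.0.0.1\t10.0.0.5\tupdate.example-bad.test\t\t90
1.10\t10.0.0.5\t203.0.113.10\t\tupdate.example-bad.test\t512
1.20\t203.0.113.10\t10.0.0.5\t\tupdate.example-bad.test\t1400
2.00\t10.0.0.5\t10.0.0.9\t\t\t60
3.00\t10.0.0.5\t10.0.0.1\tcdn.example-good.test\t\t70
3.10\t10.0.0.5\t198.51.100.7\t\tcdn.example-good.test\t300
"""

LAB_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed lab range (constructed)

def parse_capture(text):
    """Turn the tab-separated export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dns_name, http_host, length = line.split("\t")
        records.append({"time": float(t), "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst), "dns": dns_name,
                        "host": http_host, "len": int(length)})
    return records

def queried_domains(records, infected_ip):
    """Every DNS name the infected VM asked the lab resolver for."""
    infected = ipaddress.ip_address(infected_ip)
    return {r["dns"] for r in records if r["src"] == infected and r["dns"]}

def external_contacts(records, infected_ip, lab_net=LAB_NET):
    """Map each external peer (by Host header, else DNS name, else IP) to the
    IPs involved and the byte counts sent by / received by the infected VM."""
    infected = ipaddress.ip_address(infected_ip)
    contacts = defaultdict(lambda: {"ips": set(), "bytes_out": 0, "bytes_in": 0})
    for r in records:
        peer = r["dst"] if r["src"] == infected else r["src"] if r["dst"] == infected else None
        if peer is None or peer in lab_net:
            continue  # lab-internal traffic (resolver, other VMs) is not an external IoC
        name = r["host"] or r["dns"] or str(peer)
        entry = contacts[name]
        entry["ips"].add(str(peer))
        if r["src"] == infected:
            entry["bytes_out"] += r["len"]
        else:
            entry["bytes_in"] += r["len"]
    return dict(contacts)
```

The resulting domain/IP pairs and byte totals are what feed the network-wide block rules and the "how much data left" question from the earlier post.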
 