How to Become (and Remain) a Malware Researcher

The Two Most Important Ingredients

My take is that there are two most important ingredients to becoming a malware researcher:

1. Obsessive Passion to learn “how things work” no matter the time commitment and effort required; aka insatiable curiosity.

2. Ability to enjoy working at a solitary job where much of it is between you and the code

The fact is, malware research requires a lot of specialized knowledge, skills, and can be very challenging. It is far from impossible, but the type of challenges and work required will naturally weed out people who are not really into it or passionate about it. However, obsessive passion and curiosity will drive an analyst to crack anything eventually. So step 1 is, set up an analysis environment, grab some malware from a repository, and give it a shot. Is this something that you really enjoy? Is it something you could see yourself doing all day every day and for countless hours on end? The answer for me was that I would start analyzing malware and then next thing I knew, I’d look at the clock and it would be 5-8 hours later and I still didn’t want to stop. This was an important factor in my decision to pursue malware research professionally.

How to learn

So let’s say you share the passion and you are now wanting to know exactly how I would recommend taking further steps. Here are the steps I recommend:

0. If you don’t already know how to program software, you should learn. I recommend learning Python, C, and x86-64 assembly or ARM if you want to do phone malware. If you can fully understand and use just those three languages, you will understand general software very well.

1. Analyze malware in a lab using the common tools

2. Read books on malware (and “virus”) analysis, programming, and operating systems both general and specific

3. Read technical blogs and follow other researchers on Twitter, keeping up with their work

4. Attend conferences such as DEFCON and REcon

5. Attend (or create) meetups in your area for malware analysis or InfoSec.

6. Watch YouTube channels like L!NK, Malwar Analysis For Hedgehogs, Colin Hardy, hasherezade, OALabs, and Gynvael Coldwind

7. Help others and ask questions on https://reverseengineering.stackexchange.com

8. Don’t forget to keep programming. Even if you don’t have to actually write code each day as a malware researcher, it’s important to keep those skills up so you can automate reversing tasks, and continue to think like a regular software engineer as well.

In a nutshell, that all will get you very, very far and if done right, it won’t cost you a whole lot of money. It will cost you a lot of time though, so be ready for that. I didn’t post out the specifics in this blog on which books to read because I’ve already listed resourcesin another post, so check it out.

Becoming a professional

In order to become a professional, it’s very helpful to show off some of your work. This both shows your quality of work and where you’re at, and it shows off your passion and love of malware analysis. One of the cool things about this field is that you can analyze as much malware as you want in your free time and create write-ups and videos, then post them up on a blog or YouTube. This allows you to effectively “work” even when you are not a professional yet and you can show off this work to prospective employersso they can learn about you. Another option to show work is to create a useful malware analysis tool using a programming language and put it up on GitHub. This will not only benefit the community and allow you to improve your coding skills, but it will gain you exposure and is more work you could show to a prospective employer. Certifications sometimes have their place, but I am not the only one who feels that demonstrated, tangible work like this is more valuable and the nice thing is it doesn’t cost $1,000-$5,000 either!

Remaining a professional and being skilled

Malware Research is a job that requires constantly learning and honing of skills. Not only is there a huge breadth of knowledge which applies, but there are often new trends, threats, and attacks which are introduced each year. Likewise though, it’s important to understand the foundational basics and refresh yourself on them so that you don’t get caught worrying too much about the trendy threats and let a 10-year-old attack technique slip right by you. For these reasons, plan on always reading books, blogs, and papers indefinitely, and honing your coding and reversing skills. The learning doesn’t ever stop.

I’ve found that it helps to take deep-dives on different subjects. For example, lately I’ve taken a deep dive on cryptography and the math behind it. While it in and of itself is not malware research, the current most popular and dangerous malware is ransomwarewhich is completely based off of cryptography and the second most popular is bitcoin miners, which also use cryptography. Examples of other subjects you could find yourself taking a deep dive on are specific exploitsoperating system internals, specific malware types such as script-based malware, or research in the development of a tool. For example, Karsten Hahn from G-DATA wrote a master thesis on malware obstructing PE files in order to avoid detection and provided an accompanying software programto aid in analysis. So for this paper, there was a research component, a writing component, and a coding component.

Another similar example is the work of Ange “Corkami” Albertini. Albertini is a Reverse Engineer at Google and he wrote papersand programs in his research on the PE File Format. This research has been heavily used in the malware research community because malware often abuses this format to do its dirty work.

Other subjects that you could dive into include deobfuscation of malware code, unpacking malware, devirtualizing VM-protected malware, using machine-learning algorithms to analyze malware, building a malware analysis sandbox like Cuckoo Sandbox or Joe Security Sandbox, etc…

Endless fun! Hope this helped.