Writing malware doesn't make you a good researcher, but as a good researcher you have a huge head start in writing good malware. You have already seen the good, the bad, and everything in between. You know which evasion techniques are painful to reverse engineer, and you know what is easy and what is hard to detect using existing solutions.
@nezu_cc 8 months ago
I got pinned 1 year later LOL
@flrn84791 2 years ago
So as a counter-example: I did write malware before, even mentioned it in the interview that I took Sektor7 courses, and was hired by you-know-which-company :D BUT. And I guess maybe you can comment on why you thought those skills were interesting as an interviewer; I'll just explain to your viewers why I had those skills, how I acquired them, how they are useful, and why they are not everything. I worked in pentesting and red teaming before, used custom Cobalt Strike beacons in engagements, wrote C++ and C# droppers as well, made basic shellcode in assembly for Linux and Windows for eCXD, and I even remember writing a ransomware PowerShell script which wasn't detected by a certain EDR vendor. That's very different from writing and releasing malware in the wild as was proposed by that comment, in the sense that it was legal and ethical. I did not write detections for those droppers, sure, but they did end up on VT, as do a lot (most) of the droppers and general malware people write while studying for OSEP, for example. Releasing or using malware in the wild is obviously a big no-no. I find those skills useful in the analysis of PE files, like understanding what the code for a dropper would look like, why malware uses GetProcAddress and GetModuleHandle all the time, understanding of injection, reflection, etc. My pentesting experience also comes in very handy for the analysis of webshells etc. BUT (here it comes), I find writing detections for PE files still pretty difficult, struggle with unpacking sometimes (most of the time lol), and many topics from the detection industry are still very new and sometimes confusing. As you say, the breadth of knowledge a malware analyst must have compared to a malware writer is obvious once you get on the blue side of things.
So in my case, with my experience, I would say it helps, a bit, for some concepts and the behind-the-scenes of how malware is actually written, BUT there is so much more to malware analysis that it's almost irrelevant, I think, and it can be dangerous as you mentioned. That being said, the more you know of the red team side, the better you are in a blue team :) (and the other way around is also true!)
@MalwareAnalysisForHedgehogs 1 year ago
Hi :D. Thank you for your detailed and honest view on this subject. I think I would rather answer some aspects of this in private. Where I got hung up in 2 of these comments is the recommendation to release malware into the wild. That does not mean an upload to VT and does not include pentesting where you have a contract and act ethically. I should have been more nuanced with some of my comments and should have said instead that you do not get hired if you tell people you illegally released malware into the wild. But if you developed malware in an ethical context, that is a different thing, albeit not necessarily a huge plus. It also opens up the question why you suddenly want to switch career paths, but it seems you could explain that well. In general the motivation is more important than previous experience. Finding experienced people is a rare occurrence, so we need to train almost everyone anyway. So I do not think that the pentesting experience had any deciding factor in hiring you, but rather your WHY: why you want to work as a malware analyst and not as a pentester. (You can ask your team lead about it, if you want to know for sure.) I think it is true that having different viewpoints and experiences in different technical subjects is helpful in general. E.g., if you were a compiler developer before, you benefit highly from that while reversing, as you are familiar with compiler optimizations and how they influence the assembly code. In the same manner you also benefit from knowing how malware and injection work in general. I even think that a previous job that required social skills is beneficial for your work, because we need people who can communicate with the other teams. I do not believe that the malware developer experience is something special here. Another aspect is that we as malware analysts have to work with the detection technologies that are there. We do not develop the detection technologies. We can only suggest what might help.
I sometimes get the feeling that people imagine analysts as the ones responsible for the detection technologies. Many of the limits we face with malware detection are ones we cannot directly influence. E.g., if a malware developer uses a brand new injection technique that antivirus products cannot see, that viewpoint from the side of the malware developer would be more beneficial for the antivirus developer. Thank you for your views!
@Pos44Dami 1 year ago
Malware is such a complicated topic, but as a programmer it is very fun to build a socket that communicates with a server and sends some information... but that's not even malware, just a simple program. Dynamic injection, encryption... these are very complicated things; it's clearly science fiction to me.
@MalwareAnalysisForHedgehogs 2 years ago
I answer the question of whether malware writing is necessary or beneficial for learning malware analysis. Do antivirus companies hire malware writers? What is the skill overlap between malware writing and analysis? Buy me a coffee: ko-fi.com/struppigel Follow me on Twitter: twitter.com/struppigel
@bobo-px5gy 5 months ago
Thanks man
@ibraheemnada7541 3 months ago
Writing malware can make you a very wealthy person, whereas finding a job as a security researcher in this IT market will lead nowhere. ;)
@SourceCodeDeleted 2 years ago
You have changed so much that I didn't recognise you.
@ShahabSheikhzadeh 1 year ago
I'm so confused, but I'm so happy for them at the same time. They should totally troll and have their older intro voice 😅