Profile of a Malware Analyst
Vlad Borisenko, Malware Analyst at Agnitum, shares with us the ins and outs of his profession.
Tell us a bit about yourself, your education, what you do when you’re not working, etc.
Well, I think I’m a pretty ordinary guy, except that I happen to know something about computers and the threats that complicate our digital lives.
I graduated from St. Petersburg Polytechnic University with a degree in mathematics and have been involved with computer security ever since. I’ve been working at Agnitum for three years, initially supervising the expansion of the signature database for the Tauscan anti-Trojan software. Then, when we moved into spyware detection, I became a senior malware analyst. Now, it’s my responsibility to ensure that our customers get the latest malware definitions as quickly as possible. I also work on the ImproveNet initiative that helps users get newly-tested automated firewall rulesets.
When I’m not working, I’m a bit of a gadget-freak (no surprise there). I’m also a big fan of motor sports and reading. I like to travel when I can escape from the malware threats for a while, which has led to a strong interest in environmental issues. I don’t understand how a few people can own private jets while millions in Africa suffer from hunger and disease – maybe in the future I’ll participate in one of the UN’s programs to help people in need. But whether malware will be defeated in time for me to do this is still a big question.
How do you find time for all this, when you’re working night and day dissecting malware?
Everyone needs some balance in their lives. In this business, you need to be constantly on guard and active in order to stay ahead of the bad guys. Even though our team is on duty 24/7, I do try to dedicate my spare time to my personal interests and family. It’s always a challenge, because threats do tend to propagate on weekends when users’ vigilance is low, but knowing that we are helping to keep users safe online is the main thing that keeps me going.
There is an interesting TV program called “How It’s Made” that describes how products evolve from an idea to a finished product. Can you give us a “How It’s Made” overview of the anti-malware business?
Well, I could write pages about this subject, as you can imagine. But for simplicity’s sake, I’ll try to give a snapshot of the process without getting into too much technical detail (and without revealing Agnitum’s trade secrets, of course!).
The first step is the collection of samples - suspected malicious code for analysis and possible inclusion in our signature databases. We get samples from a variety of sources: user submissions through our website, partners, as well as other anti-malware vendors - whenever there’s an outbreak, everyone works together to make sure users can get detections as quickly as possible. We also use a system of automated web crawler tools that comb the web looking for traces of malicious code and embedded exploits and provide any such findings to our lab engineers for a more rigorous in-house evaluation. And if that weren’t enough, we also check our mail servers for incoming threats contained in spam. Every element of suspect code undergoes automated scanning and assessment procedures to enable us to verify unknown threats as early as possible in this complex process of threat analysis.
After this first stage is completed, the suspect code is checked for harmful activity and malicious behavior using virtual machines. These are copies of normal Windows installations placed on standalone test machines running special software that allows changes made since the execution of the code to be instantly rolled back. The researcher then tracks the changes made to the system, and if malicious impact is found, the sample is immediately flagged as malware.
More sophisticated malware authors have mastered the technique of “sensing” a virtualized environment and reacting to it by suppressing their malicious intent so they can’t be immediately detected. In these instances, we in turn apply our own more sophisticated tools.
The researcher needs to take a look at the original “plain view” code that constitutes the payload of the malware. To do this, the file is converted to a form suitable for human analysis using one of the following methods:
- Unpacking. The code may arrive in a packed (archived) form that necessitates the use of specialized “unpacker” utilities to reveal its contents.
- Decrypting. If the file is encrypted, the corresponding decryption key needs to be recovered and applied to decrypt the file and render it accessible to the researcher.
- Decompiling/disassembling. Decompiling means getting down to the source code of an executable file - this may be in any of the high-level programming languages, such as Delphi, C or C++. Disassembling means translating an executable file to a lower-level assembly language. This process enables the researcher to take a look at the “raw” code and manually analyze it.
Once malware has been definitively identified, the signature database must be updated. We use a proprietary editor to manage threat signatures and in some cases prepare a dedicated heuristic analysis module that detects threats by behavior rather than code.
After the definitions are compiled, they are tested with the help of machines running different versions of Windows, different builds of Outpost and a broad range of third-party applications to ensure users won’t experience any problems when they install the updated definitions. The new definitions are then placed on our servers ready to distribute fresh signature updates to our users.
Fascinating. What tools do you use to do all this?
Aside from the virtual machine applications, most of our tools were developed in-house by the research team and engineers.
How do you think the computer security industry will evolve?
We’re seeing an increasing volume of blended threats – for example, Trojans and keyloggers hidden by very powerful rootkit functionality that enables them to stay hidden on a system. We’re also seeing malware targeting specific software products, particularly security software, to disable the software and give themselves a clear passage onto the user’s machine. All of this is a constant challenge, both from a research perspective and from a customer care perspective. The only way that we can be more efficient is to do more to prevent malware from getting onto users’ computers in the first place, so we, along with the Agnitum engineering team, are focusing heavily on developing techniques to monitor and block suspicious application behavior.
You’re referring to some form of Host Intrusion Prevention System (HIPS)?
Yes, the type of protection that monitors program behavior and makes sure applications don’t behave badly on a system. Users will see more emphasis on this type of protection in future versions of Outpost software.
That’s a great note to end on - any final words of advice for our readers?
Thanks for giving me the opportunity to talk directly to our users. I wish them safe travels on the Internet, remembering always that a combination of knowledge, safe surfing practices, and robust security is the best defense.