An overview of becoming a Malware Analyst

An overview of becoming a Malware Analyst

Henry Dalziel | Information Security Careers | November 20, 2012

This is part three of our career advice for those interested in getting a job within the information security space. The other two were about becoming a Forensics Investigator and a Security Analyst.

OK! So what is a Malware Analyst and how do I get started in this career?

A malware analyst works, hardly surprising, in the field of information and network security. The main purpose of their job is to examine in a forensic fashion, and be able to understand ever-evolving advanced persistent threats. By Advanced Persistent Threats we mean viruses, bots, worms, rootkits, and Trojan horses. An appreciation of social engineering is also important to this role since in most cases malicious code and threats are very often entwined with a social element.

Needless to say, malware is bad for hardware and software – it disrupts business and affects the bottom line. Every organization in the world is affected by malware and the demand for defense it enormous. Owing to the fact that malicious code comes in many different forms, a malware analyst has a similar role to that of a penetration tester in the sense that they must thoroughly understand both interpreted and compiled programming languages. Having a natural curious mind is vital to this role since the malware analyst will have to reverse-engineer viruses and all types of threats to better understand and defend against them.

Salary expectations

The salaries are very similar to that of a Forensics Investigator and Security Analyst. Expect (in the US) somewhere in the region of $70,000 with experience. A starting salary would be around the $45,000 mark – with necessary certifications. Relevant information security certs like Certified Ethical Hacker (CEH), Security+, CISSP, CISA, SSCP, CPTC (mile2) or the GIAC Reverse Engineering Malware would all certainly assist you with getting yourself the career.

Learn to use a malware specific Linux distro!

We always refer everyone to our pentesting distro post but seriously – if you want a career in this lucrative space then it would be prudent to learn how to use a malware specific distro whilst you get certified. REMnux seems to be the best Linux distribution for assisting malware analysts in reverse-engineering malicious software and threat. Like many other pentesting distros, this distribution is based on Ubuntu. (You might want to also take a look at CAINE – again refer to our blog post linked in this paragraph.

REMnux includes many tools designed to check for software for any nasty malicious code. Here is a quick list of some of the programs and categories that are bundled with the distro:

Analyze Flash malware: SWFTtools, flasm, RABCDAsm and
Interacting with IRC bots: IRC server (Inspire IRCd) and client (epic5)
Observe and interact with network activities: Wireshark, Honeyd, INetSim, fakedns, fakesmtp , NetCat, NetworkMiner, ngrep, pdnstool and tcpdump
Decode JavaScript: Firefox Firebug, QuickJava and JavaScript Deobfuscator extensions, Rhino debugger, JS-Beautify, SpiderMonkey, V8, Windows Script Decoder and Jsunpackn
Explore and interact with web malware: Firefox Tamper Data and User Agent Switcher extensions, TinyHTTPd, Burp Suite Free Edition, Stunnel, Tor , Jsunpackn and torsocks.
Analyze shellcode: gdb, objdump, Radare, shellcode2exe, libemu’s sctest
Examine suspicious executables: upx, packerid, bytehist, DensityScout, xorsearch, xortool, TRiD,, ClamAV, ssdeep, md5deep, pescanner and Pyew
Analyze malicious documents: Didier Steven’s PDF tools, Origami framework, PDF X-RAY Lite, Peepdf, Jsunpackn, pdftk, and Hachoir

Leave a comment or reply below...thanks!