The (Cyber) Circus: Malware Reverse Engineering In Reality by Michael Goedeker

Everyone by now is hearing about the attacks on Ukraine's critical infrastructure. Our research, our free framework (https://socprime.com/en/blackenergy-disrupt-matrix/) and our Tor detection and research protect against the attacks that we researched, found and documented here, in various forums and at security conventions long before Cys Centrum, iSight, etc. regurgitated old research and sold it as new....

With some of the reports and incorrect information I have read recently, I think it makes sense to discuss what really happens in malware research and reverse engineering, because I am seeing way too much fluff on the topic lately. I also want to set the correct expectations for anyone who says they do this but uses dubious or highly unethical ways of collecting data.

When reading through reports and findings I always ask myself how people collect information, verify it, protect it against tampering and discuss the findings. These are all aspects of a professional researcher, team and company. I think it makes sense to talk about how I get information and how I use it, so that people can verify I know what I am talking about and I SET A STANDARD OF ACCEPTABLE EVIDENCE COLLECTION.

I (we) talk to partners and customers that call us in and ask if we can find anything out. These discussions always start with getting information about anything and everything relevant about the company, its enemies, the locations, technology and processes, as well as a plethora of other information. When I/we talk to these customers we ASK for information and ASK to obtain data and samples using COURT APPROVED and forensically solid methods of data collection. Why is this so important, one may ask? Well, if I go into a company, hook up some "black box" and don't first tell the customer what it is and how it collects the data, I am no better than the criminal I am trying to find. If I am a professional and ETHICAL investigator I take my customer's hand and EXPLAIN exactly what I am extracting (information, data and samples) from the infected sites or computers / assets, and how. This way I am not only helping the customer, I am also fully transparent about what I am collecting from them and how. We also sign an NDA, so sometimes I cannot talk about all the details; I can, however, talk about the findings without mentioning the company name. If I collect evidence the wrong way I make it worthless, so it makes sense to do the right thing here; otherwise the whole process is a waste of time for the customer...
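The paragraph above asks that collected data be verifiable and protected against tampering. What follows is an added example, written for this edit and not the author's or Auxilium's own intake tooling, of the minimum a practitioner would want at sample intake: hash every sample with several algorithms at the moment of collection, record who collected it, when (UTC) and from which host under an opaque label (so the manifest can be shared under NDA without naming the customer), and keep a verify step that re-hashes the bytes later and reports exactly which digests no longer match. The sample bytes, the collector name and the host label are constructed for illustration.

```python
"""Evidence-intake manifest for malware samples (added example, not the
original post's code). Records hashes, size and custody metadata per sample
so that later analysis, or a court, can show the bytes were not altered
after they left the customer's machine."""
import hashlib
import json
from datetime import datetime, timezone

# Several algorithms are recorded: sharing sites and partners still key on
# MD5/SHA-1, while SHA-256 is the one to rely on for integrity.
HASH_ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hex digest} for every algorithm in HASH_ALGOS."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def make_manifest_entry(name: str, data: bytes, collector: str, source_host: str) -> dict:
    """Build one custody entry. Timestamps are UTC so entries taken in
    different time zones compare cleanly; source_host is an opaque label
    chosen by the investigator, never the customer's real hostname."""
    return {
        "sample": name,
        "size": len(data),
        "hashes": hash_bytes(data),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source_host": source_host,
    }


def verify_entry(entry: dict, data: bytes) -> list:
    """Recompute every hash over `data` and return the checks that fail.
    An empty list means the sample matches the intake record; any entry
    means the bytes were altered (or the wrong file was supplied)."""
    current = hash_bytes(data)
    mismatches = [algo for algo in HASH_ALGOS if current[algo] != entry["hashes"][algo]]
    if len(data) != entry["size"]:
        mismatches.append("size")
    return mismatches


def write_manifest(entries: list, path: str) -> str:
    """Write the manifest as sorted JSON and return the SHA-256 of the file
    itself, to be noted out of band (case notes, signed e-mail) so the
    manifest cannot be silently edited either."""
    blob = json.dumps(entries, indent=2, sort_keys=True).encode()
    with open(path, "wb") as fh:
        fh.write(blob)
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-in bytes for a sample; this is not real malware.
SAMPLE_INTACT = b"MZ\x90\x00constructed-sample-for-illustration"
SAMPLE_TAMPERED = SAMPLE_INTACT + b"\x00"  # one byte appended after intake


def demo() -> dict:
    """Ingest the constructed sample, then verify it once unchanged and once
    after a single-byte change. Returns both verification results."""
    entry = make_manifest_entry(
        "sample-001.bin", SAMPLE_INTACT,
        collector="analyst-01 (assumed label)", source_host="HOST-A (redacted)",
    )
    return {
        "intact": verify_entry(entry, SAMPLE_INTACT),
        "tampered": verify_entry(entry, SAMPLE_TAMPERED),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints an empty list for the untouched sample and a list naming every algorithm plus "size" for the one-byte-modified copy; the point of recording the manifest's own SHA-256 out of band is that an attacker who can rewrite the sample can usually rewrite a manifest sitting next to it as well.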

Next I use open source tools to analyze the malware, and I talk to people I trust and know in the security community who are also really good at what they do. We discuss the research, what's missing and what we have done and collected so far. It's a collective process, not a black box; there really is no rocket science here from anyone! I obviously cannot tell them which company or partner the sample is from, but I can talk about details up to that point. As discussions and research continue, a bigger picture starts to emerge from the data and research results; this tends to point in a few directions that need further research and data to confirm. Usually we never have all the research or data, so you need to make educated assumptions about what you THINK is going on and where you THINK it may be going. It's basically an educated guess, no more, no less.

When I get the samples I look at them and also submit them to sites like VirusTotal (thanks guys!) or to my friends and partners-in-crime at MalwareMustDie, etc. We work collectively with bigger teams to find out what the heck is going on here.

In conclusion: 

There are standards that apply to data collection and evidence: learn them, live by them, use them.

There are open source tools and methods for analyzing malware; understand that this is a largely manual process, and it takes time and a team with skills to do. (It also costs money ;-)

No one, I mean no one has the rocket science solution here, not one single company. There are some promising ideas like our framework for IOCs and DarkEnergy but we are not there yet. For us to get there we need capital and angel investors that believe in the same mission and have the same dedication. (I am looking for you BTW).

If you cannot explain what you are doing in malware research and how, chances are you don't do it or may be missing a big piece of the picture. It's okay not to know everything, but then you need to share the results, give the credit and do the hard manual research work...

If you don't talk at BSides and other conferences to share your findings, chances are you are not known or respected in the community. You also signal that you don't value the hundreds of people worldwide who really kick butt and want to help. We are the solution to cyber threats, not the reason.

If you don't submit your samples in a timely fashion, you are no better than the person who created the sample you are analyzing. You become a 0-day hoarder.

Lastly: Do No Harm, Be Transparent, Share your results, Don't lie.... No single person or company does all of malware research or is the ultimate authority.

If you find this post interesting say so, if not well PM me. 

Your 1D1oT

Security Noob


This article was originally posted on LinkedIn.


Michael Goedeker is CEO & Founder of Auxilium Cyber Security.

"I am passionate about technology, teaching and people! My interests, passion and research includes: Cyber Security, Operations, Leadership and Training up to DoD/Mil level (includes every aspect of IT). Author and researcher at the front end of Cyber Warfare, Espionage and Crime, researching in Academia, Press and Security Professionals Globally. Entrepreneur with solid operations and financial background. Easy to work with, people person that sees talent, develops it and can establish rapport with almost anyone."

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013