I have been hunting and fighting malware for more than seven years now, and my skills are spread out, reaching beyond malware analysis to software development and intelligence analysis. I have also given a few talks on malware trends and taught malware analysis topics to government and private industry newbies. Prior to joining Malwarebytes as the Lead Malware Intelligence Analyst, I worked for FireEye and numerous government contracting agencies after getting out of the US Navy. I like to pretend fighting malware is like being a Ghostbuster in the Matrix.

I will do my best to answer your questions, and if I don't know the answer I will ask someone who does. If you want to know more about how we fight malware, then please ask away; if you have a question about how to get started in this field, I would be happy to answer and elaborate.

Proof: https://twitter.com/Malwarebytes/status/334373497021267968

Update: Well thanks so much for your questions guys! I had a lot of fun and hopefully gave you all the answers you hoped to hear =D. If you want to chat with me more, look me up on Twitter @Kujman5000

Be sure to check out our subreddit at http://www.reddit.com/r/Malwarebytes

Comments: 133 • Responses: 63

ccims15 karma

In your opinion, what is the most difficult kind of malware to detect/deal with?

MalwarebytesResearch20 karma

"FIRSTIES" =D.

Difficulty really depends on your goal when it comes to malware analysis.

From a technical standpoint, when you want to reverse engineer malware, I would say Rootkits are the most difficult because they tend to use functions and libraries that are not well documented, making it difficult to quickly understand what they are trying to do. At the same time, rootkits like to hide by installing themselves as services and hooking into the chain of operations your operating system uses to do things like show you files and folders or what applications are running. By creating these hooks, rootkits are able to scan any information that is going to be presented to the user and remove any sign of registry keys, processes or files that belong to the malware.

When it comes to detection, any malware that modifies its operations based on the existence of an anti-virus or anti-malware application can be a pain because they are intentionally trying to subvert our detection and removal operations. Usually this kind of malware has been tested in a lab with numerous scenarios to make sure that regardless of what we do, they are able to get around it. However as soon as we get a sample of that malware and realize what it is doing, we quickly modify the way we detect it and usually end up taking down the malware and any variants of it.

Stepping back from detection, just trying to remove some malware can be more difficult, especially if the malware existed before our application was installed. Take Ransomware, for example: if a user had an antivirus or anti-malware product installed prior to the Ransomware executing, it would have been detected and stopped. However, if there is nothing stopping the Ransomware, it can install, infect, encrypt and lock the user out completely. It might even modify system files and will destroy the system if not properly cleaned.

From an intelligence point of view, malware that is released on a mass scale, say with a certain builder that was cracked, can be troublesome because it is difficult to determine the exact source of the attack. In addition, when you take malware like Zeus, which has been in production for years and now has numerous variations, you might be able to track down the source of one or two different variants, but when trying to determine the relationship between variants and, more importantly, the cyber criminals behind the malware, it becomes difficult due to the large number of cyber criminals using this malware for various reasons.

So at the end of the day, the idea of difficulty comes down to the overall goal of the analysis, whether it be deep technical analysis or trying to gather meaningful intelligence. Great question to start off with, thanks!

Websly9 karma

Have you ever analyzed fail malware? For instance one where the author forgot to use his encryption function or where he mistyped an IP address? :)

MalwarebytesResearch11 karma

Yes! Just like novice programmers, some malware writers like to steal code from other pieces of malware but end up implementing it the wrong way. I've seen malware that couldn't figure out how to decrypt itself because of the wrong key. I would say 9/10 times this malware just ends up crashing. Great question!

davedittrich8 karma

What ethical guidelines (i.e., specific ethical principles, not "I'm an ethical hacker") do you follow in deciding what to do with the information you derive from reverse and re-engineering malware, and how do you decide when you will/won't cross a line (e.g., taking over a botnet, collecting intelligence to analyze from inside someone else's computer, or taking down malware infrastructure using uncooperative means?)

Why should the public trust what you do?

MalwarebytesResearch6 karma

The ethical guidelines we follow are pretty much the law. We do not break into other people's computers or take over botnets; we shut them down, pretty often too. When it comes to dealing with malware infrastructure, we always do our best to communicate with the offender; if they don't respond then we communicate with the host and all the way up. We have never attacked any server nor will we ever. We often blacklist offending servers/domains/applications because of their malicious intent, but that does not spread past people using our product, and anyone is free to dispute their blacklisting with us and will usually talk directly to the person who blacklisted them in the first place.

In addition, even the information we post on our blog follows pretty rigid ethical guidelines, we want to educate and inform our readers of malware threats and the operations behind them, while at the same time not providing users with a "tutorial" on how to be bad guys.

As far as why the public should trust us, I suppose that is entirely on each individual user. We are honest with our communications with the community and depend on them for our existence. In addition, we don't force our product on anyone nor are we able to. We just do our best to fight malware. =)

davedittrich4 karma

I don't mean this to argue with you, or attack you, but I asked if you could provide some specific ethical guidelines for malware researchers to follow and I don't see any in your answer. The law is not the same as ethical guidelines, and just saying "our blog follows pretty rigid ethical guidelines" and then not saying what those guidelines are side-steps the question.

I ask this question, not to put you on the spot, but to help anyone reading this IAmA who is trying to learn something that they can follow to know that countering malicious actions requires not just technical skills, but knowing how to use them responsibly. I am very happy you mention you limit what you publish to avoid helping the bad guys (and gals!) get better. But sometimes "shutting down" malware infrastructure (you don't define what it means to "shut down" something, besides just blacklisting) helps spur bad guys (or gals!) into improving their malware.

And if the lack of an answer illustrates there is no consensus on what "ethics" are, or how to talk about them, hopefully this dialog makes it clear that part of what readers need to do beyond just learning how to disassemble malware and exploit vulnerabilities in C&C servers is to learn where the ethical AND legal limits are and be able to make good decisions that they can clearly justify. Your list of things that someone should learn in response to p3aceout -- and I agree with all of them -- does not include learning about ethics (or the law, which you say is your guide). I'll offer this as a place to start: https://staff.washington.edu/papers/ieee-snp-ethics-2011.pdf

Just talking about "fighting malware" does not provide guidance on what someone should/shouldn't do, or when some action will cause more harm than good. For example, there is a group out there who believes "malware must die" and uses imagery and language suggestive of a religious battle (to the death, in the real world model on which they base their message), but no guidance on what is acceptable to do in the name of the "crusade." Good intentions, and wanting to "fight" the good fight, are not enough to prevent harming innocent people by going too far with the desire to "kill" malware, which is going to get us all in trouble.

MalwarebytesResearch8 karma

davedittrich, your argument is valid. =P

The number one rule of ethical hacking and/or any ethical guidelines when it comes to computer security is that you NEVER do intentional harm to a system that does not belong to you. The link you posted is also a great resource to learn about what ethics we should all follow in pursuit of a malware free internet, I had trouble getting to it with your link so I will post what worked for me:

http://web.eecs.umich.edu/~mibailey/publications/ieee-snp-ethics-2011.pdf

Let me answer your questions in more detail:

"I asked if you could provide some specific ethical guidelines for malware researchers to follow and I don't see any in your answer. "

Answer: As I stated above, the number one goal is to defend users and not do any harm to them or their systems. While attempting to achieve this goal, issues do arise where we have to take ethical stances against posting information that may be harmful if put in the wrong hands. When this comes into play, we always decide against revealing that information.

However, keeping users in the dark about very real threats is something we do not approve of. Computer security starts and ends with the user; they are the greatest strength a system has and at the same time the greatest weakness. So when we detect a new type of exploit or a new type of malware variant that has been finding ways of getting around traditional detection methods, we tell them about it. We do that in order to give them the proper education and tools to defend themselves. Will it tip off the malware authors and cyber criminals that we are on to their scheme? Yes. Will they change their operations because it is now common knowledge? Sometimes they do, sometimes they don't. Basically, we don't think that not telling the user about a shark swimming in their pool will prevent the shark from attacking them.

However, the means we use to gather intelligence and prevent the spread of malware do not cross the line into harming computer systems; that is not what we do. If there is an issue that cannot be settled with discussion between the offender and us, then we talk to someone who can do something about it, be it the host, an ISP or even law enforcement. We have never and will never hack cyber criminal systems or allow malware to be executed on innocent victim systems for the sake of seeing what happens.

As a recap, here is a list of ethics that all security professionals should adhere to:

  • Do not harm a system that does not belong to you

  • Do not resort to the tactics that are used by cyber criminals in an effort to stop them

  • Never re-purpose malware for the sake of using it to get back at cyber criminals

  • Never intentionally hide information from the users under the guise of their own safety

  • Be honest, be thorough and always aim for the goal of defending the users but do not cross the line that turns you into a criminal yourself

"You don't define what it means to "shut down" something, besides just blacklisting"

Answer:

When I said Shut Down, I mean discussing with the proper authorities the prevention of further malicious activities by the offending server. By proper authorities I mean Host -> ISP -> Law Enforcement. Malwarebytes does not attack web servers for the sake of preventing further malware; we simply advise and suggest based on collected evidence. As far as blacklisting goes, it is our way of protecting our users from malicious domains, and if it turns out that said domains are no longer used for malicious purposes, we happily remove them from our blacklist. We attempt to be as targeted as we can so that legitimate web sites hosted on the same server are not made unavailable to users. In the case where this does happen, as soon as we are aware of it, we fix the problem.

I hope this sheds a little more light on my vague answer above. While learning the technical aspects of malware analysis, it is just as important to learn how to conduct yourself with these newfound skills so you don't end up on the side we are all fighting against and/or in jail. Thanks again davedittrich.

davedittrich5 karma

Oops. Left out part of the path, but you found a copy! https://staff.washington.edu/dittrich/papers/ieee-snp-ethics-2011.pdf

Great answer. Thanks!

MalwarebytesResearch5 karma

Thanks for pointing out the importance of ethics, I really appreciate it =D.

Xoils7 karma

What is the funniest thing you have ever came across while analysing malware?

MalwarebytesResearch16 karma

Ransomware that actually spoke in the voice of some Russian guy but claimed to be from the FBI. =P

FinanceITGuy6 karma

I don't have a question for you, but I wanted to doff my cap and thank you for providing an excellent product without the horribleness of so many anti-malware vendors. Well done, sir!

MalwarebytesResearch6 karma

Thank you very much for your kind words. I know the entire team appreciates all the praise we get from our loyal users for so many years and will continue to fight for you guys. Thanks so much!

Lykenx5 karma

Most dangerous piece of Malware you've come across? What did it do and how?

MalwarebytesResearch7 karma

That is a tough question. It is a tie for me between Ransomware that shows child pornography on the desktop, demands hundreds of dollars and encrypts the file system, and Remote Access Trojans like BlackShades that are able to control your webcam, steal your files, passwords and privacy, then share it on underground forums.

Lykenx2 karma

Incredible what some people can come up with! Thanks for the reply.

MalwarebytesResearch12 karma

It's incredible that there are people actually willing to exploit people in that fashion. It's a mad world out there.

xpose4 karma

How has the modern web browser such as Chrome changed malware? Is malware as easily infectable and widespread today as it was 5 years ago?

MalwarebytesResearch7 karma

I think that the spread of malware is due to having more people playing the game rather than the technology allowing for more. Drive-by exploits, malicious browser plugins and the like obviously make it easier to deliver malware to the user; however, the technology has also made it much easier for anyone from junior high punks to guys in their 40s to spread malware and steal people's data.

The browsers are doing a good job so far, though. Every time a new threat comes out, they work very hard to protect their users from that threat, and it's admirable to see how hard they work for this cause.

p3aceout3 karma

For someone who is interested in getting to your position, what material should a person be familiar with? Or what requirements are needed.

MalwarebytesResearch10 karma

Well you need to know something about malware, first of all. This means becoming familiar with the history of malware, what it is capable of and what common threats are, a subject that is ever changing. Beyond that, technical ability is a must and I recommend:

  • Learning a programming language. You could stick with scripting (Perl, Python, Ruby) if you don't feel like learning C/C++, though I recommend you do.
  • Become familiar with the different analysis tools used in malware analysis. This ranges from sandboxes to system and network monitors to setting up things like web servers or modifying system files.
  • Learn about operating systems, as many as you can. The more you understand about how the OS works, the more you can understand the goal of malware.
  • Depending on the level of analysis you want to go to, it might be a good idea to learn Assembly, which is what every reverse engineer analyzing x86 malware needs to know.
  • Learn about traditional malware operations. This might come from experience more than anything, but there are lots of good books, tutorials, videos and papers on malware operations at the code level. Learn which API functions signal certain types of operations (for example, if you see WSAStartup while searching through file strings or watching the log of a system monitoring tool, it means some network operations will be happening).
  • Never Stop Learning! Malware analysis is seriously an ever-changing field, and the more comfortable you become with constantly changing how you see things and sorting out new data in your mind, the easier it will be for you.

The one thing that cannot be taught, in my opinion, is the passion. You may spend hours staring at logs or chunks of code and it might take you just as long before you even realize the malware is trying to rename a file (at first; it gets easier), so you need to keep yourself optimistic, observant and passionate about the work, otherwise it will totally drain you.

In addition to that, seeing between the lines and "thinking outside of the box" is a requirement when working with malware, especially intelligence. This is something that I am not sure everyone can do, but if you try to look at the world from different sides, see behind the surface of people and things, you might be able to come to conclusions that someone else, with only the surface information, might come to.

As for my position, taking the technical to non-technical is a must. Every blog that I write, interview I do or operation I explain usually consists of taking a highly technical concept (and let's face it, malware analysis is not the same as setting the clock on your VCR) and bringing it to a level that the average person, not versed in this stuff, can understand. You might want to test out your ability to do this by taking something technical and explaining it to a child, your grandparents or your spouse and seeing if they understand what you are talking about. You will find that without the basic knowledge we all have working in this field, it gets pretty difficult to explain the higher level stuff. Thanks for the question and good luck!

Admiral_Blender3 karma

What process do you use for reverse engineering? I'm looking to set up a sandbox environment and study, do you have any suggestions on good resources? Favorite book on the subject (or website)? I am done with a digital forensics certificate and working towards the degree, and would way rather get into this than having to catch perverts and testify. You actually have my dream job at the moment, any advice to get to where you are would be appreciated.

MalwarebytesResearch4 karma

My process goes like this:

  • Get the Malware

  • Perform static analysis on the malware (Grab file properties, hashes, sizes, do open source research on it, dependencies, imports, exports, etc)

  • Perform Dynamic Analysis on the malware (Execute it in a sandboxed environment running system/network/registry monitoring tools and see what it does)

  • If necessary, reverse it. Reversing requires:

  • OllyDbg and IDA Pro, running in different VMs. Use IDA as a roadmap that you can modify and take notes in as you step through the code in Olly to grab any dynamic values, watch the flow.

  • Map out what you know, find the function calls that you recognize and see if they are being executed in important functions, if so, make a note and trace back to the entry point.

  • Take lots and lots of snapshots to save your progress. Save Often.

As far as the setup, I usually use VMware with at least 2 Win XP VMs, a Linux VM (for setting up fake web servers) and a Windows 7 or 8 VM for testing. Make sure you design your analysis VMs with every possible scenario in mind and load them up with lots of analysis tools before taking your base snapshot; it is a pain to install new software every time you analyze a new sample.

As far as getting to where I am, make sure you can convert the technical to non-technical and start your own blog or help other people with learning about malware analysis. Once someone notices that you can both work at a highly technical level and write at one that other people understand, you will be in =).

Experience, detail and passion go a long way in this field so if you don't have one, make sure you make up for it with the others. Good luck!
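The first two steps of the process above (file properties and hashes, then imports and strings) and the earlier advice that an API name like WSAStartup in the file strings signals network activity can be put into one small static-triage script. This is an added example, not Malwarebytes' tooling: the API-to-capability table is an assumed starting set, and the sample bytes are constructed for the example rather than taken from a real binary.

```python
"""Hypothetical static-triage pass over an unknown sample (added example, not
Malwarebytes code).  It does the first-pass items listed in the answers
above: size and hashes, embedded strings, and a lookup of which imported API
names hint at what the sample will do (the answer's WSAStartup -> network
rule, extended with other common Win32 associations)."""
import hashlib
import re

# API name -> capability hint.  Assumed table for the example; a real one
# would be far larger and would weight combinations, not single names.
API_HINTS = {
    "WSAStartup": "network",
    "connect": "network",
    "InternetOpenUrlA": "network",
    "URLDownloadToFileA": "network/download",
    "VirtualAllocEx": "process injection",
    "WriteProcessMemory": "process injection",
    "CreateRemoteThread": "process injection",
    "RegSetValueExA": "registry write",
    "CreateServiceA": "service install",
    "CryptEncrypt": "cryptography",
    "IsDebuggerPresent": "anti-analysis",
}

# Substrings (not API names) that are worth a flag on their own.
INDICATOR_SUBSTRINGS = {
    "CurrentVersion\\Run": "autorun registry key",
    "\\drivers\\etc\\hosts": "hosts-file tampering",
}

IOC_RE = re.compile(r"https?://[^\s\"'<>]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs plus UTF-16LE runs (Windows binaries carry both)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Group the strings that match a known API name or indicator by hint."""
    hints: dict[str, list[str]] = {}
    for s in strings:
        if s in API_HINTS:
            hints.setdefault(API_HINTS[s], []).append(s)
        for needle, hint in INDICATOR_SUBSTRINGS.items():
            if needle in s:
                hints.setdefault(hint, []).append(s)
    return hints


def extract_iocs(strings: list[str]) -> list[str]:
    """URLs and dotted-quad addresses found inside the extracted strings."""
    return sorted({m.group() for s in strings for m in IOC_RE.finditer(s)})


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": len(strings),
        "hints": classify(strings),
        "iocs": extract_iocs(strings),
    }


# Constructed stand-in for a sample: a fake header, a few import names and a
# wide-string URL, padded with every byte value so the string scanner has
# noise to skip.  It is not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"KERNEL32.dll\x00WS2_32.dll\x00WSAStartup\x00connect\x00"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00\x00"
    + "http://update-cdn.example/gate.php".encode("utf-16le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"RegSetValueExA\x00IsDebuggerPresent\x00"
    + bytes(range(256))
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The wide-string pass matters in practice: URLs and registry paths in Windows malware are often UTF-16, and an ASCII-only `strings` run misses them entirely. A hint table like this only tells you where to look; it is the combination (injection APIs next to a network API and an autorun key) that makes a sample worth the dynamic-analysis step.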

k0ng01 karma

Dang, you asked my question. @MalwarebytesResearch you do have my dream job too. I guess practice, practice. I have the basics and I believe I am past the beginner stage. Now to put out some good analysis and get that job.

Thanks for doing this.

MalwarebytesResearch5 karma

Not a problem =). Yeah Practice is key, you will eventually get better and better at it until one day you can stare at the code and just see "Blonde, Brunette, Redhead" =P

fiqar3 karma

How much money does an expert of your level make? How much do you think the top malware writers make?

MalwarebytesResearch2 karma

Most experts in this field probably make something close to $70k-90K or more. I think the top malware writers make a lot more than that, lol.

fiqar1 karma

I wish I was smart :(

MalwarebytesResearch12 karma

You might be and you don't know it yet. Why give up before you try =D

joecatch3 karma

Thanks for taking the time to inform us. I have lots of questions about malware, how it works and your program. But to ask just 3:

  1. how do you keep your program protected from malware that may try to change or disable Malware Bytes?

  2. how does Malware Bytes scan actually work? Does it look at each file on my computer, and how much of the file does it inspect before it says it is ok? Does it look for the actual virus code or does it do something like a checksum check?

  3. and what about virus that change over time, how do you detect those?

Thanks!

MalwarebytesResearch3 karma

  1. We have various countermeasures for malware that detects our software, for example Malwarebytes Chameleon will execute Malwarebytes Anti-Malware on a system that blocks us, usually by modifying the way we look (filename, icon, location, whatever it takes)

  2. Our scanning method usually doesn't need to tear apart a file to know it's malicious. We use very creative methods of detecting malware, and it's usually done in a way that catches more than one variant of that malware. I don't want to go into too much detail, but our scans are fast, and we are able to do that because of how quickly and efficiently we can scan files for maliciousness.

  3. Like I said before, our methods of detection might catch entire families of malware because a lot of them use things like builders or encrypters and leave footprints behind for us to detect. We have obviously come in contact with malware that has changed itself to counter our detection methods and when that happens, we modify our detection methods to grab those too.
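The answer above says that builders and encrypters leave footprints that let one detection cover a whole family. The general mechanism behind that is a byte-pattern signature with wildcards over the per-build parts. The following is an added illustration of that technique, not Malwarebytes' actual detection logic: the "builder" stub, the three variants and the signature name are all constructed for the example.

```python
"""Hypothetical family signature with wildcard bytes (added example, not
Malwarebytes' detection logic).  A builder emits the same stub around each
customer's configuration; the stub bytes are fixed and the config bytes
vary, so one pattern with '??' over the config catches every build."""


def parse_signature(text: str) -> list:
    """'55 8B ?? EC' -> [0x55, 0x8b, None, 0xec]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_at(data: bytes, pos: int, pattern: list) -> bool:
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def find_signature(data: bytes, pattern: list) -> int:
    """Offset of the first match, or -1.  Linear scan; a real engine would
    anchor on the fixed bytes or use a multi-pattern automaton."""
    for pos in range(len(data) - len(pattern) + 1):
        if match_at(data, pos, pattern):
            return pos
    return -1


def detect(data: bytes, signatures: dict) -> list:
    """Names of every signature that hits somewhere in data."""
    return [name for name, text in signatures.items()
            if find_signature(data, parse_signature(text)) != -1]


# Pretend builder output: a fixed x86 stub that pushes a 4-byte per-build
# config (push imm32 = 68 xx xx xx xx) and then does the usual
# call $+5 / pop ebx self-locating trick.  Constructed for the example.
STUB_PREFIX = bytes.fromhex("558BEC83EC10")   # push ebp; mov ebp,esp; sub esp,0x10
STUB_SUFFIX = bytes.fromhex("E8000000005B")   # call $+5; pop ebx


def build_variant(config: bytes) -> bytes:
    assert len(config) == 4
    return b"\x00" * 37 + STUB_PREFIX + b"\x68" + config + STUB_SUFFIX + b"\x00" * 20


SIGNATURES = {
    # The builder's fixed bytes, with the config masked out by wildcards.
    "Hypothetical.Builder.A": "55 8B EC 83 EC 10 68 ?? ?? ?? ?? E8 00 00 00 00 5B",
}

# Three "customers" of the same builder, each with a different config, plus a
# benign blob that shares only the generic function prologue with the stub.
VARIANTS = [build_variant(c) for c in (b"\xc0\xa8\x01\x05", b"\x0a\x00\x00\x17", b"\xff\xff\xff\xff")]
BENIGN = b"\x00" * 37 + STUB_PREFIX + bytes.fromhex("8B45088B4D0C") + b"\x00" * 20  # mov eax,[ebp+8]; mov ecx,[ebp+0xc]

if __name__ == "__main__":
    pattern = parse_signature(SIGNATURES["Hypothetical.Builder.A"])
    for v in VARIANTS:
        print(detect(v, SIGNATURES), "at offset", find_signature(v, pattern))
    print("benign:", detect(BENIGN, SIGNATURES))
```

The trade-off is visible in the benign blob: the first six bytes of the signature are a standard function prologue that any compiler emits, so a signature that stopped there would flood false positives. The family-specific part is the push-immediate followed by the self-locating call, with the immediate masked; that is the "footprint" the builder leaves regardless of which config the criminal typed in.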

stirry3 karma

I recently received some help from a Malware expert on your company's Forum and I was incredibly grateful for his help. Thanks to your entire company for doing great things for the community at large.

MalwarebytesResearch4 karma

Thanks! We do our best!

hatchetboy2 karma

Which sites are the worst for spyware and malware?

MalwarebytesResearch7 karma

Ones that use untrusted ad networks and/or are set up by novices. Blogs, religious web sites, fan web sites, etc. Some of the more obscure porn sites. Staying with what you know is usually a good rule of thumb if you can help it.

Brawldud2 karma

Out of curiosity: Why would web sites set up by novices likely have malware? And why religious websites in particular?

MalwarebytesResearch4 karma

Web sites set up by people who have little experience in securing a web site leave it open to potential exploitation by cyber criminals. They might use standard passwords or leave vulnerable applications open to anyone who knows how to exploit them. Once a cyber criminal obtains access to a web server, they can implant malicious iFrames into any web page they want, allowing for drive-by exploits of the site's visitors. Obviously this isn't the case 100% of the time, but in cases where a novice is required to secure their own web server...

As far as the religious sites, I am not sure why they are such a big target for cyber criminals, but we have seen our fair share. Maybe it's because of cyber criminals who have religious affiliation; maybe it's because religious websites are often visited more than other web sites. I only mention it because of how often it becomes an issue.
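The injected-iframe pattern described above has a recognisable shape on the page: the frame is made invisible (zero size, `display:none`, or positioned far off-screen) and usually points at a host the site owner does not control. The check below is an added example of spotting that shape in fetched HTML, not Malwarebytes code; the newsletter page, the 198.51.100.23 address and the `.example` hostnames are constructed test data.

```python
"""Hypothetical check for the injected-iframe pattern described above (added
example, not Malwarebytes code).  Drive-by iframes are usually made
invisible: zero width/height, display:none, or positioned off-screen.
Those hiding tricks are the signal; a third-party src alone is only noted,
because ad networks and video embeds are third-party too."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value: str) -> bool:
    """width/height attribute of 0 or 1 (px or unitless)."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) <= 1
    except ValueError:
        return False


def iframe_reasons(attrs: dict, page_host: str) -> list:
    """Every hiding trick the iframe uses, plus 'third-party' if its src host
    is neither the page's host nor a subdomain of it."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    if (_tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
            or re.search(r"(?:width|height):0(?:px)?(?:;|$)", style)):
        reasons.append("zero-size")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden-style")
    if re.search(r"(?:left|top):-\d", style):
        reasons.append("off-screen")
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != page_host and not host.endswith("." + page_host):
        reasons.append("third-party")
    return reasons


HIDING = {"zero-size", "hidden-style", "off-screen"}


def find_suspicious_iframes(html: str, page_host: str) -> list:
    """Iframes that use at least one hiding trick, with all reasons attached."""
    parser = _IframeCollector()
    parser.feed(html)
    out = []
    for attrs in parser.iframes:
        reasons = iframe_reasons(attrs, page_host)
        if HIDING & set(reasons):
            out.append({"src": attrs.get("src", ""), "reasons": reasons})
    return out


# Constructed page: one legitimate embed and three injected frames.
# 198.51.100.0/24 and the .example TLD are reserved documentation values.
SAMPLE_HTML = """<html><body>
<h1>Parish newsletter</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://198.51.100.23/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://update-cdn.example/x.html" style="position:absolute; left:-9999px; top:-9999px"></iframe>
<iframe src="/about.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "parish.example"):
        print(hit)
```

The YouTube embed is third-party but visible, so it is not reported; the `/about.html` frame is same-origin but hidden, so it is. On a compromised site the hidden frame is often appended just before `</body>` or prepended to every PHP file, so running this over every page of the site, rather than just the front page, is the useful form of the check.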

thiefshot52 karma

How does it feel to be the "go-to" standard when people get malware?

MalwarebytesResearch3 karma

It feels great. The crazy thing is, we haven't really changed the way we do things since Malwarebytes started, it was developed as a great tool and is still and will always be a great tool for fighting malware.

bolzano_19892 karma

I have read this paper: www.loria.fr/~athierry/docs/Recon2012-recognition-binary-patterns.pdf

Could you tell me how you identify common subroutines that come from standard libraries and do not need to be reversed in a malware sample? How do you do that in IDA or other tools?

MalwarebytesResearch2 karma

IDA usually fills in a lot of stuff on its own, which is great. I often use known subroutines to get an idea of where I am going in the code or what the malware might be trying to do. Even without putting it in Olly or IDA you can tell what routines are being used with tools like PE Explorer, or just looking at the file strings. Being able to extract function names from Standard Libraries that IDA doesn't automatically fill in for you is a neat feature but in my opinion, it is easier to spot a function written by a malware author and assume the function of the unknown legitimate subroutine than it is to try and figure out which each one is. Great question!

bolzano_19891 karma

Usually, how do you spot functions written by a malware author :) ? What are the differences or signs that let you recognize them?

MalwarebytesResearch2 karma

Well the style is a definite give away, legitimate functions are much more professional, written to maximize on smaller code size and efficiency, while functions belonging to malware authors are usually more sloppy, in addition to being less mobile, using hard coded values, and of course if I have already been doing some deep analysis, I will recognize functions / values that I have already labeled.

I can't say that it doesn't require a bit of experience and knowing what you are looking for but when you are following the flow of execution with the goal in mind that malicious activities are being done, you can tell what belongs to that operation and what is just being done on the side. If that makes sense.

effin_clownin2 karma

I may or may not receive an honest answer from you for the obvious reasons but I'll ask anyways.

What is the best antivirus/anti-malware program that is out right now aside from Malwarebytes? My definition of best is the same as yours :).

MalwarebytesResearch1 karma

Well, even though you said besides our own, Malwarebytes Anti-Malware is the BEST anti-malware solution out there. As far as Anti-Virus, well, based on numerous comparison tests done by both paid firms as well as independently, I would have to say Kaspersky is the best antivirus solution out there. Honest answer, just based off of the stats.

rbsh1232 karma

What are some misconceptions about malware on computers such as when downloading files from the internet? Also what is the difference between malware and virus?

MalwarebytesResearch1 karma

The severity of some malware can be blown out of proportion sometimes, which is the biggest of the misconceptions I can think of. Honestly, most of them stem from truth but the media likes to hype up the threat. For example, last year a lot of people thought that a certain type of malware was going to destroy the internet, but it didn't. However, some things that seem like they might be a bit far fetched, like being suspicious of even a link you get from a friend via Skype, are legitimate countermeasures.

A virus refers to software that has the intent to destroy or disrupt a system. Malware is more broad than that and while viruses usually fall into the category of Malware, so does spyware, Ransomware, data stealing Trojans, and anything else that attempts to ruin your day =).

Websly2 karma

1st:Is most malware today written in C or C++? And is there any real difference between C and C++ written malware when analyzing?

2nd:Do most malware analysts come from forensics, programming, or some other field?

3rd: What obfuscation technique has impressed you the most?

MalwarebytesResearch2 karma

1st: Most malware is written in either, though once malware is compiled and then decompiled to be reverse engineered, things like objects don't always come through like they do in the original source code. I don't really think there is a difference.

2nd: Yes, all of those. Basically its people who have technical ability for some reason and really really hate malware. Either way, you will eventually be learning other skills while becoming a malware analyst (networking, programming, etc.)

3rd: Custom packers that decrypt with values found on systems with certain types of hardware. Those suck.

rudxai2 karma

  1. How many hours do you work a normal day?
  2. How many 'normal' days actually exist? Do you have a lot of work?
  3. I know this is a little personal but, how much do analysts, with not many years of experience, get paid?
  4. Did you have the chance to take a look at famous rootkits such as Stuxnet, DuQu or Flame? Which one impressed you the most?

MalwarebytesResearch3 karma

  1. Depends, usually more than 8 though. I work remotely so I am never at home or at work since I am in a constant state of both. (Like Schrödinger's cat)

  2. There is always a lot of work because there is a lot of malware. At the same time there is a lot people don't know about, such as basic security practices. Usually if there isn't a huge malware threat on a particular day, I am working on something that helps people stay safe from future malware threats. I try to have some normality in my life but I know guys that I swear never sleep.

  3. It really depends on what part of the country you work in and who the customer is. Though I think $50k-$70K is probably a good range.

  4. Flame, hands down. It was the only one I actually considered malware since it could collect data, beacon back and with its modules, pretty much do anything it wants. Stuxnet and DuQu were too specialized but still pretty complex pieces of work.

rudxai1 karma

any open positions for a simple evil CS graduate? haha

MalwarebytesResearch1 karma

haha, well we are always hiring: http://www.malwarebytes.org/company/jobs/

rudxai1 karma

hmm..there's a tech support job that I feel like I have the requirements to apply for..better than nothing haha! I am an E.U. citizen though (Greek) so I would need a visa/working permit..

MalwarebytesResearch2 karma

We have a lot of our researchers and developers in the E.U. so you wouldn't be the only one =).

wat_waterson2 karma

I did most my communication with Marcin regarding it, but thank you guys for sponsoring BsidesOrlando! I hope you got the board we sent you! You guys were actually our first sponsor :)

A couple of questions:

1) Seems to be a lot more people with eyes on malware lately, especially after Conficker. With the APT1 thing happening and all the other APT style attacks, it's getting harder for the little guy to keep up with his own research and publish before the big guys do. What do you think would be the best tactic for a little guy (like me) to be able to get research done faster and publish ahead of the curve? (Full disclosure, I'm not quite at that point yet, but it's discouraging to continue)

2) What are your thoughts with all this APT business going on?

3) Are any of you guys gonna be at DEF CON? I'd love to be able to buy you drinks :)

MalwarebytesResearch1 karma

1) Think of it this way, most big firms have loads of malware to sift through and are usually preoccupied with detecting and removing the threat rather than doing deep research on it. While you may never be able to keep up with those firms that have deals with corporations or governments on the newest and sexiest samples, I think there is a lot of value in examining malware that everyone has to deal with, at a deeper level and using that information to see things in a different light. Being part of an organization might actually limit what some researchers can do, but an independent one might have a better time gathering intel or new samples since they can meld in with the actual crowd that is developing the threats.

2) APT or Advanced Persistent Threat is a valid concern and I am certain it has been going on for much longer than it has been in the media. Frankly, countries spy on other countries and corporations do the same. APT is not a person or organization but rather just a term that means targeted attack by a well funded and persistent adversary. I hope that if the announcement of APT by the media does anything, it will help governments/corporations take further steps in computer security.

3) A bunch of us should be going, not sure who yet but if you drop me a link on Twitter I will let you know if I am coming or not =).

MoHashAli2 karma

I don't have a question, but I'd like to say thanks, you've answered everything with great detail, and I've learnt a lot. Again thank you. :D

MalwarebytesResearch1 karma

No problem, thanks for the comment! I am glad you have enjoyed it =).

lalalalamoney2 karma

Is malware written in C# (or any other .NET language) harder to detect than malware written in a low level language like ASM or C? It seems to me that it might be harder to tell apart from legitimate programs.

MalwarebytesResearch1 karma

It is not harder to detect than malware written in lower level languages and it isn't even necessarily harder to reverse, just takes a different approach.

schepter2 karma

Do you ever try to track the origin of the malware? As in, figure out who created it and forward the information to the proper authority? Or have you ever come in contact with malware that had an obvious author? I.e., a novice mistake.

MalwarebytesResearch1 karma

All the time! However, this is really much more difficult than it sounds. As I have stated before, code reuse, mass implementation and usually malware authors doing a decent job at covering their tracks can make it difficult. The biggest breaks we get when it comes to attribution are usually when the authors come out and say "Hi, I am the author" though that doesn't happen all the time. lol.

Admiral_Blender1 karma

I can probably look this up, but is Malwarebytes just based off fingerprinting/hashing or does it use heuristics/behavior? Any plans to go to behavior if not? Would that just bloat the software?

MalwarebytesResearch1 karma

We use a mix of fingerprinting and behavioral / heuristics with very creative approaches to detection in our definitions that allow us to stay light and still effective without bloating the software or bringing the OS to a halt.
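To make the "mix of fingerprinting and behavioral / heuristics" concrete, here is an added illustration in Python of how the two layers fit together. It is not Malwarebytes code and says nothing about how their definitions actually work; the hash database, the rule set, the weights, the threshold and the sandbox traces are all constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed fingerprint database: the SHA-256 of a toy blob that stands in
# for a known-bad file. Real definitions carry far more than plain file hashes.
KNOWN_BAD_BLOB = b"constructed-known-bad-sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_BLOB).hexdigest()}

# Behavioural rules (constructed): observed API, regex on its argument,
# weight, and a human-readable reason for the verdict.
HEURISTICS: List[Tuple[str, str, int, str]] = [
    ("RegSetValue", r"\\CurrentVersion\\Run\\", 3, "persistence via Run key"),
    ("CreateFile", r"(?i)autorun\.inf$", 2, "writes an autorun.inf"),
    ("ControlService", r"(?i)defend|antivirus|security", 4, "tampers with a security service"),
    ("WriteProcessMemory", r".", 3, "writes into another process"),
]
THRESHOLD = 5  # constructed: total weight at which behaviour alone is flagged


def fingerprint_match(sample: bytes) -> bool:
    """Layer 1: exact file hash against the known-bad set (cheap, no false positives)."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def heuristic_score(events: List[Tuple[str, str]]) -> Tuple[int, List[str]]:
    """Layer 2: score a list of (api, argument) events; each rule counts at most once."""
    score, reasons = 0, []
    for api, pattern, weight, why in HEURISTICS:
        if any(e_api == api and re.search(pattern, arg) for e_api, arg in events):
            score += weight
            reasons.append(why)
    return score, reasons


def classify(sample: bytes, events: List[Tuple[str, str]]) -> Dict[str, object]:
    """Fingerprint first; fall back to behaviour for anything the hash set has never seen."""
    if fingerprint_match(sample):
        return {"verdict": "known-malware", "score": None, "reasons": ["sha256 fingerprint match"]}
    score, reasons = heuristic_score(events)
    verdict = "suspicious" if score >= THRESHOLD else "clean"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sandbox traces for two unknown files.
DROPPER_EVENTS = [
    ("CreateFile", r"E:\autorun.inf"),
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("WriteProcessMemory", "explorer.exe"),
]
EDITOR_EVENTS = [
    ("CreateFile", r"C:\Users\alice\Documents\notes.txt"),
    ("RegSetValue", r"HKCU\Software\Acme\Editor\Theme"),
]

if __name__ == "__main__":
    print(classify(KNOWN_BAD_BLOB, []))
    print(classify(b"unknown dropper bytes", DROPPER_EVENTS))
    print(classify(b"text editor bytes", EDITOR_EVENTS))
```

The point of the layering is cost and coverage: the hash lookup is trivial to run over every file and never misfires, while the behavioural rules catch repacked or unseen variants but need a threshold so that a single benign registry write does not trip them.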

Websly1 karma

What skills/experience should someone have before you would hire them as malware analysts?

Also, what might be signs that a malware sample was built for a targeted attack?

MalwarebytesResearch1 karma

Well skills and experience include familiarity with malware analysis, knowing how to perform static and dynamic analysis as well as see things from multiple points of view (we get creative at Malwarebytes). Reverse Engineering is not required for all positions but it is always nice to have, or any kind of advanced skill such as work with exploits. Another thing is some past experience fighting malware, either with your own blog or malware database, even contributing meaningful samples to the Malwarebytes forums would be a great way to get noticed =).

Targeted attacks are usually only found in small areas and are easier to spot when you consider the infection vector rather than the malware itself. However, some malware does check for specific types of hardware/software being installed on the system and if those values are unique enough, it could be a sign that the malware is using a targeted approach.

Stygeros1 karma

[deleted]

MalwarebytesResearch2 karma

1: Being malicious. We don't block legitimate software from executing so often we detect, based on the executable itself rather than what it tries, that it is malicious and then take measures to quarantine the file.

2: Same thing as what you described. We try to figure out what it does, why it does it and, most importantly for me, who it belongs to. Sometimes you can't derive that from reverse engineering and sometimes you can; at the end of the day, as long as you can obtain some information into what it is and maybe even associate it with other "known" malware, you are telling the rest of the world that this file is bad.

3: Honestly, most malware authors focus on Windows because of the mass use of Windows in corporations, governments, etc. If Windows or Linux was the primary OS of the people with the information and the money, bad guys would be developing more malware for those systems. Also considering the fact that security applications don't exist in the same form for Mac/Linux as they do for Windows and you have a slightly defenseless target. As we have seen over the last couple years, people are using Mac more and more and in turn we have seen more and more malware being developed for the purpose of infecting OSX systems.

djlastword1 karma

I'm a somewhat experienced home user. I keep my computers updated, use a firewall with default settings, keep cloud-backups of my important stuff, don't click shady links, open spam or download weird stuff etc.
Is there any real reason for me to invest in a separate anti-malware software if I'm on either a PC running Windows 8, with the built-in anti-malware operating, or a Mac?

MalwarebytesResearch1 karma

You could stick with your current setup but that is like driving a car without a seat belt or airbags. Anti-Malware software provides you with additional protection against malware that exploits unknown vulnerabilities in your operating system and applications. There is a method of infection that utilizes ad serving networks to distribute malicious advertisements on legitimate sites, they are known as Malvertisements and can be used to infect your system even if you don't click on shady links, open spam or download weird stuff.

Windows 8 is brand new and definitely has a fair amount of unknown vulnerabilities that are bound to be found by cyber criminals and used against you, circumventing the built in anti-malware functionality. As far as for a Mac, over the last few years we have seen a significant rise in the amount of malware being developed for the Mac operating systems. At the end of the day, there is nothing about Apple products that keep it malware free other than malware authors were not writing malware for systems that aren't widely used. However now that more and more people are using Apple products, they are becoming a target just like Windows and I can guarantee that over the next few years the spike in Mac malware will continue.

You do, however, already have one of the most important aspects of computer security down: secure computing practices. A lot of users depend on their software only to protect them when in reality, being vigilant and prudent in your day to day usage of your computer can mean a world of difference as to whether you are susceptible to zero day attacks.

Thanks for the question!

djlastword1 karma

Thanks for your detailed response!
Quick follow up, are you saying that Windows Defender in Windows 8 is not an anti-malware product in the same sense as yours or other companies' like Kaspersky and Symantec? Or are you saying that it has similar functionality but of a lesser quality?

MalwarebytesResearch0 karma

Well our product is not the same as Kaspersky or Symantec, we aim to catch what they miss and do it in a different way than they do. Microsoft Security Essentials is a nice product in its design but based on detection testing, it doesn't really do a great job in comparison to other AVs in the same category such as Kaspersky or Symantec.

djs861 karma

How is it that my Norton antivirus was hacked twice over 2 years by the bad guys? Trying Kaspersky now along with Malwarebytes. Thought keeping AV updated would prevent Trojans. Is a one time fee for life what Malwarebytes charges if you want other than their free version? Lastly, what is the advantage to paid software if they have freeware? Thanks for answering and to Malwarebytes for providing freeware!!

MalwarebytesResearch1 karma

Zero Day Malware, commonly spread by drive-by attacks, might be able to detect and disable antivirus software; that is probably why your Norton was taken down. Try disabling Java in your browser and keep your OS, browser and all applications like Flash, Java, etc. up to date to patch any vulnerabilities found within them. It is a one time fee for Malwarebytes and beyond just being a scanner, Malwarebytes Anti-Malware PRO will block you from visiting malicious sites and prevent execution of malicious files, I think it is definitely worth the $25. Thanks!

Zouave3211 karma

Is it possible to get infected by simply visiting a website, even if I disable JavaScript?

MalwarebytesResearch1 karma

Flash exploits are still common so yes, it is still possible to get infected by visiting a website. However, if you disabled Java, Flash, use an Ad blocker, pop up blocker and keep all of your plugins updated as well as OS and Anti-Malware/antivirus software up to date, you should be pretty well protected from anything the web can throw at you =).

FatDeliSlice1 karma

Since analyzing malware code is pretty much a code review, do you mentally or actually score the code quality as you process it? Do you find signatures or patterns that point to a particular programmer that you can track?

MalwarebytesResearch2 karma

Well malware code analysis usually provides only up to what assembly the original compiler created. This means that we can only go as far up as to the compiler level and if a malware author wrote entirely in a higher level language such as C, the compiler would decide how the assembly was organized, meaning that scoring the code is more difficult if for example a different compiler was used or if the code was rewritten.

In addition, code reuse is common among malware authors so you might see the same code used in dozens of different malware from different families, however this does not mean they were all created by the same author.

There are numerous tactics, however, for determining relationships between different malware, such as function hashing or even small values left behind by the executable builder or encryption application. This can include hex codes only found in certain sections of the code or full strings that reveal relationships between malware. This kind of relationship detection is what I believe to be the most commonly used in the AV industry, as well as behavioral heuristics, naming schemes and registry entries.

Unfortunately, most malware does not have a label in it that says "I was written by BadDude123" so we often rely on these forms of relationship determination that allow us to say that Malware X was most likely created by the same developer as Malware Y.

As I have stated previously, there are many more people spreading malware than there are creating it and usually those individuals stay out of the operations aspect of the malware. So the major goal is usually to determine who is spreading the malware and if they are related to a certain organization such as cyber crime syndicates or government organizations or if they are just script kiddies trying to steal someone's Runescape password. We determine these relationships often with details of the infection vector, such as drive-by exploits as opposed to malware masking as a cracked game installer on a file sharing site.

Great question though, I can attest that over the last few years a lot of work has been done in the field of malware attribution and relationship determination, just because of the mass amount of variants being developed every day of numerous types of malware and the desire for accurate vendor naming as well as attack source attribution.
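The answer above mentions function hashing and shared strings as ways to relate two samples without claiming a common author. The following is an added Python illustration of both ideas, not code from the AMA author or from Malwarebytes. The two "binaries", the function bodies, the prologue used as a function boundary and the builder string are all constructed for the example; the one real detail is that the `E8`/`E9` opcodes take a 4-byte relative target, which is why those bytes are masked before hashing so that a relocated copy of the same function still hashes the same.

```python
import hashlib
import re
from typing import Dict, List, Set

# x86 function prologue (push ebp; mov ebp, esp). Used here as the function
# boundary; a real workflow would take function starts from a disassembler.
PROLOGUE = b"\x55\x8b\xec"

# Constructed pseudo-functions standing in for code carved out of two unpacked
# samples. FUNC_CALL_B is FUNC_CALL_A with a different call target, which is
# what the same function looks like after the binary has been rebuilt.
FUNC_CALL_A = PROLOGUE + b"\x83\xec\x10" + b"\xe8\x10\x00\x00\x00" + b"\x5d\xc3"
FUNC_CALL_B = PROLOGUE + b"\x83\xec\x10" + b"\xe8\x40\x01\x00\x00" + b"\x5d\xc3"
FUNC_ZERO = PROLOGUE + b"\x33\xc0\x5d\xc3"            # xor eax,eax; pop ebp; ret
FUNC_INC = PROLOGUE + b"\x8b\x45\x08\x40\x5d\xc3"     # mov eax,[ebp+8]; inc eax; ...
FUNC_DEC = PROLOGUE + b"\x8b\x45\x08\x48\x5d\xc3"     # mov eax,[ebp+8]; dec eax; ...

# Constructed "binaries": a short header, a string table, then the code.
SAMPLE_A = (b"MZ\x90\x00"
            + b"ConstructedBuilder/2.1\x00alpha-campaign-config\x00"
            + FUNC_CALL_A + FUNC_ZERO + FUNC_INC)
SAMPLE_B = (b"MZ\x90\x00"
            + b"ConstructedBuilder/2.1\x00bravo-campaign-config\x00"
            + FUNC_CALL_B + FUNC_ZERO + FUNC_DEC)


def split_functions(blob: bytes) -> List[bytes]:
    """Carve the blob into chunks starting at each prologue (crude, but offline)."""
    parts = blob.split(PROLOGUE)
    return [PROLOGUE + body for body in parts[1:] if body]


def normalize(code: bytes) -> bytes:
    """Zero the rel32 operand of call (E8) / jmp (E9) so relocation does not change the hash."""
    out = bytearray()
    i = 0
    while i < len(code):
        out.append(code[i])
        if code[i] in (0xE8, 0xE9) and i + 4 < len(code):
            out.extend(b"\x00\x00\x00\x00")
            i += 5
        else:
            i += 1
    return bytes(out)


def function_hashes(blob: bytes) -> Set[str]:
    """Set of truncated SHA-256 digests, one per normalized function."""
    return {hashlib.sha256(normalize(f)).hexdigest()[:16] for f in split_functions(blob)}


def strings(blob: bytes, min_len: int = 6) -> Set[str]:
    """Printable ASCII runs, the same thing the classic `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {s.decode("ascii") for s in re.findall(pattern, blob)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def compare_samples(a: bytes, b: bytes) -> Dict[str, object]:
    """Summarise how much code and string material two samples share."""
    fa, fb = function_hashes(a), function_hashes(b)
    return {
        "shared_function_hashes": len(fa & fb),
        "function_jaccard": jaccard(fa, fb),
        "shared_strings": sorted(strings(a) & strings(b)),
    }


if __name__ == "__main__":
    print(compare_samples(SAMPLE_A, SAMPLE_B))
```

On the two constructed samples the relocated call function and the shared zeroing function hash identically, giving two shared function hashes out of four distinct ones (Jaccard 0.5), and the builder tag shows up as a shared string while the per-campaign config names do not. As the answer stresses, that supports "likely the same builder or code base", not "the same author".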

FatDeliSlice1 karma

Great answer. I just thought that after deep study, some hunters could see signatures and patterns like WWII spymasters and their spies. The morse code listeners could detect the 'hand' and recognize different senders.
I guess optimizing compilers make complete decompilation back to high level language still impossible.

MalwarebytesResearch1 karma

I like to think that an experienced malware analyst might be able to determine the likely country of origin based on how the malware is organized. lol.

Decompilation to high level languages is possible as there are decompilers out there, however it converts the assembly into C and uses generic function names so you will most likely not get the original source code back.

oneofus3331 karma

This may sound quite generic, but what is your educational background/experience? You mention that you were in the Navy which piqued my interest.

MalwarebytesResearch1 karma

Well I have a Bachelor's degree in programming, started doing malware analysis while in the US Navy as a CTN (cryptologic tech: networks) and got a lot of training through them on everything from malware analysis to programming and networking, then after about 6 years I got out and started doing analysis for government contractors for a few years.

Tired of the bureaucracy, I left the government world and did some side work with companies like ANRC and FireEye before joining Malwarebytes. I have been doing that ever since. =) I have been doing the whole malware fighting gig for about 8 or 9 years now and am going to go back to college pretty soon here for a Masters degree.

I have CEH, Linux+, GREM, CREA, MCTS and CISSP certifications and have given multiple talks as well as developed and taught a few courses in basic malware analysis concepts.

rudxai1 karma

Which one would you recommend for a starter as a jr. pen tester? CEH, CISSP, OSCP, other ?

MalwarebytesResearch1 karma

CEH would be a good one. GIAC has a Pen Test cert which might be a good idea to get, it's called GPEN.

Malnard1 karma

How long did it take to prepare for being Anti-Malware Man?

MalwarebytesResearch2 karma

Haha, well it took a few hours to make the logo (then have it redone), go out and buy a black shirt and printer paper that I could iron on. Print out the logo, iron it on the shirt, spraying my hair blue was easy and I already had the goggles. I would say, taking away the time it took me to think of it, about 2 hours total because I had to go buy the stuff and maybe 20 min of actual work, lol.

thebeatmix1 karma

What's it like working @ Malwarebytes?

MalwarebytesResearch3 karma

It is fantastic! I work with a very broad group of people from all over the world and we all have a passion for taking down the bad guys and eating tacos!

CecileMBAM2 karma

Please expand more on these tacos... :P Are there taco days I don't know about?

MalwarebytesResearch3 karma

Secret taco meetings do happen often, although you need the proper credentials.

7thoughts3 karma

I like this guy. Glad I chose to buy the software _^

MalwarebytesResearch3 karma

Thanks!

CecileMBAM1 karma

What are the steps you take to hunt malware?

MalwarebytesResearch1 karma

It usually starts with checking the normal repositories, malware reporting sites etc. Believe it or not, while it might seem like only big companies are doing something about malware, there is a very large subset of the web that focuses their free time on finding new malware and telling people about it. In addition to that we have our own guys who go out and poke everything that moves, looking for malware or collecting exploits.

celee71 karma

What would you recommend to run alongside MBAM to be protected from malware and the likes?

MalwarebytesResearch7 karma

We have always told our users that MBAM should be run as an additional product to some other security solution. If you want to run Kaspersky, McAfee, even Microsoft Security Essentials, go for it and then run us as well to be extra protected.

Basically, if you were driving a car, you would wear a seat belt to protect you from any kind of disaster, this is what the AVs do for you. However you would use your air bag when the bad stuff actually happened, and that is what we do. Air bag stuff. =)

nestersan1 karma

Do you contact AV makers, like Norton whose installer demands that your product be removed ?

Will MBAM have a tool to upload samples like some other products do ?

I have done quite a few to a competitor using their internal tool and it's very handy ( I come across loads of malware during any given day)

MalwarebytesResearch3 karma

  1. Yes, we do contact those vendors and show them that we do in fact work very well beside them. Anyone who blocks us from installing or running is probably doing it for marketing reasons.

  2. We're experimenting with a few things but there's nothing concrete.

Our official method of submitting malware is through our Forums, where you can submit malicious files to us if we don't already detect them. http://forums.malwarebytes.org/

k0ng01 karma

Hey what music, if any, do you listen to when doing analysis? In addition what is your overall preparation when RE'ing malware. Do you work in chunks of hours or all-nighters?

MalwarebytesResearch1 karma

When reversing, Techno, Electric, Trance, etc. When writing, something classical. My prep requires reverting to a clean snapshot on all my VMs, loading up the tools and files required and then getting to it.

Depending on the urgency I might work in chunks of hours though I have pulled a few all-nighters too.

Aidong1 karma

First of all, thank you very much for doing this AMA. It's been very very interesting for me to read. I've always been very intrigued by malware and how it operates. I remember when I was younger I used to go through Symantec's website and have a look at Symantec's Malware database until the early hours of the morning.. (http://www.symantec.com/security_response/)

Just a couple of questions though.

One. Which family of malware would you consider to be the most damaging to both business and corporate structures?

Two. Has there been a case of any malware spreading throughout the office? I remember reading an article on malware utilising the autorun function when Flash drives are inserted into a machine.

Three. What are the specifications of your machine? I imagine you would have a high-end machine for running multiple VMs. I use VMs to create APP-V packages to deploy across the network, and I couldn't imagine assigning any less than 4 gigabytes of RAM and two cores to a single VM. It's just too slow for me.

Thank you very much for taking the time to read my questions :)

MalwarebytesResearch1 karma

  1. Enterprise concerns are really focused around targeted attacks such as spear phishing or watering hole. Those attacks in turn unleash zero day malware onto the secured network where intel gathering and/or destruction can take place depending on the intent of the attacker. You will most often not hear about these attacks as companies are not always comfortable letting everyone know that their security sucks. From a public view however, banker trojans like Zeus have always been a pain.

  2. BYOD or bring your own device, is one of the big "benefits" of modern corporate environments, however it exposes untrusted devices such as cell phones, tablets and laptops onto sensitive and previously secured enterprise networks. I think it is a horrible idea but then again this job makes me a little paranoid. USB spreading malware was a big issue back in 2007-2008 and has still been a good reason for corporations to ban the use of USB drives on corporate systems, though it certainly still happens (as we saw with Flame last year).

  3. My personal rig uses a 3.40 GHz Intel i7 with 4 cores, 16 GB RAM, 3 TB of HDD and 5 monitors. My other work systems use SSDs for quickly accessing my VMs. Do you need a monster like my system to do analysis? No way. I have been able to run numerous VMs on a $900 Acer Aspire back in 2005 with 4 GB RAM. Analysis VMs do not need to have the same power as your host system, you really only need to run the base system with some analysis tools and then of course the malware, which is usually designed to be as compatible with all types of setups as possible. I usually keep the RAM low for my VMs and only 1 core. The newer operating systems might need more. Either way, it's not like you are going to be multi-tasking with Photoshop and Call of Duty on a VM =).

Thanks for the questions, they were great and I hope I answered them for you. Have a great day!

Admiral_Blender1 karma

Ever run across malware that can affect multiple operating systems? What do you do about a program that has random permutations?

Anything that is just not solvable at the moment?

MalwarebytesResearch1 karma

There is malware out there that can swap modules depending on the operating system that it is running on, this could technically be referred to as cross platform malware. I think that the main threat when it comes to cross platform is the delivery mechanisms that are being developed and used in conjunction with Java exploits and the like. They detect the operating system and depending on what they find, download infection functions to do what they want on the system.

Nothing is not solvable, sometimes we run into problems when we don't have all the pieces of the puzzle, but that doesn't mean it's impossible. =)

Chaular1 karma

What antivirus or protection software would you recommend that someone use alongside Malwarebytes? Also which free protection software would you recommend? Thanks for this AMA!

MalwarebytesResearch1 karma

As I told effin_clownin, based on the stats, I think Kaspersky would be the best antivirus to run alongside Malwarebytes Anti-Malware. I also recommend using Adblock software plugins for your browsers, just in case you come across a malicious advertisement and to keep fake download buttons away from you.

As far as free, Avast and AVG are good applications that will help complement Malwarebytes Anti-Malware. At the very least I say run Microsoft Security Essentials, it is completely compatible with Windows and updates regularly.

K4tlpr0d1 karma

Do you ever hesitate before categorising a sample as PUP/PUA?

MalwarebytesResearch1 karma

All the time, we hesitate quite often and double check that an application truly fits into that category before labeling it as such.

sparcos1 karma

Hey! I have this problem with my web browser. Every time I google something, when I try to click the links that come up, some virus takes me to some BS ad website and not the web link I just clicked. Thoughts on how to fix this? I run on Firefox, and I use malwarebytes and CCleaner

MalwarebytesResearch2 karma

Hi Sparcos, I recommend heading over to http://forums.malwarebytes.org/index.php?showforum=7 and posting your issue there. Our support specialists will be able to help you fix your problem, free of charge.

[deleted]1 karma

[deleted]

MalwarebytesResearch1 karma

Well we detect all malware we know about, lol. If we knew about undetected malware, we would then take measures to detect it, don't ya think?

Identify_the_feel1 karma

Not really a question, but I just want to say I have purchased Malwarebytes for every computer in my home, and I have been using it for years. It has never failed me once, love your product!

MalwarebytesResearch2 karma

Thanks so much for your feedback, we completely appreciate the loyalty of our users. Thanks again!

the_bigwiggle1 karma

I don't have any questions, I simply want to say thank you for what you do.

MalwarebytesResearch1 karma

And I want to thank you for the thank you!

jtl9990 karma

Thanks for doing this AMA.

I am currently working on reverse engineering Valve Anti Cheat by using similar methods to yours such as debugging and am experimenting with technology similar to Chameleon for bypassing the anti cheat.

Also I was wondering why you guys don't have a dedicated toolbar remover for things like Babylon. I have been planning to write my own remover for quite a while now.

MalwarebytesResearch1 karma

Toolbars are a touchy subject as they can be installed legitimately, some people even like them. As for things like Babylon, there are a lot of resources out there on how to remove them, including some help on our forums. I will see what we can do about making a video removal guide for Babylon that we can post on the blog or something.

Good luck making the remover, sounds promising!

effin_clownin-1 karma

Answer my question dammit. Oh yeah, I have another, are you a Spurs fan?

MalwarebytesResearch2 karma

I am not a huge Basketball fan, but if I was, I would be a Spurs fan.

budtske-2 karma

Have you run into any malware that has "busted out" of your VM while trying to analyze it?

I've seen some papers but don't know if it's actually been done in the wild before.

PS: I've been kind of running an illegal version of your PRO product for the last 3-4 years. Kind of expected the product to transmit ID and serial and cut me off from updates at some point... Sorry

MalwarebytesResearch3 karma

I have never actually seen it done in the wild either. I think the most likely, real world application of malware breaking out of a VM is if it was using active shared folders back to the host, allowing the malware to store malicious files outside of the VM. However, I have seen plenty of malware that freaks out as soon as it realizes it's in a VM. lol.

Also, thanks for being honest about our product.

scd250-4 karma

How does it make you feel that your profession is pretty close to useless?

There are so many ways to get around antivirus detection. Determining whether code is a KNOWN virus--not just a virus but a KNOWN virus--is an NP-complete problem. That means it occurs on a complexity too vast to be solved by any reliable means.

So basically the best you can do is run a piece of code to see if it's obviously malicious...but half the time that won't work either. So really antivirus doesn't protect from a whole hell of a lot.

What do you predict as far as solving these types of problems in the future?

MalwarebytesResearch6 karma

I don't agree that it is close to useless, if anything it is more vital than it has ever been.

It is true that new malware comes out that can circumvent current antivirus detection, when that happens the industry responds accordingly and protects against what we know about. We will always be working on methods of protection beyond just what we know about and as we do, the malware authors will develop new types of malware to circumvent that, it never ends.

To say that it doesn't protect a lot is a misconception IMHO. Gun developers are constantly making new guns that can get through current protections, so does that mean people should stop making bullet proof vests or glass? Criminals are constantly finding new ways to commit crimes, does that mean it's not worth it to protect peaceful citizens from theft or murder?

In addition, your argument is based on the idea that every piece of malware is unique when in reality, the majority of malware currently in the wild is just variations of other malware that has already been seen, repackaged and re-purposed for the cyber criminal consumer. These days it doesn't take a genius to figure out how to execute a phishing attack or purchase a botnet online, the only developers of unique threats are professional malware authors and there are much fewer of them than there are cyber criminals spreading the malware.

Also, while there might be an infinite number of different methods to circumvent protections at the initial phase of infection, there are a finite number of ways to actually infect a system.

I predict that in the future, we will see antivirus/Anti-Malware scanners that use some serious heuristics, execution authorization by the users for every operation and maybe even some smart scanners that learn and evolve based on the current threat landscape. Either that or a completely secured operating system, that would most likely seriously limit the interaction ability of the user for the sake of security.

If you did a bit more research into commonly seen malware, how it is distributed and especially how it is reproduced, you would find that the AV industry is very much essential to users today and for the next X amount of years.