Highest Rated Comments


MalwarebytesResearch (20 karma)

"FIRSTIES" =D.

Difficulty really depends on your goal when it comes to malware analysis.

From a technical standpoint, when you want to reverse engineer malware, I would say rootkits are the most difficult because they tend to use functions and libraries that are not well documented, making it difficult to quickly understand what they are trying to do. At the same time, rootkits like to hide by installing themselves as services and hooking into the chain of operations your operating system uses to do things like show you files and folders or what applications are running. By creating these hooks, rootkits are able to scan any information that is going to be presented to the user and remove any sign of registry keys, processes or files that belong to the malware.

When it comes to detection, any malware that modifies its operations based on the existence of an anti-virus or anti-malware application can be a pain because it is intentionally trying to subvert our detection and removal operations. Usually this kind of malware has been tested in a lab with numerous scenarios to make sure that, regardless of what we do, it is able to get around it. However, as soon as we get a sample of that malware and realize what it is doing, we quickly modify the way we detect it and usually end up taking down the malware and any variants of it.

Stepping back from detection, just trying to remove some malware can be more difficult, especially if the malware existed before our application was installed. Take ransomware, for example: if a user had an antivirus or anti-malware product installed prior to the ransomware infection application executing, it would have been detected and stopped. However, if there is nothing stopping the ransomware, it can install, infect, encrypt and lock the user out completely. It might even modify system files and will destroy the system if not properly cleaned.

From an intelligence point of view, malware that is released on a mass scale, say with a certain builder that was cracked, can be troublesome because it is difficult to determine the exact source of the attack. In addition, when you take malware like Zeus, which has been in production for years and now has numerous variations, you might be able to track down the source of one or two different variants, but when trying to determine the relationship between variants and, more importantly, the cyber criminals behind the malware, it becomes difficult due to the large number of cyber criminals using this malware for various reasons.

So at the end of the day, the idea of difficulty comes down to the overall goal of the analysis, whether it be deep technical analysis or trying to gather meaningful intelligence. Great question to start off with, thanks!
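The hooking behaviour described in this comment (a rootkit filtering the process and file listings the OS hands to user-facing tools) is what cross-view detection targets: take two independent snapshots of the same objects and report anything one view omits. The script below is an added example, not code from the AMA or from Malwarebytes; the process and file snapshots are constructed data, with PID 4242 and the `/lib/.hidden/rk.so` path planted as the hidden entries. The `linux_process_views` helper shows how two real views can be gathered on Linux (a `/proc` listing versus a signal-0 PID probe) and is an assumption about the environment rather than something the comment specifies.

```python
"""Cross-view rootkit detection demo (added example with constructed data)."""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    kind: str          # what was compared: "process" or "file"
    identifier: str    # PID or path
    label: str         # name/description from whichever view reported it
    missing_from: str  # the view that did NOT report it


def cross_view_diff(kind: str,
                    high_view: Dict[str, str],
                    low_view: Dict[str, str],
                    high_name: str = "api",
                    low_name: str = "raw") -> List[Finding]:
    """Compare two views of the same objects and return every discrepancy.

    An entry present in the raw view but absent from the API view is the
    classic rootkit signature: the hooked enumeration path filtered it out.
    The reverse (API shows it, raw does not) is also reported; it is usually
    a race (a process exited between snapshots) but still worth a look.
    """
    findings = []
    for ident, label in low_view.items():
        if ident not in high_view:
            findings.append(Finding(kind, ident, label, high_name))
    for ident, label in high_view.items():
        if ident not in low_view:
            findings.append(Finding(kind, ident, label, low_name))
    return sorted(findings, key=lambda f: (f.missing_from, f.identifier))


def hidden_only(findings: List[Finding]) -> List[Finding]:
    """Keep just the findings a hook would produce: present raw, absent from the API."""
    return [f for f in findings if f.missing_from == "api"]


# --- constructed sample snapshots (not real host data) ----------------------
# "api" is what a hooked Task Manager / ps would show; "raw" is a second,
# independent enumeration (walking /proc by PID, reading directory entries
# directly). PID 4242 and the .so path are the planted discrepancies.
API_PROCESSES = {"1": "init", "812": "sshd", "1337": "bash"}
RAW_PROCESSES = {"1": "init", "812": "sshd", "1337": "bash", "4242": "[kworker/u8:2]"}

API_FILES = {"/lib/libc.so.6": "regular", "/lib/libm.so.6": "regular"}
RAW_FILES = dict(API_FILES, **{"/lib/.hidden/rk.so": "regular"})


def linux_process_views():
    """Linux only (assumed environment): two independent process views.

    View A lists /proc, which is what most tools use. View B probes every PID
    with signal 0; EPERM and ESRCH come back through a different kernel path,
    so a hook that only filters readdir() results will not hide a PID here.
    A kernel rootkit that also hooks kill() can still lie, so treat agreement
    between views as necessary, not sufficient. Snapshots can race; re-run
    before trusting a single discrepancy.
    """
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = {name: "listed" for name in os.listdir("/proc") if name.isdigit()}
    probed = {}
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            probed[str(pid)] = "probed"
        except PermissionError:       # exists, owned by someone else
            probed[str(pid)] = "probed (not ours)"
        except ProcessLookupError:    # no such process
            continue
    return listed, probed


if __name__ == "__main__":
    for kind, api, raw in (("process", API_PROCESSES, RAW_PROCESSES),
                           ("file", API_FILES, RAW_FILES)):
        for f in hidden_only(cross_view_diff(kind, api, raw)):
            print(f"HIDDEN {f.kind}: {f.identifier} ({f.label}) missing from {f.missing_from} view")
```

Running the script on the constructed snapshots reports PID 4242 and `/lib/.hidden/rk.so` as hidden from the API view. On a real host you would replace the sample dictionaries with the output of `linux_process_views()` (or an equivalent pair of views for files or registry keys) and expect an empty result on a clean machine.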

MalwarebytesResearch (16 karma)

Ransomware that actually spoke in the voice of some Russian guy but claimed to be from the FBI. =P

MalwarebytesResearch (12 karma)

It's incredible that there are people actually willing to exploit people in that fashion. It's a mad world out there.

MalwarebytesResearch (12 karma)

You might be and you don't know it yet. Why give up before you try =D

MalwarebytesResearch (11 karma)

Yes! Just like novice programmers, some malware writers like to steal code from other pieces of malware but end up implementing it the wrong way. I've seen malware that couldn't figure out how to decrypt itself because of the wrong key. I would say 9/10 times this malware just ends up crashing. Great question!