So welcome to our second episode of Ask an Analyst, and today we have again Sarah and Fabian. Welcome. Hello. Hello. And today's topic is our job and our daily work. Yeah, what our workday looks like. And that's also one of the first questions, from Sebastian: What is it like to work in malware analysis? And what do you do at work? So Sarah, what do you do?

Well, usually I work part-time, so I usually do kind of a mix of things when I have time. So usually I sometimes write signatures. I've also added malicious URLs. I've written a blog post before. Let's buy it. And you, Fabian?

Well, I'm technically not an analyst. My job looks a lot different, mostly because Emsisoft is a very small company, kind of, and our teams are very small compared to, well, much bigger antivirus vendors. So my job is a whole lot more diverse, I would say. I mean, I do back-end stuff, like setting up feeds, all the intelligence gathering, sample gathering, stuff like that. I do a little bit of analyzing. I don't do most of the detections. I usually concentrate on the behavior-based detections because those are code-based. I do a ton of normal development work, like on the scan engine, on the behavior blocker, on the real-time protection, and stuff like that. So you're actually also a developer? I'm mostly a developer, and the analysis part is just on the side, in my free time. He does ransomware when he's not doing other things, because I make him do it. Yeah. She's whipping me. Help. I need help. And yeah. So I'm primarily a developer. But as I said, we are a very small company, so the roles in our team aren't as clear-cut as they are in many other teams, where you only do analysis or you only do development, for example; it's just a mix of everything, pretty much, from operations over development to analysis and stuff like that.
Then there's also the occasional press gig, I would say, like giving interviews or coming up with a blog post, trying to teach marketing people how to do malware stuff properly because they have no clue. They are all marketing people. And yeah. You just offended every marketing person that totally watches these videos? Oh, they are used to that. They are definitely used to that. You can ask every single marketing person out there about their relationship to developers and sales people, and they get insulted by everyone. So I think it's fine.

All right. I'm probably then more the typical malware analyst. GData has about 400 people, so we are a little bit bigger than, I mean, Emsisoft. Yeah, we have like 30. But we are still very small compared to Kaspersky. I mean, Kaspersky has a few hundred malware analysts. We have nine. And yeah, well, what do I do? We have kind of a pool of tickets, and there's a sample attached to every ticket, and they have one of four or five different priorities. So if there are several samples of the highest priority, I can choose what sample I'd like to analyze. So I have a little bit of freedom to choose what I do. And yeah, then I take the sample, I analyze it. Is it malicious? Is it PUP? Is it clean? Is it junk? And then, if the sample is not detected, I write a detection signature. That's, I think, the biggest part of my work. But also sometimes I write blog articles or help with blog articles. Sometimes we talk to journalists, and sometimes also to law enforcement, German law enforcement. Yeah. And we started that recently with joining the No More Ransom thing. Yeah. It's kind of insane. I'm not sure what your experience with law enforcement has been so far. Not much. Not much. I just got a call once about ransomware. But that's it. Yeah. So I talked to a Dutch police officer recently, and it's just insane how computer literate some of them are.
Like, I had to explain to them what is an IP address and what is a port and what is an ASN and what is whois and pretty much what is everything. Like, I gave them a written report about a ransomware server that Sarah and I found within Tor; we deanonymized it and figured out their clearnet IP. Yes. And we got back a list of like 50 questions with the most basic things you can imagine. It was pretty insane. So there are definitely lots of deficits on the law enforcement side when it comes to these things, it seems.

Yeah. Something else that we do is we have on-call. We have security response on-call. So it could be, in a very bad case, that we detect an important system file, and in that case someone would call me in the middle of the night, wake me up and say, please fix that. So that's also something I do. I don't have to do it, so that's my choice. I just earn a bit more money with that. And another thing: we also do a little bit of development. We have our own internal tools that we develop and use on a daily basis, so every analyst also does a little bit of development. Yeah. Not the engine. I think that's the case for a lot of antivirus vendors, though, that the analysts do a little bit of development. In many cases it's just simple automation of simple tasks, like simple scripting in Python, for example. But yeah, that's pretty common, actually, for analysts to do a little bit of development, because, I mean, they do this all day long, right? They know what tools they need and what is helpful for them. Yeah, having a script to do some of it. Definitely. Yeah. We also sometimes do proof-of-concept code that the developers then build into the engine. So yeah, sometimes that's a very good way to create new things.
And it's also how a lot of engine developers, well, if we want to call them that, often start off as malware analysts that then slowly transition into engine development, because they did a lot of proof of concepts and stuff like that. Right.

Let's go to the next question, from Corey. What made you get into the industry? That's actually two questions. And if you could do anything else you wanted for a job, what would it be? So what made you get into the industry, Fabian? I think I already mentioned that before, right? In the last episode. Like, we kind of covered it last time. You can't just say "second bit", I think. Yeah. Yeah. Just to quickly reiterate: I got infected by Tequila ages ago, when I was like 10 or 11 or so, and I didn't have an AV at hand. So I just took it apart, and I just liked doing it, pretty much. So that's how I got into it. If I hadn't gotten into it, I would have probably finished school and then become a teacher and then just made everyone's life miserable, because I can't tolerate stupid people. A teacher for which subject? Probably maths and probably one of the other sciences, probably physics or chemistry, I think, or maybe philosophy. I think I could be a good philosophy teacher just because I like talking. Yeah. It's kind of interesting, and I think what most people don't know is that I actually trained as a kindergarten teacher before I studied computer science. Oh, you did? Oh, wow. So I really love kids. I love working with children, but I am not capable of doing that for a long time, let's say on a daily basis, because I'm not multitasking-able. Oh yeah. You totally need that because... Yeah, you kind of have to keep attention on every single kid, because as soon as you take your eye off one of them, they're going to get into some kind of situation. Unless you are kind of a private nanny, I guess, where you can concentrate on just one kid. Now, even with one kid it's exhausting.
I don't know. I don't have kids. You don't have kids. You wouldn't know. But yeah, if you are an introvert and if you are very much, let's say, not able to multitask, then it's really exhausting to have this kind of job, and I have high respect for everyone who's able to do that. I'd rather switch to computers; that's something I can do better, and they are easier to understand, actually. Yeah, they're pretty binary, you could say. Yeah, it's such a great pun. Amazing pun.

So Sarah, what would you do if you couldn't do malware analysis? Well, I do chemistry as part of my A levels, and I would probably go into synthesizing, organic chemistry, like organic chemistry and synthesizing organic chemicals, because I find that really fascinating. Wow, that sounds interesting. She would essentially build real-life viruses, I guess. Oh, drugs, okay. Yeah, viruses would be more like you go into biology, like chemistry. Yeah, I guess both, probably, yeah. But yeah, you can combine them and make drugs for certain viruses and bacteria. Yeah, that's pretty cool. Have you ever thought of combining computer science and biology or chemistry? I think that would be cool, but I'd rather focus on the analyzing, and then maybe, if I want to change, go and study chemistry at uni later on, just to expand my knowledge, because I think that would be pretty cool.
Yeah, to answer the question from my side: I considered combining medicine and computer science, or biology and computer science, and when I was doing my bachelor's thesis I had the opportunity, or I almost did my bachelor's thesis, in artificial neural networks and using them for image processing of MRI images, so magnetic resonance imaging images, and it didn't work out, sadly, because my supervisor got placed in a different area suddenly, so I had to choose another topic for my bachelor's thesis, which was a bit sad. But that's something that really interested me, and the direction I might have pursued if the malware analysis had not worked out.

Okay, the next question is from Micha: what tools do you use on a daily basis, and what tools do you never use, and why? Sarah? Personally, I use Sublime as a text editor; that's a really good text editor, by the way. I also use a hex editor just for checking out encrypted files, malware binaries, etc. When I'm doing analyzing I usually use Process Hacker, Wireshark and network sniffing tools, and then also Regshot is quite useful, because it shows you all the changes that, for example, a PUP can make on a system. So they're my main tools. And you, Fabian? Well, for me it's a whole bunch of tools, like VirusTotal, Sublime Text, 010 Editor as a hex editor, IDA Pro a lot, like a lot. YARA? Yeah. It's always IDA Pro and Visual Studio, with a couple of instances. Then dnSpy for all the .NET stuff, lots of Python, Wireshark, VMware, Regshot, which Sarah already mentioned, API Monitor, yeah, x64dbg as a debugger, and yeah, a couple of internal tools that we have. Tools I never use are usually the tools that I simply don't know about, which is probably a ton. I don't get around much when it comes to tools; I just stick to the stuff I know. I don't think there's any tool that I would outright refuse to use. I mean, if it fits the purpose, then I will probably use it at one point.
Yeah, it also makes sense; if some tool doesn't work, we just use another, right? Yeah, I mean, I don't know, maybe, yeah. I think I refuse to use Notepad++ because it's an awful text editor and Sublime is just so much better, and yes, I just started an editor war. I guess I should try Sublime once, because I use Notepad++. Does it even have a Linux port? No, I use Windows for that, but I mean, Sublime has a Linux port, I think. Yeah, it does, but you being a Linux person, at least in real life, like in private life, I would have expected Emacs or Vim or something like that. On Linux I use Vim, but for the daily work... Oh no, you started another war. For the daily work we have to work on Windows machines, so I have to use something else. I mean, there is Vim on Windows, right? Yeah, of course. So you could use that. No, no, try Sublime; it even has a Vintage mode, so you can use all your nice Vim skills to do stuff, like all the keyboard hackery. You can use it in Sublime as well, so you don't have to learn another editor. Yeah, the tools I use are similar to yours. I also use IDA, I use VMware, HxD, dnSpy, YARA, PortEx Analyzer, Sysinternals, Wireshark as well, and our own internal tools. Yeah, same as Fabian, I can't say which tools I never use; there are just so many to choose from, and I just can't try all of them. Yeah, and sometimes you have to use one once or twice in a year. Yeah, for some special malware, like, I don't know, Lisp malware.

Yeah, okay. Four Octets asks: do you as a professional focus on one family of malware, or whatever is put in front of you? I think I answered that question a bit already, because I have to analyze everything I get, but since I have some kind of freedom to choose the samples, if I get ransomware samples I usually choose them first. So yeah, how about you, Sarah, do you specialize or do you do everything?
I don't really specialize in a certain family, but I have written occasional... like, I think we followed Apocalypse ransomware quite closely, me and Fabian, so that was one such family, but usually, when I'm just adding signatures, I just work on whatever there is, which is either malware or PUPs. Fabian? Well, I am in a little bit more privileged position, I guess, so I can pretty much choose whatever I want to work on, since analysis isn't my day-to-day job. I think if you are a normal analyst, then you will pretty much just work on whatever is in front of you, but there's almost always a natural transition to specialize in a certain area. Like, yeah, you just happen to do ransomware a lot, and then suddenly you become the ransomware guy in the lab, and they will just shuffle all the ransomware in your direction, because you're just used to dealing with them and you are a lot quicker analyzing and taking them apart than the other guys. But yeah, I think it's important to handle a lot of different malware, though, as an analyst, so you have a broader spectrum that you can draw from when you have to deal with, especially, more complicated malware, or malware that uses techniques that are new and uncommon at the point in time when you analyze it. So yeah, don't try to specialize too soon or too quickly. Yeah, it's actually also quite interesting to have a very wide range of different types of malware, but as you said, we also have the guy for potentially unwanted software, we have the guy for scripting malware; those are just people that like to do these types of malware or samples more than others, so they usually do the work, but every one of us has to deal with everything if necessary.

All right, the next question is by Corey: what is the most frustrating thing about the industry? That's an interesting question, and I think, Fabian, you might have some interesting answers.
Well, I would say all the marketing bullshit; it's just marketing people. No, yeah, well, I don't hate them, I just don't know how to defeat them and get rid of them. Yeah, yeah. I guess it's not... so yeah, for me it's definitely marketing bullshit, all the next-gen stuff. I just want to strangle them so bad, so bad. Like, whenever a new next-gen vendor pops up and says, oh yeah, antiviruses, they all use signatures, but we use something else, then you just... behavior blocking or machine learning and stuff, and it's not like every single, well, most antiviruses don't use that already. Yeah, and have been for the last 15 years or so. I mean, the last pure signature-based scanners were back in the DOS age, and even in the DOS age they already had behavior blockers, right? That was like 20 or 25 years ago, I think, like, learning from viruses and stuff. Yeah, I mean, Bayesian filtering, for example, has been in use for quite some time, and I mean, it's not exactly machine learning in the same sense that we use the term nowadays, but it's kind of in that direction, and I'm pretty sure that even the current and modern machine learning algorithms have been in use for a very, very long time. Yeah, that's also my point: I think the wrong understanding about how AVs work is just frustrating, because it's not only the marketing people, but I think the marketing people just give that false understanding to everyone else. Yeah, anything else, Sarah? No, I think it was already covered. Yeah, surprise, all the tech guys hating marketing, very big surprise at this point. Well, I don't hate it, I just... yeah, but you get annoyed by it, right? Sometimes, yes. Yeah, it's just frustrating. All the people that say AVs are useless: don't run an AV, you're gonna get infected by a zero-day targeting the antivirus. Yeah, which literally never happens, right? I think there isn't a single documented case, I think.
I don't know, in the kind of environment where there's a lot of sensitive data, I don't think you're going to be targeted by them, people... I'm pretty sure that, yeah, but in those cases the systems tend to be very restricted, like sandboxed, and they don't run AV anyway.

Yeah, another question to you, Fabian, by Corey: with all the decryptors you have written, what is the best reaction you have gotten from the malware authors? Oh, that's easy. I have documented it on my Twitter feed; it's all rage. I mean, it's particularly funny when they actually make my job easier by raging at me. Like the Radamant guys, for example: they got so upset at me for breaking their ransomware over and over again that they wanted to insult me so badly that they stored their insults in some variables that were previously uninitialized, and by doing that they actually made my decryptor a lot more reliable and a lot quicker, because... I just, honestly, you can put as many insults at me as you want into your shitty ransomware, especially if it makes my job easier, because all I had to do... oh yeah, now suddenly I know what those variables were, so I know exactly if I got the right key, and I don't have to do hacky format-based detection stuff or something like that.
That's funny. Yeah, so I was also once hunting malware on VirusTotal, just searching for curse words, for bad words, so yeah, I found a lot of stuff. Yeah, I think you even set up a signature, so if someone insults you then you kind of can see it? Yes, I do. It's the "I am famous" rule. It's a little YARA rule that looks for several curse words and Emsisoft and my name and stuff like that, and it actually hits quite a bit. So yeah, that's done. But yeah, the rage is pretty funny, actually, and I documented it on my Twitter feed, so follow me on Twitter. Yeah.

All right, how long does it take you to analyze a sample on average, Sarah? Usually, if I'm just doing generic signatures, it will take not that long, because I just run the malware, wait for it to make its changes, and then I check what changes it made and then just write a signature, which doesn't take that long. So I guess five to ten minutes per malware sample, less if it just decides it's gonna quit and crash. Yeah, the amount of buggy malware samples out there is just insane. So many, so many. I'm so often tempted to write a bug report. Yeah, me too. Or like contact information, so we can give them a bug report and tell them to fix their stuff, and include your WhatsApp number or something like that inside the malware binary and we will submit bug reports. I mean, the friendly police person will knock on your door and then deliver it personally, I think. But yeah, that would be awesome. So how long does it take for you, for real? I think it depends a lot on why you're analyzing that malware. I mean, if the purpose is just detection, then it's just a couple of minutes, pretty much, like Sarah already mentioned. If you want to know exactly how it works, or if you want to reverse engineer protocol details so you can create your own client for a botnet, to just scan the botnet and map out the botnet and stuff like that, then it will take a lot longer. I do mostly ransomware, as everybody knows, probably, so I think I know pretty quickly whether or not the ransomware is most likely secure or not. Yeah, usually it's, let's say, half an hour. Yeah, usually about the average time. Then getting all the details right, like reversing file name obfuscation or figuring out how the encrypted file format is laid out exactly and stuff like that, that can take a couple of hours or even days, depending on how complex the whole thing is. I guess on average it takes probably around eight hours for me to take apart a new ransomware family and then write a decryptor, if it's possible, I would think. Eight hours sounds about right. Right, yeah, I would agree. I also have a hard time putting a number on how long it takes me, because that varies a lot. Even if it's just for signature detection, we also write algorithmic detections, so sometimes I might have to write a lot of programming code, for instance if there's a feature that we need but don't have yet; I write functions for that myself, and that might take a few days. So it could be that I have to work a few days on a sample, but the usual case is 10 to 30 minutes, including the decision if the file is malicious or not. If it's a clean file it takes longer. I really hate to analyze clean files, because they are boring. I agree. Yeah, and you have to... well, it's hard to prove the absence of something, so it's hard to prove that the file is clean. Yeah, if you have malware, you can open it up in a hex editor and often see immediately that it is malicious. Yeah, in many cases you can, in many, many cases. So that's then the easier case.

So yeah, Security People asks: how often do you see novel packing techniques? Sarah? I don't think I've ever seen any, but I haven't been working on it for too long, but I would say it's probably quite rare, generally. And you, Fabian? There are even novel packing techniques that are like 10 years old. I mean, yeah, all the other packing and obfuscation stuff is kind of really, really boring, and you have to do it all the time, and it's really annoying because it doesn't really... I mean, it just slows you down a bit, and for most packing techniques, if it doesn't involve compile-time obfuscation or something like that, or some virtual machine somewhere, it only takes a couple of minutes to get around. So yeah, no, you don't see it that often. I mean, I think one of the things that a lot of malware authors don't understand is: the more you pack and obfuscate your files, the easier they are to detect, because, yeah, I mean, there are not a lot of applications out there that are packed or obfuscated. I mean, there are a few, like DRM systems and stuff like that, but yeah, the more exotic you get and the more your file kind of sticks out from a large crowd of files, the easier you will get detected. Yeah, some vendors even flag certain packers. Oh yeah, a lot of them do. I mean, just take Morphine and pack any file you want, and you will get dozens of detections, and I mean, it makes sense; a lot of those packers are exclusively used by ransomware, or well, not only ransomware, but malware in general. So I mean, why bother adding all the actual malware families or even write an unpacker if you can just reliably detect the malware packers? Yeah, but even for the commercial packers like Themida, some vendors just detect the packer, although it's used by legitimate software as well. Yes and no. The way it works there is that a lot of the commercial software protection tools embed the license code, or a watermark, of who essentially packed this file, and if you take licenses that have been leaked or that are just in distribution because, as I said, someone leaked the license, then they detect the digital signatures and the watermarks that these specific versions leave behind in the file. I don't think, I mean, I do have a Themida, if it's pronounced that way, I have no idea, a Themida license, and I'm pretty sure if I would pack, with my personal license, Notepad, stuff like that, I won't get too many detections, but if I would use a pirated version of Themida, or a version that is in circulation within malware forums, for example, or hacking forums, I would get a lot more, and that's based on the little digital watermark that these versions leave behind in the packed files.

Yeah, and now the last set of questions is, I think, the most interesting one, and I saved it for the end of our podcast. A Sexy Lady asked: what part of your job do you find the most interesting? And hasher is zada, I'm also not sure how it's pronounced, I'm sorry if it's wrong: what do you like the most about malware, what excites you about this job? And you, Sarah, you added the question: what's the thing you enjoy most about your job, why do you like analyzing malware? So it's basically, I would say, three questions: what's the most interesting, what's the thing you like the most, and what's the most exciting part of your job? Sarah? I think the thing I like the most is being able to detect a whole bunch of malware and then seeing that actually being detected when I go to scan the files myself, so I feel like I'm kind of contributing. The exciting part is probably finding new ransomware, making sure that we look into it, seeing if it's interesting, has anything new, and then, if it's decryptable, getting a decryptor made. So that's quite exciting. The most interesting part is probably just learning about malware generally; it's kind of like a puzzle, so kind of trying to figure everything out, certain types of malware. So yeah. You, Fabian? I think I just like those little critters. I mean, I like taking them apart, breaking them if I can. I even like coming up with new or novel ways of preventing them, and before I got into malware analysis I even enjoyed just collecting them, and yeah, kind of like people collected stamps. I mean, nowadays it's not really feasible for a single person to have a huge malware collection, because we are in the hundreds-of-terabytes region right now, well, if you were to collect it all, yeah, but in the good old DOS days, when there were a handful of viruses, it was pretty fun just collecting them all, like Pokémon, I mean, like a more nerdy and probably shittier version of Pokémon, but yeah, I still collect interesting malware, though. Yeah, I also do, like, I have my special ransomware collection that we use for regression testing of our behavior blocker, for example, and stuff like that, and it's neat, and yeah, it's awesome if you have OCD or are just a nerd like I am. So yeah, essentially it's all just one huge puzzle to me, and I really, really like puzzles, and yeah, it's one puzzle with a seemingly endless amount of pieces, so I just like doing it. Yeah. For me, it's similar to Sarah, that what I like the most is the satisfaction of detecting malware; when I write a signature and I get the feedback that it prevented infections for a lot of people, it's just an amazing feeling, like, oh wow, now this person didn't get infected because of my work, and that's something I really like. The exciting part is also, for me, hunting malware, like you said, Pokémon, that's exactly what it is: you hunt malware, and if you find something new it's quite interesting and exciting. Yeah, sometimes seeing new languages, programming languages, used, or new techniques used, can be very exciting. And also, when I started out, I mean, I started two years ago, so it's not that long ago, I'm still kind of a beginner, if I crack something difficult, or something that had been difficult for me, I also get this adrenaline rush, so it's really amazing. What's the most interesting part? Yeah, learning new things, getting in touch with new file formats, new languages, yeah, and also the connecting with fellow researchers and talking to them about stuff is quite amazing. Yeah, so the people are quite good, yeah, and the entire malware analysis part kind of forces you to do that as well, right? I mean, if you're an introvert and you have a hard time connecting to people, I mean, at least you have something to talk about, and usually the other side is just as enthusiastic and knowledgeable about the topic as you are, so you have a common base to connect with people; it's kind of interesting. Plus, since the area is so diverse, with different types everywhere, you are kind of forced to learn new stuff all the time, which is kind of interesting if you are into learning and improving yourself. So yes, and asking the experts for help is also something you usually do if you don't get anywhere. If you have a sample that you can't crack, then just ask your colleagues, and yeah, no one, or at least I made the experience that no one, is so arrogant in their response or something; they are all very helpful and just help out, and maybe ask you back for the things you are the expert in. Yeah, yeah, yeah.

That's already everything for today. So, it's very... well, I'm not sure what to say. It's great talking to you, and it's interesting that our views of what's interesting and exciting are so similar. Yeah, and in the next podcast we will be covering the career: how to become an analyst and how to balance learning and other things. So this will be a very interesting topic as well, and I hope to see you soon. Okay, so bye. Bye. Bye. Yeah, thanks for watching. Thanks for having us. Thanks.