My Malware Analysis Journey and eCMAP
On March 19th, 2022, I passed the eCMAP(eLearnSecurity Certified Malware Professional) exam. In this post, I’m going to talk about my journey and what you the reader can do to become a malware analyst and pass this exam if you are interested.
I have been interested in studying and researching malware since I was 11 years old. The first time I discovered my interest was when I infected the family laptop with a spyware named “SpySheriff”. This was an accident because I was looking for free games. I didn’t really know any better. I infected the family desktop again later when I downloaded a Trojan from Limewire. After those times, I became interested in what exactly malware is. I stumbled upon some YouTube channels that showed what happens when you run “Trojan.vundo”, and “SpySheriff”. The good ol’ days when nobody really spoke in their videos and just played “Human Rights” by “61 Rus” in the background or “Sandstorm” by “Darude”.
This was between 2008–2009. I was fascinated by these videos. So I decided one day to try running malware in a VM. I didn’t know exactly what a VM was back then, but I watched a couple of tutorials and downloaded what used to be “Microsoft Virtual PC” and what I believe is now “Windows Hyper-V”. I ran the VM in “XP Mode”. I ran a copy of SpySheriff in the VM and I loved to watch all the popups and how it interacted with the OS. My interest kept evolving when I cam across the YouTube channel, “Danooct1”. A malware historian who focuses on malware from DOS, Windows 95, and XP days. He does some Windows 10 malware now as well, but older malware is still his primary focus.
I watched his videos back-to-back and they really piqued my interest. I eventually found my way to Lenny Zeltser’s blog. Lenny is the author of SANS FOR 610 “Reverse Engineering and Malware Analysis” GREM certification. His blog is a treasure trove of information on malware and how to get started. This helped me to build a lab using VMWare Workstation with his VM “Remnux”. He also points out several sites where you can get the malware from. I began to learn how to use the proper tools for analysis. My favorite site for malware samples became, “MalwareBaazar”. For awhile, I used Remnux and “MalwareBaazar” to do mainly dynamic analysis. This is what I did throughout high school as well. As I began my career, I one day found out that there was another VM template that could be used. Mandiant’s “FlareVM”. With Flare, I started learning static analysis and reverse engineering using IDAFree, and now I use “Ghidra”. It comes built in with so many great tools for all different types of malware you need to analyze including mobile malware.
I came across a site called “crackmes.one” to begin practicing reverse engineering. I would download these and put them into my “FlareVM”, and practice finding all the “flags”. I kept moving to harder challenges until I got the hang of using my primary debugger, “x32dbg” and “x64dbg”. I then turned my attention to the book, “Practical Malware Analysis”. “FlareVM”, comes loaded with the labs from the book. I learned the basics of Assembly Language with this book and a little bit of C as well. It was an excellent read. I highly recommend this book.
Almost two years ago, I started my career as a Security Operations Center Analyst, with the goal of specializing in Malware Analysis. eCMAP was on my radar, and when I was able to afford the premium INE plan, I took advantage of that. I was introduced to an amazing course by the incredibly knowledgeable Ali Hadi, who teaches this and many other courses. It took me about three months, it may take others less, but I tend to take my time when I’m learning things. This course helped me fill in a lot of gaps. It teaches interesting subjects such as process injection, hijacking, and creating YARA rules with signatures from the malware.
The course comes with labs that contain actual malware samples. I got to reverse-engineer a few ransomware samples which was a lot of fun! Once I got through this course, I feel like to be an even greater analyst, I needed to face my fears of programming languages. I used to find them intimidating because I had trouble with math back in school. I decided to take the leap and learn C/C++ from scratch. I started with a Udemy course, “C Programming-Master the C Language”, which is an excellent course. Plenty of exercises to do to retain information. Then I read three other books and worked the exercises in those. “C Programming for the Absolute Beginner” by Greg Perry. Then, C Programming: A Modern Approach by K.N. King, and of course, The C Programming Language, 2nd edition”, by K & R. After working through these, I decided to go back and refresh my understanding of x86 and x64 Assembly Language. I took an Assembly course, “x86 Assembly Language Programming from the Ground Up” by Isreal Gbati on Udemy. Once I had these fundamentals, I took the courses, “Reverse Engineering and Malware Analysis Fundamentals” by Paul Chin, and “Reverse Engineering and Malware Analysis Intermediate” by Paul Chin. All these courses along with Ali Hadi’s course, prepared me for the exam.
My “eCMAP” voucher that I had purchased was about to expire so I needed to go ahead and start the exam. They give you 8 days to complete the analysis and upload a report. You must connect to a VM over a VPN and that’s where you will conduct your analysis. You are given sets of questions for each section of the analysis to answer with proof and step-by-step details of your analysis, creating a report to complete. For this exam you must know the following:
· The phases of malware analysis
· Identify Hashes
· Identify if a malware sample is packed
· Understand x86-x64 Assembly Language
· Understand the C Programming Language
· Anti-Sandbox/Anti-Debugging techniques used by malware.
· Windows Internals
· Process Injection/Hijacking
· Understanding PE files and their headers
· What IOCs are and how to create YARA rules
· Networking fundamentals
· Reverse Engineering using either IDA Pro or Ghidra.
During the exam you are tested on each subject mentioned here. You don’t have to take the INE course to attempt it, you can use other materials that you are familiar with or if you already have a good understanding of these subjects, you can attempt it. I will put links to all my materials and more at the end of this blog post. Once you are done analyzing and answering questions, you must deliver your final report in the allotted time frame. You will then have to wait for the examiner to pass or fail you. It can take up to 30 days, but it is must faster. I found out within a day.
Once I turned mine in, I found out that I had passed the exam. My report was what they were looking for. It was an amazing feeling. After years of pursuing the subject, I am now certified in Malware Analysis. The hard work truly pays off. I believe that anyone who has the passion and determination for a subject that they are interested in can pursue their dream goals. If you are interested in this path, I recommend this certification. Below are all the materials and courses I recommend you check out:
· Assembly Language Course: https://www.udemy.com/course/x86-assembly-programming-from-ground-uptm/learn/lecture/13314618#overview
· C Programming Course: https://www.udemy.com/course/c-programming-for-beginners-/learn/lecture/8795680#overview
· Modern x86 Assembly Language Programming: https://www.amazon.com/Modern-X86-Assembly-Language-Programming/dp/1484240626/ref=sr_1_3?crid=DGWNUCFSWVOH&keywords=assembly+language+book&qid=1647742081&sprefix=assembly+language+book%2Caps%2C93&sr=8-3
· Assembly Language for x86 Processors 7th Edition: https://www.amazon.com/Assembly-Language-x86-Processors-7th/dp/0133769402/ref=sr_1_16?crid=DGWNUCFSWVOH&keywords=assembly+language+book&qid=1647742124&sprefix=assembly+language+book%2Caps%2C93&sr=8-16
· Practical Malware Analysis: https://www.amazon.com/s?k=practical+malware+analysis&crid=129ZE04DBYXKC&sprefix=Practical+Malware+%2Caps%2C84&ref=nb_sb_ss_ts-doa-p_1_18
· C Programming for The Absolute Beginner: https://www.amazon.com/s?k=c+programming+for+the+absolute+beginner&crid=UVW82HPYKH2I&sprefix=C+Programming+for+%2Caps%2C82&ref=nb_sb_ss_ts-doa-p_5_18
· C Programming: A Modern Approach 2nd Edition: https://www.amazon.com/C-Programming-Modern-Approach-2nd/dp/0393979504/ref=sr_1_1?crid=2MKWB1UEPKVXN&keywords=c+programming+a+modern+approach%2C+2nd+edition+-+by+k.+n.+king&qid=1647742311&sprefix=c+programming+a+modern+approach%2Caps%2C68&sr=8-1
· Malware Analysis Course by Ali Hadi: https://ine.com/learning/courses/malware-analysis
· Mandiant’s FlareVM: https://github.com/mandiant/flare-vm
· Lenny Zeltser’s blog: https://zeltser.com/malicious-software/
· Lenny Zeltser’s Remnux VM: https://docs.remnux.org/install-distro/get-virtual-appliance
· Pentester Academy’s WinDbg Fundamentals: Kernal Mode Debugging: https://www.pentesteracademy.com/course?id=53
· Pentester Academy’s WinDbg Fundamentals: User Mode Debugging: https://www.pentesteracademy.com/course?id=52
· Pentester Academy’s Reversing Win32 Applications: https://www.pentesteracademy.com/course?id=41
· Pentester Academy’s Windows System Programming Fundamentals: https://www.pentesteracademy.com/course?id=51
· MalwareBazaar(Malware samples. Be careful!): https://bazaar.abuse.ch/
· VX-Underground(Malware samples. Be careful!): https://www.vx-underground.org/
· Paul Chin’s Reverse Engineering and Malware Analysis Fundamentals: https://www.udemy.com/course/malware-analysis-fundamentals/
· Paul Chin’s Reverse Engineering and Malware Analysis Intermediate: https://www.udemy.com/course/malware-analysis-intermediate/
· VirusTotal’s YARA: https://github.com/VirusTotal/yara
· NSA’s Ghidra: https://www.ghidra-sre.org/
· IDA Free: https://hex-rays.com/ida-free/
· The IDA Pro Book: https://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898
· Free courses: OpenSecurityTraining2: https://p.ost2.fyi/
· More free training: https://dfirdiva.com/
· Danooct1: https://www.youtube.com/c/danooct1
· OALabs: https://www.youtube.com/c/OALabs
You can reach me at my twitter: @MalwareMayCry1
