PDA

View Full Version : Is code analysis cost effective?


Sunk
May 12th, 2011, 14:04
As someone who is getting into malware analysis, I know that the people who create malware are aware it's only a matter of time before someone reverse engineers their code. I'm assuming that's why they create self-defending malware-- an attack not just on the analyst's skills, but their time.

If that's right, is code analysis becoming less relevant and too costly for victims when things like VirusTotal, ThreatExpert, jsunpack, Google, etc. may not be able to answer all the questions, but answers many in a matter of seconds or minutes?

I can compensate for self-defending malware attacking my skills by learning more, but employers will only allow me but so much time. So what do you do?

Darkelf
May 12th, 2011, 15:32
I'd say that depends. AV companies usually have a huge collection of skripts and tools to automate (hence speed up) a great deal of the analysis. Futhermore they exchange samples to keep themselves up-to-date. As an independent researcher you have neither the skripts (at least not in the beginning) nor the samples, so it's a lot more time consuming. The more time something takes, the higher the costs (inevitably). But I can't hardly think of any scenario where a company retains an independent researcher with malware analysis. I don't even see any reson for something like that. I may be be off base with that.
In general, just compare the (financial) damage some malware causes with the costs for analysing it. If the damage is higher the analysis pays off.

Regards
darkelf

Sunk
May 12th, 2011, 16:10
Thanks Darkelf!

I've been interested in anything to do with investigating attacks for a long time and found my way to malware analysis since most attacks involve malware. From what I can tell, malware analysis is becoming (if not already) a branch of digital forensics.

Although some very large companies have full time malware analysts, I don't plan on doing it full time. I just really like learning how to analyze different sources of evidence.

How do you tell how difficult self-defending malware is to analyze unless you actually go through with the manual analysis? It seems like it would be hard to do a cost-benefit analysis without knowing that.

The boss or clients will want answers, and during an incident I think they would usually want them ASAP. So you have to provide the answers ASAP, and I don't think you'd know how difficult the malware is to analyze unless you start analyzing it. You'd go down a rabbit hole you don't know how deep it is.

Sab
May 12th, 2011, 19:10
Sandbox techs really are not that great and have ways to go. The more useful they become the more malware will evade them.

"If that's right, is code analysis becoming less relevant and too costly for victims when things like VirusTotal, ThreatExpert, jsunpack, Google, etc. may not be able to answer all the questions, but answers many in a matter of seconds or minutes?"

It is good for doing rapid reports and categorizing certain characteristics. For virustotal your just doing a lot of av scans... any unknown malware or fud wont be picked up. Actually, these type of services have become even more useful to make fud runtime/ondisk.

"But I can't hardly think of any scenario where a company retains an independent researcher with malware analysis. I don't even see any reson for something like that. I may be be off base with that." extremely off base. maybe for symantec they wont, but dont forget to google "company" and see how many results you get...

"n general, just compare the (financial) damage some malware causes with the costs for analysing it. If the damage is higher the analysis pays off." hard to quantify damage. Sony is sustaining unlimited damage, and I assure you the 3 teams they have doing foresnics now, even at maximum $/hr are still not even scaving the tip of a fingernail shaving of what they have lost. Quantifying damage can be: intellectual property, uptime, reputation, and client data. Most companies and firms dont quite grasp this until its too late...

"I can compensate for self-defending malware attacking my skills by learning more, but employers will only allow me but so much time. So what do you do? ." If you are on this board, then you RE as a hobby and not just work. Someone who loves what they do will do it at home and in their free time... Do you really have to be paid to want to look at a unknown zero day found in the wild? Start integrating challenging tasks , or revisiting historic tasks with manual analysis as part of your work flow.

Sunk
May 12th, 2011, 20:32
Good points, Sab. Working extra for free certainly didn't cross my mind when creating this thread. However, if it comes down to it, I really don't like leaving important questions unanswered so I guess answers might be enough reward for me. Thanks!