Photos: A day in the life of a virus hunter

  • Photo 1 of 7 (40152080-1-malware-custom.jpg)

    The anatomy of malware

    With hundreds of new pieces of malware being discovered every month, virus hunters are at the front line of the war on malicious software.

    Symantec threat researcher Candid Wüest's job is to rip apart the malware that the company discovers each day, look into its guts and pass on its telltale signatures to protect machines worldwide.

    Wüest laid bare the process of picking through the viruses and spyware that land at the door of Symantec's 100-strong team of malware hunters in Europe.

    One of the first things Symantec does is peer inside the malware with a hex editor, as seen here, allowing the researchers to start piecing together how it works.

    Here, for example, the text strings in the right-hand column show "MZ", indicating that the malware is a Windows executable file.

    Further down the screen you can see PEC2, indicating that the executable has been packed with a runtime packer, a method of compressing an executable program.

    Wüest and his team have to decrypt everything inside the malware and contend with the anti-reverse engineering techniques used by the malware writers, aimed at stopping the hunters in their tracks.

    Photo credit: Symantec

    Published: October 9, 2008 -- 16:02 GMT (09:02 PDT)

    Caption by: Nick Heath
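    The first look described in this caption, as an added example that is not part of the original gallery or of Symantec's tooling: a small Python parser that checks for the "MZ" header, follows the e_lfanew pointer to the "PE\0\0" signature and lists the section names, flagging names that runtime packers leave behind. The packer-name list is a constructed sample (PEC2 is the marker from the page; the UPX and ASPack names are other well-known packer section names), and the sample byte strings are built inline from headers only, so nothing here is real malware.

```python
import struct

# Section names that runtime packers commonly leave in a packed executable.
# "PEC2" is the marker seen on the page; UPX0/UPX1 and .aspack are other
# well-known packer names. This is a constructed, illustrative list.
PACKER_SECTION_NAMES = {b"PEC2", b"UPX0", b"UPX1", b".aspack"}

COFF_HEADER_SIZE = 20      # bytes following the "PE\0\0" signature
SECTION_HEADER_SIZE = 40   # size of one entry in the section table


def section_names(data: bytes):
    """Return the section names of a PE image, or None if data is not a PE file."""
    # The DOS stub starts with "MZ"; e_lfanew at offset 0x3C points to "PE\0\0".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    if coff + COFF_HEADER_SIZE > len(data):
        return None
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_header_size
    names = []
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: stop rather than read garbage
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> dict:
    """Summarise what the hex-editor pass tells an analyst about a file."""
    names = section_names(data)
    return {
        "is_pe": names is not None,
        "sections": names or [],
        "packer_hint": [n for n in (names or []) if n in PACKER_SECTION_NAMES],
    }


def build_sample(names) -> bytes:
    """Construct a minimal PE-shaped byte string (headers only, not runnable code)."""
    e_lfanew = 0x40
    dos_header = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    optional_header = b"\0" * 0xE0   # PE32 optional header size; contents irrelevant here
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0,
                              len(optional_header), 0x0102)
    section_table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos_header + b"PE\0\0" + coff_header + optional_header + section_table


# Constructed inputs: a "packed" image, a conventional one, and a non-PE blob.
PACKED_SAMPLE = build_sample([b"PEC2", b".rsrc"])
CLEAN_SAMPLE = build_sample([b".text", b".data", b".rsrc"])
NOT_A_PE = b"\x7fELF" + b"\0" * 60

if __name__ == "__main__":
    for label, blob in [("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE), ("elf", NOT_A_PE)]:
        print(label, triage(blob))
```

    A packer hint from section names is only a hint: packers can rename sections, so the analyst still unpacks and runs the sample, as the next captions describe.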

  • Photo 2 of 7 (40152080-2-malware2-custom.jpg)

    Next the team unpacks the malware and runs it on a test system to watch how it behaves.

    Then the analysts examine its inner workings, using methods such as a port sniffer to monitor network traffic and studying the list of processes running on the machine.


  • Photo 3 of 7 (40152080-3-malware2-5-custom.jpg)

    Here you can see the malware trying to log on to an IRC server, which lets the PC be remotely controlled over a chat channel.

    The malware is also deleting NetShare on the machine, to stop rival criminals from installing their own malware on the compromised PC over network shares.

    Wüest said that some malware writers even install their own antivirus software to keep their competitors in crime at bay.


  • Photo 4 of 7 (40152080-4-malware3-custom.jpg)

    Next it is passed through API Monitor, a program that flags up every call the malware makes to the Windows application programming interface (API) and every change it makes to the Windows registry.

    Here you can see a keylogger writing itself into the Windows Registry so that it starts each time the computer boots.
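    The registry persistence this screenshot shows, as an added example that is not part of the original gallery or of API Monitor itself: a Python check that reads API-monitor-style records and flags value writes that land in the Windows autorun keys (Run and RunOnce under HKCU and HKLM), which is what makes a keylogger start with the computer. The tab-separated log format and the log lines are constructed for this example; the registry paths are the standard Windows autorun locations.

```python
from dataclasses import dataclass

# Registry paths (hive stripped, lower-cased) that Windows consults at logon
# to start programs. A value written here survives a reboot, which is the
# persistence behaviour the API monitor screenshot shows.
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
HIVES = ("HKCU", "HKLM", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")


@dataclass
class Finding:
    api: str
    key: str
    value_name: str
    data: str


def normalise_key(key: str) -> str:
    """Lower-case the path and drop the hive prefix so HKCU/HKLM compare alike."""
    for hive in HIVES:
        if key.upper().startswith(hive + "\\"):
            return "\\" + key[len(hive) + 1:].lower()
    return "\\" + key.lower()


def find_autorun_writes(lines) -> list:
    """Return registry writes that land in an autorun key.

    Record format (constructed for this example): four tab-separated fields,
    API name, registry key, value name, data. Non-registry records carry
    empty trailing fields.
    """
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue                      # not a record in this format
        api, key, value_name, data = fields
        if not api.startswith("RegSetValue"):
            continue                      # opens and queries persist nothing
        if normalise_key(key).endswith(AUTORUN_KEY_SUFFIXES):
            findings.append(Finding(api, key, value_name, data))
    return findings


# Constructed sample log: one user-level Run entry, one machine-level RunOnce
# entry, and two registry/file operations that are ordinary application noise.
SAMPLE_LOG = [
    "RegOpenKeyExW\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\t\t",
    "RegSetValueExW\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tWinUpdate\tC:\\Users\\Public\\wupd.exe",
    "RegSetValueExW\tHKCU\\Software\\Microsoft\\Office\\16.0\\Common\tLastUI\t1",
    "CreateFileW\tC:\\Users\\Public\\wupd.exe\t\t",
    "RegSetValueExW\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\tsvc\tC:\\Windows\\Temp\\svc.exe",
]

if __name__ == "__main__":
    for f in find_autorun_writes(SAMPLE_LOG):
        print(f"{f.api}: {f.key}\\{f.value_name} = {f.data}")
```

    Matching on the normalised key suffix rather than the raw string means a write under HKEY_CURRENT_USER and one under HKCU are treated alike, and the value name and data are kept so the analyst can see which file is being launched at boot.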


  • Photo 5 of 7 (40152080-5-malware3-5-custom.jpg)

    Analysts will then break the malware down into its constituent code using a disassembler.

    This can help uncover hidden dangers such as a time bomb, where the virus writer hides code within the malware that triggers at a certain time, for instance to wipe the hard disk on Friday the 13th.

    It also helps pinpoint the routines the malware uses to decrypt itself.


  • Photo 6 of 7 (40152080-6-malwarefinal-custom.jpg)

    Breaking the malware's operation down into flowcharts further simplifies its make-up.

    For example, it allows analysts to identify the various IF branches that tell the malware how to react to different operating systems.


  • Photo 7 of 7 (40152080-7-malwarefinal2-custom.jpg)

    By following the code flow through the program, analysts can spot variants on existing viruses or spyware by identifying familiar patterns.

    Wüest said: "Coders usually end up rewriting code so they follow similar patterns and you can say this is another spybot.

    "By going through the code flow I can see how it works."

    Coders even leave obscene messages aimed at security companies such as Symantec hidden in the code, along with suggestions for the names analysts should give their malware.

    Analysts will then build a signature for the malware based on its code or behaviour, making sure it is generic enough to pick up variations but not so generic it generates false positives.

    The signature is then checked by quality assurance testers and run against clean files before it is submitted to a signature database and released to users over LiveUpdate.

    The analyst will then write a security report on the newly discovered malware.
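    The signature trade-off in this caption, as an added example that is not part of the original gallery or of Symantec's signature tooling: a Python routine that compiles a hex signature with "??" wildcards (the usual notation for one-byte wildcards in byte-pattern signatures), runs it against known-bad samples and a clean corpus, and reports what is missed and what is falsely flagged. The three signatures and the short x86-style byte sequences (push, push, call, stack adjust) are constructed for the demonstration; the "clean_tool" blob stands in for a benign file in the QA clean-file run.

```python
import re


def compile_signature(pattern: str):
    """Turn a hex signature such as "6a ?? 68 ?? ?? ?? ?? e8" into a bytes regex.

    "??" is a one-byte wildcard; every other token is a literal byte.
    """
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def evaluate(pattern: str, malicious: dict, clean: dict) -> dict:
    """Run a candidate signature against known-bad and known-clean files."""
    sig = compile_signature(pattern)

    def hits(corpus):
        return [name for name, blob in corpus.items() if sig.search(blob)]

    detected = hits(malicious)
    return {
        "detected": detected,
        "missed": [n for n in malicious if n not in detected],
        "false_positives": hits(clean),
    }


def first_acceptable(candidates, malicious: dict, clean: dict):
    """Return the first candidate that catches every variant and no clean file."""
    for pattern in candidates:
        result = evaluate(pattern, malicious, clean)
        if not result["missed"] and not result["false_positives"]:
            return pattern
    return None


# Constructed samples. "original" and "variant" share the same code shape
# (push imm8; push imm32; call rel32; add esp, 8) but differ in every
# immediate, which is what a rewritten variant looks like. "clean_tool"
# starts the same way but calls through an import table instead.
MALICIOUS = {
    "original": b"\x55\x8b\xec\x6a\x10\x68\x00\x10\x40\x00\xe8\x10\x00\x00\x00\x83\xc4\x08\x5d\xc3",
    "variant":  b"\x55\x8b\xec\x6a\x20\x68\x40\x22\x40\x00\xe8\x35\x01\x00\x00\x83\xc4\x08\x5d\xc3",
}
CLEAN = {
    "clean_tool": b"\x55\x8b\xec\x6a\x00\x68\x00\x30\x40\x00\xff\x15\x00\x20\x40\x00\x5d\xc3",
}

# Three candidate signatures, from most to least specific.
TOO_SPECIFIC = "6a 10 68 00 10 40 00 e8"                        # exact immediates: misses the variant
TOO_GENERIC = "6a ?? 68"                                         # push/push only: hits clean code too
BALANCED = "6a ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08"        # code shape, immediates wildcarded

if __name__ == "__main__":
    for name, pattern in [("specific", TOO_SPECIFIC), ("generic", TOO_GENERIC), ("balanced", BALANCED)]:
        print(name, evaluate(pattern, MALICIOUS, CLEAN))
    print("chosen:", first_acceptable([TOO_SPECIFIC, TOO_GENERIC, BALANCED], MALICIOUS, CLEAN))
```

    The clean corpus is what keeps the wildcarding honest: each extra "??" widens the net for variants, and the false-positive list shows the point at which it starts catching ordinary software.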


By Nick Heath | October 9, 2008 -- 16:02 GMT (09:02 PDT) | Topic: Security
