Photos: A day in the life of a virus hunter

1 of 7
  • 40152080-1-malware-custom.jpg

    The anatomy of malware

    With hundreds of new pieces of malware being discovered every month, virus hunters are at the front line of the war on malicious software.

    Symantec threat researcher Candid Wüest's job is to rip apart the malware that the company discovers each day, look into its guts and pass on its telltale signatures to protect machines worldwide.

    Wüest laid bare the process of picking through the viruses and spyware that lands at the door of Symantec's 100-strong team of malware hunters in Europe.

    One of the first things that Symantec does is to peer inside the malware using a Hex editor, as seen here, allowing the researchers to start piecing together how it works.

    Here, for example, in the right-hand column the text strings show "MZ" indicating the malware is a Windows binary file.

    Further down the screen you can see PEC2, indicating it has been packed into a runtime packer, a method of compressing an executable program.

    Wüest and his team have to decrypt everything inside the malware and contend with the anti-reverse engineering techniques used by the malware writers, aimed at stopping the hunters in their tracks.

    Photo credit: Symantec

    Caption by: Nick Heath

  • 40152080-2-malware2-custom.jpg

    Next the team will unpack and run the malware on a computing platform to watch how it reacts.

    Then, the analysts examine the inner workings of the malware using methods such as a port sniffer to monitor network traffic and by studying the list of processes running on the machine.

    Photo credit: Symantec

    Caption by: Nick Heath

  • 40152080-3-malware2-5-custom.jpg

    Here you can see the malware trying to connect to an IRC logon, allowing the PC to be remotely controlled over a chat channel.

    The malware is also deleting NetShare on the machine to try and stop rival criminals from installing their malware on the compromised PC using network sharing.

    Wüest said that some malware writers even install their own antivirus software to keep their competitors in crime at bay.

    Photo credit: Symantec

    Caption by: Nick Heath

  • 40152080-4-malware3-custom.jpg

    Next it is passed through API Monitor, a programme that flags up all the interactions with the application programming interface and changes to the Windows registry.

    Here you can see a keylogger loading itself into the Windows Registry so it boots up with the computer.

    Photo credit: Symantec

    Caption by: Nick Heath

  • 40152080-5-malware3-5-custom.jpg

    Analysts will then break the malware down into its constituent programming code using a disassembling program.

    This can help uncover hidden dangers such as a time bomb, where the virus writer hides code within the malware to trigger at a certain time, for instance to wipe the hard disk on Friday the 13th.

    It also helps pinpoint the decryption routines that the malware will use to decrypt itself.

    Photo credit: Symantec

    Caption by: Nick Heath

  • 40152080-6-malwarefinal-custom.jpg

    Breaking the malware's operation down into flowcharts further simplifies the malware's make-up.

    For example, it allows analysts to identify the various IF processes that tell the malware how to react to different operating systems.

    Photo credit: Symantec

    Caption by: Nick Heath

  • 40152080-7-malwarefinal2-custom.jpg

    By following the code flow through the program, analysts can spot variants on existing viruses or spyware by identifying familiar patterns.

    Wüest said: "Coders usually end up rewriting code so they follow similar patterns and you can say this is another spybot.

    "By going through the code flow I can see how it works."

    Coders even leave obscene messages aimed at security companies like Symantec and suggest names that security analysts should call their malware hidden in the code.

    Analysts will then build a signature for the malware based on its code or behaviour, making sure it is generic enough to pick up variations but not so generic it generates false positives.

    The signature is then checked by quality assurance testers and run against clean files before it is submitted to a signature database and released to users over LiveUpdate.

    The analyst will then write a security report on the newly discovered malware.

    Photo credit: Symantec

    Caption by: Nick Heath

1 of 7

The anatomy of malware

Read More Read Less

The anatomy of malware

With hundreds of new pieces of malware being discovered every month, virus hunters are at the front line of the war on malicious software.

Symantec threat researcher Candid Wüest's job is to rip apart the malware that the company discovers each day, look into its guts and pass on its telltale signatures to protect machines worldwide.

Wüest laid bare the process of picking through the viruses and spyware that lands at the door of Symantec's 100-strong team of malware hunters in Europe.

One of the first things that Symantec does is to peer inside the malware using a Hex editor, as seen here, allowing the researchers to start piecing together how it works.

Here, for example, in the right-hand column the text strings show "MZ" indicating the malware is a Windows binary file.

Further down the screen you can see PEC2, indicating it has been packed into a runtime packer, a method of compressing an executable program.

Wüest and his team have to decrypt everything inside the malware and contend with the anti-reverse engineering techniques used by the malware writers, aimed at stopping the hunters in their tracks.

Photo credit: Symantec

Caption by: Nick Heath

1 of 7

Related Topics:

Security Security TV Data Management CXO Data Centers

Related Galleries

    • 1 of 3

  • The FBI's most wanted cybercriminals

    For the past few years, the FBI has been keeping a separate list of the US' most wanted cybercriminals. Time to take a look at who's still on it -- in no particular order. ...