What's it like to work as a malware researcher? 10 questions answered

Just days ago, we looked at how you can jump-start your career in the broader field of cybersecurity, leveraging insights from ESET security researchers with decades of experience under their belts. Since today is Antimalware Day, a day when we recognize the work of security professionals, we thought it apt to ask a trio of ESET malware researchers to ‘pick up the baton’ and share their thoughts and experiences about what their daily tasks involve.

Perhaps solving riddles is your thing? Have an inquisitive mind that thrives on new knowledge? Or you’re already contemplating carving out a career in the fight against cybercrime, but aren’t quite sure if you’re cut out for it? Or ‘just’ appreciate the fine work of malware researchers and wonder why they chose this career path?

Whatever the reason (perhaps a little bit of everything?), you need look no further than our Q&A with ESET's Lukas Stefanko, Fernando Tavella and Matías Porolli to learn what the job of an expert in deconstructing malicious software is like.

First off, how did you get into malware analysis/research?

Lukas: It all started when I became more familiar with software reverse engineering and tried to understand how a piece of software works and behaves without having access to its source code. From there, curiosity took me further to gain an understanding how malicious software works, what its purpose is, how it communicates, and so on. It was a new experience that I hugely enjoyed – and still do!

Fernando: Most of all, I always liked the research part, whether it was focused on security or other activities. But after I actually started to work in security I realized that I liked reverse engineering best. This was because of its complexity and general allure, and so I started participating in capture-the-flag competitions (CTFs) and dived into various related topics. At one point, I came across a piece of malware and realized just how interesting it is to understand how it works using a low-level language, what kinds of obfuscation and evasion techniques they use, and how you can defend yourself against certain threats.

Matías: In 2011, I won the ESET University Award that is organized by ESET in Latin America and that consisted of writing a research article about topics related to computer security. I had no experience with malware analysis at that time, but I continued to deepen my knowledge in this field through self-study. In 2013, I started working for ESET and ‘got my hands dirty’ with malware analysis.

Is there such a thing as “a typical day at work” for you?

Lukas: Most days start the same – I check the latest cybersecurity news, my inbox, and Twitter. But some days take a dramatic turn, for example when we discover new or interesting malware samples or its traces that we think might put us on track to identifying new cybercrime or APT campaigns. This is one of the reasons why having good sources of information helps – they just save time during the malware analysis, as some of the tricks might already have been revealed.

Fernando: Actually, I don't think there’s a "typical day" in my job. Many new things happen every day and vary from one day to another. Not everything can be planned. Perhaps when I do some research into, say, a malware campaign in Latin America, and it turns out to be time-consuming, I’ll spend the day analyzing that particular threat – all while setting aside some 30 minutes in the morning to bring myself up to date on fresh security news. But generally, no two days are the same.

Matías: Although there are unusual days when we begin research into an ongoing attack, I do have some sort of routine that consists of two main activities. First, it involves ‘hunting’ for new threats in my information feeds, keeping track of groups of attackers and so on. Second, I analyze the malicious files that emerge from that hunting activity or from work with my colleagues, in particular reverse engineering and documenting these threats.

What’s the most exciting part of your job?

Lukas: It’s actually all those small things that together make up the malware analysis process, which begins with me ‘scratching my head with curiosity’. Each step along the way then helps crack the problem and create a clearer picture of it. This means static and dynamic analysis of Android malware that involves running it on an actual device and observe its behavior from the victim's perspective in order to understand its purpose. This analysis reveals, for example, who the malware communicates with and what kinds of data it extracts from the device. Look at its permission requests and you can take an educated guess at the capabilities of the malware. However, dynamic analysis is often not enough. To have a better picture of how a piece of malware works and what its functionality is, it is important to fire up an Android decompiler and ‘get my hands dirty’ with manual code analysis.

From there, I often begin to research and eventually disclose active malware campaigns, which the bad guys don’t really like. It appears that some are actually following my work rather closely. On several occasions, their code contained short notes intended for me. They aren’t always nice. For example, they name their classes or packages after me, sign the malware “on my behalf” or even register malicious domains that contain my name and afterwards communicate with the malware. However, I don’t take it personally.

Figure 1. Some malware authors seem to follow Lukas’s work pretty closely

Fernando: It’s the static analysis of a threat, reverse engineering, the ability to see all the code at a low level and from there gain an understanding of the threat’s behavior and its most interesting functionalities so that I can then document them.

Matías: What I like best is that I rarely apply the same methods to various research projects. Attackers use various platforms and technologies, and oftentimes you encounter specific problems that require creative solutions. For example, how you automate the extraction of malware settings for thousands of malicious files or how you implement the deobfuscation of files that have been modified to hamper analysis.

Which research or projects are you most proud of?

Lukas: I would probably say it’s one of my latest research projects – the analysis of vulnerabilities in Android stalkerware. I spent months working on it, poring over 80 stalkerware apps and eventually discovering a combined 150-plus serious security and privacy issues in them.

Fernando: I am most proud of the research I did together with Matías into the espionage campaign in Venezuela that leveraged the Bandook malware. It was one of my first research projects, but I was able to carry out a comprehensive technical analysis of the threat affecting the country.

Matías: Any research involves a lot of work ‘behind the scenes’ that never gets published. I’m still very proud of it, though, especially because of what I said earlier about the need to be creative when getting to grips with some problems. But if I were to highlight one specific research project, I would say Evilnum. Little was known about the malware at the time, and practically nothing was known about the group behind it. ESET managed to put the group’s malicious arsenal in context, uncover its purpose and see ‘the big picture’.

Do you work closely with other teams in the security realm?

Lukas: Yes. Besides in-depth research, our main goal is to protect users of our products and detect threats in the wild. This means not just sharing them with our internal teams, but also with other cybersecurity companies and so help improve general awareness of recent threats.

Fernando: I have worked with folks in incident response, mainly to help them understand the behavior of any threat they have seen during an incident.

Matías: We constantly work together with other professionals. One case worth mentioning is when I worked with the Netherlands Computer Crime Unit to dismantle servers used by Evilnum and perform forensic analysis on them.

What are some essential hard skills for your job?

Lukas: As far as Android malware analysis goes, I would say you need to understand the basics of the operating system, including the application life cycle, and have the ability to read decompiled Java and Kotlin source code. It also pays to keep current on the latest discoveries, tools published recently, and even operating system and app updates. For example, such updates may come with new features that are convenient for users, but may also help create opportunities that the bad guys would take advantage of. Fortunately, most updates hamper malware writers in their work, rather than help them.

Fernando: I think having programming knowledge is very important, though not necessarily write code. Rather, you need to be able to read and understand it. Also, knowledge of operating systems, cryptography, computer and network architecture (be it network protocols or traffic analysis) are the kinds of skills that the more the person knows, the more prepared they are to analyze malware and not get frustrated or give up trying.

Matías: In terms of technical skills, you need to be well-versed in many fields of computer science, including networking, operating systems and programming. My job requires that you have a detailed knowledge of reverse engineering, especially for Windows platforms.

Is there any non-technical aspect of your job you struggle(d) with? Did your job require you to improve any such skills?

Lukas: Yes, there is. Each year, I try to improve one of my non-technical skills, such as writing blog posts, pushing myself into public speaking, improving my presentation skills, speaking to the media, giving interviews, and the like. Most of them are not easy to acquire for an introverted technical person and require me to step outside of my comfort zone, which is easier said than done.

Fernando: I’ve had to improve my writing skills. While there is a team that reviews our writing, it’s important for every researcher to use the right words and be able to express themselves well since their output reflects all the work that may be behind that particular research effort. So I think that being able to express yourself and convey your findings clearly is almost as important as just about anything else.

Matías: It’s important to know how to communicate the results of our analyses, be aware of who we produce our reports for, and then adapt the content accordingly. It’s also important to know how to tell a story, rather than just stuff a piece of content with technical descriptions.

What personality traits or soft skills should a malware researcher have?

Lukas: I believe that enthusiasm to solve problems and willingness to learn new things are the driving forces here. Everything else can be learned along the way.

Fernando: I think there are two very important characteristics that a malware researcher must have: the ability to learn on their own and curiosity.

Matías: Curiosity, the ability to focus on a task at hand, eagerness to crack problems, patience, and a keen eye for detail.

How do you continue to expand your knowledge and keep up to date?

Lukas: I have to say, staying up to date takes a lot of time every day. However, I’ve learned how to keep current using dedicated and trusted RSS feeds and social media channels, reading blog posts and tweets by peer researchers and other cybersecurity companies, as well as academic research and via Google Alerts. Once I’ve narrowed this down to and read the most important news updates, I try to share them with other mobile security enthusiasts via my Telegram channel and so perhaps save them some time while they’re also looking for news about mobile security.

Fernando: I usually go Twitter to find information shared by fellow researchers and to read their publications. That way, I learn about new campaigns and new techniques that can be deployed by cybercriminals. Also, if there’s something that caught my eye in a piece of research, I make a note of it and then dive into it in my own free time. This could be anything, for example a cipher or a malware obfuscation method.

Matías: You have to read the news and keep up to date on what’s going on. I suggest using social networks to follow security companies and find out about new research, or even follow other researchers. Also read computer security blogs: WeLiveSecurity, for example. ;)

What message would you share with people who are keen to embark on a career in malware research?

Lukas: Go for it. Passion and enthusiasm are crucial and make it easier for any budding malware researcher to “soak up” information and knowledge. In addition, if you find something difficult to understand, don’t fret – your future colleagues will be more than happy to explain it to you.

Fernando: Go one step at a time. Join CTF contests involving various topics that are related to malware analysis, such as reverse engineering, cryptography and network traffic analysis. You don’t need to start by dissecting malware, simply because this can be too complex. Additionally, read what others have already done, so you learn from analyses of previously detected threats and see how the malware samples worked. If you read and search enough, you’ll notice that some malware variants have certain characteristics in common – for example, they tamper with registry entries in order to gain persistence on a victim's machine. Also, when reading an article from another researcher, you can see what they considered important about this specific threat, which is an insight you should leverage when setting about analyzing a piece of malware for the first time.

Matías: Keep calm and identify the cryptographic constants.

There you have it. We hope this has given you enough food for thought. Now, one-third of your life is spent at work – why not choose a career where you can make an impact and contribute to making technology safer for everybody?

Happy Antimalware Day!