Introduction “My computer has a virus!” Almost anyone who has been involved with any kind of computing device has either said or heard this phrase. These days, we frequently hear about virus attacks. Some of these attacks impact millions of users across the globe. As security professionals, we explain that the term virus is not very accurate. The correct scientific terminology is malware. A virus is a category of malware. What is malware? Malware is a weapon used by malicious entities to execute sinister motives. In technical terms, malware (or rather mal-ware) is malicious software—a piece of software whose intentions are malicious. Malware has always existed, but in the early days of computing, it was hardly a concern for end users. Industry sectors like banking, finance, and government were more concerned about malware attacks compared to the rest of the industry. But the malware landscape has changed drastically over time. Previously, it all seemed to be about money, but data is now the greatest currency in every facet of our lives, and it has become the primary target of malware. To make sure our data is protected, data protection laws are strictly enforced. Any organization that stores information about the public is held responsible for all forms of misuse and loss of data. This has ensured that no organization in the world can take cybersecurity for granted anymore. At the same time, not only organizations, but we end users can’t take it lightly. The kind of computing devices available now, and their usability has changed massively over the last decade. Personal computers and cellphones are used to carry out bank transactions, hotel bookings, flight bookings, pay our utility bills, act as key fobs for our cars, operate the appliances at home, control IoT devices, and so on. Our personal devices hold a lot of private data, including usernames, passwords, and images. Today, no one can afford to be hacked. In the past, malware attacks directly involved a corporation or a government body. Today, malware attacks have grown to target and attack end users’ computing devices to monetize Malware is pretty much a part of every cyberattack carried out by attackers. Malicious threat actors release malware in millions every day. But the number of security professionals who work on malware is much smaller than the required number of security individuals who can handle this deluge of malware. Even lesser are the percentage of said security professionals who are qualified to detect and analyze them. Malware analysis is a growing business, and security professionals need to learn more about analyzing malware. Some of the studies carried out expect the malware analysis market to grow from 3 billion in 2019 to 11 billion by 2024.1 This growth projection comes from the fact that not only is the amount of malware increasing every day, but it is becoming more complex with the advent and use of new technologies. Also, the availability of new computing platforms like the cloud and IoT, has given malware new attack surfaces that they can target and monetize. While the attack surface and complexity has increased, the defense remains largely unmanned due to a shortage of security professionals with the requisite skills to tackle malware. The step-by-step walkthrough of a malware analysis workflow in this book ensures that its readers (malware analysts, reverse engineers, network engineers, security operations center (SoC) analysts, IT admins, network admins, or managers and chief information security officers (CISOs)) advance their malware analysis and reversing skills and improve their preparedness for any kind of malware attack. At the same time, the introduction to the internals of how antiviruses, sandboxes, IDS/IPS, and other malware detection–related tools give a fresh look at new ideas on how to use these tools and customize them to improve your analysis infrastructure. Before you dive into learning how to analyze malware, let’s first go through the terms for various types of malware and their functionalities. Types of Malware As malware analysts, you will not only come across malware samples that you need to investigate, but you also need to read through analysis reports, blogs, and technical articles on the Internet and other sources that discuss malware and cyberattacks around the world. The malware analysis world has coined various terms for malware and its functionalities, which are commonly used. Let’s discuss some of the various terms. These terms can indicate malware, and in some cases, it can refer to malware code, features, or functionalities that make up the larger malware. The following are some of the common malware types or features. • A virus is the first kind of malware that is known to self-replicate. It is also called a file infector. Viruses survive by infecting and inserting themselves into other healthy files on the system. When executed, these infected healthy programs run, execute, and display the intended functionality, but can also execute the virus in the background. • A worm is malware or a malware functionality that spreads and infects other computers, either via the network or some physical means like the USB. • A backdoor is an unauthorized entry point by which an attacker can enter the victim’s system. For example, malware can create an open network port on the system which has shell access, that can be accessed by the attacker to gain entry into the system. • A trojan is malware that masquerades as a clean software and is installed on the victim machine with the user’s full knowledge, but the user is not aware of its real malicious intentions. • Spyware or InfoStealer spies on and steals sensitive data from your system. The data targeted by spyware can be usernames, passwords, images, and documents. • A keylogger is a kind of spyware that can log the user’s keystrokes and send the recorded keystrokes back to the attacker. A botnet is a bot network or robot network that comprises of multiple machinesinfected by malware. The malware that forms this bot network or botnet works together as a herd, accepting and acting on commands sent by an attacker from a central server. Botnets can carry out denial-of-service (DOS) attacks, send spam, and so forth. • Remote administration tool (RAT) is malware or a malware feature that can give the hacker full control of your system. These tools are very similar to desktop sharing software usually used by administrators to access our systems for troubleshooting purposes. The only difference being malware RATs are used by attackers to access our computers without any authorization. • Adware is a common type of malware that most of us have come across but never noticed. Adware is included with software downloads from third-party websites. While installing the downloaded software, adware is installed behind the scene without our knowledge. Do note that not all adware is malicious. But you can call these as a category of trojan but only responsible for displaying unwanted ads on your system. Many of them are known to change the default search engines for the browsers on our computers. • A rootkit is malware or a malware functionality combined with another piece of malware, whose aim is to conceal its activity or that of another malware on the system. Rootkits mostly function by modifying system functions and data structures. • Banking malware works by intercepting and modifying browser communication to capture information on banking transactions and credentials. • Point-of-sale (PoS) malware infects PoS devices, which are used by most retail, shopping outlets, and restaurants worldwide. PoS malware’s main functionality includes trying to steal credit card information from the PoS software. • Ransomware works by taking hostage of the data, files, and other system resources on the system, and demand the victim for ransom in return to release these resources. Compared to other malwar types, ransomware is easy for a hacker to program. At the same time, from a remediation standpoint, ransomware is very hard to deal with since once encrypted, the data causes huge losses for the users, and requires a lot of effort to neutralize the damage and restore the system to its former state. • A cryptominer is a relatively new member of the malware family, having become popular with the increasing use of cryptocurrencies. This malware is rarely known to steal data from the victim’s machine, but they eat up system resources by mining cryptocurrencies. • A downloader is malware that downloads other malware. Botnets work as downloaders and download malware upon receiving a command from the central server. These days most of the Microsoft Office file-based macro malware are downloaders, which downloads another piece of the bigger malware payload. Emotet is a popular malware that uses a Microsoft document-based macro downloader. • Spammers send out spam emails from the victim’s machine. The spam may contain emails containing links to malicious sites. The malware may read contacts from email clients like Microsoft Outlook installed on the victim’s machine and send out emails to those contacts. • An exploit is not malware but rather malicious code that is meant to take advantage of a vulnerability on the system and exploit it to take control of the vulnerable program and thereby the system. These days most exploits are responsible for downloading other malware. Platform Diversity People often question which programming language is used to create malware. The answer is malware can be written and are written in almost any programming language, such as C, JavaScript, Python, Java, Visual Basic, C#, and so on. Attackers are also taking it one step further by using a technique called Living Off the Land, where they develop attacks that carry