The Anti-virus Times

Wednesday, August 3, 2022

Virus analysts study malware in detail. Their job is to investigate existing threats and predict the emergence of new ones. They should be able to parse someone else's code, piece by piece. And in order to understand how intruders think, they have to be somewhat like psychologists.

Computer viruses appeared in the 1970s. And the 80s saw the first virus outbreaks.

Today, there exists an entire industry devoted to combatting malware, and valuable professionals—virus analysts—work within it. These people analyse the reasons why viruses appear and what they do on user devices, and develop ways to counteract virus attacks.

Virus analyst responsibilities

Every day, the Doctor Web analytical laboratory of computer virology receives from 500,000 to 900,000 code samples. They come from different sources. Including from anti-virus "aggregators" (such as VirusTotal), anti-virus vendors, bait (honeypots) dedicated to attracting computer viruses, traps for spam, and the laboratory’s internal telemetry units.

Is a file malicious? To determine this, a virus analyst uses different testing methods and monitors its behaviour. Not all samples that get to our lab pose a real threat. However, for us to be convinced of this, they need to be analysed.

Up to 95% of samples are automatically analysed. There are specialised tools for this: Doctor Web is one of the few anti-virus vendors in the world to have its own technologies for detecting and curing malware.

We analyse code samples for which robots cannot give an immediate verdict. A professional and experienced virus analyst requires just 5 minutes to disassemble a suspicious file, analyse its source code, and confirm its status.

When a virus analyst detects very sophisticated or new malware, they perform an in-depth analysis that allows them to give a technical description of the threat. In the Doctor Web virus laboratory, such tests are carried out in the Sandbox testing environment, which operates on the basis of the Dr.Web vxCube service, as well as on virtual machines and emulators.

We monitor some malicious programs for several months, since they may be in a sleep state and appear again later once cybercriminals have “redesigned” them.

Scanned files confirmed to be malicious are added to the anti-virus databases, which are updated every hour. This allows the anti-virus to do its job, which is to promptly detect and eliminate threats.

What a virus analyst should know and be able to do

A Doctor Web virus analyst can work on the front line—in the department responsible for developing automated analysis tools, traps, and the Dr.Web vxCube service. Here, specialists analyse all samples ignored by automated systems and respond to requests sent to the technical support service. To work in this department, you need to:

• be familiar with Assembler x86,
• be able to work with OllyDBG, Hiew, and IDA,
• be versed in the architecture of Windows and PE files,
• understand technical terms in English.

There is a department for researching and analysing complex threats. This team’s task is to study yet unknown and/or very complex threats, botnets and cyberattacks. Here, virus analysts decrypt files corrupted by encryption ransomware and also manage investigations related to VCIs (virus-related computer incidents). These specialists, in addition to having the above knowledge and skills, need to be versed in encryption, have experience investigating various attacks on remote servers carried out by intruders, and be able to write technical articles and examine various vulnerabilities and complex viruses in depth.

And a third department analyses malware that threatens mobile devices. Specialists of this department:

• are familiar with Android’s operation and Java code,
• know the format of Elf/Dex executables, basic programming algorithms and Python/C/C++,
• have experience working with Dex decompilers and Linux systems.