Several Malware Analysis Reports to Learn From
Learning from other analysts' reports is valuable when you can't reverse-engineer malware yourself. Recommended write-ups cover Murofet (file infection, password stealing), Avzhan (DDoS bots), Visal (email worm), Facebook clickjacking worms, and techniques for hiding JavaScript across PDF objects.
Analyzing malware helps you understand the overall threat landscape. The next best thing to reverse-engineering malicious programs yourself is learning from other analysts’ reports.
Here are several excellent write-ups, authored by different researchers, which describe several types of malicious software:
- Murofet exhibits file infection and password stealing abilities. Marco Giuliani at Prevx provided insightful analysis of this specimen.
- Avzhan is a growing family of DDoS bots. Jeff Edwards at Arbor Networks offered a comprehensive overview of this family of malware.
- Visal is an email worm that spreads links to malicious Windows executable files. It was thoroughly examined by SecureWorks.
- “The Hottest girls on Facebook” worm uses clickjacking and social engineering to propagate. It was researched by Krzysztof Kotowicz. George Deglin examined another example of a Facebook worm.
- A malicious PDF file can split JavaScript across several objects. An example of this technique was documented by Tamas Rudnai at Websense.
- Attacks often combine a malicious PDF file with a Windows executable. One such incident was analyzed by Curt Wilson.
I periodically post interesting malware analysis reports from across the web on the Reverse-Engineering Malware Course page on Facebook.
If you’d like to improve your own malware report-writing skills, take a look at my earlier note What to Include in a Malware Analysis Report, which includes a mind-map template.