Saturday, August 17, 2013

Elitism: A rant by Secluded Memory

After several blog posts, it occurred to me that not everyone understands the purpose of this blog, my intent for writing, or why I don't believe in being an elitist, so I wanted to take some time to try to clear that up. There will definitely be some ranting involved here - you've been warned.

For starters, I've been extremely flattered by all of the positive feedback I've been given surrounding my various blog posts, as well as the work I've been doing as part of the MalwareMustDie community. So, to all of you who have supported me in my personal life, my professional life, and my time as a "malware crusader" - thank you.

When I write a post, there's only one place I ever post the link - Twitter. Inevitably the link seems to be passed around to various other places on the internet, which is fine. The side effect is that it reaches a much wider audience than I originally anticipated. This isn't necessarily a bad thing, but a larger viewer base means there are going to be people who simply don't like what I have to say.

If you happen to be such a reader who doesn't like what I have to say, let me be clear - I didn't create this blog for you, and I'm certainly not forcing you to read it. I created this blog to contribute something positive to the community which has been so incredibly helpful in my never-ending quest to learn. I did not create a blog for people like this:

"I'm tired of things like "Look, I'm a malware analyst, I can post VirusTotal links to my twitter". There is only one tool for malware analysis - IDA PRO, other tools are for malware analysis cargo cult. If you are uploading a file to VT then you don't do any malware analysis - you just get results from many AV vendors. I just don't get people who call output from tools like ProcMon, or some sandboxes, "malware analysis", why not a research?" - <name redacted>

Which brings me to my next point...

What does it mean to be a malware analyst?

Malware analysis involves so many different things. One of the biggest components of that is research. We aren't here to reinvent the wheel, we're here to accomplish a task. Sometimes all we want to do is answer the question "what type of malware is this?" or "what does this malware do?" and we don't necessarily need to fully reverse engineer the sample. Maybe we just don't have time to do that.

Being a malware analyst means being an observer, a researcher, a hacker - an analyst. We take a piece of malware and figure out something about it that the average user doesn't know. The tools we choose to use are not what determines who we are, and the choice of tool certainly does not make one of us better than the other. I use VirusTotal because it helps point me in the right direction to start my research. If someone else has already fully reversed the sample I'm working on, why would I do it again if all I really want to do is give people an overview of my thought process for dynamic (read: behavioral) analysis? I wouldn't.

I have never claimed to be an expert at anything other than drinking and sarcasm. Just because I have a blog doesn't make me any better than anyone else. Just because I can look up something in VirusTotal doesn't mean I think I'm an expert at reverse engineering. Just because I don't think IDAPro is the only tool people should be using for malware analysis doesn't mean I'm not a malware analyst.

At the end of the day, I think we can do without the elitist attitude that certain individuals, who are also a valuable part of this very same community, carry around. Trying to keep up with the spread of malware is hard enough; we don't need to be putting each other down or trying to pretend we're better than the next guy. We are all on the same team, so let's start acting like it. With that, I'll leave you with one question:

If we can't help each other become better at whatever it is that we're doing, then why are we here?

  1. Fully agree. I understand there are analysts who only do work with IDA, and that's fine. I would love to have more time to delve deeper into samples. My environment only gives me enough time to do some basic analysis and remediate any infection. I've found a lot of writeups helpful even if someone has just done some basic stuff. For an IDS alert that I've never seen before, I'm going to try and dig up some information first. Blogs like yours are always helpful just to help get started. Your contributions to the community are probably more helpful than you might think.

    1. digi4nsic,

      Thanks for taking the time to leave a comment, I appreciate it. I'm happy to hear that you find the things I write about helpful as well. My work environment often keeps me limited to basic analysis steps as well. I do sometimes get more time to dive deep into samples, but I'm still very much learning assembly/IDA/Olly, etc., so I don't really write about those unless I have a very specific example for usage (see my post on UPX packed malware).

      The evolution of this blog is really meant to mirror my own learning process. Can I use IDA? Sure, but I wouldn't dare do a write-up on it yet -- it's still very much foreign territory for me. It'll come, eventually. When that happens, I hope to have a "bigger picture" with my blog where someone can follow my more basic posts and learn things from them. After that, they can continue reading through more advanced topics as they get covered.

      Sooner or later the full spectrum of malware analysis and reverse engineering will be here. Unfortunately even then there are still going to be people who won't, can't, or don't care to shake the elitist attitude that often comes with the territory of working in or studying information security.

      Thanks again for stopping by!