What certifications do you have that will help you in this role?
While this question may also be faced in the entry-level/tech-level interview questions, the application of certifications and, by extension, what they certify also applies to this level of interview question.
Malware analysts have some certification options they can use to help them in their careers — GIAC Reverse Engineering Malware (GREM), Certified Reverse Engineering Analyst (CREA), and Certified Ethical Hacking. Apply any one of these or any other certification that you may have, to the responsibilities of malware analysts. It should be noted that you do not need a certification to work as a malware analyst, but it may help to demonstrate your potential value to the employer if you have one.
How would you handle a malware threat on a major production server?
This answer will have to include the fact that with a production server, you will have to take it out of production to address the issue. Part of this is because of the importance of production servers to organizations. Aside from the almost guaranteed downtime of the server, the rest of the answer should stress that while malware can be as easily removed from a server as a computer (mention tools you have used), it may be necessary to restore a file or even an entire image from a backup. If the malware has already damaged files, then restoration will be vital to solving this problem.
What is threat intelligence?
Threat intelligence is how you keep abreast of changes to the malware and botnet landscape. As new malware and other malicious threats pop up, they are reported with threat intelligence engines that compile and leverage this data to help malware analysts do their dirty work. Threat intelligence can be thought of as the brain of malware analysis.
Explain the importance of software updates with regard to malware
Software updates are a critical part of keeping a computer or system malware-free. As a matter of fact, it could be said that the most important part of Windows updates is the security updates, which contain new malware signatures captured during the last month.
Malware analysts will have to coordinate with members of an organization’s security team to ensure that software updates are performed at the organization level so that all computers and systems get their software updates.
Give a brief Overview of PE Header?
First, you must have to remember all the header’s structures inside the PE file.
1.Dos Header (_IMAGE_DOS_HEADER)
2.NT Header (_IMAGE_NT_HEADERS)
3.File Header (_IMAGE_FILE_HEADER) (Inside NT header)
4.Optional Header (_IMAGE_OPTIONAL_HEADER) (Inside NT header)
5.Section Headers (_IMAGE_SECTION_HEADER) (one for each section)
First, we have DOS header, after that NT header. Inside NT header two other headers are embedded called file header and optional header. After the optional header is an array of 16 structures called data directory. Then there is section header just after that, which is there for each section present in PE image.
What is process injection?
Process injection is the method that malware can use to conceal its operations within the system. The malware has to go through a certain set of functions to carry out this technique, and it is important that the malware analyst know how to identify these operations. The best way to know this is to make judgments based on previous experience and acquired knowledge.
What hex values “Magic” field in the Optional header is set to?
The magic field in Option header shows if the PE file supports a 32-bit machine or 64-bit machine. Its value set to 010B for PE32 and 020B for PE64.
It’s not necessary to remember these values but it may be asked sometime. So it’s better to remember only important field values like the above one, machine in the File header, and e_magic in DOS header.
How to determine the total size of the header in the disk?
SizeOfHeader in the optional header field shows the total size of the header in the disk.
How many sections are possible in a PE file?
Inside File header, the NumberOfSections field shows the number of sections possible. Since it is a Word value(2 bytes) maximum sections possible is 0 to 65,535.
What is the difference between RVA(Relative virtual address) and AVA(Absolute virtual address)?
AVA(also called as VA) is the original address in the virtual memory. whereas RVA is the relative address with respect to the Image Base. In calculation:
RVA = AVA – ImageBase
Means for AVA = 400100 and ImageBase = 400000, RVA will be 100.
What is Import Address Table(IAT) used for?
IAT contains the address and a few other information of all DLL’s that needed to be imported by that image.
Questions related to IAT have been asked a lot. Even for your malware analysis career, you must be familiar with imports and exports. More info on this in the next few questions.
How important are software exploits with regard to malware analysts?
Software exploits are very important to malware analysts in the course of carrying out their roles. Software exploits have been increasingly used in recent years to sneak malware into a system because they need no user interaction and the malware’s malicious code can deliver its malicious code undetected. It goes without saying that analyzing software exploits can be very helpful for software analysts.
Name different tools you would use as a malware analyst, with the tools being used in different phases of malware analysis?
This is a good question to further highlight your previous work experience with malware. A good example of a tool to use during the Disassembler phase is IDA Pro. Another malware analysis phase is the Debugger phase, and OllyDbg is a good example of a tool used at that phase. Whatever you pick, though, it’s smart to back up your choices of tools with stories about your experience with their real-world application.
What is reverse-engineering of malware?
Reverse-engineering of malware consists of taking an executable and performing what has been called the “computer version of an MRI” on it. Due to the unknown nature of the executable, this work should be performed on a system or environment that is not connected to the network to minimize potential damage. This process can be painstaking, but it is sometimes the only way to understand the executable.
What is assembly language and why is it important?
Assembly language is the last level of human-readable code. Malware code is generally down at the operating system level, and for a human to be able to read this code it needs to be disassembled to a level that is readable to the human eye. Malware analysts will generally disassemble up to the assembly language; from there, they should know how to read and write in assembly language to analyze malware code.
What is TLS Callback?
TLS Callback is Address of Callbacks( functions that are generally stored on .tls section) that are executed when a process or thread is started or stopped. Since the windows loader first creates a thread for the process to run. The code in TLS Callback runs even before the program reaches the entry point.
Malware uses these functions/Callbacks to store there malicious code or Anti-Debug methods. It makes malware analysts confused while they are debugging the code since they first break at EntryPoint but the malicious code is already executed.
What is the difference between the import table and export table?
You already know about the import table.
The export table contains details about functions that the image exports to use by other programs.
What is the difference between SizeOfRawData and VirtualSize in the section header?
VirtualSize is the total size of a section when loaded into memory. Whereas SizeOfRawData is the size of the section when the image is in disk.
Why is it good to have a hypervisor in a malware analysis lab?
In testing environments without a hypervisor, you need to have multiple computers running different operating systems. Hypervisors allow you to run multiple operating systems from one computer, which takes up fewer organization resources. Another good thing is that a hypervisor can run multiple tools at once, making a malware analyst’s job easier.
What is the heuristic analysis?
Heuristic analysis is a malware and virus detection method that looks for common suspicious characteristics to find new and unknown malware and virus threats. This will keep an organization ahead of the curve with the hardest-to-find threats — the unknown ones.
What is automated analysis?
Automated analysis is another way to analyze malware. Just as when other things are automated, when you automate the analysis of malware it is done to save time. This should be done in a sandbox to mitigate or eliminate any impact on your network.
What is dynamic analysis?
Dynamic analysis, or behavior analysis, examines malware by executing it in a controlled, monitored environment in order to observe its behavior. This is preferable to static analysis, which conducts its examination without actually running the malware. The other major benefit of dynamic analysis is that you can execute the malware without harming your network devices.
What is the difference between IDS and IPS?
IDS is an Intrusion Detection System and it only detects intrusions and the administrator has to take care of preventing the intrusion. Whereas, in IPS i.e., Intrusion Prevention System, the system detects the intrusion and also takes actions to prevent the intrusion.
What are the response codes that can be received from a Web Application?
1xx – Informational responses
2xx – Success
3xx – Redirection
4xx – Client-side error
5xx – Server-side error
Explain SSL Encryption
SSL(Secure Sockets Layer) is the industry-standard security technology creating encrypted connections between Web Server and a Browser. This is used to maintain data privacy and to protect the information in online transactions. The steps for establishing an SSL connection is as follows:
- A browser tries to connect to the webserver secured with SSL
- The browser sends a copy of its SSL certificate to the browser
- The browser checks if the SSL certificate is trustworthy or not. If it is trustworthy, then the browser sends a message to the webserver requesting to establish an encrypted connection
- The web server sends an acknowledgment to start an SSL encrypted connection
- SSL encrypted communication takes place between the browser and the webserver