The challenge of performing effective malware analysis

Imagine that it’s your responsibility to identify new malware threats, and conduct malware analysis to figure out how it works, and what it does so you can engineer an effective defense against it. Now, consider the fact that there is an average of over 80,000 new malware threats per day. That is 10,000 per hour for a standard 8-hour workday, so you need to analyze approximately 167 malware variants per minute…for eight straight hours every day.

Thankfully, that isn’t really how it’s done. First of all, security vendors operate around the clock, so those 80,000 threats are spread over 24 hours instead of just eight. That still boils down to 56 malware variants per minute, though, so it is clearly imperative to have the right tools, and some ability to automate the malware analysis in order to keep up.

Malware analysis requires a highly-specialized skillset, and there are a number of steps involved. You have to first detect a suspicious file, then reverse engineer it to find out what it’s supposed to do. You have to be able to recognize common attack techniques within the code, and also have the intuition to spot unique attack vectors as well. You have to determine how the malware is designed to infiltrate and spread on the target device, what the goal is once it is there, and then find a way to block the threat, or prevent the malicious activity. That is a lot to accomplish 56 times per minute.

The good news for malware researchers is that the vast majority of the 80,000 threats are just minor variations of other known threats. There is enough new or different to evade the detection and defenses designed for the other variant, but once it is identified the malware analysis is much simpler and faster because most of that work has already been done.

Major security vendors have developed their own processes and automated tools internally. For organizations, or independent security researchers who want to conduct their own malware analysis, there are a number of tools available to automate most of the mundane, routine aspects. Automated tools can crank through thousands of malware samples and quickly identify the ones that are simple variants of existing threats, so human security researchers can focus on the few malware samples that are actually new or unique threats.

Scroll to Top