I don’t know what it is like to fly an aeroplane when all the engines have failed, but I feel like I’m doing the career equivalent — my engines have stopped and now I’m trying to restart them again before I slam into the ground!

I’ll explain by asking what it is that makes you want to go to work in the mornings? For me, it is the prospect of having something interesting to think about — something challenging — and if I can do something to help other people in the process, then even better.

A few years back I started getting bored with the I.T. work that I was doing, and found myself capturing malware to analyse (hey, I could give up any time I wanted to!) — something which I’d been interested in since I found the Stoned virus on a school PC back in year 11. This was kind of ok, although it did take a lot of time, but then I also attempted to get a life and started taking up some hobbies. These hobbies then started taking up my personal time and didn’t leave much time to analyse malware.

Desperate for some more challenging work, I jumped at the chance to attend the ‘FOR508: Computer Forensics, Investigation, and Response’ SANS course (‘Hi Chad’, if you’re reading this) when it came to town, and started thinking that I was in the wrong job!
I wanted a job that would use a lot of the knowledge that I had from my (I was starting to think, misspent) youth — the knowledge that I’d gained from playing around and experimenting with assembly language, MS-DOS, some of the earlier PC viruses, anti-virus software, and how stuff worked (or didn’t work in some cases).

Amongst other things, I’d written boot code to automatically detect and clean MBR viruses, I’d written a self-encrypting/decrypting UNIX Bourne shell script to add what I later learned was a form of two factor authentication to my university UNIX account, and I’d written some assembly language to bypass anti-virus int 0x21 hooks by watching for the int 0x21 handler jumping in to MS-DOS’ memory area. After I started full-time employment, however, I slowly found that none of that mattered!

About a year ago, I resigned from the UNIX admin position which I was occupying at the time. I’d had fifteen years of professional I.T. experience, spanning a variety of fields (including info sec), but I needed something more challenging — it was time to actually do something about it!

I had taught myself 80×86 assembly language (mostly out of curiosity — hence the comment about recently trying to get a life) back before I came across the Stoned virus and I was using DEBUG.EXE back then, so with today’s debuggers like OllyDbg, and WinDbg (which I’ve noticed implements some of the good old DEBUG.EXE commands) I ought to find it a bit more comfortable.

However, the last time I tried doing this it was taking me ages as, although the debuggers were easier to use and had a lot more features these days, I was still loading the malware in to a debugger and wading through pages of disassembled code to figure out what it was doing. I considered my method, then the rate at which my lab was collecting malware, and exclaimed to myself ‘I need to get a lot quicker at this!’.

That’s when I learned that a number of tools and methods can be used to analyse malware, so I bought some books, read articles/blogs on the Internet, started learning Python, and started some faster analysis and then started some scripting of my own (I have a philosophy — why do something manually when you can automate it).
I found myself repeating some of the behaviour from my university days where I’d end up getting to bed late because I’d been working on some code, and then not be able to sleep from thinking about ideas/changes I could make. I’d done it — I’d made I.T. interesting again…

… only now I need a new job!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s