Reverse engineering malware is a process security professionals can use to learn more about how a piece of malware works so they can combat it. They use a carefully controlled computer system to see what the malware does when it is active, using this information to piece together the method of construction and mechanism of action. This information is useful for removing the malware from infected computers, updating antivirus software, restoring damaged files, or preparing material for forensic testimony.
Antivirus companies have an interest in reverse engineering malware because they want to keep their software up to date and need to learn more about emerging trends in virus and malware design. Their engineers work in laboratories set up for this purpose. The engineer can infect a computer, watch the software act, change parameters, and deconstruct the software's design. In addition to studying raw code, the engineer may also have an interest in seeing what the software does in various environments, and in how it changes over time.
When the engineer is done, she can wipe the computer to restore its original state, and will use the information from the reverse engineering session to design an update to the antivirus software and to generate information engineers will use in future software designs. The engineer may also notify an operating system's manufacturer if the malware reveals a security hole that could be exploited again in the future. Reverse engineering malware is also part of software and product development for software companies, including manufacturers of operating systems.
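The baseline, observe and compare loop described above, as an added example that is not code from the original article: it hashes every file under a directory on the analysis host before a sample runs and again afterwards, then reports which files were created, modified or deleted. The function names, the temporary directory and the "sample" (a harmless stand-in function that writes files) are all constructed for this illustration.

```python
# Added illustration, not from the original article: hash a directory tree
# before a sample runs and again afterwards, then report what changed.
# The "sample" is a constructed, harmless stand-in function and the directory
# is a throwaway temp folder standing in for the controlled analysis host.
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            state[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as created, deleted or modified between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def observe(root: str, run_sample) -> dict:
    """Baseline the host, let the sample act, then compare against the baseline."""
    before = snapshot(root)
    run_sample(root)
    return diff_snapshots(before, snapshot(root))


def demo_sample(root: str) -> None:
    """Constructed stand-in for a sample: drops one file and rewrites another."""
    Path(root, "dropped.bin").write_bytes(b"\x00constructed stand-in, not malware")
    Path(root, "hosts").write_text("127.0.0.1 example.invalid\n")


def run_demo() -> dict:
    """Build a throwaway 'host' with two known files and observe the sample on it."""
    root = tempfile.mkdtemp(prefix="re-lab-")
    Path(root, "hosts").write_text("127.0.0.1 localhost\n")
    Path(root, "notes.txt").write_text("baseline")
    return observe(root, demo_sample)
```

On a real analysis host the same comparison is done against a clean virtual machine snapshot, which is then reverted, as the article describes, rather than against a temporary folder.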
Computer engineers may also have an interest in reverse engineering malware as part of the process of cleaning an infected computer or network. This information is necessary to make sure the malicious software is completely eradicated after the cleanup, and it can also be helpful for addressing security problems. If the software took advantage of a vulnerable point in a network's firewall, for example, reverse engineering will show this and provide information on how to fix the vulnerability.
Law enforcement agencies may also practice reverse engineering to learn more about malware. This information can be useful for handling infected computers in their custody, conducting forensic investigations, and developing evidence to prosecute a malware creator. In forensic testimony, a computer scientist will need to be able to talk about reverse engineering malware to determine its structure and function in language that a judge and jury can clearly understand. This requires a deep knowledge of computer science as well as communications, and a compelling witness can be a valuable tool in the course of a trial related to malware.