Having the malware's source code reduces the educated guesswork needed to determine what the malware does to a system. This is especially true for malware that never writes to disk (memory-resident malware) or malware that may be a rootkit, since both are difficult to observe on a live system: a memory-resident sample leaves no file to pull for analysis, and a rootkit actively hides its processes, files and network activity from the tools an investigator would normally use. Source code gives the investigator an outline of what is happening to the system and can be used to determine if, what, where and how the malware sends data off a compromised target.
Source code also makes analysis faster because there is no need to reverse-engineer a binary. Reverse engineering the complex algorithms used by malware can be done, but it is slow; if an investigator can instead read the code to find the addresses of the malware's update peers or the encryption keys it uses, the analysis effort drops considerably.
Source code also has educational value for investigators. An investigator who practices reverse engineering on malware whose source code is available can use that source to validate his or her findings from the reverse engineering. Reverse engineering will still be necessary, after all, since not all malware will have source code available, and even when source is available the investigator should confirm that it actually matches the sample in hand, since malware families are frequently modified and the compiled variant found on a system may differ from the published source.
This was first published in October 2009