search menu icon-carat-right cmu-wordmark
Our Research

Reverse Engineering for Malware Analysis

Reverse Engineering for Malware Analysis

Malware refers to malicious software—including viruses, ransomware, and spyware—that requires the process of reverse engineering to understand what it does, what it impacts, and how to remove it.

In recent years, we have learned just how costly malware attacks—such as the WannaCry ransomware attack from 2017—can be. Malicious actors, including nation states, can use malware to target the Department of Defense (DoD) and other government agencies, as well as the networks of critical U.S. infrastructure. Attackers conduct these kinds of cyber attacks to disrupt operations, destroy data, and steal intellectual property.

Malware also affects industry on a large scale. Data breaches that result from malware attacks have occurred in retail, health care, education, financial services, and manufacturing. And the cost of dealing with malware for both business and consumers is rising.

Removing malware from an infected network is usually a time-consuming and complex manual process that requires specialized reverse-engineering skills. Reverse engineering is the means by which we analyze how malware works and what it does so we can remove it. The way malware is built, however, poses significant challenges for reverse engineering.

Research in malware that identifies malware families and design similarities can lead to the automation of malware analysis tasks. With automation, we can speed up how quickly we learn about how malware behaves so we can grapple with the quantity and variety of malware currently in circulation.

Automating Malware Analysis for Faster Response

The SEI has been collecting malware in a repository called the Artifact Catalog since2001 to support malware analysis research. Over the years, the SEI has sped up the collection of data in the Artifact Catalog exponentially, and we have been successful in using that data to help government sponsors understand the threats posed by individual malware samples as well as families of malicious code.

The SEI has innovated new ways of analyzing and visualizing malware to increase how quickly and efficiently analysts can find and remove it from their organizations’ systems before it results in data breaches or other damage. One such innovation is the development of Pharos, an automated tool that provides human analysts with the information they need to make design-level similarity decisions. Pharos drastically reduces the time required to compare malware design patterns. Analysts have successfully used the Pharos toolset since 2015 to automatically reverse engineer binaries, which are the files available in malware.

What We Offer

The Latest from the SEI Blog

3 Ransomware Defense Strategies

3 Ransomware Defense Strategies

November 09, 2020 • Blog Post
Marisa Midler

Ransomware is evolving. Not only are there more attackers due to ransomware as a service (RaaS) threats, but ransomware attack strategies are changing with data exfiltration extortions, which I will explain in more detail later in this blog post. Since defense against email phishing was covered in...

read
Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra

Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra

July 14, 2019 • Blog Post
Jeffrey Gennari

Object-oriented programs continue to pose many challenges for reverse engineers and malware...

read

Our Vision for the Future

The SEI continues to update its toolsets to help analysts quickly and effectively remove malware. We continue to evolve the design pattern matching capability and conduct more experiments on pattern variation in malware. Future work will also apply the capability to recognize complex libraries, such as the standard C++ library in binary programs.

For more information about the future of work in malware at the SEI, sign up for our blog.

Subscribe