Reverse Engineering for Malware Analysis
Malware refers to malicious software—including viruses, ransomware, and spyware—that requires the process of reverse engineering to understand what it does, what it impacts, and how to remove it.
In recent years, we have learned just how costly malware attacks—such as the WannaCry ransomware attack from 2017—can be. Malicious actors, including nation states, can use malware to target the Department of Defense (DoD) and other government agencies, as well as the networks of critical U.S. infrastructure. Attackers conduct these kinds of cyber attacks to disrupt operations, destroy data, and steal intellectual property.
Malware also affects industry on a large scale. Data breaches that result from malware attacks have occurred in retail, health care, education, financial services, and manufacturing. And the cost of dealing with malware for both business and consumers is rising.
Removing malware from an infected network is usually a time-consuming and complex manual process that requires specialized reverse-engineering skills. Reverse engineering is the means by which we analyze how malware works and what it does so we can remove it. The way malware is built, however, poses significant challenges for reverse engineering.
Research in malware that identifies malware families and design similarities can lead to the automation of malware analysis tasks. With automation, we can speed up how quickly we learn about how malware behaves so we can grapple with the quantity and variety of malware currently in circulation.
Automating Malware Analysis for Faster Response
The SEI has been collecting malware in a repository called the Artifact Catalog since2001 to support malware analysis research. Over the years, the SEI has sped up the collection of data in the Artifact Catalog exponentially, and we have been successful in using that data to help government sponsors understand the threats posed by individual malware samples as well as families of malicious code.
The SEI has innovated new ways of analyzing and visualizing malware to increase how quickly and efficiently analysts can find and remove it from their organizations’ systems before it results in data breaches or other damage. One such innovation is the development of Pharos, an automated tool that provides human analysts with the information they need to make design-level similarity decisions. Pharos drastically reduces the time required to compare malware design patterns. Analysts have successfully used the Pharos toolset since 2015 to automatically reverse engineer binaries, which are the files available in malware.
What We Offer
Rhiannon Weaver discusses how a small subset of features from dynamic malware analysis can help to uncover possible relationships among files and to direct static reverse engineering efforts.
The Latest from the SEI Blog
June 05, 2023 • Blog Post
Current malware detection systems evaluate elements in a file or evaluate the file as a whole. New research shows other avenues for malware detection exist, specifically, breaking up the file into sections and then comparing the resulting...read
November 01, 2021 • Blog Post
This post presents two tools for malware analysis and reverse engineering in Ghidra, the National Security Agency’s software reverse engineering tool...read
Our Vision for the Future
The SEI continues to update its toolsets to help analysts quickly and effectively remove malware. We continue to evolve the design pattern matching capability and conduct more experiments on pattern variation in malware. Future work will also apply the capability to recognize complex libraries, such as the standard C++ library in binary programs.
For more information about the future of work in malware at the SEI, sign up for our blog.