search menu icon-carat-right cmu-wordmark
Our Research

Reverse Engineering for Malware Analysis

Malware refers to malicious software—including viruses, ransomware, and spyware—that requires the process of reverse engineering to understand what it does, what it impacts, and how to remove it.

In recent years, we have learned just how costly malware attacks—such as the WannaCry ransomware attack from 2017—can be. Malicious actors, including nation states, can use malware to target the Department of Defense (DoD) and other government agencies, as well as the networks of critical U.S. infrastructure. Attackers conduct these kinds of cyber attacks to disrupt operations, destroy data, and steal intellectual property.

Malware also affects industry on a large scale. Data breaches that result from malware attacks have occurred in retail, health care, education, financial services, and manufacturing. And the cost of dealing with malware for both business and consumers is rising.

Removing malware from an infected network is usually a time-consuming and complex manual process that requires specialized reverse-engineering skills. Reverse engineering is the means by which we analyze how malware works and what it does so we can remove it. The way malware is built, however, poses significant challenges for reverse engineering.

Research in malware that identifies malware families and design similarities can lead to the automation of malware analysis tasks. With automation, we can speed up how quickly we learn about how malware behaves so we can grapple with the quantity and variety of malware currently in circulation.

Automating Malware Analysis for Faster Response

The SEI has been collecting malware in a repository called the Artifact Catalog since2001 to support malware analysis research. Over the years, the SEI has sped up the collection of data in the Artifact Catalog exponentially, and we have been successful in using that data to help government sponsors understand the threats posed by individual malware samples as well as families of malicious code.

The SEI has innovated new ways of analyzing and visualizing malware to increase how quickly and efficiently analysts can find and remove it from their organizations’ systems before it results in data breaches or other damage. One such innovation is the development of Pharos, an automated tool that provides human analysts with the information they need to make design-level similarity decisions. Pharos drastically reduces the time required to compare malware design patterns. Analysts have successfully used the Pharos toolset since 2015 to automatically reverse engineer binaries, which are the files available in malware.

What We Offer

The Latest from the SEI Blog

Edward Schwartz

The Great Fuzzy Hashing Debate

April 22, 2024 • Blog Post
Edward J. Schwartz

This post details a debate among two researchers over whether there is utility in applying fuzzy hashes to instruction...

Edward Schwartz

Comparing the Performance of Hashing Techniques for Similar Function Detection

April 15, 2024 • Blog Post
Edward J. Schwartz

This blog post explores the challenges of code comparison and presents a solution to the...


Our Vision for the Future

The SEI continues to update its toolsets to help analysts quickly and effectively remove malware. We continue to evolve the design pattern matching capability and conduct more experiments on pattern variation in malware. Future work will also apply the capability to recognize complex libraries, such as the standard C++ library in binary programs.

For more information about the future of work in malware at the SEI, sign up for our blog.