
Reverse Engineering for Malware Analysis

Malware is malicious software, including viruses, ransomware, and spyware. Understanding what a given sample does, what it affects, and how to remove it requires reverse engineering.

In recent years, we have learned just how costly malware attacks—such as the WannaCry ransomware attack from 2017—can be. Malicious actors, including nation states, can use malware to target the Department of Defense (DoD) and other government agencies, as well as the networks of critical U.S. infrastructure. Attackers conduct these kinds of cyber attacks to disrupt operations, destroy data, and steal intellectual property.

Malware also affects industry on a large scale. Data breaches that result from malware attacks have occurred in retail, health care, education, financial services, and manufacturing. And the cost of dealing with malware for both business and consumers is rising.

Removing malware from an infected network is usually a time-consuming and complex manual process that requires specialized reverse-engineering skills. Reverse engineering is the means by which we analyze how malware works and what it does so we can remove it. The way malware is built, however, poses significant challenges for reverse engineering.

Research in malware that identifies malware families and design similarities can lead to the automation of malware analysis tasks. With automation, we can speed up how quickly we learn about how malware behaves so we can grapple with the quantity and variety of malware currently in circulation.

Automating Malware Analysis for Faster Response

The SEI has been collecting malware in a repository called the Artifact Catalog since 2001 to support malware analysis research. Over the years, the SEI has sped up the collection of data in the Artifact Catalog exponentially, and we have been successful in using that data to help government sponsors understand the threats posed by individual malware samples as well as families of malicious code.

The SEI has innovated new ways of analyzing and visualizing malware to increase how quickly and efficiently analysts can find and remove it from their organizations’ systems before it results in data breaches or other damage. One such innovation is the development of Pharos, an automated tool that provides human analysts with the information they need to make design-level similarity decisions. Pharos drastically reduces the time required to compare malware design patterns. Analysts have successfully used the Pharos toolset since 2015 to automatically reverse engineer binaries, the compiled executable files in which malware is delivered.
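To make the "design-level similarity" idea above concrete, here is a small added illustration of how an analyst can compare functions across samples by their instruction shape rather than their exact bytes, so that recompiled or lightly modified variants of the same code still land in the same family. This is example code written for this page, not code from Pharos or any SEI tool; the sample names and the mnemonic sequences (what a disassembler would emit per function) are constructed.

```python
"""Toy design-similarity comparison across malware samples.

Constructed illustration (not Pharos code). Each sample maps function name ->
sequence of instruction mnemonics, with operands already stripped. Comparing
opcode trigram sets with the Jaccard index tolerates register renaming and
small instruction insertions, which byte-level hashes do not.
"""
from itertools import combinations

# Constructed disassembly summaries for three hypothetical samples.
SAMPLES = {
    "sample_a": {
        "decrypt_config": ["push", "mov", "xor", "mov", "inc", "cmp", "jne", "pop", "ret"],
        "main": ["push", "mov", "call", "call", "test", "jz", "call", "pop", "ret"],
    },
    "sample_b": {  # same design as sample_a, recompiled with one extra mov
        "sub_401000": ["push", "mov", "mov", "xor", "mov", "inc", "cmp", "jne", "pop", "ret"],
        "sub_401200": ["push", "mov", "call", "call", "test", "jz", "call", "pop", "ret"],
    },
    "sample_c": {  # unrelated code
        "sub_10": ["push", "sub", "lea", "call", "add", "pop", "ret"],
    },
}


def ngrams(seq, n=3):
    """Set of length-n mnemonic windows; the 'shape' of a function."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets, 1.0 when both are empty."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def best_function_matches(fns_x, fns_y, n=3):
    """For each function in fns_x, the best score against any function in fns_y."""
    return {
        name: max(jaccard(ngrams(seq, n), ngrams(other, n)) for other in fns_y.values())
        for name, seq in fns_x.items()
    }


def sample_similarity(fns_x, fns_y, n=3):
    """Mean best-match score of fns_x's functions against fns_y (directional)."""
    scores = best_function_matches(fns_x, fns_y, n)
    return sum(scores.values()) / len(scores)


def cluster_families(samples, threshold=0.6, n=3):
    """Group samples whose similarity in both directions meets the threshold.

    Taking the minimum of the two directions keeps a small sample from being
    absorbed into a large one just because all of its functions match a subset.
    Returns a sorted list of sorted member lists (union-find over sample names).
    """
    names = sorted(samples)
    parent = {x: x for x in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for x, y in combinations(names, 2):
        score = min(sample_similarity(samples[x], samples[y], n),
                    sample_similarity(samples[y], samples[x], n))
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for x in names:
        groups.setdefault(find(x), []).append(x)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for x, y in combinations(sorted(SAMPLES), 2):
        print(f"{x} -> {y}: {sample_similarity(SAMPLES[x], SAMPLES[y]):.3f}")
    print("families:", cluster_families(SAMPLES))
```

The threshold and n-gram length are tuning knobs: longer windows are stricter, and a real pipeline would also normalize compiler idioms (prologues, alignment padding) before hashing, which is part of what makes tooling such as Pharos valuable over a hand-rolled comparison.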

The Latest from the SEI Blog

Introducing CERT Kaiju: Malware Analysis Tools for Ghidra

September 13, 2021 • Blog Post
Garret Wassermann, Jeffrey Gennari

Ghidra provides a compelling environment for reverse engineering tools that are relatively easy to use during malware analysis. Our latest blog post highlights a new suite of tools, known as Kaiju, for malware analysis and reverse engineering to take advantage of Ghidra’s capabilities and...

3 Ransomware Defense Strategies

November 09, 2020 • Blog Post
Marisa Midler

Ransomware is evolving. Not only are there more attackers due to ransomware as a service (RaaS) threats, but ransomware attack strategies are changing with data exfiltration extortions, which I will explain in more detail later in this blog post. Since defense against email phishing was covered in...

Our Vision for the Future

The SEI continues to update its toolsets to help analysts quickly and effectively remove malware. We continue to evolve the design pattern matching capability and conduct more experiments on pattern variation in malware. Future work will also apply the capability to recognize complex libraries, such as the standard C++ library in binary programs.

For more information about the future of work in malware at the SEI, sign up for our blog.