Malware refers to malicious software—including viruses, ransomware, and spyware—that requires the process of reverse engineering to understand what it does, what it impacts, and how to remove it.

In recent years, we have learned just how costly malware attacks—such as the WannaCry ransomware attack from 2017—can be. Malicious actors, including nation states, can use malware to target the Department of Defense (DoD) and other government agencies, as well as the networks of critical U.S. infrastructure. Attackers conduct these kinds of cyber attacks to disrupt operations, destroy data, and steal intellectual property.

Malware also affects industry on a large scale. Data breaches that result from malware attacks have occurred in retail, health care, education, financial services, and manufacturing. And the cost of dealing with malware for both business and consumers is rising.

Removing malware from an infected network is usually a time-consuming and complex manual process that requires specialized reverse-engineering skills. Reverse engineering is the means by which we analyze how malware works and what it does so we can remove it. The way malware is built, however, poses significant challenges for reverse engineering.

Research in malware that identifies malware families and design similarities can lead to the automation of malware analysis tasks. With automation, we can speed up how quickly we learn about how malware behaves so we can grapple with the quantity and variety of malware currently in circulation.

Automating Malware Analysis for Faster Response

The SEI has been collecting malware in a repository called the Artifact Catalog since2001 to support malware analysis research. Over the years, the SEI has sped up the collection of data in the Artifact Catalog exponentially, and we have been successful in using that data to help government sponsors understand the threats posed by individual malware samples as well as families of malicious code.

The SEI has innovated new ways of analyzing and visualizing malware to increase how quickly and efficiently analysts can find and remove it from their organizations’ systems before it results in data breaches or other damage. One such innovation is the development of Pharos, an automated tool that provides human analysts with the information they need to make design-level similarity decisions. Pharos drastically reduces the time required to compare malware design patterns. Analysts have successfully used the Pharos toolset since 2015 to automatically reverse engineer binaries, which are the files available in malware.