Malware analysis involves studying the functionality and potential impact of suspicious files or URLs. Such files may be worms, trojan horses, viruses, backdoors, or rootkits.
Understanding the behavior and purpose of such files helps developers and security analysts mitigate the threat and harden the overall system.
Malware analysis can be divided into two groups:
- Static analysis: examines a sample without executing it. File headers, embedded strings, imported libraries, and byte entropy can reveal packing, the libraries the code relies on, and hard-coded network infrastructure such as domains, IP addresses, and URLs.
- Dynamic analysis: runs the sample in an isolated, instrumented environment known as a sandbox. It lets analysts watch the malware in action (file, registry, process, and network activity) and extract more information about the threat.
Modern tools utilize both techniques (hybrid approach) to effectively detect malicious code and identify as many indicators of compromise as possible.
Below, we have listed some of the best malware analysis tools available in the market. You can use them to reverse engineer malware samples. Some of them are open-source and completely free to use.
9. Cerbero Suite
Written in: Python
Price: Standard version costs $100 | Free trial available
Cerbero Suite lets you inspect the code, structure, and many other properties of dozens of file formats, including MS Office documents and PDFs. These formats are often used as delivery vectors for malware.
It also performs Windows memory analysis on physical memory images, crash dumps, and hibernation files, and can inspect kernel dumps and minidumps in full. Since Cerbero does not rely on WinDbg, this works on every supported platform, including macOS and Linux.
- Full inspection of internal structure and memory
- Includes PDF and Office document analysis
- Image and Font analysis
- Managed code disassemblers
- Hex editor
- Documentation doesn’t provide enough information to ramp up on your own
8. Ghidra
Written in: C++, Java
Ghidra is a reverse engineering framework developed by the National Security Agency (NSA) and released as open source in 2019. Its interface and analysis features are designed to make reversing as painless as possible.
Ghidra runs on macOS, Linux, and Windows, and has all the essential features security researchers would expect. Unlike most other malware analysis tools, it is designed for collaborative work, so several analysts can work on the same reversing project.
The tool provides context-sensitive help on menu items, dialogs, and buttons, and an undo/redo mechanism that lets you test theories about the sample you are analyzing without losing work.
You can also use it as a debugger — it supports debugging user-mode Linux programs via GDB and Windows programs via WinDbg.
- Open source, full-featured tool to analyze compiled code
- Supports assembly, disassembly, decompilation, graphing, and scripting
- Built to solve scaling and teaming problems
- Runs on Windows, macOS, and Linux
- Plenty of extension components
- Large binaries (~100MB) can take several hours to analyze
7. Fiddler
Written in: Java, .NET
Price: $10 per month per user | 30-day free trial available
Fiddler is a web debugging proxy that sits between your device and the internet and captures the HTTP(S) traffic flowing between them. It lets you inspect requests and responses and modify them when required.
Fiddler starts capturing sessions as soon as a browser loads a page. It can inspect HTTP traffic from any application that honors proxy settings, and its scripting API gives you the flexibility to capture exactly the sessions you need.
A function called AutoResponder lets you mock external services, simulate network latency, and study how the client reacts to a particular response. It is extremely useful when testing and debugging live URLs.
You can create rules (matched on URL, hostname, or file type) and specify the action to take: return a canned response, set a breakpoint, add a delay to mimic network latency, or reset or close all connections at once.
- Inspect web traffic
- Lets you collaborate and debug together as a team
- Includes a powerful event-based scripting subsystem
- Pleasant analysis and troubleshooting workflow
- Documentation can be improved
6. HxD
Written in: Delphi
HxD is a hex editor, memory editor, and disk editor available in several languages. It can edit raw disk sectors and the memory of running processes as well as ordinary files, which makes it useful for inspecting suspicious binaries, patching bytes, and repairing damaged file structures.
The tool handles files of any size and can display and edit the memory used by running processes. Its UI offers a file shredder, search and replace, export, checksums/digests, byte-pattern insertion, file splitting and concatenation, statistics, and more.
And since the UI is tabbed, you can work on different projects in the same window.
- Works as a RAM-editor
- Can handle very large files
- Computes checksums and hashes
- Exports data as hex dumps or as source-code arrays in various formats
- Progress-window for lengthy operations
- Not designed for inexperienced users
- Not available for Mac and Linux
5. Radare2
Written in: C
Radare stands for RAw DAta REcovery. It was later superseded by Radare2, a complete rewrite with more advanced features.
Using this open-source framework, you can analyze disk images and files to retrieve valuable artifacts, understand how a piece of malware works, recover lost files, or work out why a program is crashing.
Radare2 is not only an effective disassembler but also a capable debugger, especially if you like working from a command-line interface. Graphical front ends such as Cutter are also available for macOS, Linux, and Windows.
- Powerful analysis capabilities
- Visualize data structures of several file types
- Patch binaries to add features or fix issues
- Steep learning curve
4. Binary Ninja
Written in: C, C++, Python
Price: $300 (one-time fee) | Free demo available
Binary Ninja is a reverse-engineering tool that can efficiently disassemble a binary and display it in linear or graph views. It automatically carries out an in-depth analysis of a program and produces valuable data that helps you examine a binary.
More specifically, it performs function detection, value-set analysis, cross-referencing of data and code, type inference, and jump table resolution. Its built-in decompiler operates on Binary Ninja's intermediate languages rather than on raw machine code, so it works for every architecture with a lifter, including x86, ARMv7, ARMv8, PowerPC, and Thumb2.
Many components of Binary Ninja are open-source, including the C++, Python, and Rust bindings. This allows you to automate everything, from the user interface to decompilation and patching.
What's more, the platform has a free cloud version that allows you to collaborate with your team members and utilize the full power of interactive graphs and decompilers.
- Modern UI
- Extensive APIs
- Control flow graph analysis
- Supports a wide range of CPU architectures and executable file formats
- Demo version is heavily restricted
3. JEB
Written in: Java
Price: Starts at $120 per month per user | Free demo available
JEB is a reverse engineering tool for Android apps and native machine code. It can perform static and dynamic analysis of Android apps of all kinds (small or large, goodware or badware).
With JEB, you can decompile obfuscated APKs, examine the recovered Java code, and debug closed-source applications in minutes. It debugs both Dalvik and native code (Intel, ARM) seamlessly, and it can reconstruct resources and obfuscated XML files.
The tool is packed with powerful analysis modules that support code refactoring, virtual hierarchy, and code cleaning to organize highly obfuscated code.
As far as customizability is concerned, you can write your own scripts (in Python or Java) to automate the reverse engineering tasks. Power users can write full-featured analysis modules and headless front-ends.
- Decompile obfuscated APKs
- Break down and analyze document files
- Easy cross-referencing of items
- Support for extensions (plugins and scripts)
- Steep learning curve
2. Interactive Disassembler
Written in: C++
Price: $365 per year | Free version available
Interactive Disassembler (IDA) is a complete interactive disassembly and debugging environment. It generates assembly-language listings from machine code, making complex binaries far more human-readable.
The tool includes Fast Library Identification and Recognition Technology (FLIRT), which recognizes standard library functions emitted by many compilers. This greatly improves the readability of the generated disassembly, since you are not left reversing the C runtime by hand.
It also handles remote targets well. The built-in debugging system enables quick debugging and easy attachment to both local and remote processes.
Perhaps its greatest strength is breadth of processor support: it can disassemble binaries for dozens of CPU architectures, which makes it easier to analyze suspicious programs regardless of the platform they target.
- Performs automatic code analysis
- Automates simple to medium complexity tasks
- Open plug-in architecture
- Supports a number of debuggers
- Highly programmable and customisable
- Pricey and over-complicated at times
1. Wireshark
Written in: C, C++
Wireshark is an open-source packet analyzer that allows you to see what’s happening on your network at a microscopic scale. It is used by many educational institutions, government agencies, and commercial and non-profit organizations.
With this tool, you can inspect hundreds of protocols at multiple layers. It captures live data and presents it in a way that is relatively easy to read and analyze. It can also read capture files produced by network simulators such as NetSim and OPNET Modeler, and by other analyzers such as Microsoft Network Monitor and Sniffer.
The tool colors packets according to rules that match specific protocol fields, so you can identify types of traffic at a glance. You can edit the predefined coloring rules, add new ones, or delete existing ones.
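Wireshark's coloring rules are simply predicates over fields that its dissectors have already decoded. The Python below is an added example, not Wireshark's code: it reads the legacy pcap format with the standard library only, dissects Ethernet/IPv4/TCP/UDP into Wireshark-style field names, and applies three coloring-style rules in the same first-match-wins order Wireshark uses. The capture it parses is constructed inside the script (three frames with checksums left at zero), not a real trace, and the dissector is a minimal re-implementation, not Wireshark's.

```python
import struct

# Constructed sample capture (not a real pcap). Checksums are left at zero
# because nothing here validates them.

def _eth(payload: bytes, ethertype: int = 0x0800) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload

def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _tcp(sport: int, dport: int, flags: int) -> bytes:
    # data offset 5 words, no options, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap() -> bytes:
    frames = [
        _eth(_ipv4(6, "10.0.0.5", "93.184.216.34", _tcp(51000, 443, 0x02))),                      # TCP SYN to 443
        _eth(_ipv4(17, "10.0.0.5", "10.0.0.1", _udp(53412, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),  # DNS query
        _eth(_ipv4(6, "10.0.0.5", "10.0.0.9", _tcp(51001, 4444, 0x02))),                          # TCP SYN to 4444
    ]
    # pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET (1)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def dissect_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP/UDP into Wireshark-style field names."""
    fields = {"eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if fields["eth.type"] != 0x0800:
        return fields
    ihl = (frame[14] & 0x0F) * 4
    fields["ip.proto"] = frame[23]
    fields["ip.src"] = ".".join(map(str, frame[26:30]))
    fields["ip.dst"] = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if fields["ip.proto"] == 6:
        sport, dport, _seq, _ack, _off, flags = struct.unpack_from("!HHIIBB", frame, l4)
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.ack": (flags >> 4) & 1})
    elif fields["ip.proto"] == 17:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        fields.update({"udp.srcport": sport, "udp.dstport": dport})
    return fields

def parse_pcap(data: bytes) -> list:
    """Walk the legacy pcap format: 24-byte global header, then 16-byte record headers."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:          # file written big-endian
        end = ">"
    else:
        raise ValueError("not a legacy pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        packets.append(dissect_frame(data[off + 16: off + 16 + incl_len]))
        off += 16 + incl_len
    return packets

# Coloring rules, first match wins. The display-filter text is shown for reference only.
COLORING_RULES = [
    ("SYN to unusual port", "tcp.flags.syn==1 && tcp.flags.ack==0 && !(tcp.dstport in {80 443})",
     lambda f: f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0 and f.get("tcp.dstport") not in (80, 443)),
    ("TCP SYN", "tcp.flags.syn==1 && tcp.flags.ack==0",
     lambda f: f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0),
    ("DNS", "udp.port==53",
     lambda f: 53 in (f.get("udp.srcport"), f.get("udp.dstport"))),
]

def classify(fields: dict) -> str:
    for label, _filter_text, predicate in COLORING_RULES:
        if predicate(fields):
            return label
    return "default"

if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(classify(pkt), pkt)
```

Rule order matters: the more specific "SYN to unusual port" rule sits above the generic "TCP SYN" rule, exactly as you would arrange them in Wireshark's coloring-rules dialog, otherwise the generic rule would swallow every SYN.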
- Analyze network traffic at microscopic level
- Captures live data
- Inspects hundreds of protocols
- Shows issues and errors in detail
- User interface looks outdated
Other Equally Good Malware Analysis Tools
10. YARA
Written in: C, C++, Python
YARA is an open-source tool that helps you identify and classify malware samples. You write “descriptions” (rules) for malware families based on textual or binary patterns.
Rules can combine hex strings with wildcards, regular expressions, special operators, and case-insensitive text strings into complex and powerful conditions.
Although the pattern-matching engine can serve many purposes, it is mainly used by security analysts and incident responders to detect and classify malware. It runs on macOS, Windows, and Linux.
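To make the three string kinds concrete, here is an added example (not part of the original article and not the YARA project's code): a rule in real YARA syntax, followed by a deliberately simplified Python re-implementation of how its `nocase` text string, `??`-wildcard hex string and regular expression are matched, and of the `2 of them` condition. The sample buffers it scans are constructed in the script, not real malware. In practice you would compile and run the rule text with the `yara` binary or the `yara-python` module.

```python
import re

# The rule in real YARA syntax, kept for reference. This script does not invoke YARA;
# it re-implements the matching of these three string kinds with Python regexes.
YARA_RULE_TEXT = r'''
rule Dropper_Example
{
    strings:
        $text  = "cmd.exe /c" nocase
        $hex   = { 4D 5A ?? ?? 50 45 00 00 }
        $regex = /https?:\/\/[a-z0-9.-]+\/[a-z0-9]{8}\.bin/
    condition:
        2 of them
}
'''

def hex_to_regex(hex_pattern: str) -> bytes:
    """Translate a YARA-style hex string ('4D 5A ?? ?? 50 45') into a bytes regex:
    '??' matches any single byte, every other token is a literal byte."""
    out = []
    for tok in hex_pattern.split():
        out.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return b"".join(out)

# Compiled equivalents of the three $strings above.
STRINGS = {
    "$text":  re.compile(re.escape(b"cmd.exe /c"), re.IGNORECASE),             # "..." nocase
    "$hex":   re.compile(hex_to_regex("4D 5A ?? ?? 50 45 00 00"), re.DOTALL),  # { ... } with wildcards
    "$regex": re.compile(rb"https?://[a-z0-9.-]+/[a-z0-9]{8}\.bin"),           # /.../
}

def find_strings(data: bytes) -> dict:
    """Offsets of every match per string name, listing only strings that hit."""
    hits = {}
    for name, pattern in STRINGS.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits

def scan(data: bytes, needed: int = 2) -> tuple:
    """Evaluate the condition '<needed> of them' and return (matched, hits)."""
    hits = find_strings(data)
    return len(hits) >= needed, hits

# Constructed sample buffers, not real malware.
SAMPLE_DROPPER = (b"MZ\x90\x00PE\x00\x00" + b"\x00" * 8
                  + b"CMD.EXE /C start http://update.example.com/a1b2c3d4.bin")
SAMPLE_BENIGN = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
SAMPLE_WEAK = b"notepad.exe && cmd.exe /c echo hi"     # only one of the three strings present

if __name__ == "__main__":
    for label, buf in [("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN), ("weak", SAMPLE_WEAK)]:
        print(label, scan(buf))
```

Note that `SAMPLE_WEAK` contains a legitimate-looking `cmd.exe /c` but trips only one string, so the `2 of them` condition keeps the rule from firing; requiring several independent indicators is the usual way to keep a YARA rule from producing false positives on benign files.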
11. PE Studio
Written in: C++, C#
Price: $150 per year | Free version available
PeStudio is a static analysis tool for Windows executables. It opens with a summary of the file's most useful properties.
Because it never executes the file, it is safe to point at live malware. It extracts hashes, size, and entropy, as well as compiler and debugger timestamps, and it flags known signatures and indicators that speak to the integrity of the file.
More specifically, it shows the DOS and file headers, imported libraries, resources, strings, exported symbols, bound imports, and debug information. You can use this data to judge whether the file has been altered or packed.
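The static-properties pass described here, and the static analysis outlined in the introduction, can be reproduced in miniature. The following Python script is an added example, not PeStudio's code: using only the standard library it parses the DOS header, PE signature and COFF file header of a Windows executable, computes the SHA-256 and Shannon entropy, and extracts printable strings. It runs against a constructed minimal PE image built inside the script (not a real or runnable executable); the `MACHINE_TYPES` and `CHARACTERISTICS` tables list only a few of the values defined by the PE format.

```python
import hashlib
import json
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

# Small subsets of the PE format's IMAGE_FILE_MACHINE_* and IMAGE_FILE_* constants.
MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0. Plain code sits well below 7; packed or
    encrypted payloads approach 8, the classic packing indicator."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long (what the `strings` tool prints)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_pe(data: bytes) -> dict:
    """Read the DOS header, PE signature and COFF file header; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "sections": nsections,
        "compile_stamp": stamp,
        "compile_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "strings": extract_strings(data),
    }

def build_sample_pe() -> bytes:
    """Constructed image with just enough structure for parse_pe. It is not a
    runnable executable: no optional header, no sections, arbitrary timestamp."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                          # e_lfanew -> 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F3E7A10, 0, 0, 0xF0, 0x0022)
    tail = b"\x00" * 16 + b"http://update.example.com/a1b2c3d4.bin\x00cmd.exe /c\x00"
    return bytes(dos) + stub + b"PE\x00\x00" + coff + tail

if __name__ == "__main__":
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

A compile timestamp far in the future or before the compiler existed, a high whole-file entropy, and a very short strings list are the kinds of indicators a tool like PeStudio highlights from exactly these fields.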
12. dnSpy
Written in: C#, VB.NET
dnSpy lets you decompile, edit, and debug .NET assemblies. Its user interface bundles an assembly editor, a decompiler, and a debugger.
Everything is laid out so you can reverse engineer .NET assemblies and get usable results quickly. Every aspect of the decompiler and debugger is configurable, you can write extensions, and the C# interactive window lets you script and control the debugger.
The best thing about this software is that it is portable: no installation is required, just unpack the archive and launch the executable to get full access to its functions. It does not create additional files on your device, nor does it modify registry entries without your explicit permission.
13. Google Rapid Response
Written in: Python
Google Rapid Response Framework (GRR) is an open-source tool for enterprise forensic investigations. It is based on a client-server architecture: the GRR client is deployed on systems that need to be investigated and the GRR server provides web-based UI and an API, allowing analysts to schedule actions on clients and process collected data.
The tool is designed to run at scale so analysts can efficiently collect and process data from large numbers of machines. It facilitates non-intrusive, automated analysis to preserve users' privacy, striking a balance between protecting access to user data and enabling warranted, forensically sound analysis.
Frequently Asked Questions
Is malware a virus?
Technically, malware and virus are two different terms. Malware refers to any type of malicious program, regardless of its purpose, how it works, or how it is distributed. A virus, on the other hand, is a type of malware that, when executed, replicates itself by injecting its own code into other programs.
All viruses are malware, but not all malware is a virus: CryptoLocker, for example, is ransomware, and MyDoom is a mass-mailing worm. Malware also includes worms, ransomware, spyware, Trojan horses, and rootkits.
What do malware analysts do?
A malware analyst works in the field of computer science and network security to identify, analyze, and understand the nature of cyber threats like worms, viruses, Trojan horses, spyware, and rootkits.
Since these malicious programs come in many different forms, a malware analyst must have a good knowledge of programming languages and machine code, along with a keen understanding of software development and reverse engineering.
Why is malware analysis important?
According to SonicWall Capture Labs, 5.6 billion malware attacks were carried out in 2020, of which 268,362 were identified as new (never-seen-before) malware variants.
In order to reduce these attacks, it is important to detect malware and determine its capabilities. Malware analysis yields identifiable patterns (indicators of compromise and detection signatures) that can be used to prevent future infections and make systems more resilient.
What are the stages of malware analysis?
There are four crucial stages of malware analysis. As we move from one stage to another, the complexity of conducting analysis increases.
- Fully automated analysis: runs the sample through automated sandboxes and scanners to triage suspicious code quickly.
- Static properties analysis: examines static properties of the program, such as header information, hashes, and embedded strings, without running it. It provides deeper insight than automated triage alone.
- Interactive behavior analysis: involves thoroughly examining the malicious file in motion. This may entail infecting an isolated system with the malicious code to observe its behavior.
- Manual code reversing: involves the use of tools such as disassemblers, decompilers, and debuggers. Reverse-engineering the code can reveal how encrypted data is decoded, the logic of the malicious program, and capabilities that behavioral analysis did not trigger.