
5 Best Open Source Malware Analysis Tools for 2021

October 13, 2021

The COVID-19 pandemic in 2020 caused huge numbers of students and workers to turn to remote access for their technologies. Unfortunately, cybercriminals exploited that massive increase in online activities and took advantage of any vulnerabilities they could find; compared to 2019, there was a shocking 485% rise in ransomware attacks, according to the 2020 Consumer Threat Landscape Report from Bitdefender.

"Our 2020 findings depict consumers under constant assault from cybercriminals looking to capitalize on fear and societal uncertainty," said Bogdan Botezatu, Bitdefender's Threat Research and Reporting Director. "Cybercriminals will stop at nothing to use outlier events and human empathy to line their pockets...we are constantly seeing how attacks evolve through malware delivery mechanisms, inventive social engineering, and new exploits."1

With the recent ransomware attack on the Colonial Gas Pipeline, which netted cybercriminals $5 million in ransom, 2021 is not seeing any relief from such events.2 Cyber gangs and criminals are evolving their techniques, upgrading malware to hide longer before activating, and stealing massive amounts of data to guarantee their ransom demands are met.3

Luckily, as malware variants have grown increasingly complex, the use of free, open source malware analysis tools to counteract them has increased, too.4, 5 Keep reading to learn more about the five best open source malware analysis tools for 2021, their key features, why they are helpful, and why they can be risky to use.

1. Cuckoo Sandbox

Cuckoo Sandbox is an automated malware analysis tool. The main Cuckoo application runs on a host system, and a virtual machine (VM) with a Cuckoo agent installed inside it is attached to that host. The Cuckoo agent feeds data out to the main Cuckoo app on the host. When malware is submitted to the VM, the Cuckoo agent records the malware's activity and sends it to the host for analysis and a detailed report.6, 7

Originally created in 2010 during the Google Summer of Code project, Cuckoo Sandbox is an open source platform for Windows, Android, OS X, and Linux. Easily customizable for processing and reporting, Cuckoo is one of the more convenient and commonly used open source malware analysis tools available.4

2. Autoruns

Autoruns is an open source tool created by Microsoft that documents any software installed on a device that is set to launch when the device is turned on. Once malware finds a way to hide on a machine, it cannot survive a reboot unless it runs and creates a persistence mechanism that allows it to survive (or persist) after the machine reboots. Malware achieves this by creating a scheduled task or specific Run keys within the registry. A sample of malware submitted in a VM will be detected by Autoruns, also running in the VM, when the malware creates any new persistent software. The technique used to implement the new persistence mechanism will also be reported.6, 8
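The before/after comparison the paragraph describes can be automated by diffing two Autoruns snapshots. The Python below is an added example, not code from the page or from Autoruns; the column names follow the CSV layout of the command-line `autorunsc -c` export as I recall it, and the snapshot rows are constructed sample data, so both are assumptions to check against a real export.

```python
import csv
import io

# Constructed snapshots modelled on the CSV layout of `autorunsc -c`
# (column names are assumed; match them to the header of a real export).
BASELINE_CSV = """Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe
Task Scheduler,\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,enabled,Tasks,(Verified) Microsoft Windows,c:\\windows\\system32\\defrag.exe,%windir%\\system32\\defrag.exe -c -h -k -g
"""
# The same snapshot taken after detonation: two entries the sample created.
AFTER_CSV = BASELINE_CSV + """HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,(Not verified),c:\\users\\analyst\\appdata\\roaming\\svch0st.exe,C:\\Users\\analyst\\AppData\\Roaming\\svch0st.exe
Task Scheduler,\\Updater,enabled,Tasks,(Not verified),c:\\users\\analyst\\appdata\\roaming\\svch0st.exe,C:\\Users\\analyst\\AppData\\Roaming\\svch0st.exe /sync
"""


def load_entries(text):
    """Index an Autoruns CSV export by (location, entry name, image path)."""
    return {(r["Entry Location"], r["Entry"], r["Image Path"].lower()): r
            for r in csv.DictReader(io.StringIO(text))}


def new_persistence(baseline_csv, after_csv):
    """Return autostart entries present after detonation but absent before."""
    before = load_entries(baseline_csv)
    after = load_entries(after_csv)
    return [after[key] for key in after if key not in before]


def classify(entry):
    """Name the persistence technique behind an entry, as the page describes."""
    location = entry["Entry Location"]
    if location.startswith("Task Scheduler"):
        return "scheduled task"
    if "\\CurrentVersion\\Run" in location:
        return "registry Run key"
    return "other autostart location"


def report(baseline_csv, after_csv):
    """Summarise each new entry: technique, name, binary, and signing status."""
    return [{
        "technique": classify(e),
        "entry": e["Entry"],
        "image": e["Image Path"],
        "unsigned": not e["Signer"].startswith("(Verified)"),
    } for e in new_persistence(baseline_csv, after_csv)]
```

An unsigned binary under a user profile that appears in both a Run key and a scheduled task is exactly the kind of finding the VM snapshot is meant to surface.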

3. Process Hacker

Process Hacker by SourceForge is used for displaying the processes running on a device. When a piece of malware is detonated in a VM, Process Hacker records which new processes the malware creates and the disk location from which they are run. When malware attempts to hide by copying itself to a new location and then renaming itself, this activity is detected and recorded by Process Hacker, enabling an analyst to recognize its hiding place. Process Hacker can also inspect memory for strings when malware is detonated. Strings found in memory may reveal user agents, IP addresses, and domains being used by the malware.6, 9

4. Ghidra

Ghidra, developed by the National Security Agency (NSA), allows an analyst to navigate assembly code functions. The malware code is not detonated or executed; instead, it is disassembled to facilitate static analysis. Ghidra attempts to decompile malware code into output that is 'readable', closely resembling what the malware creator would have written. Ghidra presents the instructions and variables contained in each assembly code function, enabling the malware to be reverse engineered.6, 10

5. Wireshark

Wireshark is the most widely used network protocol analyzer, offering live capture and offline analysis. Unlike web proxies, which focus only on HTTP/HTTPS traffic, Wireshark enables deep packet analysis of multiple protocols at multiple layers. It is considered the de facto standard across government agencies, commercial and non-profit enterprises, and educational institutions. The original project was started by Gerald Combs in 1998, and Wireshark development is now sustained by volunteer network experts all around the world.6, 11

Risks of Using Open Source Malware Analysis Tools

Open source threats (OST) such as software apps, libraries and exploits with offensive hacking capabilities are highly controversial in the information security (infosec) community. Although OSTs are shared widely to help cyber defenders learn how to protect against future malware attacks, they are often downloaded and utilized by hacking groups, as well. Security researcher Paul Litvak of the cybersecurity firm Intezer Labs reports that OSTs are widely used "across the entire cybercrime ecosystem," including by low-level malware gangs, elite financial crime groups and even nation-state sponsored advanced persistent threats (APTs).12

You can try to mitigate the risk of OST adoption by cybercriminals by introducing complexity into code before security researchers release open source offensive hacking tools. Litvak points out that OSTs with complex features requiring a deeper level of understanding to use are rarely adopted by hackers. He adds that cybersecurity analysts should at least sprinkle libraries with special or irregular values to make their code unique and dissuade their usage by cybercriminals.12

Ready to Become a World-Class Cyber Pro?

If you're interested in helping shape a smarter, safer world as a cybersecurity professional, consider how an online MS in Cybersecurity from the Katz School of Science and Health at Yeshiva University can accelerate your career and fast-track you to a leadership position.

Our 100% online Master of Science (MS) in Cybersecurity program focuses on the technical aspects of cybersecurity and its role in the business environment. With coursework in management strategy and training to excel on industry-standard certification exams, we prepare you to assume a leadership role and assemble a world-class team of experienced cyber professionals ready to defend today's complex business world.

  1. Retrieved on May 27, 2021 from infosecurity-magazine.com/news/ransomware-attacks-grow-2020/
  2. Retrieved on May 27, 2021 from investisdigital.com/blog/technology/why-ransomware-attacks-are-rise
  3. Retrieved on May 27, 2021 from f5.com/labs/articles/threat-intelligence/ransomware-how-it-has-evolved-to-be-faster-stealthier-and-strike-harder
  4. Retrieved on May 27, 2021 from cyberbit.com/blog/endpoint-security/open-source-malware-analysis-tools/
  5. Retrieved on May 27, 2021 from cybersecuritynews.com/malware-analysis-tools/
  6. Retrieved on May 27, 2021 from varonis.com/blog/malware-analysis-tools/
  7. Retrieved on May 27, 2021 from cuckoosandbox.org/
  8. Retrieved on May 27, 2021 from docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  9. Retrieved on May 27, 2021 from processhacker.sourceforge.io/
  10. Retrieved on May 27, 2021 from ghidra-sre.org/
  11. Retrieved on May 27, 2021 from wireshark.org/
  12. Retrieved on May 27, 2021 from zdnet.com/article/malware-gangs-love-open-source-offensive-hacking-tools/