Linux malware analysis tools

Introduction

Malicious software is almost as old as the first computers. From innocent viruses to ransomware, we can be sure that new malware continues to exist. Whenever you are just interested in malware analysis or do it as a profession, good tooling helps to simplify research. This page has some of the most popular tools to perform static and dynamic analysis.

Usage

Linux malware analysis tools are typically used for malware analysis and malware detection.

Users for these tools include malware analysts, security professionals.

Tools

bamfdetect (extract information from bots and malware)

malware analysis, malware scanning

With bamfdetect, malware and bots can be analyzed. It identifies and extracts information and returns data in JSON format.

Binary Analysis Next Generation (framework for binary analysis)

binary analysis, malware analysis, malware scanning

BANG is a framework to unpack files recursively and scan them. The files can be firmware, binaries, or malware. The main goal is to scan all files and perform classification and labeling. This way each file can be further analyzed based on the characteristics.

Cutter (graphical user interface for radare2)

binary analysis, malware analysis, reverse engineering

Cutter is a graphical user interface for radare2, the well-known reverse engineering framework. It focuses on those who are not familiar enough with radare2, or rather have a graphical interface instead of the command-line interface that radare2 provides.

Intrigue Core (attack surface discovery)

asset discovery, attack surface measurement, intelligence gathering, OSINT research, penetration testing, security assessment

Intrigue Core provides a framework to measure the attack surface of an environment. This includes discovering infrastructure and applications, performing security research, and doing vulnerability discovery.

Intrigue also allows enriching available data and perform OSINT research (open source intelligence). The related scans include DNS subdomain brute-forcing, email harvesting, IP geolocation, port scanning, and using public search engines like Censys, Shodan, and Bing.

LIEF (library for analysis of executable formats)

binary analysis, malware analysis, reverse engineering

In several occasions, it may be useful to perform analysis on binary file formats. Such occasion could be incident response, digital forensics, or as part of reverse engineering tasks. In these cases, a toolkit like LIEF can help to perform this job. It allows you to parse and modify the files. LIEF also will make information available an application programmable interface (API) for automated processing.

Malice (VirusTotal clone)

malware analysis, malware detection, malware research, malware scanning

Malice is a malware analysis that wants to provide a free and open source version of VirusTotal. The goal of Malice is to make it usable by both independent researchers up to fortune 500 companies.

Malice is useful for those that do malware analysis or deal with user-generated files that may contain malware. The framework allows scanning files and directories to see if they are infected.

MalPipe (Malware/IOC ingestion and processing engine)

data enrichment, data processing, intrusion detection, malware analysis, malware detection

MalPipe is a modular malware and indicator collection and processing framework. It is designed to pull information about malware, domains, URLs, and IP addresses from multiple feeds. Finally, it will enrich the collected data and export the results.

Mal Tindex (malware sample analyzer)

malware analysis, malware research

Mal Tindex is a tool that performs binary analysis on malware samples. It analyzes the binaries it is provided to learn about the specifics of each malware sample that makes them unique. This way data can be gathered that may provide background information. For example, it could provide the attribution of a particular actor or malware campaign.

MultiScanner (file scanning and analysis framework)

malware analysis, malware detection, malware scanning

MultiScanner helps malware analysts by providing a toolkit to perform both automated and manual analysis. The data extracted from the analysis can be easily stored together, including the relevant metadata and samples. It allows enriching the data further by retrieving information from external resources.

PyREBox (Python scriptable Reverse Engineering Sandbox)

binary analysis, malware analysis, reverse engineering

PyREBox is short for Python scriptable Reverse Engineering Sandbox. It provides dynamic analysis and debugging capabilities of a running QEMU virtual machine. The primary usage is the analysis of running processes to perform reverse engineering. PyREBox can change parts of the running system by changing data in memory or within processor registers.

radare2 (reverse engineering tool and binary analysis)

digital forensics, reverse engineering, software exploitation, troubleshooting

Radare2 is a popular framework to perform reverse engineering on many different file types. It can be used to analyze malware, firmware, or any other type of binary files. Besides reverse engineering, it can be used for forensics on filesystems and do data carving. Tasks can be scripted and support languages like JavaScript, Go, and Python. Even software exploitation is one of the functions it can be used in.

SSMA (malware analysis tool)

malware analysis, malware detection, malware scanning, reverse engineering

SSMA is short for Simple Static Malware Analyzer. The tool can perform a set of tests against a malware sample and retrieve metadata from it. SSMA can analyze ELF and PE and analyze its structure. For example, it can retrieve the PE file header information and its sections. Other pieces it can analyze is the usage of packers, anti-debugging techniques, cryptographic algorithms, domains, email addresses, and IP addresses. It can also check if the sample is already detected ...

YARA (malware identification and classification)

malware analysis, malware detection, malware scanning

YARA is a tool to identify and classify malware samples. It uses textual or binary patterns to match data, combined with a boolean expression to define a match. YARA is multi-platform, can be used via a command-line interface or via Python scripts using the yara-python extension.

YaraGuardian (Django web interface to manage Yara rules)

malware analysis

YaraGuardian provides a web-based interface that helps to manage Yara rules. It can be used to search, organize, and bulk-edit rules. The tool also prevents creating duplicate entries, which is a nice additional benefit of this management utility.

Other related categories: Android malware detection tools, Linux malware detection tools, Linux malware scanners

Missing a favorite tool in this list? Share a tool suggestion and we will review it.