NSA to build new features into its open-source malware analysis tool Ghidra

New enhancements will improve accuracy, claims NSA

The US National Security Agency (NSA) is building several new features into its malware reverse-engineering tool, Ghidra, in a bid to improve accuracy.

Brian Knighton, a senior cybersecurity researcher at the NSA, and Chris Delikat, a team lead in NSA's Research Directorate, said that the agency is working to enhance Ghidra with a variety of new features, including processor modules and support for system calls.

The upcoming version 9.1 of Ghidra will also have the ability to perform 'sleigh editing' in the Eclipse development environment.

Moreover, it will provide better support for Android binaries. The current version of Ghidra can analyse Android executable files that use the Dalvik executable format. However, Android 5.0 and later versions of the operating system use a Linux binary format, which is difficult to examine with the current version of Ghidra.

The new version of the malware analysis tool will also come with a debugger to enable users to dynamically analyse the malware and to see its real-time effects by running it in a live environment.

Knighton and Delikat discussed their plans with the specialist website CyberScoop before a session of the Black Hat security conference held in Las Vegas, California this week.

In March, the NSA surprised cyber security researchers by releasing its internal malware research tool Ghidra for free to the public.

Since its release, the open-source software has been downloaded more than 500,000 times - far beyond the NSA's expectations. The agency was also surprised by how many outside developers were altering Ghidra's code to create new features for it.

Ghidra has become so popular among researchers that the NSA is now offering classes on the tool for college students.

Ghidra is a software reverse-engineering framework that enables security researchers to translate computer-executable programmes into human-readable programming language commands. It lets users examine compiled code built for multiple platforms, including Linux, Windows and macOS.

The main capabilities of the software include assembly, disassembly, decompilation, scripting and graphing.

Using Ghidra, researchers can compare multiple versions of malicious code to see what they do differently from others and how they might try to hide on networks.

The tool can be run in both automated and user-interactive modes, and users also have the freedom to create their own plug-in components and/or scripts using Python or Java.
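As an added illustration of the scripting hook mentioned above, here is a Ghidra script written in Java. It is example code added here, not code from the article or from the Ghidra project, and the script name, the depth bound and the output format are this example's own choices. It enumerates every imported (external) symbol in the loaded program and reports which internal functions reference it, following one level of indirection through import-table pointer slots and thunk functions, which is a common first triage step when deciding what a sample is capable of.

```java
// ListImportCallers.java - a Ghidra script (Java) to run from the Script Manager.
// Example added here; not from the article or the Ghidra project.
// For each external (imported) symbol, list the internal functions that use it,
// following pointer slots (PE import table entries) and thunks one step each.

import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;

public class ListImportCallers extends GhidraScript {

    // Hypothetical bound chosen for this example: slot -> thunk -> caller at most.
    private static final int MAX_DEPTH = 2;

    @Override
    public void run() throws Exception {
        // import name -> sorted set of "caller @ address" strings
        Map<String, Set<String>> callers = new TreeMap<>();

        SymbolIterator externals = currentProgram.getSymbolTable().getExternalSymbols();
        while (externals.hasNext() && !monitor.isCancelled()) {
            Symbol ext = externals.next();
            // Parent namespace of an external symbol is the library it came from.
            String name = ext.getParentNamespace().getName() + "::" + ext.getName();
            Set<String> set = callers.computeIfAbsent(name, k -> new TreeSet<>());
            for (Reference ref : ext.getReferences()) {
                attribute(ref.getFromAddress(), set, 0);
            }
        }

        for (Map.Entry<String, Set<String>> e : callers.entrySet()) {
            if (e.getValue().isEmpty()) {
                continue;   // imported but never referenced from code
            }
            println(e.getKey());
            for (String c : e.getValue()) {
                println("    <- " + c);
            }
        }
    }

    // Record the non-thunk function containing 'from'. If 'from' lies in a data
    // pointer slot (no containing function) or inside a thunk, walk the references
    // to that slot or thunk entry point one more step.
    private void attribute(Address from, Set<String> out, int depth) {
        Function f = getFunctionContaining(from);
        if (f != null && !f.isThunk()) {
            out.add(f.getName() + " @ " + from);
            return;
        }
        if (depth >= MAX_DEPTH) {
            return;
        }
        Address target = (f != null) ? f.getEntryPoint() : from;
        for (Reference r : getReferencesTo(target)) {
            attribute(r.getFromAddress(), out, depth + 1);
        }
    }
}
```

Place the file in a directory registered as a script path in Ghidra's Script Manager and run it against an open program; the output appears in the console window. The same logic could be written as a Python (Jython) script using the identical API calls, since both languages drive the same underlying Java classes.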

The NSA released the tool as cyber attacks continue to climb - especially attacks backed by groups linked to nation states.

A report by Symantec in May claimed that a hacking group linked with China's Ministry of State Security repurposed leaked NSA hacking tools to carry out cyber attacks in 2016.

And just this week it was claimed that the North Korean government had raised some $2 billion from cyber crime - and spent it all on weapons.