Static analysis tools have spent years scanning legitimate software for security bugs before release. These same scanners are also effective on malware, which consistently carries its own vulnerabilities. Researchers used four such tools across 658 leaked malware projects, finding that nearly 90 percent contained at least one recognized software weakness. The malware code originated from VX-Underground, a public repository of leaked samples.
Cppcheck was among the four scanners used. The finding points to new strategies for defenders that exploit these inherent flaws in malicious software.
