Basic Malware Analysis and Removal Part 3: Finding and Obtaining Samples
Posted 5/11/2010 3:37:00 PM
This is the third post in the "Basic Malware Analysis and Removal" series. Click Here to view the first post: Setting up a Virtual Environment, and Click Here to view the second post: Shared Folders.
Disclaimer: I am in no way responsible for any harm that comes to your computer through the use of the information or links that I provide on this website, and more specifically in this post. I am going to show you how to find live samples of malicious software that are capable of causing real damage to your computer. Make sure you have a virtual machine set up, take a snapshot before you start, and only download, unpack, and run malware inside that environment, where the likelihood of real damage is slim to none. Keep the virtual machine's network disconnected (or host-only) and its shared folders disabled while a sample is present, so that nothing can reach your host or the rest of your network. You have been warned.

It seems that anything you do on a computer can give you a piece of malware. Click on a link on Facebook...malware. Open the wrong search result...malware. At least that's how it seems if your job consists of removing malware from computers. The volume of malicious software that manages to infect the average user's machine should mean that it is fairly easy to get hold of some samples yourself, right? Well, let me issue you a challenge: open up your new virtual machine (I hope you have a snapshot taken) and try to find some malware to get infected with. Fake antivirus programs are recommended. Good luck; I'll check back with you in a moment to see how you did.

Well, how did you do? I'm guessing (if you actually tried) that you failed to get your virtual machine infected with anything more than a tracking cookie. The fact is, if we want to analyze malware, we need samples, and if we cannot find samples, we cannot analyze anything. Believe it or not, there are websites devoted to hosting malware for academic use. In this post, I will focus on one such site. Make sure you have read the disclaimer above before continuing.
Live Malware Repository: Offensive Computing

The site I will focus on is called "Offensive Computing." The site hosts over a million samples of malware, ranging from viruses and worms to trojans and rootkits. You will need to register for an account on the website in order to search for and download any samples. Notice I haven't given you the URL yet? I want you to know what you are getting into. Let me repeat myself: this website hosts LIVE malware. Samples as dangerous as Conficker are available (although good luck getting it running...that's another article). So, if you are truly interested in finding malware, here is the URL: http://www.offensivecomputing.net/. Go ahead and register with the site.
Finding Specific Malware Samples

Okay, so now you have a huge database of malware available to you...so what? The next step is to figure out exactly what you are looking for. I will not answer this question for you, although in future articles we will cover analysis of different types of malware. Right now, I will focus on finding the sample you are looking for on the site. Once you have determined what to look for, you have a few options.

The first option is the site's search. Offensive Computing's search accepts a filename (with no spaces), a description term (with no spaces), or the MD5 hash of the file. Usually you can find at least one of these for the specific piece of malware you are looking for by searching for information about removing it; vendor write-ups and removal guides often list the filename and the MD5. The MD5 is the most useful of the three, because the same filename is reused by many unrelated families, while a hash identifies one exact file. Search for your target malware, and if you get results you can download them directly from the site. The download is a .zip archive protected with the password "infected" (no quotes). Only extract it inside your virtual machine, and before you do anything else with the contents, check that the MD5 of the extracted file matches the hash you searched for, so that you know you are working on the sample you intended to study.
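Here is a small helper for that last step, added as an example for this post (it is not code from the original article or from Offensive Computing). It opens a downloaded archive with the "infected" password, reads each member into memory without writing it to disk or running it, and reports MD5 and SHA-256 so you can compare against the hash you searched for. Run it inside the virtual machine. The archive built by `build_demo_archive()` is a constructed, unencrypted stand-in containing harmless text, because Python's `zipfile` can read but not write password-protected archives; the same read path applies to a real download, with the caveat noted in the comments that `zipfile` only understands legacy ZipCrypto passwords.

```python
"""Hash-verify a downloaded malware sample archive before touching it.

Added example, not part of the original post. Assumes the download is a
.zip whose members are protected with the password "infected", as the
post describes. The demo archive and its contents are constructed
for illustration and are not malware.
"""
import hashlib
import io
import zipfile

# Password convention described in the post.
PASSWORD = b"infected"

# Constructed stand-in for a sample; a real .exe starts with "MZ" too.
DEMO_SAMPLE = b"MZ constructed stand-in, not a real binary\n"


def hash_members(zip_bytes: bytes, password: bytes = PASSWORD) -> dict:
    """Return {member_name: {"md5", "sha256", "size"}} for every file in
    the archive. Each member is read into memory only: nothing is written
    to disk and nothing is executed.

    zipfile only implements the legacy ZipCrypto password scheme. An
    AES-encrypted archive raises NotImplementedError here and must be
    extracted with 7-Zip or similar inside the VM instead.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # pwd= is ignored for unencrypted members, used for encrypted ones.
            with zf.open(info, pwd=password) as fh:
                data = fh.read()
            results[info.filename] = {
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            }
    return results


def find_member_by_md5(zip_bytes: bytes, expected_md5: str,
                       password: bytes = PASSWORD):
    """Return the name of the member whose MD5 matches the hash you
    searched for, or None if the archive does not contain that file."""
    expected = expected_md5.strip().lower()
    for name, h in hash_members(zip_bytes, password).items():
        if h["md5"] == expected:
            return name
    return None


def build_demo_archive() -> bytes:
    """Constructed, unencrypted archive standing in for a real download
    (zipfile cannot write encrypted archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.exe", DEMO_SAMPLE)
        zf.writestr("README.txt", b"constructed notes, not part of any sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    # With a real download: archive = open("sample.zip", "rb").read()
    archive = build_demo_archive()
    for name, h in hash_members(archive).items():
        print(f"{name}: size={h['size']} md5={h['md5']} sha256={h['sha256']}")
    # The MD5 you found in the removal write-up goes here.
    wanted = hashlib.md5(DEMO_SAMPLE).hexdigest()
    print("match:", find_member_by_md5(archive, wanted))
```

Record the SHA-256 alongside the MD5 you searched for; MD5 collisions are cheap to produce, so the stronger hash is what you want in your own notes when you later compare samples or share findings.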
Option Two: Offensive Computing Forums

Another source of samples is the forums at Offensive Computing, which can be accessed at http://www.offensivecomputing.net/?q=forum . There you will find threads about malware analysis, sample requests, and many other topics related to malware. Remember to always do your malware searching and analysis on your virtual machine!
Conclusion

In this article, I have shown you a source for finding samples of malicious software. If you find any other sites such as this one, I would love to hear about them! Stay tuned for the next article in the series, where we will begin the process of basic analysis of different types of malware.