How to Acquire Malware
If you're looking to learn more about malware analysis, you'll need some actual malware samples to look at, but where do you find them? The internet is a giant place, and finding a malware sample can be a bit like looking for Waldo.
There seem to be three main ways to acquire malware samples:
- Run a honeypot and collect them yourself.
- Look at recently blacklisted URLs and try visiting them (only from an isolated lab machine, never from a host you care about). You'll have to hope the malware is still there and that your Internet Service Provider (ISP) hasn't already blacklisted the URL so that you can't reach it.
- Lastly, search one of the many malware corpus web sites that let you download samples. Some sites let you download for free, some require you to register, and some want to charge you money to download samples.
I've not personally had a lot of luck with number two because by the time I go to the URL my ISP or someone upstream has already blocked it. Number one is a topic for a whole other blog post, so today I'm just going to briefly touch on the tons of malware corpora that already exist.
Where’s the malwarez!
With so many sites to get malware from, where do you start? Personally, I started with the free ones. Many require a paid membership to actually download samples. Lenny Zeltser and Cyberlab have blogs with a decent starting list of sites. Some of the sites from their blogs are no longer active, and new sites have popped up as well.
I personally like the following sites, as they are free and were easy to get started with. VirusTotal would be great, but sadly it is not free to download samples from. I'll usually start by looking at VirusTotal, then copy the SHA256 hash into the following sites and hope one of them has it.
- VirusShare: Requires a free login to download
- ANY.RUN: Registration required, free to download
- Malshare: Register to get an API key to allow free download of 1000 samples/day
- MalwareBazaar: Free to register and download
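The hash-driven workflow above (copy a digest from VirusTotal, try it on each site, download whatever turns up) is easy to automate, and the step people skip is the check at the end: hash the file you actually got and confirm it is the sample you asked for. The script below is an added example written for this post, not code from the original post or from any of the sites; it validates the copied digest, builds the per-site lookup request, and verifies a downloaded file against the requested hash. The MalwareBazaar and Malshare endpoint shapes are assumptions taken from their public API documentation at the time of writing (and may need an API key or auth header), and MALSHARE_API_KEY is a placeholder you replace with your own key.

```python
"""Look up a sample by hash on the free corpora and verify what you downloaded.

Added example for this post, not the post's own code. Endpoint shapes for
MalwareBazaar and Malshare are assumptions from their public API docs; check
them before relying on this. Nothing here executes a sample.
"""
import hashlib
import json
import re
import sys
import urllib.parse
import urllib.request

HEX_DIGEST = re.compile(r"^[0-9a-f]+$")
DIGEST_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str) -> str:
    """Normalise a hex digest copied from VirusTotal; return 'md5', 'sha1' or 'sha256'.

    Raises ValueError for anything malformed, so a stray space or a truncated
    copy-paste fails loudly instead of yielding 'hash not found' on every site.
    """
    digest = value.strip().lower()
    if not HEX_DIGEST.match(digest) or len(digest) not in DIGEST_KINDS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return DIGEST_KINDS[len(digest)]


def digests(data: bytes) -> dict:
    """All three digests of a blob, so it can be searched on any site."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: str) -> bool:
    """True if `data` hashes to `expected` under the algorithm its length implies."""
    kind = classify_hash(expected)
    return digests(data)[kind] == expected.strip().lower()


def lookup_requests(digest: str, malshare_key: str = "MALSHARE_API_KEY") -> dict:
    """Per-site lookup requests for one digest (assumed endpoint shapes, see module doc)."""
    classify_hash(digest)  # reject garbage before it goes on the wire
    digest = digest.strip().lower()
    return {
        "MalwareBazaar": {
            "method": "POST",
            "url": "https://mb-api.abuse.ch/api/v1/",
            "data": {"query": "get_info", "hash": digest},
        },
        "Malshare": {
            "method": "GET",
            "url": "https://malshare.com/api.php?" + urllib.parse.urlencode(
                {"api_key": malshare_key, "action": "details", "hash": digest}),
            "data": None,
        },
    }


def query(site: dict, headers: dict = None, timeout: int = 20):
    """Send one request built by lookup_requests(); return parsed JSON or raw text.

    Network access is the only side effect. Pass any required auth header
    (an assumption: some sites now require one) via `headers`.
    """
    body = urllib.parse.urlencode(site["data"]).encode() if site["data"] else None
    req = urllib.request.Request(site["url"], data=body, method=site["method"],
                                 headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read().decode("utf-8", "replace")
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: hash_lookup.py <md5|sha1|sha256> [downloaded-file]")
    wanted = sys.argv[1]
    print("digest type:", classify_hash(wanted))
    for site, req in lookup_requests(wanted).items():
        print(f"{site}: {req['method']} {req['url']}")
    if len(sys.argv) > 2:  # verify a file you already pulled down
        with open(sys.argv[2], "rb") as fh:
            blob = fh.read()
        ok = verify_sample(blob, wanted)
        print("downloaded file matches requested hash:", ok)
        if not ok:
            print("actual digests:", digests(blob))
```

Run it with just the hash to see the request plan, or with the hash and a path to verify a download. Many sites hand samples back inside a password-protected archive, so verify the hash of the extracted file, not the archive, and store samples under their SHA256 with no extension so nothing in the lab double-clicks them by accident.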
Lastly, I'll mention theZoo because I think it is a really cool idea and a great way of getting a large repository of malware quickly. However, you cannot easily search the site to see if a given hash is in theZoo.
Always use a safe environment to run malware samples in. See my other blog post on Setting up a Malware Lab.