Where's Waldo's Malware

Cyber_00011011 · February 11, 2021

Malware   Overview

(Estimated Reading Time: 7 minutes)

How to Acquire Malware

If your looking to learn more about malware analysis you’ll need some actual malware samples to look at, but where do you find them? The internet is a giant place and finding a malware sample can be a bit like looking for Waldo.

wherewaldo

There seems to be three main ways to acquire malware samples;

  1. Run a honeypot and collect them yourself.
  2. Look at recently blacklisted URL’s and try visiting them. You’ll have to hope the malware is still here and that your Internet Service Provider (ISP) hasn’t already blacklisted the URL such that you can’t reach them.
  3. Lastly, Search one of the many malware corpus web sites that will let you download samples. Some sites will let you download for free, some sites require you to register, and some sites want to charge you money to download samples.

I’ve not personally had a lot of luck with number two because by the time I go to the URL my ISP or someone upstream has already blocked it. Number one is a topic for a whole other blog, so today I’m just going to briefly touch on the tons of malware corpus’s that already exist.

Where’s the malwarez!

With so many sites to get malware from, where do you start. Personally I started with the free ones. Many require a paid membership to actually download samples. Lenny Zeltser and Cyberlab have blogs with a decent starting list of sites. Some of the sites from their blog are no longer active, and other new sites have popped up as well.

I personally like the following sites as they are free and were easy to get started with. VirusTotal would be great but it is not free to download samples sadly. I’ll usually start by looking at VirusTotal, and then copying the SHA256 hash into the following sites and hope one of them has it.

  • VirusShare: Requires a free login to download

  • ANY.RUN: Registration required, free to download

  • Malshare: Register to get an API key to allow free download of 1000 samples/day

  • MalwareBazaar: Free to register and download

Lastly, I’ll mention theZoo because I think it is a really cool idea and a great way of getting a large repository of malware quickly. However you can not easily search on the site to see if a given hash is in the Zoo.

Download Responsibly

Always us a safe environment to run malware samples in. See my other blog on Setting up a Malware Lab.

References

Twitter, Facebook