How to get and handle malware


Hello guys! In this blog I would like to share some things I learned. This is very important, as malware analysis is risky by nature.

But before analyzing malware we must obtain it. But how? Many might think (myself included) that we should go into the dark web and get it from the darkest places, but no. These are some sites that I like, but don’t download the samples directly!

Where to get malware?

https://www.vx-underground.org/malware.html

There are a lot of sites, among them some web pages specifically dedicated to this and some GitHub repositories!

So let’s start with a very popular GitHub repository!

theZoo

theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.

If you want more information, go to the repository; it includes instructions for obtaining it.

VX-Underground

https://www.vx-underground.org/

Now these guys are doing a great job, and on both their official site and their repository you can find malware in many languages, for different operating systems, etc. Be sure to follow them on Twitter!

https://zeltser.com/malware-sample-sources/

This is a list of sites where you can find malware of all kinds. I want to thank Lenny Zeltser for this compilation; follow him on Twitter!

MalwareBazaar

https://bazaar.abuse.ch/

MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.

This source is also very popular, so make sure to go there!

Now guys, let’s say I found a specimen that catches my attention; let’s use the theZoo repository as an example. We must handle it very carefully, because we don’t want our host to get infected by accident.

With these precautions and standards you should be safe; always make sure to follow them! Let’s imagine that our malware is an .exe file. What would happen if we ran it by mistake?

The first thing to do is to append an extra extension to our file, such as .mylittlepony

This way, if we run it by accident, nothing will happen, because it is not an extension the operating system associates with execution. Keep in mind that the file contents are unchanged; the rename only stops a double-click from launching it.

Another very good recommendation is to have a standard for naming malware; it is quite common in the industry to use this:

Malware.<something that describes this specimen>.exe.<our risk-free extension>

Something like this:

Malware.RAT.exe.mylittlepony

Now lastly, and this is very important as it is an industry standard: make sure you password-protect your specimens, encrypting and compressing them. The industry-standard password is “infected”, all in lower case. The point is not secrecy but to keep antivirus tools and accidental double-clicks from touching the sample.
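As an added example (my own helper, not code from the post or from theZoo), here is a small Python script that applies the two conventions above: it builds the Malware.<descriptor>.<original extension>.<safe extension> name, refuses any result whose last extension the OS would execute, and prepares the archive command with the standard password. The executable-extension list is illustrative, the “bin” fallback for extensionless files and the use of the 7-Zip command line are my assumptions.

```python
"""Sample-handling helper: rename a specimen with an inert extension,
apply the Malware.<descriptor>.<original ext>.<safe ext> convention,
and build the archive command that stores it under the standard password."""
import os
import re
import shutil
import subprocess

SAFE_EXT = "mylittlepony"       # inert extension, exactly as the post suggests
ARCHIVE_PASSWORD = "infected"   # industry-standard password, all lower case
# Extensions a double-click or shell would execute; illustrative, not exhaustive.
EXEC_EXTS = {"exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs",
             "js", "jse", "wsf", "hta", "msi", "jar", "lnk"}

def is_inert(name):
    """True only if the LAST extension is present and not one the OS executes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext != "" and ext not in EXEC_EXTS

def quarantine_name(original, descriptor, safe_ext=SAFE_EXT):
    """Malware.<descriptor>.<original extension>.<safe_ext>,
    e.g. quarantine_name('dropper.exe', 'RAT') -> 'Malware.RAT.exe.mylittlepony'."""
    if safe_ext.lower() in EXEC_EXTS:
        raise ValueError(f"{safe_ext!r} is executable, choose an inert extension")
    # Dots in the descriptor would break the dotted convention, so neutralise them.
    desc = re.sub(r"[^A-Za-z0-9_-]", "_", descriptor).strip("_") or "unknown"
    base = os.path.basename(original)
    orig_ext = base.rsplit(".", 1)[1].lower() if "." in base else "bin"  # assumption
    return f"Malware.{desc}.{orig_ext}.{safe_ext}"

def archive_command(sample_path, password=ARCHIVE_PASSWORD):
    """argv for 7-Zip (assumed installed): compress + encrypt; -mhe=on hides names."""
    return ["7z", "a", f"-p{password}", "-mhe=on", sample_path + ".7z", sample_path]

def quarantine(original, descriptor, dest_dir):
    """Rename per the convention, refuse an unsafe result, archive if 7z exists."""
    new_name = quarantine_name(original, descriptor)
    if not is_inert(new_name):
        raise RuntimeError(f"refusing to store executable-looking name {new_name}")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, new_name)
    shutil.move(original, dest)
    if shutil.which("7z"):
        subprocess.run(archive_command(dest), check=True)
    return dest
```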

Well guys, that’s it. Make sure to check your settings and STAY SAFE ALWAYS!
