How to get interesting malware samples

As an independent malware researcher, sometimes it is not easy at all getting new malware samples. I want to show you a a few methods that can get you some really interesting samples, tough they require some investment (time & money).

  • Honeypots – I invested some dollars (and a couple of hours) and configured Dionaea on a VPS. I have installed also DioaneaFR (Web front-end for Dionaea) on another server, and the bistreams,samples and additional data are copied to the server where the front-end is hosted every 10 minutes. The samples from the honeypot are automatically submitted to some online sandboxes and virus scanners, and If you are interested it can even forward them to your own sandbox.

connections

 

main

 

If you are an independent researcher, and you are interested in access to my honeypot data, Let me know in the comments of this post, and I will contact you.

 

  • MWcrawler

mwcrawler is a simple python script that parses malicious url lists from well known websites (i.e. MDL, Malc0de) in order to automatically download the malicious code. It can be used to populate malware repositories or zoos.

MWcrawler is really useful, the problem is that because of the nature of those malicious sites, (Might be up, then down 2 hours later…) You may get some samples or not. It does not hurt to have this script on your crontab 😉

  • Recommended Websites – There are some websites where you can get some interesting malware samples, although not unique. contagio is a good source for network captures,PDFs and other types of malicious files. The virus exchange forum on malwaretips offers “Malware Packs”.