Malware for Sale: Comments on some recent efforts
Some thoughts on the malware distribution projects that have been announced recently.
The first of these is MD:Pro, which plans to charge about 1000 Euros a month for access. That has a number of benefits. It keeps random people, some of whom may have malicious intentions, from getting arbitrary access, and it helps fund the venture, which can be costly. Managing sample submissions, a site, and so on takes people and time, and eventually people have to pay their bills.
Another effort is Offensive Computing. Their stated goal is to give access to malware to people who share their intentions, namely learning how it works. This is full disclosure for the malware world. From their website: "There is a noticeable lack of public sources of malware and malware analysis available. Those that were available were either for sale or limited to a small number of users. We provide resources such as live copies of malicious software, md5sums to search on and analysis of the malware to the general public." Pretty worthy goals from my perspective (more below), but there's more to it than good intentions.
If you're a malware researcher (or an aspiring one), the key thing to remember about any such malware distribution site is the integrity of the samples. You'll be wasting your time if you don't get real samples to work on, and a mislabeled or tampered sample is worse than no sample at all. Right now I don't think we know what kinds of integrity controls these malware collections have in place. For a great review of what this means, be sure to read Analysis and Maintenance of a Secure Virus Library, by Vesselin Bontchev, from the VB Conference, 1992. If you remember the 1999 admw0rm incident (which owned the person who executed it before running off to infect anyone else), you'll know what it means to have a sample do something you didn't expect it to.
Many people in the malware analysis community will tell you that distributing samples so openly and indiscriminately is irresponsible and should be frowned upon. The AV community already has a sample sharing scheme, with everything from very tightly knit groups which require massive amounts of vetting and trust to more loose affiliations. Access to these is granted by personal introductions, and sharing outside of an approved circle is frowned upon for obvious reasons: You don't want the samples to fall into the wrong hands.
With regard to how someone might make use of such a sample, I'm reminded of something Brian C. said recently on the Daily Dave mailing list. Someone asked whether you should use your own tools or openly available tools to commit an act (e.g. penetrating a network or a host). Brian brought up a great point: if it's an open tool, investigators will have more difficulty tracing it back to you than if you wrote your own tools for the job. Everyone has a set of tricks they know and use, methods they fall back on, and a coding style, and it shows when you review anyone's output over the years. A malware repository written by others offers the same cover: you can tweak someone else's code for your needs and leave few fingerprints of your own.
In a recent story in The Register, John Leyden looks at the pay-for-malware-access model. It does raise a number of questions, as John points out. This sort of thing isn't new; the for-pay model is not unlike the TippingPoint ZDI program or the iDefense VCP effort: organizations subscribe to a feed from the underground and stay abreast of things. The broker, in this case the MD:Pro organization, makes a few bucks for its effort as the middleman. Clearly large organizations can (and do) penetrate the underground and get their intelligence (vulns, malware, exploits, etc.), and it works. There's a growing presence of these sorts of intelligence brokers in the infosec space, but clearly the market can't support them all, and I don't know whether MD:Pro will survive. Only time will tell.
Years ago, when I was starting to evaluate malicious software, I wanted access to malcode repositories so I could understand samples, families, techniques, etc. If you look at any established AV researcher, it's usually the same story: I found some samples, I analyzed them, and I got access to more samples. Then again, the malware (and AV) world is significantly more mature and better staffed by this point. I raided a few sites for people's malware stashes, I begged, borrowed and stole numerous samples for my worms book, and I am eternally grateful. Now, a few years later, I have so many samples flowing in that I have to automate analysis. I can totally see why people who want to learn malware analysis (a fast-growing field) want and need lots of samples; I have been there myself.
That said, there are a couple of things I disagree with in this business model. First, it violates a lot of reasonable safeguards and ethical standards developed by the anti-malware and AV community, such as those of AVIEWS and AVIEN. These safeguards have a place, and while it can be frustrating not to get access when you want to learn and grow in this space, you have to remember that there are a lot of people out there who want malware for nefarious purposes. You can't be responsible and give it to people with expressly malicious intentions.
Secondly, while it is a broker model, selling samples violates another common AV ethic, namely not to sell samples. It's counter-productive, because you force the people you share with to choose what they can afford when budgets start to run out (no one's budget is endless). And unless it's your intellectual property or you have express licensing terms, it's hard to justify selling it at all.
If you really want to start analyzing malware, check your inbox. So much mail-based malware is moving around that you get a few new samples every day; there's no shortage there. Fire up a free copy of IDA Pro (trial copies are available, you just can't save your work), use OllyDbg (free), and read some tutorials on the web. If you're really interested, fire up a honeypot or a malware collection tool like mwcollect or nepenthes on your broadband line and start analyzing the samples you collect. Whatever the source, hash every sample as it comes in and keep it on an isolated machine or in a virtual machine: the admw0rm lesson applies just as much to samples you collected yourself.
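As an added example that is not part of the original post: the following Python script does the two things recommended above, pulling attachments out of a mail message and indexing them by hash so you can check them against a list of samples you already have (the kind of md5sum list Offensive Computing lets you search) before you spend analysis time on them. The mail message, the known-hash index and the quarantine directory are all constructed here for illustration and are hypothetical; the only real attachment content is the EICAR test string, which is harmless by design. Nothing is executed: samples are stored under their SHA-256 with a .bin extension so they cannot be launched by accident, and the stored file is made read-only.

```python
"""Pull attachments out of a mail message, hash them and quarantine them.

Added example; the mail, the hash index and the directory are constructed
for illustration. Nothing here runs a sample.
"""
import email
import hashlib
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Constructed attachment: the EICAR antivirus test string, harmless by design.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical local index of samples you already have, keyed by MD5, the
# kind of list a repository lets you search before you spend analysis time.
KNOWN_MD5 = {
    "44d88612fea8a8f36de82e1278abb02f": "eicar-test-file",
}


def build_sample_mail() -> bytes:
    """Construct a message like the ones that fill an inbox: a fake invoice
    with an .exe attached, plus a benign text attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("See the attached invoice.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


def extract_attachments(raw_eml: bytes) -> list[tuple[str, bytes]]:
    """Return (original filename, decoded bytes) for every attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        found.append((name, data))
    return found


def triage(name: str, data: bytes) -> dict:
    """Hash the sample and look it up; never open or run it at this stage."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "original_name": name,
        "size": len(data),
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",        # Windows executables start with MZ
        "known_as": KNOWN_MD5.get(md5),    # None means a sample you lack
    }


def quarantine(data: bytes, sha256: str, root: Path) -> Path:
    """Store the sample under its hash with a non-executable extension."""
    root.mkdir(parents=True, exist_ok=True)
    dest = root / f"{sha256}.bin"
    if not dest.exists():                  # same hash, same bytes: skip dupes
        dest.write_bytes(data)
        dest.chmod(0o400)                  # read-only, so nothing edits it
    return dest


def process_mail(raw_eml: bytes, root: Path) -> list[dict]:
    """Extract, hash and quarantine every attachment; return the records."""
    records = []
    for name, data in extract_attachments(raw_eml):
        rec = triage(name, data)
        rec["stored_at"] = str(quarantine(data, rec["sha256"], root))
        records.append(rec)
    return records


def demo() -> list[dict]:
    """Run the pipeline over the constructed mail into a temporary directory."""
    return process_mail(build_sample_mail(), Path(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rec in demo():
        status = rec["known_as"] or "NEW, worth a look"
        print(f'{rec["original_name"]:12} {rec["md5"]} {status} -> {rec["stored_at"]}')
```

Point process_mail at the raw bytes of a real message (or a mail spool, one message at a time) and at a directory on your analysis box; the known-hash index is where you would load the md5sums you already have. The MD5 is kept only because that is what the public lists are keyed on; the SHA-256 is what the sample is actually filed under.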
January 19, 2006 in editorial | Permalink
Comments
Pretty good article. I'll be sure to read the paper you recommended. Thanks for mentioning us :)
Just a clarification to something I might have missed in your article. We (offensivecomputing) aren't charging for anything. And you're right, we don't guarantee the integrity of our samples. Basically we are doing exactly what you suggested, i.e. getting samples from our email, machines on the net, nepenthes/mwcollect, etc. and analyzing them. Then we put the results of this analysis along with the sample on our site so other people can contribute to the analysis. I won't get into the debate of "full disclosure"; that's for others much smarter than me :).
Thanks again for a great article!
V.
Posted by: valsmith | Jan 20, 2006 11:35:45 PM
It was interesting to read. Both the article and the comment.
Posted by: Erik | Mar 25, 2006 7:33:35 AM
hi
This is Parker. I want to say something about the above article: it was giving us a lot of information, and I thank you for giving such a lot of information. And the comments that are placed above are so nice and are very useful to us.
==========
Parker
MLS listings
Posted by: MLS listings | Jan 19, 2009 5:20:22 AM
This is very interesting and informative.
Posted by: Article submission | Jan 6, 2010 9:38:42 PM