Sources, Sources, and More Sources
Introduction
For this blog post we will take a step back from strictly technical analysis and discuss where to find malware samples and good leads for security research. Every researcher will eventually build their own “feed” or source for threat intelligence and samples based upon personal preference, but discussing some generic yet well-regarded starting points should help those of you just starting out in security. As time goes on, perhaps you too can start submitting samples to some of these platforms to help the rest of the community build detections, hunts, and/or other security mechanisms.
Malware Samples
Today’s security researchers have a lot of options when it comes to finding malware samples to use for analysis or research. In some cases, there might actually be too many options (i.e., there are a lot of platforms to try to track individually). One resource that I really like, as it can link to several sandboxes, is the MalwareBazaar database maintained by abuse.ch. This database contains a ton of samples uploaded by a wide range of security experts. The browse page offers an easy way to search all available samples based upon a variety of attributes such as hash values, tags, specific YARA rules, and more. These searches really help quickly narrow the huge database down to just the samples that are relevant to a specific type of malware that you might be trying to research.
Another excellent feature of samples on MalwareBazaar is the fact that each sample has links to other sandboxes that the sample was submitted to. For example, the below image shows the top few sandbox results for this sample.
As a researcher, you can now easily pivot between several sandboxes to try and better understand the specific sample and potentially quickly identify gaps in coverage between different environments. As a threat hunter, understanding why malware was detected by one sandbox but not another is an excellent starting point to very interesting research. However, we should note that not all sandboxes are involved in every sample on MalwareBazaar. For example, this particular sample was not submitted to AnyRun which is a sandbox I have referenced quite often in previous posts. Again, there is no specific reason as to why I prefer AnyRun in most cases other than personal preference on how the resulting data is displayed. Many other researchers like other sandboxes much more for their own reasons.
Back to MalwareBazaar, another very helpful feature is the link to YARA rules that match on the specific sample you are reviewing. Using the same sample as before, we can see the following information (some rules are cut off in the below image):
Remember when I mentioned that you could search the database using YARA rules? Well, from this sample we can now click on one of the rules and pivot into a page that shows how often that rule triggers and provides all of the related samples. If you are a threat hunter, the ability to look up related samples in this way again provides another opportunity to see how specific malware strains might change over time. In other words, if there is a sudden drop off in samples triggering a very reliable YARA rule, what does that suggest? Is that malware no longer common? Or did the malware developer change techniques? If the latter, then how might they have changed the technique? Is it possible that we can experiment with permutations of the technique ourselves and create hunts based upon those permutations? Another question often relies on clustering rules together. Is it possible that a new malware strain only successfully evaded one of the old detections, but all the others still work? These are all relevant questions that threat hunters should consider when conducting research.
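The "how often does this rule trigger over time" question above can be answered with a short script instead of eyeballing the rule page. The following is an added example, not code from the original post or from abuse.ch: it pulls samples for one YARA rule name from the MalwareBazaar API, buckets them by month of first_seen, and flags months where volume collapsed. The endpoint is the public MalwareBazaar API; the query/field names and the Auth-Key header are my assumptions from the API docs, and the embedded records are constructed so the bucketing logic runs offline.

```python
import json
from collections import defaultdict
from datetime import datetime
from urllib import parse, request

MB_API = "https://mb-api.abuse.ch/api/v1/"  # MalwareBazaar public API endpoint


def fetch_yara_samples(rule_name, auth_key, limit=1000):
    """Fetch recent samples matching a YARA rule name from MalwareBazaar.
    Assumption: query=get_yarainfo, a 'data' list, and an Auth-Key header."""
    body = parse.urlencode({"query": "get_yarainfo", "yara_rule": rule_name,
                            "limit": limit}).encode()
    req = request.Request(MB_API, data=body, headers={"Auth-Key": auth_key})
    with request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("query_status") != "ok":
        raise RuntimeError(f"MalwareBazaar query failed: {payload.get('query_status')}")
    return payload["data"]


def monthly_counts(records):
    """Count samples per YYYY-MM using each record's first_seen timestamp."""
    counts = defaultdict(int)
    for rec in records:
        seen = datetime.strptime(rec["first_seen"][:10], "%Y-%m-%d")
        counts[seen.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def find_dropoffs(counts, factor=4):
    """Return (prev_month, month, prev_count, count) where volume fell to
    1/factor of the previous month: the 'sudden drop off' worth investigating.
    Months with fewer than `factor` samples are too small to judge and are skipped."""
    months = sorted(counts)
    flagged = []
    for prev, cur in zip(months, months[1:]):
        if counts[prev] >= factor and counts[cur] * factor <= counts[prev]:
            flagged.append((prev, cur, counts[prev], counts[cur]))
    return flagged


# Constructed records shaped like MalwareBazaar output (not real samples).
SAMPLE_RECORDS = (
    [{"first_seen": f"2024-01-{d:02d} 09:00:00"} for d in range(1, 9)]  # 8 in Jan
    + [{"first_seen": f"2024-02-{d:02d} 09:00:00"} for d in range(1, 7)]  # 6 in Feb
    + [{"first_seen": "2024-03-15 09:00:00"}]  # 1 in Mar: the rule went quiet
)

if __name__ == "__main__":
    # Swap SAMPLE_RECORDS for fetch_yara_samples("<rule name>", "<your key>") to run live.
    counts = monthly_counts(SAMPLE_RECORDS)
    print(counts)
    print(find_dropoffs(counts))
```

A flagged month is the cue to diff old and new samples against the rule rather than a conclusion on its own, since an upload lull on MalwareBazaar looks identical to a real technique change.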
If you are looking for a very specific sample, then it’s certainly possible that it won’t exist on MalwareBazaar. In such cases, you are likely going to have to expand into other databases and sandboxes to look for a sample. Obviously, VirusTotal is a major player in malware samples, but some of the better features can be locked behind a paid account, which may frustrate new analysts and researchers who don’t have the financial backing necessary to get paid accounts for all the various cybersecurity tools. However, even the free services of VirusTotal can at least point you in the right research direction for specific samples when they exist.
As you progress along your security career, you are going to find that some sandboxes seem more reliable than others and that some tend to have far more samples than others. Try not to get too focused on any one database or tool but also know that it’s not uncommon to find samples on several sandboxes but not the one you prefer. In those cases, consider getting the sample from other sources and uploading it yourself to your preferred tool.
Threat Intelligence Feeds and News
I won’t be naïve and attempt to iterate through all possible sources of threat intelligence and news in this post. There are simply far too many, particularly when you step back and look at all the subfields that exist within cybersecurity. However, I will highlight some very high-level resources that I think someone new to the industry might prefer to start with.
The first two resources are very similar in presentation and focus. The first is The Hacker News and the second is Bleeping Computer. Both of these sites could loosely be called news aggregators, as many of their stories are quick summaries of blogs and articles published across the industry by a large number of different organizations. In general, you can skim the various posts for one that seems interesting from a research perspective and then quickly skim the article to see if it still sounds like a good lead. If so, each article typically contains a direct link to the full source that you can then use to deep dive into the relevant topic. By having these summaries available, you can often quickly determine whether some very technical articles are worth further investigation or not, which can save time given how much there is to review in any given day.
While it goes without saying, social media also has a ton of analysts and researchers posting content every day that can be helpful in threat hunting and security in general. The rise of competing services like Bluesky and Mastodon has caused some dispersion, so it’s hard to say that you only need to follow one platform to get a holistic view of intelligence and news. In some cases, it’s actually easier to use a combined feed tool like Feedly to consolidate information into one pane rather than constantly switching between platforms and accounts to get all of the information. Depending upon your needs and your work resources, such a combined feed might not be necessary, but it can be convenient at times. If you are lucky, your job might provide threat intelligence directly or at least have a commercial-grade service that handles integrations for you as well.
On the topic of social media, Reddit also has several subreddits that can contain a lot of useful information. Again, at a high level, I would recommend at least checking the netsec, redteamsec, and blueteamsec subreddits to see if they appeal to the type of information you want to regularly review. These three subreddits tend to be more technical, but there is also the general subreddit simply called “cybersecurity” that covers broader topics in the industry, which some might find more manageable when just starting out.
I don’t want to get too far into podcasts and streamers within the community, as there are incredibly competent people starting new ones nearly every day. There are some major names like John Hammond and ippsec who have gathered large followings and who have very good reputations (as they should). But there are also equally competent folks who are brand new. I would absolutely check out the well-known folks, but also consider always keeping an eye out for another person trying to get into the community. The more folks we have talking about security topics and sharing their knowledge, the better the overall community becomes. If you have folks you think deserve more recognition, please share their pages or names in the comments.
Final Thoughts
This post was a bit different from my previous ones. We took a step back from technical analysis and discussed sources of malware samples and threat intelligence. I avoided mentions of specific vendors and organizations but remember that most major security vendors will have blogs that are well worth reading. But also remember that individuals on social media can produce some incredibly valuable intelligence. Individuals also tend to be able to share information more quickly than major vendors, which has both pros and cons but typically means that you can find some really interesting tidbits before major organizations start talking about similar information or intelligence publicly. If you are new to the industry and community, then hopefully you found this post relatively helpful in starting to build your own intelligence feed and finding malware samples of interest. If you have a source that you greatly prefer to others, then consider sharing it in the comments.