Resources list for malware hunters
Hey everyone,
In this post I'll try to group all the different sources and "go-to" places that'll really help any malware analyst/hunter.
** Keep in mind that there are MANY other useful sources, and I'll be more than happy to update this list using your comments as well.
Let's dive straight into it:
Honorable mentions
A few sources that really made a difference (at least for me)
Virusbay
Malpedia
The name says it all.
Requires invitation and vouching.
Phrack
If you don't know it, you should.
CyberChef
It's everything, in one place.
https://gchq.github.io/CyberChef/
Tuts4You
A lot of exercises to practice on, and multiple tools and information sources
https://tuts4you.com/
Search Engines:
VirusTotal
I'll assume you're all familiar with it.
A little tip - sometimes the VirusTotal graph feature might be useful.
ThreatMiner
Presents a lot of useful info about samples, domains, hosts and email addresses.
Also provides very convenient search options.
Valkyrie
Another one I haven't checked much.
Shodan
IoT search engine.
Sandboxes:
Hybrid Analysis - https://www.hybrid-analysis.com/
Detux (LINUX) - https://detux.org/index.php
Joe's sandbox - https://www.joesandbox.com/
Cuckoo - http://sandbox.pikker.ee/
ViCheck - https://vicheck.ca/
AnyRun - https://app.any.run/
SNDBOX - https://app.sndbox.com
ThreatExpert - http://www.threatexpert.com/
Sekoia Dropper analysis - https://malware.sekoia.fr/new
Iris-H - https://iris-h.malwageddon.com/submit
Trackers:
Malc0de - http://malc0de.com/database/
Scumware - https://www.scumware.org/
CVE tracker - https://cve.mitre.org/cve/cve_new_data_feed.html
Toaster tracker (LINUX) - https://toaster.huntingmalware.com/#/tracker
* http://benkow.cc/passwords.php
* Ransomware tracker - https://ransomwaretracker.abuse.ch/tracker/
* Malware corpus tracker - http://tracker.h3x.eu/families
Massive repositories:
VirusShare - https://virusshare.com/
Virusign - http://www.virusign.com/
malware.one - https://malware.one/
Blogs:
Krebs on security - https://krebsonsecurity.com/
Security Affairs - http://securityaffairs.co/wordpress/
DarkReading - https://www.darkreading.com/
The hacker news - https://thehackernews.com/
Sucuri's blog - https://blog.sucuri.net/
TrendMicro's blogs - https://www.trendmicro.com/vinfo/us/security/research-and-analysis
GBHackers - https://gbhackers.com/
Sophos's blog - https://nakedsecurity.sophos.com/
Some more technical blogs:
SpecterOps- https://posts.specterops.io/
Quarkslab - https://blog.quarkslab.com/
Ensilo's blog - https://blog.ensilo.com/blog-categories
CheckPoint's blog - https://research.checkpoint.com/category/threat-research
Dr. Fu's Security blog - http://fumalwareanalysis.blogspot.co.il/p/malware-analysis-tutorials-reverse.html
Vitali Kremez's blog - http://www.vkremez.com/
Fireeye's Threat research - https://www.fireeye.com/blog/threat-research.html
Malwarebytes - https://blog.malwarebytes.com/
ESET's blog - https://www.welivesecurity.com/
Cisco's blog - http://blog.talosintelligence.com/
Blaze's blog - https://bartblaze.blogspot.co.il/
Kaspersky's blog - https://securelist.com/
Mobius Strip - http://www.msreverseengineering.com/
Malware unicorn's reversing guide - https://securedorg.github.io/RE101/
&& https://securedorg.github.io/RE102/
Forums:
Malwaretips - https://malwaretips.com/ (has malware's samples)
Kernel mode - http://www.kernelmode.info/forum/
I mentioned a few links for Linux before, but here's a more complete list that might be useful.
First of all, some info that might be important when you're analyzing Linux malware:
Useful commands
objdump (http://man7.org/linux/man-pages/man1/objdump.1.html)
readelf (https://sourceware.org/binutils/docs/binutils/readelf.html)
elfdump (https://docs.oracle.com/cd/E19683-01/816-0210/6m6nb7m8b/index.html)
nm (https://sourceware.org/binutils/docs/binutils/nm.html)
strace (http://man7.org/linux/man-pages/man1/strace.1.html)
ltrace (https://linux.die.net/man/1/ltrace)
Intro to ELF files
CheatSheets
* https://darkdust.net/files/GDB%20Cheat%20Sheet.pdf
REMnux
A great VM, you should check it out if you're analyzing Linux malware.
https://remnux.org/docs/
Malware sources
* http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3471
* http://blog.malwaremustdie.org/2016/11/linux-malware.html
Sources for OSX:
Malware sources
* https://objective-see.com/malware.html (A great blog)
Useful commands
dtruss (https://jameshfisher.com/2017/08/01/dtruss.html)
Syscalls info - https://sigsegv.pl/osx-bsd-syscalls/
Guides and overviews
Some additional interesting links:
YARA
* Online tool - https://analysis.yararules.com/
Cheat-sheets
* Reversing - http://r00ted.com/cheat%20sheet%20reverse%20v5.png
* Analyzing malware - https://zeltser.com/malware-analysis-cheat-sheet/
* Reversing - https://home.zcu.cz/~bodik/cheatsheets/reverse_engineering_cheat_sheet.pdf
Reference manuals
* https://github.com/rmusser01/Infosec_Reference
* General guide - https://github.com/yellowbyte/reverse-engineering-reference-manual
* https://github.com/0x4D31/awesome-threat-detection
* https://github.com/wtsxDev/Malware-Analysis/
Tools
* https://www.kitploit.com/
* http://www.effecthacking.com/2017/10/maltrieve-tool-to-retrieve-malware-from-source.html (malware collection automation)
* https://github.com/microsoft/procdump-for-linux (analyzing malware on linux)
* https://github.com/decalage2/oletools/wiki (useful for office documents)
* ViperMonkey - http://decalage.info/vba_emulation (useful for office documents)
Tools that make reversing easier (:
* the magic number data base - https://www.magnumdb.com/
* UUID database - https://uuid.pirate-server.com/
APTs
* AptNotes - https://github.com/kbandla/APTnotes
* Threats map - https://embed.kumu.io/0b023bf1a971ba32510e86e8f1a38c38#apt-index
Onion links
* https://github.com/alecmuffett/onion-sites-that-dont-suck
* https://onion.torproject.org/
* Onion investigator - https://oint.ctrlbox.com/
* DeepWeb map - https://www.hyperiongray.com/dark-web-map/
Plugins
* http://www.openrce.org/downloads/
Ransomwares
A Google doc that groups a lot of different ransomware families.
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
Learning Resources:
While it's important to know how to find the interesting samples, it's also crucial to know how to dissect them (:
Here are some extra links to sharpen your knowledge. (Notice that this doesn't aim to teach everything; for that there are great books and courses online.)
I'll also make sure to share educational/interesting sources on Twitter, you can find me at @B_H101
* Learning about Anti-debugging techniques - https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf
* hasherezade's unpacking playlist - https://www.youtube.com/playlist?list=PL3CZ2aaB7m83eYTAVV2knNglB8I4y5QmH
* vitali's technical blog is really helpful - http://www.vkremez.com/
* using wireshark effectively - https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/
* setting up remote debugging with Windbg and IDA pro - https://research.checkpoint.com/scriptable-remote-debugging-windbg-ida-pro/
Final thoughts
When it comes to locating a sample, it really depends on what you're after.
- If you're interested in current threats and "live" samples, it'll probably be best to keep an eye (or a script) on the latest feeds, the latest sandbox submissions, etc.
- If you're looking for more interesting and complicated samples, it might be better to keep an eye (or a script?) on the latest papers in all the different blogs and forums.
- YARA is a great direction when you're dealing with massive amounts of samples; it'll help you reduce the results to fewer duplicated samples and divide them into specific "groups".
- Social communities (at least as I see it) are the best way to find/ask for "rare" samples and discuss them, and even get information or new data from fellow researchers.
If you have anything else to add to the list, please feel free to contact me.