Getting Started with Offensive Computing
Welcome to the Offensive Computing open malware research project. If you're reading this, you may (or may not) be interested in researching malware. There are a few different ways that you can contribute: you can upload your malware samples, download the samples, or discuss them.
Register for an Account
In order to get to all of the content on Offensive Computing, you'll need a Google account. All malware downloads are authorized through Google now.
Searching for Malware
To search for a particular piece of malware, please use the malware search tool, located on the right-hand side of every page at OC. You can search by MD5, SHA-1, or SHA-256 sum, or by virus scanner text.
A few handy hashing apps:
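Whichever hashing tool you use, the search form takes the three digests named above. As an added example (not code from Offensive Computing), this Python script computes MD5, SHA-1 and SHA-256 of a sample in one pass, and tells you which digest type a pasted search string is so you know what the search will match on:

```python
import hashlib
import io
from typing import BinaryIO, Optional, Tuple

# Hex digest lengths of the three hash types the search tool accepts.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdef")


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in a single pass.

    Reading in chunks keeps memory flat for large samples and means the
    sample is read once, not three times.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str) -> dict:
    """Hash a sample on disk; binary mode so no newline translation occurs."""
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_bytes(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Hash an in-memory buffer (handy for tests and small samples)."""
    return hash_stream(io.BytesIO(data), chunk_size)


def classify_search_term(term: str) -> Optional[Tuple[str, str]]:
    """Return (digest type, lowercase digest) for a pasted hash, or None if
    the term is not a hex digest of a supported length (treat it as scanner text)."""
    cleaned = term.strip().lower()
    if len(cleaned) in HEX_LENGTHS and set(cleaned) <= HEX_CHARS:
        return HEX_LENGTHS[len(cleaned)], cleaned
    return None


if __name__ == "__main__":
    # Constructed sample bytes; a real sample would be read with hash_file(path).
    for name, value in hash_bytes(b"abc").items():
        print(f"{name}: {value}")
    print(classify_search_term("  D41D8CD98F00B204E9800998ECF8427E "))
```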
Currently the supported virus scanners are:
- Bit Defender
We are working on adding support for Windows based scanners.
The next step is to actually analyze malware. Several other sites cover the logistics of performing these operations. When you turn up interesting information, please feel free to make a post. The malware analysis is fairly freeform: if you post your results, people will read them, and most likely others will contribute more to them as well.
The mechanics of analyzing the malware require a bit more effort. Jump right in, though. Here are some suggestions from Patrick Stach:
- A disassembler. Personally I use ndisasm and some custom code for function recognition and symbol resolution. More and more people prefer IDA, however basically that's all it does.
- A debugger. For win32 - Windbg (what I use and like), Ollydbg (another popular one). For unices - GDB. Some platforms have other debuggers, but most have pretty painful interfaces and command structure, except for Ladebug for Tru64, which rules.
- Architecture reference manuals. Understand the architecture you are trying to reverse engineer.
- A compiler. Understand how a compiler turns code into executables, for example, how it does function calls, stack allocation, memory management, etc.
- Binary format specification. Handy to pick up the stuff IDA misses or if you are cheap like I am and want to do your own parser.
- VM software of some kind. While these aren't 100% effective, it's important to protect yourself at least a little bit. VMware is nice due to its ability to take snapshots at various stages.
Once you have decoded or divined information about the malware, the next step is to post it using the Create Content link on the right. The most common format used is the "Story" type. Feel free to attach any supporting information you feel is appropriate.
Do you have an interesting analysis tool that you would like to have easily automated? Contact us and we'll talk to you about adding it in.