Getting Started with Offensive Computing


Welcome to the Offensive Computing open malware research project. If you're reading this you may (or may not) be interested in researching malware. There are a few different ways that you can contribute. You can upload your malware samples, download the samples, or discuss them.

Register for an Account

To reach all of the content on Offensive Computing you'll need a Google account; all malware downloads are now authorized through Google.

Searching for Malware

To search for a particular piece of malware, use the malware search tool on the right-hand side of every page at OC. You can search by MD5, SHA-1 or SHA-256 sum, or by the detection text a virus scanner reported for the sample.

A few handy hashing apps:
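As an added example (not one of the tools the page links to, and not code from the Offensive Computing project), here is a small Python script that produces the three sums the search tool accepts in a single pass over the file. The fallback input it hashes when no path is given is a constructed byte string, not a real sample.

```python
import hashlib
import io
import sys

# The three digests the Offensive Computing search tool accepts.
SEARCH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fileobj, algorithms=SEARCH_ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a binary file object.

    The data is read once, in chunks, and fed to every hasher, so a large
    sample is neither read three times nor loaded into memory whole.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=SEARCH_ALGORITHMS, chunk_size=1 << 20):
    """Digest an in-memory blob (a carved section or an unpacked payload)."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def hash_file(path, algorithms=SEARCH_ALGORITHMS):
    """Digest the sample exactly as stored on disk, i.e. the bytes you upload."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def format_report(path, digests):
    """One line per digest in the 'sum  path' layout used by md5sum/sha1sum/
    sha256sum, so the output can be checked against those tools or pasted
    into a post."""
    return "\n".join("%-6s %s  %s" % (name, digests[name], path)
                     for name in SEARCH_ALGORITHMS if name in digests)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(format_report(path, hash_file(path)))
    else:
        # No file given: hash a constructed stand-in so the script runs offline.
        sample = b"MZ" + b"\x90" * 62 + b"not a real executable\n"
        print(format_report("<constructed sample>", hash_bytes(sample)))
```

Hash the file as it sits on disk, before you unpack it or run it in a VM, because those are the bytes other researchers will be searching for. MD5 and SHA-1 are still the sums most often quoted, but both have practical collision attacks, so treat the SHA-256 as the canonical identifier when you post.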

Currently the supported virus scanners are:

  • F-Prot
  • Bit Defender
  • Kaspersky
  • ClamAV
  • Antivir

We are working on adding support for Windows based scanners.

Analyzing Malware

The next step is actually analyzing the malware. Plenty of other sites cover the mechanics of doing that; when you turn up something interesting, post it here. Analysis posts are fairly freeform. If you post your results, people will read them and most likely add to them.

The mechanics of analyzing the malware require a bit more effort, but jump right in. Here are some suggestions from Patrick Stach:

  1. A disassembler. Personally I use ndisasm and some custom code for function recognition and symbol resolution. More and more people prefer IDA, however basically that's all it does.

  2. A debugger. For win32 - Windbg (what I use and like), Ollydbg (another popular one). For unices - GDB. Some platforms have other debuggers, but most have pretty painful interfaces and command structure, except for Ladebug for Tru64, which rules.
  3. Architecture reference manuals. Understand the architecture you are trying to reverse engineer.
  4. A compiler. Understand how a compiler turns code into executables, for example, how it does function calls, stack allocation, memory management, etc.
  5. Binary format specification. Handy to pick up the stuff IDA misses or if you are cheap like I am and want to do your own parser.
  6. VM Software of some kind. While these aren't 100% effective, it's important to protect yourself at least a little bit. VMware is nice due to the ability for it to take snapshots at various stages.
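Item 5 above mentions writing your own parser for the binary format. As an added illustration of what that involves (this is not Patrick Stach's code and not part of the original page), here is a minimal parser for the PE headers that Windows malware carries: it walks the DOS header, COFF header, optional header and section table, and reports which section holds the entry point. By default it parses a constructed, headers-only PE32 image built by `build_sample_pe`; give it a path argument to run it over a real file.

```python
import struct
import sys

DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


class PEFormatError(ValueError):
    """Raised when the headers are truncated or inconsistent; never trust them."""


def parse_pe(data):
    """Parse the DOS, COFF, optional and section headers of a PE image in memory.

    Returns a dict with machine, timestamp, entry point RVA, image base, the
    section table and the name of the section containing the entry point
    (None if no section covers it).
    """
    if len(data) < 0x40 or data[:2] != DOS_SIGNATURE:
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise PEFormatError("bad e_lfanew or missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) immediately follows "PE\0\0".
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)

    # IMAGE_OPTIONAL_HEADER: AddressOfEntryPoint sits at +16 in both PE32 and
    # PE32+; ImageBase is a 32-bit field at +28 (PE32) or a 64-bit one at +24.
    opt = coff + 20
    if opt_size < 32 or opt + opt_size > len(data):
        raise PEFormatError("optional header missing or runs past end of file")
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise PEFormatError("unknown optional header magic 0x%x" % magic)

    # Section table: 40-byte IMAGE_SECTION_HEADER entries after the optional header.
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise PEFormatError("section table truncated")
        (name, vsize, vaddr, raw_size, raw_off, _rel, _lin, _nrel, _nlin,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize,
                         "raw_off": raw_off, "raw_size": raw_size,
                         "flags": flags})

    # Locate the entry point by RVA. VirtualSize can legitimately be 0 (the
    # loader then uses SizeOfRawData), so take the larger of the two.
    entry_section = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
            break

    return {"machine": MACHINE_NAMES.get(machine, "0x%x" % machine),
            "timestamp": timestamp, "characteristics": characteristics,
            "entry_point": entry_rva, "image_base": image_base,
            "sections": sections, "entry_section": entry_section}


def build_sample_pe():
    """Constructed PE32 image (headers only, no code) used when no file is given."""
    e_lfanew = 0x40
    dos = DOS_SIGNATURE + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4A5B6C7D, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 9, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (224 - len(opt))
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    data_sec = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600,
                           0, 0, 0, 0, 0xC0000040)
    return dos + NT_SIGNATURE + coff + opt + text + data_sec


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(raw)
    print("machine %s  timestamp 0x%08x  image base 0x%x  entry RVA 0x%x (in %s)" % (
        info["machine"], info["timestamp"], info["image_base"],
        info["entry_point"], info["entry_section"]))
    for s in info["sections"]:
        print("  %-8s vaddr 0x%06x vsize 0x%06x raw 0x%06x+0x%06x flags 0x%08x" % (
            s["name"], s["vaddr"], s["vsize"], s["raw_off"], s["raw_size"], s["flags"]))
```

Every offset here comes straight from the PE/COFF specification, which is why a hand-written parser earns its keep in triage: the loader only needs a handful of fields to be consistent, and packed or hand-crafted samples abuse the rest, for instance an entry point outside `.text` or in the last section, or a section whose raw size is 0 because it only exists once the unpacker has run. Bounds-check every offset as this code does; a header that crashes your own tooling is a cheap anti-analysis trick.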

Once you have decoded or divined something about the malware, post it using the Create Content link on the right. The most common format is the "Story" type. Feel free to attach any supporting files you think are appropriate.

Code Contribution

Do you have an interesting analysis tool that you would like to see automated? Contact us and we'll talk about adding it.

Hash Found

Should it be assumed that if a hash is found in your DB, then it has been identified as malware?

Absolutely not!


If it's matched with the DB

If it's matched with the DB and it isn't malware, what category should it be?
Thanks.

Protection - Valtx Absolute Security for Windows

I have the above program available, free for researchers; it will allow you to test malware and instantly do a bit-level rollback to clean. I can be reached at dennis@valtx.com

Dennis Meharchand
www.valtx.com