Since March 2013, alongside a handful of volunteers, Silas has run a fully public, never-for-profit malware repository named MalShare. The site allows anyone to register and immediately have access to our entire collection of malware samples.
When MalShare first launched, the idea of openly sharing malware was highly controversial; Silas was told the site would never survive against existing commercial options and that it would only serve to give threat actors deeper insight into defender visibility. Now ten years later, Malshare is still online. What started out as a handful of open web directories has grown into a service used by thousands of researchers and integrated into numerous tools.
In this talk, Silas shares his experience of some of the challenges and rewards of running a free, public malware repository for the benefit of the research community. Along the way, he describes his greatest fear, discusses rival services like VirusTotal and vx-underground, and explains why he doesn’t worry about people trying to hack the site.
Malshare | 10 years of running a public malware repository: Audio automatically transcribed by Sonix
Malshare | 10 years of running a public malware repository: this mp4 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Silas Cutler:
Thanks for having me. My name is Silas Cutler. And today I’m going to be talking about talking about a really important project to me. But those of you who don’t know me, as I said, my name is Silas. I wear many hats. I’ve worked quite a few places. But the hat that is the most important to me is one that started almost ten years ago. It’ll be ten years in a couple of weeks.
Silas Cutler:
So I run a public malware repository with several other people, several of whom are here called Malshare. Malshare is a Public Repository. We don’t have any paid services. We will never offer any paid services. The entire project is focused around making malware sample access easier. Malshare started on 28th March 2013, and it was really interesting listening to Thomas Ridd’s talk yesterday when he noted back about the pre shadow brokers eras and before the mass proliferation of a lot of the nation state actors that we’ve seen.
Silas Cutler:
Back then, sample sharing was complicated. You couldn’t just openly share malware. People told me that if I was to start this that I was going to be sued into the ground, that no hosting provider would ever talk to me again and that I would essentially be helping the attackers along the way.
Silas Cutler:
Funny how the world has changed. Yeah. And I was told also that the abuse reports and just the takedown requests from people accidentally uploading samples would consume all my time and the entire ten years that this has been running, I’ve had one sample removal request. That’s it. And it’s funny, and this is a really amazing conference to be doing this talk at, because the entire project started at a conference.
Silas Cutler:
It started talking to another analyst, figuring out how we could exchange samples because I was in the process of leaving a job and and I was terrified of losing access to VirusTotal. And that’s the true reason that the entire project started, was because I knew that I needed data. I needed to be able to play with stuff. And I figured if I was going to be building something and trying to build my own way to feed myself samples and do research, that there’s no point in keeping it private and it’s something that can be shared with everyone.
Silas Cutler:
So I will preface all of this with I am not a graphic designer. This is what the first version of our site looked like and fun. Fun Easter eggs. You’ll notice the wonderful Mt. Gox logo icon right at the bottom to donate 0.1 BTC to keep the server going. Back then that was about $20. Now the price ranges from 2000 to something hourly. I think we actually lost like $30 in Bitcoin when Mt.Gox got tanked.
Silas Cutler:
So in the original structure, the way that we were sharing files was we would tar up a batch of files every day and post them on the website. And this seemed like a really easy way to do it. It made things accessible. That process lasted about a week and somebody included it, like the bulk sample set, one of them in part of a dropper, and started trying to use me as a cheap deployment place.
Silas Cutler:
And it was it was horrifying because everything that people had said about how it could become a resource for attackers became absolutely true and smacked me in the face. So we had to get better. And it also became a lot of the ways that I look at the project and taught me the very important lesson that we can do better. And when things like this happen, there is an onus on platforms like this to try and help as much as we can.
Silas Cutler:
So fundamentally, Malshare I see as new researchers and old researchers first and last repository. We do not have the sample collection that VirusTotal does. We don’t have the features of many of the other ones. But when you have no budget and you need and are building a program, we will always be there.
Silas Cutler:
This talk is not about not about the tech stack of malshare or the the back end details. There’s a lot of things that make Malshare the most mediocre malware repository on the Internet, but that is the point as well. The number one thing and the most important thing that I want to say in this talk and I’ve rewritten this talk about four times this week, but the most important thing I want to say actually, is thank you, because Malshare isn’t Malshare is not mine. It’s belongs to everyone who is uploaded samples, who has used files from it, who’s messaged me on Twitter to say, Hey, the site’s down. It’s a community resource that belongs to us all. So thank you to everyone who uploads. Thank you. If you’re on the advisory boards of committed code and thank you for letting me be part of your research over the years and I hope to continue helping and going forward doing that for everyone.
Silas Cutler:
As with most things very bluntly and real talk, I don’t always know where I’m going with projects. I see a path that looks fun and I run at it and along the way it’s been incredibly it has been amazing to be able to watch the people and learn and see how the project has grown. Yes. So what I want what I want to kind of talk about for the next part of the talk is who I see Malshare as and what I see it as, as the one of the administrators of this project.
Silas Cutler:
So this is now where we are. We have users now all across the planet. We are up to 27,049 users as of this morning. And it’s been unbelievably incredible to see and talk to people and hear about how they’re using the files. When you register on the site by default, you’re allowed 2000 downloads a day or queries. So searches, downloads, if you want more, just email doesn’t make it. We don’t charge for anything. If you don’t want to email, you can just make more keys too. Our users do that and I’ll talk about that in a few minutes too.
Silas Cutler:
But it’s been amazing as well watching over the years where people where people come from to register for the site, the projects they work on. We’re heavily rooted in places across the Middle East, across China, and many of them are students who are in university who want to get into malware analysis. And it’s not always accessible. Unfortunately, the one country that I really upset that I have not managed to get users in in one country, but those some of the the more northern blips, maybe.
You know, one of those Chinese lives?
Silas Cutler:
Yeah, we do. So. So, Malshare is a community resource, as I’ve said. Almost everything on the site is open source. We didn’t start out that way. We actually became open source because a employer of mine years ago tried to say that it was improperly disclosed as part of my onboarding and my prior inventions and that the ownership defaulted to them. So a git push later. It belonged to everyone.
Silas Cutler:
There’s a couple pieces that are not yet open source. The reason they’re not open source is because the code is really bad, and I’m a little embarrassed for people to see it. Mind you, the site is written in PHP, so that’s saying a lot with the site being open source. There’s no secrets. Everything we do is visible in the code, but that makes it accessible for people and usable to bend and to use, however meets the needs of people. The site itself is even usable internal outside of the public instance, and there’s a couple of groups that have started forking it and creating local instances at universities. And even a couple like student clubs have their own instances running in order to share samples that they’re collecting as part of. One of them is doing as part of like a honeypot project, which is really cool.
Silas Cutler:
Over the years, the space of malware repositories has significantly increased and there are some of them and it’s some of them have done absolutely amazing things and some of them have have kind of faded off. Oh, I didn’t include the ones that vanished over the years.
Silas Cutler:
But anyways, but it’s been really interesting also to watch each one of them take their own different approach to how they look at creating a usable service to help people hunt through malware malware sets. And I’ll call out vx-underground specifically because they’re feisty ones, aren’t they? Yeah. Yeah. The password infected. I’ll save you the DMs cos Smelly gets really upset about it. But unlike what what Malshare is which was designed very much to focus on the API to allow people to automate into it and to build things to go beyond what the service can do. vx-underground took a fascinating route with this because they went in the almost an encyclopedia like design where people almost look to them now as a resource for for defining what a set looks like. And there’s been arguments on social media about about what’s a Pegasus sample and what’s not.
Silas Cutler:
But each of these different approaches, the admins of these sites all face different interesting challenges and problems along the way. For Malshare, I don’t have to worry about the the problem that vx-underground does in terms of building a library and a curated collection because people don’t are not looking for assessments from the site. It’s also because I don’t have enough like a lawyer to protect if I accidentally slander someone by saying they’re legitimate to software as malicious. Right.
Silas Cutler:
One of the things that has made it really special for me over the years is your hacks actually make me really happy.
Silas Cutler:
So I said before as well, we limit people to 2000 API API queries a day. We see people creating duplicate keys regularly and I’m really privileged to be able to say that I don’t give a fuck because what I care about is and I’ll touch on more at the end of it. As long as you’re not interrupting service to others, as long as you’re not trying to dump the user database, why worry?
Silas Cutler:
It’s been fascinating and exceptionally cool to watch. The ways that people look at the site, use the site, exceed the site and what we can do and build out and to build cooler hacks and things that go beyond. So I pulled yesterday as well trying to look at some of this API API key reuse and it’s fun as an admin seeing, seeing some of the things.
Silas Cutler:
So for example, there’s this odd pattern there where about ten of the duplicate API keys came from 43 IP addresses, Someone’s got a little proxy network or is using Nordvpn to pull samples. Not a problem, but just a curiosity to see how people are trying to harvest things. Another piece of the sort of service abuse that I’ve seen over the years. And there’s actually another malware repository that I listed on the previous slide that actually had this setup where what happened is they would pull my feed every day. It would go through a discord bot that would post it to a channel. They would upload the sample then to VirusTotal so they could get download quota on VirusTotal to download different samples.
Silas Cutler:
I couldn’t be happier to see this because it’s finding creative solutions to what are really dumb problems that don’t need to be there. And I get it. It can be really awkward to send an email. Sometimes there’s people I owe email responses to and it’s been several days. I’m sorry, social anxiety is a thing. So as I said, why worry? In the end, people building creative solutions is what the project is about. There’s a price point that I can get away with continuing to run the service at, and as long as I can continue to hit that price point, which because I want this talk to be as open and transparent as possible, it’s about 125 bucks a month. But as long as I can keep it running at that price and. I’m fine with however much abuse happens on that.
Silas Cutler:
And in a few minutes, I’ll tell you about the abuse that I don’t like and what happens when when people fuck around and need to find out. But as a brief aside to it, something that came up on a Glasshouse call that I did a few weeks ago, one of the odd things as well in the industry that I’ve noticed is that if you want to get into pen testing and offensive security, there are numerous pathways to do it and it’s a series of pathway that has many different steps that are very easy to hop over, ones you don’t like.
Silas Cutler:
So Vuln Hub. Hack the box, hack this site, all these different resources to go from someone who is curious, to someone who knows the skills and knows the techniques. But on the defensive side, especially for things like malware analysis, we still often are dependent on training series written by forum users, on unknown cheats and and sketchy forums from the nineties to learn how to do some of the deep technical analysis that produces some of the cases that we’ve seen this week.
Silas Cutler:
Credit though, to OALabs, which is a group that does twitch streaming on reverse engineering. They are legit and they’re having a really huge impact. So fundamentally, though, by malware not being a commercial service, we don’t have to worry about the things like service abuse. What we do worry about, though, at the end of the day, is ensuring that the things that happen on the site don’t pose a risk to other users.
Silas Cutler:
When things happen that affect or could potentially affect other users, I care a lot. So the example I have of this that I wanted to call out is unfortunately, I had to redact the name of it for the person. So in July 2018, I got an email from someone. Recognize the email immediately there another researcher who I’ve known for a better part of a decade now asking for a couple of samples. It was a little odd also that they introduced themselves by saying they’re an independent security researcher, but I didn’t think too much of it.
Silas Cutler:
But I got this email, so I immediately responded with back with the samples. We’re not perfect when it comes to phishing. We all make mistakes. A couple of days went by. I followed up with him directly via Slack and they said, Oh yeah, I didn’t I didn’t email you. I just downloaded myself. So I immediately followed back up with this suspicious emailer asking if there was anything more they needed. Because if this is already someone impersonating another researcher, I want to see how far this goes.
Silas Cutler:
So what it turned out was that there had been a long running campaign in which someone was going around registering on sites as this famous security researcher. And trying to get things like extra quota and special access. And when you go back to things like Apache logs to dig through, when people are doing stupid stuff, they’re not great about hiding where they from. So long running campaign targeting a researcher from Iran and they’re still active to this day. They haven’t registered on the site and I do watch now for any time they do this. If you see people trying to impersonate or do bad things through Malshare, please let me know because at the end of the day, I want to make sure people are protected. And something like Apache logs to me are not what Malshere considers proprietary or sensitive data. So if there are things that we can provide, we absolutely will. Think about when I want to. Right.
Silas Cutler:
So the other thing that has caused impact in the past are DDoS attacks. Over the past several years, we’ve had three major attacks that have actually disrupted service. Only one of them actually was someone maliciously intending to disrupt the site. The other two were from researchers with poor Python scripts that continued to request the same sample thousands and thousands of times, which is also a really bad way for me to find out that you’re also using multiple keys which don’t care about but care about when it affects the users.
Silas Cutler:
As the briefest aside, talking about the tech stack. Fundamentally, Malshare is pretty simple conceptually. There’s a MySQL database to track everything an Apache web server and a file a file structure on disk for the sample repository. As a well thought out web scaled enterprise, we took this these three pillars of success and we put them in a box. And I mean, we put them on one server. So the site still continues to run on one server.
Silas Cutler:
So the point of this is. The point with this is. Over the past ten years. It has been an incredible privilege to do this, and I want to continue to do this. And I want to also make sure that this service lives on past just me as the single point of failure. And I bring up the fact that it’s still a single server, not because it’s a problem, but because as services like this go, and having watched other ones fail in the past, something an old project manager told me, which is one is none and two is one.
Silas Cutler:
And so unless there’s redundancy, things do fall down. So over the next ten years, where I’m trying to take the site is to build it into something that can outlive and move past a single point of failure or a single server into something that can continue to be a resource for people until how we share sample and how we think about malware no longer is relevant. Over time, things do fade away and become less relevant and Malshare is always a continuous reminder.
Silas Cutler:
And the other thing that stood out so importantly over the past ten years, and I’ve joked that Malshare is a mediocre malware repository, but the other thing that it does and that it has done so well is it defines the bottom of the barrel. If your vendor feed is worse than Malshare, which is free, you’re getting taken for a ride. If you’re not getting the services that should be available from something free, this as a free service, as a community resource says, everything above is where it should be, and that’s a really important role that we don’t focus on enough because it ensures a baseline and helps us move forward.
Silas Cutler:
So with that, I’d like to say one final thank you and open it up for any further questions that people may have. Yes, Brad. So it’s been a long time. Yeah. Since we’re doing this. I’ve had the privilege of watching it grow.
Speaker2:
Over the years, and.
Silas Cutler:
I didn’t want to. I didn’t want to dox you as as one of the folks.
Speaker2:
See one of the see some of the terrors of What do you think has been the biggest success? What what is the biggest thing that surprised you?
Silas Cutler:
The biggest thing that surprised me. The biggest thing that surprised me is that is actually when people say like, Oh, Malshare only has a bunch of HTML pages, or criticizes the quality of the feed. I don’t know how many people have actually pulled like an hourly batch of VirusTotal and gone file by file. I have really bad insomnia and it really helps sometimes, but VTE has a lot of junk too, but they also have so much that nobody’s picking through it at a granular rate. It’s been surprising that that isn’t always obvious.
Silas Cutler:
I think the other thing that’s really surprising is also the other thing that’s incredibly surprising is the integrations that I see. And to everyone who’s written an integration that I will never see and don’t know about, like, thank you and please feel free to let me know if there’s things we can do better. But for example, like Synapse has a plugin for Malshare to pull data and consume the feed, and it’s amazing to see all of these all of these integrations and where the service is being used. Mandiant has one as well that I found when trying to find listings of them. It’s been truly amazing just seeing all those. It has also been surprising seeing people who are resistant to me trying to give them free malware as a feed, which I get. Already the hesitations about people trying to give others malware. But yeah. Yes.
You mentioned there was one sample that you had a request to remove. Yep. You give any context on that?
Silas Cutler:
It was a PDF document for a company. I think it was meeting notes that somebody accidentally uploaded. I really don’t want to throw stones in glass houses, but I’m going to for just a moment to your question also, Brandon, I’m going to throw a real hard stone on this, which is the biggest fear that I’ve had with malware actually is csam. I am deathly afraid of it.
Silas Cutler:
The surprising thing also has been how many people have commercialized that as a service and reaching out to some of the big players who offer services to help watch for it and have hash lists of it. It is a little tone deaf when they tell me the price is $120,000 a year. That has been surprising too. So anyways, any further questions?
Silas Cutler:
Awesome. Thank you again. And again, if there’s if there’s anything we can ever do for Malshare to help, we’re always happy. And here to help. Cheers.
Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.
Automatically convert your mp4 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.
Sonix has many features that you’d love including world-class support, share transcripts, advanced search, upload many different filetypes, and easily transcribe your Zoom meetings. Try Sonix for free today.
About the Presenter
Silas Cutler is Senior Director for Cyber Threat Research and Analysis at the Insitute for Security and Technology and Resident Hacker at Stairwell. He specializes in hunting advanced threat actors and malware developers, nation states and organized cybercrime groups. Prior to Stairwell, Silas was a threat intelligence practitioner at CrowdStrike, Google, Chronicle and Dell Secureworks.
About LABScon
This presentation was featured live at LABScon 2022, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.
Want to join us for LABScon 2023? The Call for Papers is now open!