Share malware with a security team
With the recent increase of notifications of cryptolocker malware I was wondering if this dropped malware was always the same version or if the attackers used different versions. I was also curious if the delivery path (e-mail route or otherwise) was different. This raised the question : “How to share malware with a security team?”.
Some teams have a service where you can upload samples. If they do not have an upload service then you will have to use more traditional methods.
Sharing workflow
Ideally you notify the team, either before sending the sample or with a separate message, that you are going to share a sample. Smart virus scanners might block the message with your sample and the receiving part might never know you wanted to share something.
You can also use the prior notification to verify that you are sending the notification to the correct recipients. Some teams can have a dedicated mailbox for receiving malware samples.
You should also let them know what feedback you are expecting. Are you sharing the malware for “information only” or do you expect an analysis and feedback?
The accompanying message for sharing the sample should contain context, impact and delivery route.
- Set context.
- What is your organization type?
- What is the volume of detected malware?
- What is the typical user environment (OS, software installed)?
- Do you have server based protections (firewall, anti-virus, IDS) that triggered or that failed?
- Are there host based protections that triggered or that failed?
- Define impact
- Did the malware execute?
- If the malware did not execute, why do you suspect this to be malicious?
- What was the impact (host infected, server infections)?
- Is the incident ongoing or did you contain it?
- Delivery route
- How was the malware delivered (e-mail, USB, website)?
Sharing the sample
You can not just “send” the sample via e-mail or share it via an online file sharing platform. If it is recognized malware then it’s certain to be blocked either in transit or at the receiving part. So how do you share?
The easiest way is not technologically challenging : use a password protected ZIP file.
- Create a new ZIP file;
- Add the sample to the ZIP file;
- If delivered by e-mail, add the source or the entire message to the ZIP file;
- Set a password (easiest: ‘infected‘) on the ZIP file.
Do not forget to inform the receiving team of the password that you used to protect the ZIP file.
CIRCL.lu mentioned that nowadays a lot of mail providers brute-force ZIP passwords. An alternative for a ZIP with ‘infected’ could be to either use GPG encryption with a symmetric key or use your own customised password.
If you want to verify the integrity of the file then do an MD5 sum of the original files (the malware, not the ZIP file) and include that in your notifications. Digitally signing your messages is also a good idea.
If your company policies allow you to share logs then including e-mail, fileserver or firewall logs (possibly anonimized) can also help the security team for doing the analysis and providing feedback on the possible impact.