Mining Malware – Part I

Hard to find, but priceless.

I first found out about Stuxnet from this post on the WildersSecurity forum, and not through any of the other channels frequently mentioned. It was early July 2010 when I saw the post, and I immediately started pulling whatever information I could get. It wasn’t much though; at the time I wasn’t talking to many of the security guys who would have access to the malware.

During that time, I began to wonder if there were any other infections related to automation that we had missed over the Lost Decade. The idea stayed in the back of my mind while I continued my engineering and security work, and even when I was working for a utility. In other words, what was already out there that had been detected, but discarded or deemed irrelevant?

I know generation and transmission systems, I’ve done work on them for years. And I know many of the programs used in DCS and SCADA for Electric Power, how they are installed, and how the components fit together. If I, or other engineers/security-pros, had access to malware samples, we could search those malware samples for evidence of targeting SCADA and DCS. The major impediment for me was always this: I never had access to bulk malware samples, the kind that all the major Anti-Virus software companies had.

Well, now I do. Thanks to @VXShare, I now have in my hands a 2 TB hard drive filled with malware samples. @VXShare is a malware researcher and forensics expert, and has been periodically releasing massive collections of malware samples via BitTorrent. If you are working on malware, you should check @VXShare out. And the best part of this is that they aren’t simply hashes, they are actual executables.

Currently, I’m working up a database layout for the samples, and will be coding the operations I wish to run on the data. I’ll keep you in the loop on what I’m up to, but for right now it’s basic strings. I’ve got some more plans, but I really just need to get things in a basic format first.

So, Digital Bond readers, what are some basic strings you’d expect to see in malware that was attempting to compromise automation systems? I’ll be searching for filenames, directories, services, etc., with a specific focus on DCS and SCADA, but I doubt I’m the only one who would like to search this corpus. Chime in on the form below (one string per line, or comma separated), and if I find anything you’ll be the first to know.
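As an added illustration of the kind of "basic strings" pass described above (this is example code written for this page, not the author's tooling or anything from @VXShare), here is a minimal pipeline: pull printable ASCII and UTF-16LE runs out of each sample the way `strings -e s` / `strings -e l` would, match them case-insensitively against a reader-supplied indicator list, and record sample hashes and hits in a SQLite table so the corpus can be queried later. The indicator list, table layout and the two byte-string "samples" are constructed placeholders and assumptions, not findings from the corpus.

```python
import hashlib
import re
import sqlite3
from pathlib import Path

# Illustrative indicator list (an assumption for this example, not from the post):
# one entry per string a reader would submit -- product names, paths, service names.
INDICATORS = ["WinCC", "Step7", "SIMATIC", "Modbus", "DNP3", "OPC"]

MIN_LEN = 6  # shortest run worth keeping, as with `strings -n 6`
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)          # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # UTF-16LE runs (Windows API strings)


def extract_strings(data: bytes):
    """Yield (encoding, text) for every printable ASCII and UTF-16LE run in a blob."""
    for m in ASCII_RE.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RE.finditer(data):
        yield "utf16le", m.group().decode("utf-16le")


def match_indicators(strings, indicators=INDICATORS):
    """Case-insensitive substring search; returns [(indicator, encoding, matched_string), ...]."""
    lowered = [(ind, ind.lower()) for ind in indicators]
    hits = []
    for enc, text in strings:
        text_low = text.lower()
        for ind, ind_low in lowered:
            if ind_low in text_low:
                hits.append((ind, enc, text))
    return hits


def create_schema(conn):
    """One row per unique sample (keyed by SHA-256), one row per indicator hit."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS sample (sha256 TEXT PRIMARY KEY, path TEXT, size INTEGER);
        CREATE TABLE IF NOT EXISTS hit (sha256 TEXT, indicator TEXT, encoding TEXT, string TEXT,
                                        FOREIGN KEY (sha256) REFERENCES sample(sha256));
        CREATE INDEX IF NOT EXISTS hit_by_indicator ON hit(indicator);
    """)


def index_sample(conn, name, data):
    """Hash, string-scan and store one sample; duplicate files collapse onto one sha256 row."""
    sha = hashlib.sha256(data).hexdigest()
    conn.execute("INSERT OR IGNORE INTO sample VALUES (?, ?, ?)", (sha, name, len(data)))
    hits = match_indicators(extract_strings(data))
    conn.executemany("INSERT INTO hit VALUES (?, ?, ?, ?)",
                     [(sha, ind, enc, text) for ind, enc, text in hits])
    return sha, hits


def scan_directory(conn, root):
    """Walk a sample tree on disk (e.g. the VXShare drive) and index every file."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            index_sample(conn, str(path), path.read_bytes())


def samples_hitting(conn, indicator):
    """Paths of all samples that contained a given indicator, for a closer manual look."""
    rows = conn.execute(
        "SELECT DISTINCT s.path FROM hit h JOIN sample s USING (sha256) "
        "WHERE h.indicator = ? ORDER BY s.path", (indicator,))
    return [r[0] for r in rows]


# Constructed stand-ins for real executables: a fake MZ header plus a few embedded strings.
SAMPLES = {
    "sample_a.bin": (b"MZ\x90\x00" + b"\x00" * 16
                     + b"C:\\Program Files\\Siemens\\WinCC\\bin\\" + b"\x01\x02"
                     + "Step7 project".encode("utf-16le") + b"\x00\x00"),
    "sample_b.bin": b"MZ\x90\x00" + b"kernel32.dll\x00GetProcAddress\x00" + b"\xff" * 8,
}


def scan_samples(samples):
    """Index an in-memory {name: bytes} dict into a fresh SQLite DB; returns (conn, {name: [indicators]})."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    summary = {}
    for name, data in samples.items():
        _, hits = index_sample(conn, name, data)
        summary[name] = [ind for ind, _, _ in hits]
    return conn, summary


if __name__ == "__main__":
    conn, summary = scan_samples(SAMPLES)
    for name, inds in summary.items():
        print(name, "->", inds or "no hits")
    print("samples mentioning WinCC:", samples_hitting(conn, "WinCC"))
```

The UTF-16LE pass matters because Windows malware often keeps paths, service names and registry keys as wide strings, which a plain ASCII `strings` run silently misses. Keying the table on SHA-256 means re-indexing a second copy of the same file costs nothing, which is the main thing you want on a multi-terabyte corpus full of duplicates. Real runs would swap `SAMPLES` for `scan_directory(conn, "/path/to/samples")` against a file-backed database.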
