
MalwareBazaar – Malware Sample Exchange

84 points | todsacerdoti | 5 years ago | bazaar.abuse.ch

32 comments

omginternets | 5 years ago
I'm not an infosec professional, but I'm curious to poke around some of these samples. Any recommendations for good hygiene when manipulating this stuff?
arsome | 5 years ago
If you're just playing with script-kiddie stuff and not ridiculous zero-days, an up-to-date virtual machine should be just fine; make sure to keep your VM up to date. VM-breaking malware is actually quite rare and usually patched quickly. This is the same stuff that keeps cloud providers safe, where anyone can execute arbitrary code in a VM on their systems; if it's good enough for them, it's probably good enough for you. Just make sure it has no access to your network.

VM-detecting malware, however, is exceedingly common: plan to have to bypass basic VM detection; minimal knowledge of reverse engineering should make that pretty easy.

If you want/need to allow it access to the internet for dynamic analysis or botnet monitoring, I'd suggest looking into setting up a separate VM to route all the traffic over Tor or a commercial VPN provider and allowing it access only via that VM. This way if you manage to piss off any script kiddies you won't be the one who gets DDoS'd.

Nothing is perfect and if you're serious about this consider separate hardware, but if you're not quite that paranoid this setup is highly workable.
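The sample-handling hygiene this comment describes, as an added example that is not part of the thread and not abuse.ch's own tooling: a small Python intake routine for files downloaded for analysis. Each sample is verified against the SHA-256 it was downloaded by (if known), renamed to that hash with a non-executable extension so the original name (and any double-click handler) is gone, made read-only, and recorded in a manifest. The `.malz` extension is an arbitrary assumption (any extension with no registered handler works), and the sample bytes in `demo_intake` are constructed placeholders, not malware.

```python
import hashlib
import json
import os
from pathlib import Path

# Assumption: ".malz" is a made-up extension with no registered handler, so
# nothing on the analyst's workstation will open the file by accident.
QUARANTINE_EXT = ".malz"


def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a blob. Sample exchanges and threat-intel
    feeds key on these, so record all three in the manifest."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_expected(data: bytes, expected_sha256: str) -> bool:
    """True if the blob hashes to the SHA-256 you downloaded it by."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


def quarantine_sample(src, quarantine_dir, expected_sha256=None) -> dict:
    """Move one downloaded sample into the quarantine directory:
    verify it (if a hash is known), rename it to <sha256>.malz, make it
    read-only, delete the original, and return a manifest record."""
    src = Path(src)
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)

    data = src.read_bytes()
    digests = hashes_of(data)
    if expected_sha256 is not None and not matches_expected(data, expected_sha256):
        raise ValueError(f"{src.name}: SHA-256 mismatch, got {digests['sha256']}")

    dest = quarantine_dir / (digests["sha256"] + QUARANTINE_EXT)
    if not dest.exists():          # same bytes already stored: keep the read-only copy
        dest.write_bytes(data)
    os.chmod(dest, 0o400)          # owner read-only: no accidental edits or execution
    src.unlink()                   # the original (executable-looking) name must not linger

    return {
        "original_name": src.name,
        "stored_as": dest.name,
        "size": len(data),
        **digests,
    }


def write_manifest(records: list, quarantine_dir) -> Path:
    """Write the inventory of what is on the analysis box as JSON."""
    path = Path(quarantine_dir) / "manifest.json"
    path.write_text(json.dumps(records, indent=2, sort_keys=True))
    return path


def demo_intake() -> list:
    """Constructed end-to-end run in a temporary directory. The two files are
    harmless placeholder bytes, not real samples."""
    import tempfile
    work = Path(tempfile.mkdtemp(prefix="intake-"))
    samples = {
        "invoice.exe": b"constructed placeholder bytes, not malware\n",
        "update.js": b"constructed second placeholder, not malware\n",
    }
    records = []
    for name, data in samples.items():
        path = work / name
        path.write_bytes(data)
        # In practice expected_sha256 is the hash the sample was listed under.
        records.append(quarantine_sample(path, work / "quarantine",
                                         expected_sha256=hashes_of(data)["sha256"]))
    write_manifest(records, work / "quarantine")
    return records


if __name__ == "__main__":
    for record in demo_intake():
        print(json.dumps(record, indent=2))
```

Run it inside the analysis VM, not on the host; the point of the manifest is that the VM's contents stay known and reproducible, so it can be rolled back to a clean snapshot without wondering what was left behind.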

stellersjay | 5 years ago
I have done a fair bit of reverse engineering to date, including malware analysis. Haven't read all the comments, but of course a safe environment is important. Virtual environments can even be broken out of if you don't know how to debug simple samples that check for disassembler or debugger presence. If you want to get some hands-on experience, I recommend checking out https://nostarch.com/malware (Practical Malware Analysis); it will prepare you for messing with real-life samples. Techniques are still relevant but technology might be different, e.g. IDA is great but Ghidra is the new hotness on the street.

Anyway, have fun, good luck and be safe. Most of all, happy hacking :)

elorant | 5 years ago
Depending on your level of paranoia, I wouldn't touch those except on a separate computer. I don't think a VM is sufficient; there have been reports about malware that can break out of a sandboxed environment.
thomasdub | 5 years ago
This is quite dangerous unless you know what you're doing; if you execute the malware, then plan to throw away all equipment you're using to analyze it. For a next-best experience, if you're curious, you should upload one to an online malware sandbox, e.g. app.any.run, which allows you to interact with it, look at network traffic, inspect file mods etc. - all the fun, much, much less risk and hassle!
hirako2000 | 5 years ago
Just a sandboxed virtual machine.
jusmakingapost | 5 years ago
Why not use something like AlienVault? What are the perks of using this over other services?
capableweb | 5 years ago
"AlienVault is Now AT&T Cybersecurity"

VS

Open, community-oriented project with open API access and published archives from abuse.ch

thomasdub | 5 years ago
MalwareBazaar allows users to share live samples of indicators, and not just the hashes/metadata associated with them, which threat intel platforms like AlienVault do. There are several differences between the two, but the biggest advantage (along with providing the actual malware to you) of MalwareBazaar is that it's higher fidelity: you will get far fewer false positives, as the barrier to entry is much higher. Nobody is going to label 8.8.8.8 as malicious, which happens occasionally in AlienVault. As such, this isn't really a service; it's more a way for the more advanced threat intel analysts and reverse engineers to share data.
neatze | 5 years ago
Seems like there's only a little PDF malware; I am surprised.
asdff | 5 years ago
And people wonder why Adobe pushes an Acrobat update every hour.