Samples.malware.org: sample sharing for the next decade?
Richard Ford, Thomas Walsh and William Allen, Florida Institute of Technology
In the anti-malware industry, public discussion of sample exchange is verboten: any discussion regarding sample trades is
far too reminiscent of 'black-hat' activities for comfort. However, the reality is that the anti-malware industry has an
extensive sample-sharing community that is crucial to providing protection globally. Unfortunately, as the goals of some
malware authors change, the effectiveness of traditional sharing paradigms requires revisiting. In particular, corporate
users are desirous of a rapid way of submitting samples to a group of vendors in one simple step, as well as investigating
suspicious files with multiple scanners. In order to address this need, various sample submission and multi-scanner 'services'
(such as VirusTotal and Jotti) have been developed. However, these services have the potential to be abused by both malware
writers and users to the detriment of the industry in general.
In this paper, we present a design for a robust and safe sample submission service, and review some of the history
of industry sample sharing. The presentation concludes with a demonstration of our automated sample submission service,
samples.malware.org, and discusses design choices that make the system more robust for end-users, resistant to abuse,
and capable of providing benefit to the community at large.