
I would like to get more into studying black market internet activities related to malware. I often see specific malware or kits for sale or ddos services, etc.

  1. How do researchers go about studying these things without having to illegally purchase them? Is it just a risk people take to stay on top of the industry, or do countries like the US (where I am based) provide any protections for this sort of thing?
  2. What technical precautions should be taken to ensure I do not harm myself (my identity)? I am ignoring my safety with respect to actually studying the malware itself since that is well discussed elsewhere, but I am specifically referring to everything up to and through the acquisition of said malware.
  • It varies a lot in different jurisdictions. In some, merely buying something you know to be illegal can be a crime. In others, the knowledge isn't required. In yet others, the purchase is legal, but breaking any protection on the code is not. You would be safest to consult a specialist lawyer in your country before acting. – Matthew Aug 22 '16 at 16:17
  • If you google enough, you will learn that most of it is through honeypots, or reverse engineering the malware code to the C&C address and user id/password. Sometimes researchers can get the whole source code from the C&C. – mootmoot Aug 22 '16 at 16:49
  • I don't know if James Young is your real name (frankly, I don't need to), but don't ever use nicknames similar to your name when browsing the darknet! – A. Darwin Aug 22 '16 at 17:46
  • I'd worry mostly about you being a USA citizen. Reverse engineering could easily trample on the DMCA, and you wouldn't be the first security researcher to face prison time on that basis... the fact that the software being cracked is malware might help you, but then again it may not. – Matija Nalis Aug 22 '16 at 20:28

2 Answers


Okay, here are my 2 cents.

  1. You don't necessarily have to purchase malware to study them. You can scour the interwebs looking for malware, get infected, get hold of the right files and start researching them! Or, you can find malware to study on Github. Take a look at - https://github.com/rshipp/awesome-malware-analysis#malware-corpora.
  2. The only technical precaution I would take while purchasing malware or mal-services online would be to pay in Bitcoins. That would take care of not revealing your identity and your payment information to malware-sellers. I doubt Governments would spend their time, money and effort hunting down people that purchase malware with Bitcoin.

Hope this helps!

– theabhinavdas

  • Your first point is legitimate. However, note that Bitcoin is not a truly anonymous currency, nor was it ever meant to be. Also see here: http://bitcoin.stackexchange.com/questions/193/how-do-i-see-the-ip-address-of-a-bitcoin-transaction Further, as a U.S. citizen I can tell you that my overreaching government has no qualms chasing after shadowy people who purchase malware with Bitcoin. Just look at the IRS's takedown of KickAss Torrents, whose founder was Ukrainian and lived in Poland, but happened to have one server in Chicago. The feds were able to track his IP from ad sales on the site. – Verbal Kint Aug 22 '16 at 18:41
  • And I'm convinced that any government would happily spend its citizens' money for special interests in the name of security. – Verbal Kint Aug 22 '16 at 18:43
  • I never said that Bitcoin payments are truly anonymous. I clearly stated why I would prefer paying by Bitcoins to underground malware devs/sellers - `That would take care of not revealing your identity and your payment information to malware-sellers.` It is possible, however, to shuffle around the Bitcoins so much that it becomes annoying and possibly extremely difficult to track. – theabhinavdas Aug 22 '16 at 18:45
  • No matter how much "shuffling" you do, all transactions are still visible on the blockchain, with the sender's and receiver's bitcoin addresses, and the amount sent. Plus, the blockchain is easily searchable. Although it might be time consuming or difficult manually, there is nothing stopping even a semi-competent security team or government agency from tracing it back to a single bitcoin address, or worse, an IP address. – Verbal Kint Aug 22 '16 at 18:54
  • @VerbalKint, then you have absolutely no idea what you're talking about. If you did, you wouldn't make such a statement. Learn about taint and taint analysis. Bitcoin mixers/tumblers/whatever-you-call-them ideally provide 0% taint, meaning, there is no link from the sender address to the receiver. Here's an example - [https://blockchain.info/taint/1dice6GV5Rz2iaifPvX7RMjfhaNPC8SXH](https://blockchain.info/taint/1dice6GV5Rz2iaifPvX7RMjfhaNPC8SXH). Scroll down, you'll notice a lot of *0%* taints. Now, while I agree it *may be* possible, it is *extremely difficult*, which I already mentioned. – theabhinavdas Aug 22 '16 at 19:03
  • @VerbalKint, also, why do you think nobody caught the perpetrators behind the various famous Bitcoin heists? I'm sure millions of dollars of stolen Bitcoins is enough to warrant hiring a *semi-competent* security team, as you said. It's also enough to warrant Government intervention, IMHO. But then, have you heard of all of the perps getting caught? – theabhinavdas Aug 22 '16 at 19:06
  • Huh. Well, then I admit defeat and thank you for keeping the torch of knowledge lit in spite of my apparent shroud of ignorance. – Verbal Kint Aug 22 '16 at 19:09
  • @VerbalKint, haha, cheers mate! :) And I apologise that I came off a little harsh in a prior comment. – theabhinavdas Aug 22 '16 at 19:12
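The comment thread above argues over "taint", the fraction of an address's funds that can be traced back to a flagged source. As an added example (not code from any of the posters, and not the method blockchain.info used), here is the simple pro-rata taint model run from a forensic analyst's side over a constructed in-memory ledger: transaction ids, addresses and amounts are all made up for the example, and fees are ignored. It shows why splitting and recombining funds across several hops does not break the link: every hop is on the ledger, so the value-weighted taint of each later address, and the chain of transactions that carried it there, can be recomputed by anyone holding the ledger.

```python
"""Pro-rata ("haircut") taint analysis over a constructed toy ledger.

Constructed example, not real blockchain data.  Each transaction spends
earlier outputs and creates new ones; taint is the fraction of an output's
value that traces back to a flagged source address, attributed pro rata
across the spending transaction's inputs.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    address: str
    amount: float


@dataclass
class Tx:
    txid: str
    inputs: list   # list of (prev_txid, output_index) being spent
    outputs: list  # list of TxOut


# Constructed ledger, in spend order (parents before children):
# tx0 pays the flagged address A; tx1 splits it; tx2 is a clean origin;
# tx3 mixes tainted and clean value; tx4 recombines two tainted branches.
LEDGER = [
    Tx("tx0", [], [TxOut("A", 10.0)]),
    Tx("tx1", [("tx0", 0)], [TxOut("B", 6.0), TxOut("C", 4.0)]),
    Tx("tx2", [], [TxOut("D", 10.0)]),
    Tx("tx3", [("tx1", 0), ("tx2", 0)], [TxOut("E", 8.0), TxOut("F", 8.0)]),
    Tx("tx4", [("tx3", 1), ("tx1", 1)], [TxOut("G", 12.0)]),
]


def _index(ledger):
    return {tx.txid: tx for tx in ledger}


def compute_taint(ledger, source):
    """Return {(txid, index): taint} for every output in the ledger.

    Origin outputs (transactions without inputs) are fully tainted only when
    they pay `source`; every other output inherits the value-weighted taint
    of the inputs its transaction spent.
    """
    by_id = _index(ledger)
    taint = {}
    for tx in ledger:
        if not tx.inputs:
            for i, out in enumerate(tx.outputs):
                taint[(tx.txid, i)] = 1.0 if out.address == source else 0.0
            continue
        total_in = tainted_in = 0.0
        for prev_txid, idx in tx.inputs:
            amount = by_id[prev_txid].outputs[idx].amount
            total_in += amount
            tainted_in += amount * taint[(prev_txid, idx)]
        frac = tainted_in / total_in if total_in else 0.0
        for i in range(len(tx.outputs)):
            taint[(tx.txid, i)] = frac
    return taint


def address_taint(ledger, source, address):
    """Value-weighted taint of everything ever paid to `address`."""
    taint = compute_taint(ledger, source)
    total = tainted = 0.0
    for tx in ledger:
        for i, out in enumerate(tx.outputs):
            if out.address == address:
                total += out.amount
                tainted += out.amount * taint[(tx.txid, i)]
    return tainted / total if total else 0.0


def trace_path(ledger, source, target):
    """Shortest chain of txids carrying value from `source` to `target`, or []."""
    by_id = _index(ledger)
    spenders = {}  # (txid, idx) -> the transaction that spends that output
    for tx in ledger:
        for prev in tx.inputs:
            spenders[prev] = tx
    start = [(tx.txid, i) for tx in ledger
             for i, o in enumerate(tx.outputs) if o.address == source]
    queue = deque((utxo, [utxo[0]]) for utxo in start)
    seen = set(start)
    while queue:  # breadth-first walk forward along spends
        utxo, path = queue.popleft()
        if by_id[utxo[0]].outputs[utxo[1]].address == target:
            return path
        nxt = spenders.get(utxo)
        if nxt is None:
            continue
        for i in range(len(nxt.outputs)):
            child = (nxt.txid, i)
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [nxt.txid]))
    return []


if __name__ == "__main__":
    for addr in "ABCDEFG":
        print(addr, round(address_taint(LEDGER, "A", addr), 4),
              trace_path(LEDGER, "A", addr))
```

Address E ends up 37.5% tainted (6 tainted of 16 input units in tx3), and G, which recombines the F and C branches, ends up 7/12 tainted, reachable from A via tx0, tx1, tx4. A mixing service that claims "0% taint" is claiming to break exactly this computation; whether it actually does so depends on how its own transactions appear on the same public ledger.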

All of the below is subject to your knowing exactly what your target samples are and adjusting all the moving parts accordingly.

How do researchers go about studying these things without having to illegally purchase them?

Setting up a honeypot is a common way to do this. Under the appropriate conditions and as means to capture malware for study in an appropriately secured environment, that is. Take a thorough look at the linked reference, but as key points I would highlight:

  • Set up your honeypot safely in an infrastructure that is appropriately isolated and purpose-provisioned. That is, never violating the terms of service, should they apply.
  • Make sure not to have conflicts of interest. Any evidence you obtain (in the course of a formal cybercrime investigation) by way of a honeypot is in a very complex legal juncture that I won't even dare to address. Never utilize hardware or software from a third party or your employer to perform your analysis if doing so violates applicable policy, company or otherwise.

Here is a diverse collection of honeypots you can test out. Again, nothing beats knowing your target malware and provisioning an appropriate environment (platform, isolation, firewall rules...) to capture a sample safely.

What technical precautions should be taken to ensure I do not harm myself (my identity)?

Your question is rather broad, and there are many moving parts. Practical Malware Analysis is a wonderful place to start (perhaps the best) regarding both analyzing malware and setting up a basic safe environment to perform your analysis. It also contains many samples that have been slightly changed to no longer be harmful, while maintaining malicious "type" behavior and obfuscation/packing.

– dotproi