Vast malware repository dedicated to testing and research
Frame4 Group is a Dutch company that has made its name specializing in different fields within IT: project and change management, process engineering, test coordination and quality assurance. Their customers include T-Mobile and British American Tobacco.
But it’s because of their security services that they came to our attention, specifically because of the Malware Distribution Project (MD:Pro). This is a large security archive with a massive collection of downloadable malware and computer underground related information for the purposes of analysis, testing, research and development.
Now, we all know that the big anti-malware names out there have their own archives and file exchange mechanisms in place for years. However, they are not accessible to most other security providers or organizations that could have an interest in them, and are therefore spending enormous amounts of time, money and effort to gather resources for R&D as well as testing purposes.
In MD:Pro, the malware downloads are accessible on a paid subscription basis, and are offered only to corporate customers, such as IT security solutions providers.
Rob McCarthy, founder and Senior Software Developer at Lightspeed Systems has been using MD:Pro since December 2008, and he comments: “I use it every week – without fail. I use the virus samples in my work to first verify that our virus signatures are complete, and secondly to find similarities between different viruses. Some weeks most of the virus samples are completely new and so I am able to test our anti-virus software against threats that our customers haven’t even seen yet” he says. “MD:Pro has proven itself to be the most complete source of virus samples that I know of. On a typical week they will supply me with 10,000 or more unique virus samples that I am unable to get from any other source – which means that our anti-virus solution can be tested more rigorously – ultimately making our product much, much better.”
A talk with the founder
“Despite having a somewhat cloudy reputation in the anti-virus industry at the very beginning, we are a legitimate company providing a malware database for the mainstream security industry since 2006. We are working hard to become world’s biggest and most trusted malware repository by gaining the trust of the IT security community.” says Anthony Aykut, owner and Managing Director of the Frame4 Group, with whom we sat down to find out more about this project.
He then proceeded to stress that they are not a malware/VX distribution site, nor do they condone the public spreading and/or distribution of such information. “Some may not agree with our business model, but mostly our service is well-received. The anti-virus industry was skeptical at first, but is exchanging samples and partnering with us now the common goal (fighting malware) has become clear. Presently our malware database is in use in various commercial anti-malware products such as blacklisting applications and security appliances around the world.”
So, how did they decide to embark on such a project? “We felt there was a need for a reputable research and development resource, one that would cater for security providers that fall outside of the core circle of anti-virus vendors. Existing open source repositories (e.g. Offensive Computing) do not fit requirements because of company policy, malware volume, etc., and we intended to fill that void.”
How does MD:Pro work? “The main challenge in managing such an immense collection of malware is in maintaining the integrity of the files. We have to ensure that there are no duplicates, no corrupted files, no false-positives.” muses Aykut. “On the operational side, we must also ensure that adequate systems are in place and functional to prevent an outbreak, as well the security of database to prevent pollution of malware samples. Fast and correct checking of obtained samples against the database is crucial.”
The malware is not accessible via the MD:Pro web site, but via private FTP access. The web site provides a searchable index of all the malware they have on file. For the moment, the database is updated weekly, but they plan to switch to daily updates by the end of 2009. Sample volume normally varies between 5000-50000 per week.
How big is the team behind MD:Pro and how does the typical workday at Frame4 look like – we wanted to know. “We are currently a team of two – there is me, acting as the General Manager, taking care of sales and business development, customer and partner relations and day to day operations, and my partner, acting as the Technical Director, in charge of the maintenance and administration of the malware DB, collecting malware and research.” says Aykut. “Our workdays are never “typical” due to having customers and partners in different geographical and time-zones. My typical work day is normally divided into two part – a tech-half where time is spent on the malware database (day-to-day operations: checking status of honeypots, answering mails, etc.) and an admin-half where time is spent on business development (looking for new clients) and customer/partner relations. A working day lasts anything between 6 to 16 hours, it gets pretty crazy at times.”
“Our customer base consists almost entirely of anti-malware vendors – MD:Pro has proven to be extremely attractive to anti-malware product manufacturers, developers of IDS/IPS systems, and research bodies.” explains Aykut.
When asked what features and improvements do customers look for in MD:Pro, Aykut explained: “Our clients are usually pretty pro-active when it comes to giving feedback on our services, but the main “request” in this line of business is usually a customer or partner looking for a specific piece or group of malware instead of requesting features and improvements to the service per se. Based on the feedback we got in the first two years of being in service, we have designed the new MD:Pro web site and by the end of 2009 we will be fulfilling the most wanted operational request: providing daily sample updates.”
And talking about fulfilling expectations, another customer – Halvar Flake, CEO and Head of Research at Zynamics – says that he’s been using MD:Pro since 2007 to test their malware classification and unpacking algorithms against recent malware samples, so that they can ensure that the tools work not only on their “test data”, but on the latest malware. “It is frightfully easy to get complacent with old test data. The real test for any R&D success is not the performance on historical malware (e.g. old stuff, 2006 or older) but on the things that come in now.” he muses. “In order to make sure our unpacking / classification tools perform their job, we need “fresh” malware, in sufficient quantities. Ideally, we want to have a “random sample” of the actual malware that is circulated. MD:Pro allows us to obtain such a “random sample” with a minimum of fuss.”
And, at last, there is just one more important question – What’s the price of the subscription and what does it include? “A subscription to MD:Pro costs Ã¢â€šÂ¬ 850 (approx. $ 1170) per month, for a minimum subscription period of 12 months. After the initial subscription period membership is automatically renewed on a rolling basis and can be terminated at one month’s notice. We usually offer a 10% reduction on fees for customers paying a year upfront.” explains Aykut. “A subscription to MD:Pro entitles you to receive our complete malware archive, including analysis reports, weekly sample updates (optional daily updates – coming soon, as I’ve already mentioned), file analysis reports in various formats: XML, CSV, access to future functionality (Malware Classification, Sandbox), full access to MD:Pro website, and last (but not least) – support.”
Parting words? “We do have a lot of malware in our collection, some even with source code; but we do not always have the very latest, as we do depend on what is harvested, traded or in some cases, given/donated to us. This means that we do not always have the very latest threats available the moment they come out in the wild. We do not, can not and will not compete with a specialist like Symantec, or with researchers and research centers around the world scanning 24×7 for the latest threats. This may change in the future though, we are working on it.”