Hello to the person who decided to name themselves 'gay4smellyvx' on Call of Duty.
Thank you for the meme submission, foilmanhacks
Good morning,
Our virus exchange website is going through a serious overhaul. Moving forward, all samples submitted will automatically upload to VirusTotal. The sample uploaded will subsequently be tagged and/or renamed using the VirusTotal 'Popular threat label' naming convention.
If a popular threat label is not present but the sample still has a sufficiently high threat score, it will default to the Kaspersky naming convention.
All malware files will be retained, even junk file infectors like Padodor or Berbew. If the file is not malware we will delete it. We only want malware.
Additionally, each day our virus exchange will release a 'daily dump' 7z file. This will be every file submitted, named as stated previously, and synced to vx-underground to be available for bulk download.
An API is available for programmatic access to virus exchange. Some users have created unofficial wrappers in Python to ease API access to our malware database.
This is all free of charge. Anyone, anywhere, can access this resource and download as much as they'd like. However, we ask you consider donating to allow this to continue. Furthermore, if you're unhappy with the performance of the site, we advise larger companies to consider becoming monthly sponsors. A system at this scale, while remaining free of charge, is not easy.
We hope moving forward we can give back to individuals who submit and share samples with us by offering rewards to valued contributors... but that's a conversation at a later date and later time.
Thanks,
- smelly
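As an added illustration (not vx-underground's code), the naming rule described above applied to a VirusTotal v3 file report in Python: use the popular threat label when present, otherwise fall back to the Kaspersky verdict when enough engines flag the file, otherwise treat it as not malware. The engine-count threshold and the `<label>_<sha256>` filename layout are assumptions, and the sample reports are constructed.

```python
import re

# Assumed threshold: the post says "sufficiently high threat score" without a
# number, so the minimum count of engines flagging the file is an assumption.
MIN_MALICIOUS_ENGINES = 10


def _sanitize(name: str) -> str:
    # Make the verdict filesystem-safe; labels may contain '/' or ':'.
    return re.sub(r"[^A-Za-z0-9._-]+", "_", name).strip("_")


def derive_sample_name(report: dict, sha256: str, min_malicious: int = MIN_MALICIOUS_ENGINES):
    """Name for storing a sample, or None when it should be deleted (not malware).

    Field paths follow the VirusTotal v3 file object; the "<label>_<sha256>"
    layout is an assumption, not vx-underground's actual scheme.
    """
    attrs = report.get("data", {}).get("attributes", {})
    malicious = int(attrs.get("last_analysis_stats", {}).get("malicious", 0))

    # Rule 1: the VirusTotal popular threat label wins when present.
    label = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label")
    if label:
        return f"{_sanitize(label)}_{sha256}"

    # Rule 2: no popular label but enough engines agree -> Kaspersky's verdict.
    kasp = (attrs.get("last_analysis_results") or {}).get("Kaspersky") or {}
    if malicious >= min_malicious and kasp.get("category") == "malicious" and kasp.get("result"):
        return f"{_sanitize(kasp['result'])}_{sha256}"

    # Neither rule applies: treat as not-malware, the caller discards the file.
    return None


# Constructed reports (not real VirusTotal data), trimmed to the fields used above.
REPORT_WITH_LABEL = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 58, "undetected": 12},
    "popular_threat_classification": {"suggested_threat_label": "trojan.agenttesla/stealer"},
    "last_analysis_results": {"Kaspersky": {"category": "malicious", "result": "HEUR:Trojan-PSW.MSIL.Agensla.gen"}},
}}}
REPORT_KASPERSKY_ONLY = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 31, "undetected": 40},
    "popular_threat_classification": {},
    "last_analysis_results": {"Kaspersky": {"category": "malicious", "result": "Virus.Win32.Padodor.a"}},
}}}
REPORT_CLEAN = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 1, "undetected": 70},
    "last_analysis_results": {"Kaspersky": {"category": "undetected", "result": None}},
}}}
```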
As a side note, because others have asked, we have no intention of implementing malware configuration extractors, gathering C2 information, etc. That is something more along the lines of Triage. That is much more exhaustive work.
https://tria.ge
"why doesn't vxug prompt for cookies"
the only cookies present are for maintaining your session on vxug or vxdb. we don't track you, we don't collect data, we don't do ads, blah blah blah. its just malware ok download it
We've updated the vx-underground Windows malware paper collection. We have a lot more papers in queue.
Read them.
Papers:
- 2024-08-31 - Finding open file handles in PS
- 2024-08-30 - Evil MSI A story about vulnerabilities in MSI Files
- 2024-08-26 - DLL Sideloading with LicenseDiag.exe
- 2024-08-19 - DRMBIN - Prevent binaries from running on other machines
- 2024-08-15 - Offline SAM Editing
- 2024-08-14 - Tricks with Microsoft Word and Sandboxes
- 2024-08-13 - Abusing AV/EDR Exclusions to Evade Detections
- 2024-06-09 - Bypassing EDR NTDS.dit protection using BlueTeam tools
Generally speaking, the ultimate goal of collecting malware is getting malware which offers intelligence in some capacity.
- Novel malware
- Stagers and/or chains (leading to malware)
- Active malware campaigns
There is a metric poop-ton of dead malware floating in cyber space which offers nothing of value. Collecting it simply allows you to add (yet another) SHA256 entry in your DB of known-bad files. It will do (probably) nothing except alter system files and be annoying.
Ideally, you'd like malware you can extract C2 information from, tie to a malware campaign, study for making detection rules, or study to learn new malware development techniques.
Old and dead malware does nothing except take up space. But, some vendors like it just to check it off as 'lol this bad fr'.
As an example: our malware ingestion can take in millions upon millions of "padodor", "berbew", "qukart", "vilsel", "zegost", or "vbclone" samples. Most of these don't even work on modern Windows, drop like, 100+ copies of themselves, and can't connect to anything.
tl;dr it's dead
Today we ingested 1,721,892 suspected malicious binaries.
Non-junk malware: less than 100,000, probably closer to 60,000
Today reports surfaced on a cybersecurity incident impacting the London Transport Department.
We can assert with a high degree of confidence that this 'incident' is of extreme severity. The immediate presence of the NCA and NCSC drives this point further.
Updates to vx-underground:
Papers:
- 2024-09-03 - Rundll32 and Phantom DLL lolbins
- 2024-08-17 - HookChain - A new perspective for Bypassing EDR Solutions
- 2024-08-11 - DriverJack
- 2024-08-11 - Blocking EDR drivers with HVCIDisallowedimage
- 2024-08-10 - ShimMe - Manipulating Shim and Office for Code Injection
- 2024-08-09 - Blocking EDR Drivers with WDAC policies
- 2024-08-08 - Abusing Windows Hello without a severed hand
Families:
- Android.BlankBot
- AteraAgent
- AtlantidaStealer
- Azorult
- BruteRatel
- CobaltStrike
- DCRat
- DonutLoader
- GCleaner
- Gh0stRAT
- GuLoader
- Lokibot
- LummaStealer
- Mirai
- Neshta
- NjRat
- Pony
- PureLogStealer
- RhadamanthysLoader
- Sliver
- Vidar
- XWorm
- ArcStealer
- AgentTesla
- Amadey
- Andromeda
- AsyncRAT
- AugustStealer
- CryptBot
- CyberGateRAT
- Danabot
- Formbook
- Latrodectus
- MicroClip
- Rakos
- Redline
- Remcos
- StealC
- XenoRAT
Note: someone said the artwork we use when pushing updates is scary, they requested we post something cute instead.
September 3rd, Lara Trump (daughter-in-law of former U.S. President Donald Trump) and Tiffany Trump (daughter of former U.S. President Donald Trump) had their X accounts compromised.
Their accounts briefly shilled some sort of crypto stuff. X locked the accounts within minutes.