The landscape of cybersecurity research requires access to real-world malware specimens to analyse threat techniques and develop effective defences. For UK-based enthusiasts, students, and professionals in the field, understanding how to legally and safely obtain free trojan samples is a critical first step. This article details the available resources, methods for acquiring samples, and essential safety protocols, based exclusively on the provided source material.
Understanding the Purpose and Legal Context
Malware samples, including trojans, are utilised by cybersecurity researchers to study malicious behaviour, improve detection algorithms, and fortify defensive strategies. It is important to note that these samples are not promotional freebies for consumer use but are tools for educational and research purposes. The provided sources indicate that all samples should be handled exclusively within secure, isolated laboratory environments and never on production systems. The primary goal is to develop protection strategies, not to cause harm.
Key Sources for Free Trojan Samples
Several reputable platforms and repositories offer free access to malware samples for research. The following resources are mentioned in the source data, though researchers must verify current access requirements, as some may have changed since the data was compiled.
1. ANY.RUN
ANY.RUN is described as an online interactive sandbox with a vast database of over 6.2 million public submissions. It allows registered users to rerun and analyse samples, obtain reports and Indicators of Compromise (IOCs), and download malware for testing. Fresh samples are constantly added by researchers worldwide. The platform features a "Public submissions" window where users can explore tasks shared by the community. It also provides a filter system to search for specific samples by hash, run type (URL or file), extension, or country. While registration is required, the service offers free access to its public submission database and analysis tools, making it a valuable resource for researchers. Premium subscriptions are available for additional features.
2. Cybersight Security Malware Samples Repository
Hosted on GitHub, this repository is a curated collection of malicious software specimens for cybersecurity research and analysis. It provides security professionals with real-world samples to study malware behaviour, develop detection techniques, and enhance defensive strategies. The repository includes a comprehensive collection of real malware samples, categorised by type such as Remote Access Trojans (RATs), ransomware, and trojans. Examples of trojan samples listed include AgentTesla, Akira, Amadey, BanLoad, Berbew, Blankgrabber, Coper, Dirdex, and ICEDid. All samples are contained within password-protected archives (password: "infected") and should only be handled in secure, isolated environments. The repository is regularly updated with new specimens and is intended for research-focused organisations.
3. Curated Lists of Free Malware Sample Sources
A curated list of free sources where malware researchers can obtain samples is available. This list includes platforms such as MalwareBazaar, Hybrid Analysis, VirusShare, and vx-underground. Most of these resources require registration. The list emphasises the importance of taking precautions to avoid self-infection. Specific sources mentioned include:
- Contagio Malware Dump: Curated, password required.
- Hybrid Analysis: Registration required.
- MalShare: Registration required.
- MalwareBazaar
- theZoo aka Malware DB
- VirusShare: Registration required.
- vx-underground
Researchers are advised to be careful not to infect themselves when accessing and experimenting with malicious software.
Detailed Information on Specific Trojan Samples
The source data provides descriptions of several trojan samples that are available for research. These descriptions help researchers understand the potential threats they are studying.
- AgentTesla: A keylogger and information stealer used to capture sensitive data such as login credentials and financial information.
- Akira: A malware strain primarily designed for stealing cryptocurrency wallets and credentials from infected devices.
- Amadey: A modular trojan often used in phishing campaigns to steal personal and financial information.
- BanLoad: A banking trojan designed to steal sensitive banking information, such as login credentials and account details.
- Berbew: A trojan primarily targeting banking and financial institutions to steal sensitive information related to online banking transactions.
- Blankgrabber: A data-stealing malware focused on capturing sensitive information, like login credentials and financial data.
- Coper: A banking trojan specialising in stealing financial data, such as credit card details and online banking credentials.
- Dirdex: A trojan malware known for stealing sensitive information from infected systems and spreading through network shares and removable drives.
- ICEDid: A banking trojan designed to steal sensitive information from infected systems.
Safety Protocols and Best Practices
Handling malware samples, including trojans, carries significant risk. The source material repeatedly emphasises the need for extreme caution. The following protocols are explicitly recommended:
- Use Isolated Virtual Machines: Operate samples only within virtual machines that are disconnected from your main network and the internet. Tools like VMware and VirtualBox are suggested.
- Disable Network Connectivity: Ensure that the virtual environment has no network access to prevent the malware from communicating with command-and-control servers or spreading.
- Employ Memory-Only Analysis Tools: Where possible, use analysis tools that operate in memory to minimise the risk of file system infection.
- Utilise Sandbox Environments: Platforms like ANY.RUN provide a sandbox where malware can be analysed safely without direct exposure to your local system.
- Handle Password-Protected Archives: Many sample repositories provide archives password-protected with "infected". Only extract these in secure environments.
- Never Execute on Production Systems: Under no circumstances should malware be run on any production, business, or personal computer.
- Maintain Strict Isolation Protocols: Treat all samples as live threats and adhere to all laboratory safety procedures.
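The intake script below is an added example, not code from any of the sources above, that turns the archive-handling and isolation rules into a repeatable check: it refuses to run if the host still has a default route, extracts the "infected"-password archive without executing anything, rejects member paths that would escape the quarantine directory, writes each file read-only with no execute bit, and records SHA-256 hashes so the sample can be looked up by hash in ANY.RUN or MalwareBazaar. The function and directory names are assumptions; the route check is a Linux-only heuristic and fails closed elsewhere.

```python
import hashlib
import os
import stat
import zipfile
from pathlib import Path

# Password convention used by the repositories described above.
ARCHIVE_PASSWORD = b"infected"


def may_have_network() -> bool:
    """Linux heuristic: True if the routing table has a default gateway.
    Returns True (fail closed) when the table cannot be read."""
    try:
        with open("/proc/net/route") as fh:
            next(fh)  # skip header line
            return any(line.split()[1] == "00000000" for line in fh if line.strip())
    except (OSError, StopIteration, IndexError):
        return True


def intake_sample(archive: Path, quarantine: Path, *, allow_network: bool = False) -> dict:
    """Extract a sample archive into `quarantine` without executing it.
    Returns {member name: sha256 hex} for cross-referencing by hash."""
    if not allow_network and may_have_network():
        raise RuntimeError("host may have network access; extract only in an isolated VM")
    quarantine = Path(quarantine).resolve()
    quarantine.mkdir(parents=True, exist_ok=True)
    hashes = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (quarantine / info.filename).resolve()
            if quarantine not in target.parents:  # zip-slip: "../" or absolute member names
                raise ValueError(f"unsafe path in archive: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            digest = hashlib.sha256()
            # pwd applies to ZipCrypto-encrypted members; zipfile ignores it for plain ones
            with zf.open(info, pwd=ARCHIVE_PASSWORD) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(1 << 16), b""):
                    digest.update(chunk)
                    dst.write(chunk)
            os.chmod(target, stat.S_IRUSR)  # owner read-only, no execute bit
            hashes[info.filename] = digest.hexdigest()
    return hashes
```

Run it only on the analysis VM; on a networked workstation it stops before touching the archive unless `allow_network=True` is passed deliberately.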
The Role of ANY.RUN in Analysis
ANY.RUN is highlighted as a particularly useful tool for researchers. Beyond sample acquisition, it offers detailed analysis features. When a sample is run in its sandbox, researchers can examine:
- Process Graphs: A visual overview of the malware's actions and events.
- MITRE ATT&CK Matrix: A framework that provides a full view of the malware's tactics, techniques, and procedures (TTPs).
- PCAP Files: Network traffic data that can be downloaded for further analysis in tools like Wireshark. If the task was run with an HTTPS MITM Proxy, an SSL Key Log file is also available for decrypting HTTPS traffic.
These features allow for a comprehensive investigation of a trojan's behaviour without exposing the researcher's own infrastructure.
Access and Registration Considerations
Most free malware sample sources require user registration. This is a standard practice to track usage and maintain a community of researchers. For example, ANY.RUN, Hybrid Analysis, MalShare, and VirusShare all require registration. Some sources, like the Cybersight repository, are publicly accessible on GitHub but come with strict usage guidelines. Researchers should be prepared to provide basic information to create an account on these platforms. It is also important to review the terms of service and license agreements for each source, as they outline permitted uses and disclaimers of liability.
Conclusion
For UK-based cybersecurity researchers, accessing free trojan samples is a feasible but carefully regulated process. Platforms like ANY.RUN and repositories such as the Cybersight Security Malware Samples provide valuable, free resources for analysis. However, the paramount consideration is safety. All samples must be handled in strictly isolated environments, with network connectivity disabled, and using appropriate virtualisation and analysis tools. Researchers should prioritise sources that require registration and offer clear, curated collections, and they must always adhere to the legal and ethical guidelines for malware research. By following these protocols, enthusiasts can contribute to the development of stronger cybersecurity defences while maintaining the integrity of their own systems.
