A forum for reverse engineering, OS internals and malware analysis 
 #26123  by marcioguerreiro
 Fri Jun 19, 2015 8:34 am
My name is Marcio Guerreiro and I am a student at London Metropolitan University, located in the UK. I am doing my MSc project, which involves the analysis of network attack malware. At the moment I have installed the notorious Snort IDS and I am looking for malware samples to study the behaviour. I am looking for advice on where to find malware that triggers network attacks instead of local attacks. I do not have a HIDS, so I would not be able to analyze the changes made locally.

thank you

Marcio
 #26146  by Daemon
 Sat Jun 20, 2015 2:15 pm
Even without the ability to see local changes on a machine, such as registry changes, you can still use Snort to identify malware infections based on different aspects that are unique to that specific piece of malware.

So for example, you may have a malware that does a DNS query for specific domains after it's downloaded, so you write a rule that checks for DNS queries including that domain (or domains); you can check either by bytes or by text, and there are advantages/disadvantages to each. Or you may have malware like Slammer that tries to perform a buffer overflow against MSSQL servers (I'm assuming that this is what you meant by network attack?), in which case you could write a rule that checks for that overflow in the packet.

And then you have malware with no known C&C, or a constantly changing one, that nevertheless always downloads a file, like the Dropper trojan family. In which case you could write a rule that checks for specific bytes from that binary in the packets. However, there are ways for people to get around this: if Dropper is on your host and reaches out to download an encoded binary, the bytes will no longer match the signature, so no alert triggers; then the Dropper itself could perform the decoding and allow the main payload to run. Or maybe the malware MAY hit certain domains, and it MAY download a specific binary, but if you see an alert for both then you have a probable infection. But that's where correlation and SIEMs come in, a whole different subject matter IMO. And this isn't even touching on the variety of attacks that can be checked for that don't include a malware drop, such as scans, SQLi attempts, brute force, etc.

So tl;dr: you can't really just grab malware that will trigger based on network-related rules vs. local changes. It depends entirely on how you write the signature, and that is a field unto itself. Hopefully this answers your questions, and I'd be happy to give you some pointers in the right direction if you have more questions. Best of luck man, you've picked a subject that seems easy on the surface but in fact has many facets to it; however, I find it interesting as hell.

Side note: did I interpret your questions correctly? I apologize if you already knew all this; I just wasn't super clear on what you were asking, so I just kinda tossed it all out there.
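The three signature styles described in the answer above (a DNS lookup for a known domain, an overflow payload sent at the MSSQL resolution service on UDP/1434, and the raw bytes of a dropped binary inside an HTTP response), plus the encoded-download evasion it warns about, as an added worked example that is not part of the original thread. The equivalent Snort rules are given in comments; the Python re-implements their logic over hand-constructed packets so it can run without Snort. The domain `evil-c2.example`, the `CONSTRUCTED-DROPPER-MARKER` bytes, the `dsize:>128` threshold and the sids `1000001`-`1000003` are all hypothetical, not real indicators.

```python
# Toy network-signature matcher for the three detection approaches
# discussed in the thread. All packets, the C2 domain and the "known
# dropper" bytes are constructed for this example; none are real IOCs.
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "proto sport dport payload")

# Snort 2.9 rules expressing the same checks (reference only; the Python
# below is a simplified re-implementation, not Snort's engine):
#
# alert udp $HOME_NET any -> any 53 (msg:"DNS lookup for hypothetical C2 domain"; \
#   content:"|07|evil-c2|07|example|00|"; nocase; sid:1000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"Oversized MSSQL resolution request"; \
#   content:"|04|"; depth:1; dsize:>128; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Known dropper bytes in HTTP body"; \
#   flow:to_client,established; content:"CONSTRUCTED-DROPPER-MARKER"; sid:1000003; rev:1;)

C2_DOMAIN = "evil-c2.example"                 # hypothetical
DROPPER_SIG = b"CONSTRUCTED-DROPPER-MARKER"   # hypothetical byte pattern


def build_dns_query(name, txid=0x1234):
    """Minimal DNS A query: 12-byte header, length-prefixed labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def dns_qname(payload):
    """Parse the first question name out of a DNS packet, or None if malformed."""
    i, labels = 12, []
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0 or i + 1 + n > len(payload):   # compression pointer or truncated label
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None


def match_dns(pkt):
    """Rule 1: query name is the C2 domain or a subdomain of it."""
    if pkt.proto != "udp" or pkt.dport != 53:
        return False
    name = dns_qname(pkt.payload)
    if name is None:
        return False
    name = name.lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def match_mssql(pkt):
    """Rule 2: SSRS opcode 0x04 (instance-name lookup) with a payload far longer
    than any legitimate instance name, a hypothetical Slammer-style heuristic."""
    return (pkt.proto == "udp" and pkt.dport == 1434
            and pkt.payload[:1] == b"\x04" and len(pkt.payload) > 128)


def match_dropper(pkt):
    """Rule 3: known bytes of the dropped binary seen in a server-to-client stream."""
    return pkt.proto == "tcp" and pkt.sport == 80 and DROPPER_SIG in pkt.payload


RULES = [(1000001, "DNS lookup for hypothetical C2 domain", match_dns),
         (1000002, "Oversized MSSQL resolution request", match_mssql),
         (1000003, "Known dropper bytes in HTTP body", match_dropper)]


def run_rules(packets):
    """Return (sid, msg) for every rule that fires on each packet, in packet order."""
    return [(sid, msg) for pkt in packets for sid, msg, fn in RULES if fn(pkt)]


def xor_bytes(data, key):
    """Single-byte XOR: the trivial encoding a dropper might apply to its payload."""
    return bytes(b ^ key for b in data)


def http_response(body):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


# Constructed traffic: a benign lookup, a C2 lookup, a Slammer-sized 1434
# request, a cleartext dropper download and the same file XOR-encoded.
PAYLOAD_BIN = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + DROPPER_SIG
SAMPLE = [
    Packet("udp", 51000, 53, build_dns_query("www.example.com")),
    Packet("udp", 51001, 53, build_dns_query("cdn." + C2_DOMAIN)),
    Packet("udp", 40000, 1434, b"\x04" + b"\x01" * 375),
    Packet("tcp", 80, 49152, http_response(PAYLOAD_BIN)),
    Packet("tcp", 80, 49153, http_response(xor_bytes(PAYLOAD_BIN, 0x5A))),
]

if __name__ == "__main__":
    for sid, msg in run_rules(SAMPLE):
        print(f"[{sid}] {msg}")
    # The encoded download (last packet) fires nothing, yet the dropper on the
    # host recovers the original bytes with one XOR pass.
    assert xor_bytes(xor_bytes(PAYLOAD_BIN, 0x5A), 0x5A) == PAYLOAD_BIN
```

Running it prints one alert each for the C2 lookup, the 1434 request and the cleartext download, and nothing for the XOR-encoded copy, which is exactly the gap the answer describes: the byte-match rule is only as good as the bytes that actually cross the wire, so pairing it with the DNS rule (and correlating the two) is what turns "maybe" into a probable infection.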