
Set up your own malware repository with MWDB Core
21 October 2020 | Paweł Srokosz | #malware, #tools

    We proudly announce that the open-source version of MWDB Core has been released!

    If you want to try it, check out the mwdb-core project on GitHub.

    What is MWDB Core?

    MWDB Core is a malware repository for automated malware collection and analysis systems, developed by CERT Polska. You can set it up as a part of a malware analysis lab or use it for collaborative malware analysis in your organization.

    It is a crucial part of mwdb.cert.pl service, performing several roles like:

    • Aggregating various feeds and malware collections in a well-organized model that makes it possible to discover relations between samples, families and campaigns;
    • Providing a unified interface and REST API for data exploration and the malware analysis pipeline;
    • Enabling mwdb.cert.pl users to exchange malware insights and make them available to other malware researchers.

    Using MWDB Core you can store all your malware samples in a single place.

    https://mwdb.readthedocs.io/en/latest/_static/uRL9dt6.gif

    MWDB is not only about the binaries. It brings order to all of the information that results from malware analysis, such as static configurations, associations between files and configs, and additional metadata.

    [Figure: configuration example]

    The repository can be easily explored using a search engine based on Lucene syntax. You can also use the relation graph to visualize relationships between objects.

    If you want to learn more about MWDB Core, check out the User guide section in the documentation.

    Why was MWDB Core developed?

    It’s just a matter of time before a researcher faces the problem of maintaining a constantly growing set of malware samples. At CERT.pl, the first attempt to bring order to our dataset was the VxCage project authored by Claudio “nex” Guarnieri. It was then heavily modified by Maciej “mak” Kotowicz and extended with a simple web interface. That extension made it possible to collaborate on building the MWDB with other colleagues and researchers.

    In 2018 we decided to rewrite everything from scratch, applying the lessons learned from the first version. The goal was to create a highly efficient solution that could be shared with a much broader malware research community. As a result of that rewrite, the whole service has changed significantly.

    After the success of the mwdb.cert.pl service, which was followed by another two years of development, we have reached the point where we can publish our tools so that other researchers can set up their own malware analysis environment similar to mwdb.cert.pl. This is possible in conjunction with our other projects:

    MWDB Core can integrate with all of these tools using its plugin engine. Interaction with the repository can also be automated from Python scripts using the API binding, the mwdblib library.
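As an added example (not code from the original post or from the MWDB project), the script below shows what such an automated interaction looks like from the defender's side: it builds a Lucene-style MWDB search query for the static configs of one family, walks the results, and turns the free-form C2 entries into a deduplicated `host:port` list mapped back to the config hashes that contained them. The live path assumes mwdblib's `MWDB(api_url=..., api_key=...)` client with a `search_configs()` method returning objects that expose `.sha256` and `.cfg`, and that `family:` and `upload_time:` are valid MWDB search fields; all of these names are assumptions taken from the mwdblib and MWDB Core documentation. The `OfflineClient` and sample configs are constructed stand-ins so the parsing logic runs without a server and without real indicators.

```python
"""Pull C2 endpoints for one family out of MWDB Core static configs.

The mwdblib client is only needed for a live run; the parsing helpers are plain Python.
"""
from collections import defaultdict
from urllib.parse import urlsplit


def family_config_query(family, since=None):
    """Build a Lucene-style MWDB search query for the static configs of one family.

    `family` and `upload_time` are assumed to be valid MWDB search fields.
    """
    query = f"family:{family}"
    if since:
        query += f" AND upload_time:[{since} TO *]"
    return query


def normalize_endpoint(entry):
    """Reduce one C2 entry (URL, 'host:port' string or {host, port} dict) to 'host:port'."""
    if isinstance(entry, dict):
        host, port = entry.get("host"), entry.get("port")
        return f"{host}:{port}" if host and port else None
    if not isinstance(entry, str):
        return None
    if "://" in entry:
        try:
            parts = urlsplit(entry)
            host, port = parts.hostname, parts.port
        except ValueError:  # malformed port inside the URL
            return None
        if not host:
            return None
        port = port or (443 if parts.scheme == "https" else 80)
        return f"{host}:{port}"
    return entry if ":" in entry else None


def extract_c2(cfg, keys=("c2", "urls")):
    """Yield normalized endpoints found under the given keys of a free-form config dict."""
    for key in keys:
        values = cfg.get(key, [])
        if isinstance(values, (str, dict)):
            values = [values]
        for value in values:
            endpoint = normalize_endpoint(value)
            if endpoint:
                yield endpoint


def collect_c2(client, family, since=None):
    """Map each C2 endpoint to the sorted SHA256 hashes of the configs that contain it."""
    hits = defaultdict(set)
    for config in client.search_configs(family_config_query(family, since)):
        for endpoint in extract_c2(config.cfg):
            hits[endpoint].add(config.sha256)
    return {endpoint: sorted(shas) for endpoint, shas in hits.items()}


def connect(api_url, api_key):
    """Return a live mwdblib client (assumed installed); imported lazily so the rest runs offline."""
    from mwdblib import MWDB
    return MWDB(api_url=api_url, api_key=api_key)


# --- constructed offline stand-in for a real MWDB Core instance ---------------------
class OfflineConfig:
    """Mimics the two attributes of mwdblib's config object that collect_c2() reads."""
    def __init__(self, sha256, family, cfg):
        self.sha256, self.family, self.cfg = sha256, family, cfg


class OfflineClient:
    """Answers search_configs() from an in-memory list, honouring only the family: term."""
    def __init__(self, configs):
        self._configs = configs

    def search_configs(self, query):
        wanted = query.split()[0].split(":", 1)[1]
        return [c for c in self._configs if c.family == wanted]


SAMPLE_SHA_A, SAMPLE_SHA_B = "a" * 64, "b" * 64
SAMPLE_CONFIGS = [  # constructed data, not real indicators
    OfflineConfig(SAMPLE_SHA_A, "samplefamily",
                  {"c2": ["10.0.0.1:443", {"host": "10.0.0.2", "port": 8080}]}),
    OfflineConfig(SAMPLE_SHA_B, "samplefamily",
                  {"c2": ["10.0.0.1:443"], "urls": ["http://gate.example.invalid/gate.php"]}),
    OfflineConfig("c" * 64, "otherfamily", {"c2": ["10.9.9.9:80"]}),
]

if __name__ == "__main__":
    for endpoint, shas in collect_c2(OfflineClient(SAMPLE_CONFIGS), "samplefamily").items():
        print(endpoint, len(shas), "config(s)")
```

For a live run, replace `OfflineClient(SAMPLE_CONFIGS)` with `connect(api_url, api_key)` against your own instance; the same `collect_c2()` call then produces a per-family indicator list that can be fed to blocklists or detection content. Config contents in MWDB are free-form, which is why `normalize_endpoint()` accepts several shapes instead of assuming one schema.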

    Although the plugins are still in development, we are going to release them soon. In the meantime, you can develop your own webhook-based integrations, like the example one integrating MWDB Core with DRAKVUF Sandbox.

    Join mwdb.cert.pl community

    If you are a malware researcher, we highly recommend that you apply for an account on mwdb.cert.pl. Due to limited resources on our side, people with the following affiliations will be accepted first:

    • independent researchers with documented, public malware research;
    • IT security specialists employed in a company focused on malware analysis;
    • specialists employed in public IT security institutions (for example national CSIRTs, banks, government institutions, etc.).

    If you meet our requirements, use the registration form to apply for an account.

    Take into consideration that we reserve the right to respond only to approved applications. Therefore, please ensure the credibility of your application. The e-mail address should confirm your affiliation, so avoid using a personal e-mail address like [email protected] or [email protected]. If you don’t want to use a business e-mail address, leave a handle for another place where we can reach you, e.g. Twitter. Make sure you have enabled Private Messages, so we can contact you to additionally confirm your identity.

    Call for contributors

    MWDB Core was released thanks to its developers, friends, and the bug reports and ideas coming from the mwdb.cert.pl community.

    If you have an idea for improving the project, or want to integrate your solution with an MWDB Core instance or the mwdb.cert.pl service, feel free to open an issue on GitHub, or make a pull request if you have already implemented that improvement. We’ll be glad of any valuable feedback.

    The contents of this publication are the sole responsibility of NASK PIB and do not necessarily reflect the opinion of the European Union.
