Frequently Asked Questions (FAQ)
Having questions? I hope that they are getting answerd here! If not, please do not hesitate to contact us through the Spamhaus Technology contact form:
As many IT-security researchers, I'm heavily using public available information (OSINT) for hunting down new cyber threats. OSINT is a great resource for this threat intelligence! However, I often get confronted with a simple but severe problem: malware samples referenced in blog posts, whitepaper or mentioned on social media like Twitter are usually not easily accessible. You need to register on gazillion different online anti-virus scan engines, sandboxes or malware databases in order to finally obtain the malware sample you need for your analysis. And it is getting worse: Some of these platforms come with download restrictions (you can only download a specific number of malware samples per day), some other platforms are available for paying users only. This is a huge pain for me in my daily work, and I'm sure for many other IT-security researchers out there too.
I've therefore asked myself: why do I have to register on 35457 different platforms? And why should I pay for downloading malware samples?
This was the motivation for launching MalwareBazaar: A malware corpus where IT-security researchers can easily share malware samples with the community without hitting download restrictions all the time or having to pay expensive subscription fees.
What's the difference to VirusTotal?
One of the first questions that propably comes to your mind is: What's the difference between MalwareBazaar and Virustotal? VirusTotal is a great resource for threat intel and hunting malware. Unlike MalwareBazaar, VirusTotal is also a multi anti-virus scanner that allows you to asses whether a certain file is malicious or benign. However, VirusTotal has a handful limitations:
- While you can upload as many files to VirusTotal as you want, downloading malware samples from VirusTotal is restricted to paying users only
- As of March 2020, only 1/3 of all uploaded files are detected by at least one AV-engine (VirusTotal Statistics). So it appears that 2/3 of all uploaded samples are benign
MalwareBazaar follows a different approach:
- MalwareBazaar only track malware samples. No Adware (PUA/PUP). No benign files
- MalwareBazaar is not a multi antivirus scanning engine
- You can upload and download as many malware samples as you want
- It's completely free!
What files should I upload to MalwareBazaar?
Before you start to submit malware samples to MalwareBazaar, please read the following submission policy:
- Confirmed malware only: Please do only submit confirmed / vetted malware samples to MalwareBazaar. Do not submit any suspicious or benign files to MalwareBazaar.
- Adware is not malware: Unlike Malware, most common Adware (aka Potential Unwanted Programs - PUPs) do need some sort of user interaction. In many cases, they also come with a licence agreement that the user has to accept and that is more or less transparent with regards to what the Adware does. Please refrain from submitting Adware to MalwareBazaar.
- Fresh malware samples: There are gazillions malware samples out there. Please refrain from uploading malware samples older than 10 days to MalwareBazaar.
- No file infectors / worms: Please refrain from uploading file infectors and/or or worms to MalwareBazaar
Note: Should you repeatedly violate the submission policy documented above, your account may get banned from contributing to MalwareBazaar.
Code Signing Certificate Blocklist (CSCB)
MalwareBazaar maintains a list of code signing certificates used by threat actors to sign malware. Code signing certificates are dumped by ReversingLabs A1000 Malware Analysis Platform and manually vetted by abuse.ch. The CSCB is being generated every 5 minutes and availabe in CSV format. It can be downloaded here:
Can I use data from MalwareBazaar commercially?
Yes! You can use any data provided by MalwareBazaar for commercial and non-commercial purpose - for free. This includes reselling or ingeration into commercial products. However, I kindly ask you to have a quick look at the (very short) Terms of Services (ToS) at the end of this FAQ.
Download limit on the file download API
MalwareBazaar runs on Google Cloud infrastructure. Sadly, network egress traffic from Google Cloud is extremely expensive. We therefore had to restrict the number of file downloads on our file download API to 2,000 per IP address/day. For bulk downloads we recommend you to use the hourly and daily file exports of MalwareBazaar served by our datalake:
- MalwareBazaar hourly malware batches (ZIP password: infected)
- MalwareBazaar daily malware batches (ZIP password: infected)
Should you have valid reasons to download more than 2,000 malware samples through the file download API per day, feel free to reach out to us using the Spamhaus Technology contact form:
Terms of Services (ToS)
By using the website of MalwareBazaar or any of it's services / datasets, you agree that:
- All datasets offered by MalwareBazaar can be used for both, commercial and non-commercial purpose for free without any limitations (CC0)
- Any data offered by MalwareBazaar is served as it is on best effort with no warranty
- MalwareBazaar can not be held liable for any false positives or damage caused by the use of the website or the datasets provided
- Any submission to MalwareBazaar will be treated and shared under TLP:WHITE and under Creative Commons No Rights Reserved (CC0)
- It is forbidden to use MalwareBazaar to distribute malware and/or infect any devices for malicious purpose