theZoo is a project at GitHub which makes malware available for researchers. (Malware being defined as “software that does harm to a computer or network.”) The repository is great in that it makes the malware accessible without a paywall so that hobbyists like me can access it.
I had heard about theZoo and did not know what to expect to find when I visited theZoo. theZoo was not like the zoos I had visited in the USA.
In the USA, zoos in the last few decades have tried to re-create the natural environment for all of the animals contained within the zoo. They are intended to cater to the animals and allow visitors to see how the animals behave in the wild. By contrast, theZoo reminded me of a “bug pin board”.
A bug pin board is a box or board where insects, caught alive and then killed, are pinned to the board. That being said, the malware in theZoo has not been defanged: it can and still will harm computers if not handled carefully. However, like a bug on a pin board, each malware sample has been removed from its natural environment and from the environment it was intended for.
This series, the natural museum, intends to be very colonial in that regard: someone before us plucked each sample from its natural environment, threw it into a box, and shipped the box home to us. The samples come with very little identification and almost no metadata about where they were collected or why the sample was included. Like a bug pin board, I plan to primarily investigate the individual sample as preserved in theZoo.
Like a bug pin board, I have no expectation of being able to recreate the environments in which they were found or for which they were intended. In some cases, such as with Stuxnet, which was aimed at Iranian gas centrifuges used for separating nuclear material, that is impossible. As a result, we may not be able to investigate the full functionality of some of the malware, and I do not plan to include information from other researchers in my analysis.
- I am not trying to be original. Others may have done similar studies and published similar research. I don’t know. I am doing this for my own benefit, to learn and practice analysis skills.
- I plan to do regular analysis to learn and practice different tools. I may revisit samples or I may lack the ability to analyze a certain sample at all.
- I am using theZoo and posting information because I think it may be helpful to others as well. If you are curious and want to follow along analyzing malware, you can! In order to follow along, you would need to download the same sample from theZoo, put it in a safe environment, and download the tools required.
I hope to be able to give you a solid tour of theZoo, and I hope you enjoy your time here. I plan to use zoo and bug-pin-board analogies regularly because they are both fun.