Malware collecting

One of the advantages of being at McAfee was access to their
zoo/field/wild collection of malware for research. Now that our Advanced
Research Group (read: DARPA/ARDA/etc contractor) has been sold, we no
longer have access and must build up a collection and collecting
capability on our own. I've noted that there is an "international
alliance" being setup to share samples collected using the mwcollect
software, and have contacted them already. There may be some sharing
going on within the Honeynet project, but I haven't followed up within
that arena yet. We intend to set something up similar to a honeynet for
collection and research purposes as well. Additionally, I have started
making contact to some universities who do research in malware who also
have started collections, but haven't found any formal collaboration
organization set up to develop a corpus of malware samples. The AV
community obviously has a large collection, but it appears to be fairly
insular sharing samples only among AV companies, and the test &
evaluation companies who provide (independent) product evaluations.

Do any of you have any thoughts on the subject? For the record, I've
been part of the
TIS/TISLabs/NAILabs/McAfeeResearch/SpartaSecurityResearchDivision group
for about 7 years, doing research on distributed security, application
security policies, malicious code analysis, and defense against worms.


Dave Sames