Malware is one of the common tools used by adversaries, whether they’re getting a foothold in your network, moving laterally through your systems, or exfiltrating sensitive data. Having access to new malware samples can be key to understanding what trespassers are doing on your systems and how they got there. By gathering many thousands of new samples a day, we can see the evolution of these tools as well as investigate how they work.
One of the lesser-known facts about the computer security business is that vendors exchange malware samples with each other, often through mutual sharing arrangements. Unfortunately, despite this practice existing for many years, there isn’t a lot of standardization on how this process should happen. One of the attempts to solve many of the problems related to sample sharing is the Norman Sample Sharing Framework (NSSF), obviously written by folks at Norman. In order to interact with companies using this framework, you must have an NSSF client that supports the NSSF API. Norman has links to their PHP implementation (which has both client and server code) as well as a Perl implementation written by Mario Bono at Ikarus Security Software. We use Python extensively at CrowdStrike for our automated malware analysis work, so we have written a Python implementation of the NSSF client code and made the source code available at our GitHub at: https://github.com/CrowdStrike/pyNSSFClient.
Assuming you have credentials to access an NSSF server (or have set up one yourself), this code allows you to simply interact with that server to get lists of new file hashes and/or download samples.
The key functionality is all within the SampleShare class in sample_share.py. This class has basic command line support for testing purposes, which can be used to get lists of hashes or download samples.
You may notice that we use Doxygen-style code documentation instead of Python docs. We use a variety of languages at CrowdStrike, and Doxygen lets us have a common code documentation format and tooling.
Feel free to fork the code on Github and add your contributions. Or send us your resume and work on it at CrowdStrike — we’re hiring.