Today we are releasing another post for Habrahabr. Our senior virus analyst Zakorzhevsky Vyacheslav will tell about an interesting side of cybercrime.

It is clear to everyone that most malware writers want their creations to "live" among users as long as possible: the longer a piece of malware stays on a computer, the more money it can potentially earn. The main threat to them is antivirus software. In the overwhelming majority of cases, virus writers use cryptors to protect their malware from signature and heuristic detection by antivirus products. The cryptor market is quite extensive and there are many offers on it, since cryptors are in demand.

After the file is "wrapped" with a cryptor, virus writers check it against antivirus products (otherwise you could release something that is already detected). Everyone knows that there are services that let you scan a file with a whole bunch of AV engines at once, for example VirusTotal or Jotti Virscan.

(Screenshots of VirusTotal and Jotti Virscan in the original post.)

Everything is convenient: lots of engines, only minor slowness, etc. But for those who are about to release the next version of, say, a blocker, these services have a small drawback: in some cases these companies pass the scanned files on to AV companies.
One of these services states in its FAQ: "Files sent to us can be sent to anti-virus companies so that they can improve the detection level of their products. Read more about this in the privacy policy. If you don't want your files to be passed on to third parties, don't send them at all."

From the VirusTotal FAQ: "In return for providing your anti-virus engine, you will receive all files sent to VirusTotal which are not detected by your product but detected by at least one other vendor, plus the corresponding report."
It is logical to assume that this is no joy for malware writers, since their files will be sent to AV companies for analysis, which in turn shortens the time the sample goes unnoticed. That is why they use the services of companies that offer something similar to VirusTotal but promise anonymity (at least that is what is written on the scanner sites; we cannot know for sure :)).

For example, there is such a service (screenshot in the original post):
On one of the forums I found a list of what else this service offers:
"Available:
- scheduled checks with e-mail / Jabber alerts
- automatic registration and automatic top-up of the account via WebMoney
Our AV checker contains the current versions of the antiviruses and their latest updates."

It is quite convenient to receive a notification by mail or elsewhere that some vendor has started detecting a new build.

Two other services that offer anonymous file scanning (screenshots in the original post):


Of course, there are many more, but it is worth noting that all these services respond very quickly to their customers' needs. There is also support, an API for working with the service, a GUI client, etc. This suggests that there is competition in this market and everyone is fighting for the client.

However, all such services have a significant shortcoming: they scan only a single file, or a single domain. This does not really match the most popular infection patterns. All modern antiviruses have multi-level protection, so often the file itself is never even reached by the scanner. In a drive-by attack the antivirus can block one of the domains in the redirect chain, the malicious iframe or script, or the exploit itself. And if the malware does land on the user's computer and starts, the sandbox or proactive defence kicks in and analyses the program's behaviour at execution time. In the services I looked at there was no mention anywhere of testing against proactive protection; that is understandable, since it is hard to implement. Nor should we forget the cloud, which can block a file by its reputation. So, despite all the efforts of the intruders, many real-life situations remain uncovered, which makes checking a single object against a signature / heuristic scanner alone simply inadequate :)