75% of Malware Uploaded on 'No-Distribute' Scanners Is Unknown To Researchers (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, they remain unknown, US-based security firm Recorded Future reports, to security firms and researchers for longer periods of time. Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.
  • This is news? (Score:4, Informative)

    by slashmydots ( 2189826 ) on Monday June 18, 2018 @04:48PM (#56805350)
    So the title and summary make absolutely no sense. I read the article and they're saying that virus scanners that don't share malware samples with other companies do in fact not share malware samples with other companies? Reeeeeeeally? You don't say.
  • Oh good grief (Score:5, Informative)

    by the_skywise ( 189793 ) on Monday June 18, 2018 @05:22PM (#56805624)
    Can we at least have a summary that's actually a summary of the article and not that poorly written first paragraph which comes off as so much techno-babble?

    A multiscanner is a service like Google's VirusTotal that aggregates antivirus (AV) scanning engines into one big melting pot, allowing users to upload a suspicious file and scan it simultaneously on all the AV engines hosted on the service.

    If at least one of the multiscanner's engines finds the file suspicious, the service shares the result among all AV companies, allowing cyber-security firms insight on new types of malware that their engines are not currently detecting.

    On the other hand, a no-distribute scanner is a service similar to a multiscanner, only that its operators modify the AV engines so they cannot report back to their respective vendors, hence limiting their ability to see the malware uploaded on such a service.

    Although I'm not really sure what the article's point is - that no-distribute scanners are mostly used by criminals and therefore should have an open API? That's like saying speakeasies during prohibition should've posted their locations on local walls so everybody could share the info!

  • Is this article basically about the fact that people making malware are making more of it than is caught by the average virus detector? Is there a useful quantification here perhaps? Not my greatest area of expertise, but maybe I missed something.

    • by swb ( 14022 )

      That was my first thought, but upon closer(?) reading it sounds like "security researchers" aren't getting informed of these submissions because some of the scan engine owners are holding back the data.

      I'm trying to decide if "security researchers" means actual people with that as some kind of job title or whether it's small fries who have lost their free data feed.

    • by AHuxley ( 892839 )
      Think of each AV company having a pace and style of their own. When they get something from one of their users they will work on the results in their own time.
      When they are sure they are ready the update is released.
      Until then a lot of other researchers who could have helped work on the same malware have to wait until they too find the same in the wild.
  • Which of course highlights the futility of modern antivirus software. Malware writers will keep tweaking their code till Norton, Avast and McAfee check out. This makes the malware undetectable for most users. I just use Windows Defender (solely because it doesn't install any nasty kernel drivers that mess up the OS) and I just don't download unsigned junk or stuff from dubious vendors... Yes, I pay for software now...
    • by AHuxley ( 892839 )
      That's nice if the only way malware gets pushed down into a computer is with users doing "download"? Malware is pushed down via ads, sites, networks. No user downloading software is needed.
  • by Myself ( 57572 ) on Monday June 18, 2018 @09:06PM (#56806694)

    That article was so horrendous, I'm going to attempt to rewrite it with more context:

    Malware authors want to slip their malware into a victim's PC undetected, which means they need to know, ahead of time, whether it will be detected by antivirus tools. So they scan it with antivirus tools. However, there are so many such tools (and it's difficult to know which one a victim might have), it's time-efficient to centralize the scanning. This is done with a "multiscanner", which is a website that runs a bunch of antivirus tools to inspect any file that a user uploads. The results from the (dozens of) scanning tools are presented to the user in a webpage.

    There are two kinds of multiscanners, however: Those run by/for the "good guys", where Jane Doe can go and upload a fishy file to see what the scan result looks like (as part of deciding whether she wants to run/install/trust it). These scanners send copies of uploaded files (at least, those which smell suspicious to a first-pass heuristic) to antivirus companies so they can be hand-evaluated, and folded into future detection signatures. If a malware author uploads their newest creation to check that it slips through undetected, chances are that a few hours later, that result will change!

    Aaaaand, those run by/for the "bad guys", which work just the same way, except they don't send copies of the fishy files back to AV companies. This is most useful to malware authors who want to make sure their payloads are still stealthy, without tipping their hand to the AV companies. Just like the other multiscanners, this type presents the results to a user in a web page.

    In either case, the link to the results page contains the checksum of the submitted file; it's just an easy way for such things to work.

    The article's central point is that this latter class of multiscanner is very popular. Sometimes, malware authors will share a link to their results page as a way of asserting that their payload is undetected by any scanners. By skulking around the seedier parts of the internet, looking at malware advertisements, researchers collected a lot of these links, and then looked for the checksums on other multiscanner sites. Only about 25% of them showed up in a timely fashion.

    [Ed. note: This can be improved by you, the reader, by uploading suspicious files to sites like Virustotal.]
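The cross-referencing step described in the comment above (pull the checksum out of each advertised result link, look it up on a sharing multiscanner, count how many are unknown) can be reproduced on constructed data. The following is an added example, not code from the article, Recorded Future, or any commenter; the scanner domain `nodist-scanner.example`, the link layouts, the sample digests and the "already known" set are all constructed placeholders, and the known-hash set stands in for whatever lookup API a real multiscanner exposes.

```python
"""Estimate the share of samples advertised via scanner result links
that a sharing multiscanner has never seen. Added example on constructed data."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlparse


def _fake_digest(label: str, algo: str = "sha256") -> str:
    """Constructed stand-in for the checksum embedded in a result-page link."""
    return hashlib.new(algo, label.encode()).hexdigest()


# Constructed result-page links of the kind quoted in malware advertisements.
# The domain is a placeholder; the layouts cover the cases a collector meets:
# path-embedded SHA-256, query-embedded MD5, upper-case hex, a duplicate, junk.
ADVERTISED_LINKS: List[str] = [
    f"https://nodist-scanner.example/result/{_fake_digest('sample-1')}",
    f"https://nodist-scanner.example/result/{_fake_digest('sample-2')}",
    f"https://nodist-scanner.example/scan?id={_fake_digest('sample-3', 'md5')}",
    f"https://nodist-scanner.example/result/{_fake_digest('sample-4').upper()}",
    f"https://nodist-scanner.example/result/{_fake_digest('sample-1')}",  # repeat
    "https://nodist-scanner.example/result/not-a-hash",                  # malformed
]

# Constructed: digests the sharing multiscanner reports as already seen.
KNOWN_ON_MULTISCANNER: Set[str] = {
    _fake_digest("sample-2"),
    _fake_digest("sample-3", "md5"),
}

# Longest alternative first so a SHA-256 is not matched as a shorter digest
# plus leftovers; lookarounds reject hex runs that are part of a longer token.
HASH_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})(?![0-9a-f])")
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_digest(link: str) -> Optional[str]:
    """Return the lower-cased hex digest found in a link's path or query, or None."""
    parsed = urlparse(link)
    haystack = (parsed.path + "?" + parsed.query).lower()
    match = HASH_RE.search(haystack)
    return match.group(1) if match else None


def overlap_report(links: Iterable[str], known: Set[str]) -> Dict:
    """Dedupe links by digest, split into known/unknown against the sharing
    multiscanner, and report the unknown fraction plus links that yielded no hash."""
    digests: Dict[str, str] = {}   # digest -> algorithm inferred from length
    malformed: List[str] = []
    for link in links:
        digest = extract_digest(link)
        if digest is None:
            malformed.append(link)
        else:
            digests[digest] = HASH_ALGO_BY_LEN[len(digest)]
    known_set = {d for d in digests if d in known}
    unknown_set = set(digests) - known_set
    return {
        "unique_samples": len(digests),
        "known": sorted(known_set),
        "unknown": sorted(unknown_set),
        "unknown_fraction": len(unknown_set) / len(digests) if digests else 0.0,
        "malformed_links": malformed,
        "algorithms": digests,
    }


if __name__ == "__main__":
    report = overlap_report(ADVERTISED_LINKS, KNOWN_ON_MULTISCANNER)
    print(f"unique samples: {report['unique_samples']}")
    print(f"unknown to multiscanner: {report['unknown_fraction']:.0%}")
    for link in report["malformed_links"]:
        print(f"no digest found in: {link}")
```

Two caveats matter when running this against real links. Result pages key on different algorithms, so an MD5 taken from one link cannot be matched against a SHA-256 index without the file itself; real multiscanners usually accept lookups by MD5, SHA-1 or SHA-256, and the `algorithms` map records which one each link gave you. And "unknown" here means unknown at lookup time, which is the gap the article is about: a later upload by a victim or a vendor can close it, so the fraction should be recomputed over time rather than read once.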

    • by CODiNE ( 27417 )

      Interesting right after the news of the recent no-distribute scanner bust I see Dave Aitel asking around on his mailing list for any alternative sites. That's right, there's also "good guys" using these scanners to write up offensive security tools. This just brings back the old argument that it's not the tool which is good or evil but how it's used. (Arguments against offensive security apps notwithstanding)
