31
Dec 09

Virus Scanners for Virus Authors

facebooktwittergoogle_plusredditpinterestlinkedinmail

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

Enter upstart file-scanning services like av-check.com and virtest.com, which bank on the guarantee that they won’t share your results with the anti-virus community.

For $1 per file scanned (or a $40 monthly membership) av-check.com will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec, and Trend Micro. “Each of them is setten [sic] up on max heuristic check level,” av-check promises. “We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also , we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers.” In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.

Virtest checks malware suspicious files against a similar albeit slightly different set of anti-virus programs, also promising not to let submitted files get back to the anti-virus vendors: “Your soft isn’t ever sent anywhere and the files being checked will never appear in the fresh AV signature bases after scanning,” the site pledges. “On purpose in all AV-products are turned off all possible methods and initiatives of exchange of files’ info with the AV-divisions.”

The proprietors of this service don’t even try to hide the fact that they have built it for malware writers. Among the chief distinguishing features of virtest.com is the ability for malware authors to test “exploit packs,” pre-packaged kits that — when stitched into a malicious or hacked Web site — serve the visitor’s browser with a kitchen sink full of code designed to install software via one of several known security holes. Many anti-virus programs now also scan Web pages for malicious content, and this service’s “exploits pack check” will tell malware authors whether their exploit sites are triggering virus alerts across a range of widely-used anti-virus software.

But don’t count on paying for these services via American Express: Both sites only accept payment via virtual currencies such as Webmoney and Fethard, services that appear to be popular with the online shadow economy.

Tags: , , ,

37 comments

  1. Another one is avcheck.biz. Not sure how active it is, I don’t read russian. He also had avcheck.info, but let that one go. Combining it with “antiddos” services.

  2. The avcheck.biz site says, “We offer for your attention a service to anonymous check files by various antivirus systems. This system is intended for multiple checks of a file with varius antivirus programs; when this is being doneno reports are sent to teh producers of antivirus systems. You can be confident that your attachments will not get into antivirus databases!

  3. I remember Polypack by Jon Oberheide, which was sut down because Kaspersky industrials (and others) made a big fuzz. In fact AV doesn’t work at all and Malware authors are well aware of that fact.
    AV vendors do not even invest in sophisticated heuristics. So in any case scanning through X signature based engines won’t change the fact that as long as your Malware is new, there’s not signature at all. – You have to compare the similarities semantically: http://ether.gtisc.gatech.edu/index.html – e. g.. PoC.

    “Happy new yeahr! Please kick that tiny funni link! With good bizziness PDF”

    Have fun,
    wishi

    • BTW, PolyPack was not shutdown. It’s available for evaluation by penetration testers and researchers:

      https://polypack.eecs.umich.edu/

      So far, we’ve seen both AV scanning and packing deployed individually in the crimeware as a service (CaaS) model, but we’ve yet to see the combination of both in the wild (eg. packing + AV evasion feedback like PolyPack).

      Regards,
      Jon Oberheide

  4. Brian, you wrote: “many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine”.

    Does this create the possibility of fighting malware by giving it a false indication it is running in a virtual machine?

  5. @doug — I suppose that’s a possibility, and it certainly could be one layer of defense built into an anti-malware product. Although some of the things that malware checks to see if it’s running in a virtual machine may prove difficult to spoof.

  6. By the way, several folks have asked how to get an avatar. If you go to http://www.gravatar.com and register the email address you use for commenting on this blog, your gravatar pic should automagically show up when you leave a comment here (provided your gravitar address/icon is not more risque’ than PG rating).

  7. Question to everyone….
    If Brian were to supply a hosted banner (linking to his site) how many of you would post it on sites you might manage?

    (also a test of gravatar)

  8. I’ll admit I’m just testing this Gravatar thing, too.

    Congratulations on the new blog. There will be plenty of links to it getting posted on the inboxrevenge.com forums, I’m sure.

  9. nice analysis, Jorge. Thanks for the link.

  10. Good to see the new blog bk. Is this your new full-time job or are you doing this on the side. Anyhow glad to see your still blogging.

  11. No comment really, just to add an entry and that Brian can see that people are following him after SecurittFix @ WP. Keep the good work and we’ll be reading u.

  12. >_< So how long before Windows can just be plain banned from the Internet as unfit for safe use?

  13. You can also check out our site VirusZoo, that lets you safely test different viruses and malware on a shared virtual machine.

    It’s more for fun rather than a serious tool.

  14. Brian, I found your posts very interesting.
    I’ve translated this one to spanish.
    http://blog.segu-info.com.ar/2010/01/detectores-de-virus-para-los-autores-de.html

  15. @David Gerard

    Don’t be silly. Other operating systems have security flaws too, only they aren’t targeted by the malware authors because they represent a fraction of the computers online today.

    As soon as your precious Linux (I’m guessing you’re a Linux guy) takes over 90% of the market rest assured it will be bombarded in the same manner Microsoft machines are now, and will seem every bit as insecure. Whatever OS is dominate will always be the one of choice to attack.

  16. @Dorkasaurus

    You clearly know very little about Linux, and are doing nothing more than using a trivial excuses to make your point. (ie: All software has bugs AND popularity affects security.)

    (1) Linux, by default, introduces a different paradigm when installing applications. Instead of blindly downloading and installing/executing things; you rely on a package manager and repository servers that are maintained by the distro developers. (A trustworthy source, as they rely on honesty and reputation in order to establish a user base…If they screw up, people will jump onto another distro).

    It means crackers or blackhats have to attack the distro repository servers. This has happened to Debian, Ubuntu, Red Hat and Gentoo. In all cases, the problem was resolved way before it could hurt their users…Within hours of finding the problem. On top of that, they publish what was the cause and how they solved it.

    This open honesty is something you will NEVER find from Microsoft or Apple. (Denial and playing down the issue would be their first response…Then they’ll admit the problem.)

    (2) Microsoft is slow to respond. They prioritize and categorize their security issues to make them look less bad. Its a PR move…They don’t have the resources to introduce patches/fixes within hours.

    In Linux, a bug is a bug. It has to be fixed ASAP. There’s no PR here to hide behind…When a problem is found, its usually fixed within hours.

    (3) Linux user habits promotes prevention. Windows user habits promotes cures. Why do you think AV companies have a huge market in Windows world? Some have tried to establish themselves in Linux world, but have achieved little or no success. (It isn’t profitable as in the Windows world.)

    Windows users are more likely to pirate software without thinking. They don’t care where the application comes from. They rely on too much AV scanning and automation (cures); instead of using their heads (prevention).

    (4) Linux has a higher learning curve. This plays a role in putting a user in a position where they have to learn and understand the tools they are using on their system. In Windows, you jump on without thinking about security when you do something. You are very vulnerable to social engineering trickery.

    On top of this, there isn’t really anything like Grsecurity/PaX/etc in Windows. Windows users must rely on software developers to use Windows API in order to run things in reduced privilege mode. (eg: Internet Explorer’s Protected Mode)…Most developers won’t bother.

    (5) User privileges are simple and clearly defined in Linux. You’re either Root or you’re not. And when you’re not, you can escalate when the situation calls for it. (This is always when a system wide change is needed; like system upgrade or update)…Instead of clicking OK/Allow, you must enter a user or root password. It gets the user to think twice before doing something.

    Microsoft are still struggling with UAC. Windows has a multitude of privilege levels like Admin, System, Standard/Limited User, Guest, etc. There isn’t a clear/simple boundary that has been defined. Its unnecessary complexity makes it hard for UAC to be effective than it should be. UAC has to balance between security and usage without annoying. eg: Windows 7′s UAC is less secure by default compared to Vista UAC’s default, but its also less annoying.

    (6) In Linux world, using root privileges full time and not having passwords is considered a sin. In Windows world, no one but the most technically competent Windows users care. Why do you think UAC was a bitter pill to swallow when it was first introduced in Vista?

    (7) Microsoft is willing to compromise security for usability. They have to sell a product that people can use. (They are a business after all, and they have shareholders to appease). The default settings of a Windows installation are more convenience focused. This is what happens when you have users who don’t learn anything. They want things to work, they don’t care about security…Until their family photos/videos, financial details, etc are exploited against them.

    (8) Linux brings focus of systems to the user. Which means they take responsibility for their system. Often, a compromise of a Linux box is because a user has yet to develop the experience or understanding. ie: Its often mis-configuration being the problem.

    (9) Linux is more flexible than Windows. In Windows, bits are tied together. It allows for one to attack something (using it as a vector) to compromise the whole system.

    In Linux, things are not deeply integrated to one another. This allows one to install only what they need and nothing more; thus greatly reduce their vulnerability profile.

    You can’t have Windows install a base OS and customize things to your needs. If you try, things start mis-behaving in really odd ways. I know, I’ve tried.

    (10) Care to explain why I can crash a Windows box with file/print sharing enabled; by forming malformed crafted network packets, and why I can’t do the same thing with Linux and Samba? (Samba allows Linux, Mac, etc users to connect to Windows networks).

    Security has nothing to do with market share. That’s what Microsoft wants you to accept via their marketing spin…Its really to do with user knowledge, software implementation, and how responsible the software developers are.

    I know all this because I work in the security industry on Windows, Linux, BSD and Solaris platforms.

  17. @Doug: I’m a malware researcher, and I’ve encountered both kinds of virtual machine-aware malware: Some types simply self-immolate when run in a VM, and others behave very differently than they would in a “real” environment. Sometimes the behavior in a VM is just a fraction of the normal activity it might perform in a real box, and sometimes it can be very different.

    That’s one way malware research has been evolving over the years, moving from the convenience of VMs (which you can snap back to a clean state in seconds) to silicon and platters, which are somewhat slower to use but much more dependable.

    • but I’m afraid I didn’t answer your question. You could fight some kinds of malware by trying to convince your software and OS that it’s running in a virtual machine, but it would be hard to do, because there are myriad ways that malware detects the virtual environment, and you’d almost never be able to predict what trick they’d use next.

      And some of the tricks (invoking small, otherwise unnoticable errors, for example) you couldn’t reproduce on a real box without making substantial changes to architecture — and again, you’d have to know exactly what moving target the malware creators are aiming at, in order to do that.

  18. Charlie_S,

    Almost you convince me to be a Linux user! No, actually, at heart I accept all the fundamental policies of *nix which have been tried and tested over the past 4 decades or so. It’s just that I was born into a Windows world… and that’s what I have to work with.

    But I digress. I still am unsure about why it is “bad” for great services like VirusTotal to share their results with anti-virus vendors. I am also unsure as to why many top AV vendors are based in former Eastern Bloc countries…

    I guess I will conclude by saying that signature-based file scanning is becoming an ever-less-effective way to protect systems. But nevertheless, it’s a line of defense that cannot go away, since at least at alerts against the “known” malware. But the public as a whole needs to come to the recognition that AV scanning alone is not even close to being real “protection” against malware.

    Actually, I just had an idea! Why not turn the tables? Why not establish an online database of *known* NON-malware files and assume every file is a malware unless it checks positive as being “known safe?”

    • @baodad

      He almost convinced me to be a Linux user, too!

      Hardly. with all the demands he puts on the User to become an expert. I am a security expert in the Windows environment and I have secured thousands of Windows systems with less effort than he expects of each and every Linux user.

      Even when I consider the handful of systems that have been compromised by stupid users who fell for social engineering, the time spent cleaning or “nuking and paving” their systems with a new image still doesn’t add up to the investment in user expertise required to manage a Linux system, especially when balanced against the major loss of convenience.

      Having said that, I don’t disagree that *nix is better designed for security from scratch. Windows is still trapped by its legacy as a single-user, stand-alone, non-networked OS, and CANNOT be made as secure as *nix without a full re-write. However, it can be made substantially secure enough that it would take a very focused and determined attacker to compromise the system of an average user. Far more effort than the payback is worth, even to use the system in a botnet.

      I still feel the trade-off between security and convenience favors Windows, as evidenced by the failure of free Linux distros to make a dent in the Windows market.

      Charlie’s reasons not to go to Linux:

      1. “Linux gets fixed within hours of finding the problem” (but there is nothing like MS Update to push it out) and too many flavors of Linux anyway.

      2. “Linux has a higher learning curve.” (too high for most users to be bothered; that’s why hardly anyone even changes their own oil or services their own brakes anymore). One has to learn too much to even pick the best flavor of Linux to use.

      3. “Microsoft is willing to compromise security for usability. They have to sell a product that people can use.” God forbid! You mean people actually prefer a product they can USE? If that’s not an admission that most people wouldn’t find Linux useful enough for the effort, I don’t know what is.

      4. “Security has nothing to do with market share.” Major overstatement. Just as Dorkasaurus was dead wrong to claim that’s THE major difference. Charlie has his head in the sand, if he thinks the overwhelming domination of the market by Windows isn’t one of the major factors making Wintel systems a target.

      Even without UAC on Vista and Win7, there are many means of overcoming most of the weaknesses even in Windows XP security and user ignorance, e.g. Drop My Rights, Sandboxie, SnoopFree Privacy Shield, Roboform, Secunia PSI, NoScript, RunAs, Sanur, Sudo for Windows, suDown, WinSUDO, Group Policy, WOT, LinkScanner, etc. and using these are easier than becoming a Linux mechanic.

      Now to answer your question, baodad…

      “Why not establish an online database of *known* NON-malware files and assume every file is a malware unless it checks positive as being ‘known safe?’”

      That’s pretty much what Norton Internet Security does now via the Insight Network. After comparing the checksums, from an inventory of files after the initial scan, against a database of known safe files, they are excluded from further scans, as long as the checksum remains the same. All other files are continuously evaluated until they are cleared as safe. Unfortunately, Norton’s detections rates have suffered in the past couple of years too. But the scans are so unintrusive now, I can afford to supplement NIS with SAS and MBAM at less than $50 for lifetime licenses for both.

  19. antivirus firewall

    Is antivirus firewall still needed? there was no major virus attack lately!

  20. I was happy using Kaspersky Internet 2009 until I bought a new PC that came preloaded with Norton 360. In the old days, Norton slowed me system down so much I had to find an alternative and Kaspersky did the job very now. Since getting this new box (Visa O/S) I decided to test-drive Norton 360 and “knock on wood” I’ve not been whacked yet. Every Saturday, I do my house cleaning (complete scan) and Norton 360 has prevented countless invasions trying to back door and infect my box w/ their nasty malware stuff.

    • Unfortunately, Symantec doesn’t fare as well against the competition as they once did at av-comparatives.com so your Norton 360 may be missing a lot too.

      I like Norton’s self-configuring and mostly un-intrusive, but adequate, firewall. But for AV, I would prefer ESET NOD32 or Avira AntiVir, both of which have been top picks in the past 3-4 years and consistently outperform most of the others.


Read previous post:
Welcome to Krebsonsecurity.com

Welcome, everyone, to krebsonsecurity.com. Here’s to new beginnings, and a happy, healthy and prosperous New Year! Some of you may...

Close