Virus Scanners for Virus Authors

December 31, 2009

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

Enter upstart file-scanning services like av-check.com and virtest.com, which bank on the guarantee that they won’t share your results with the anti-virus community.

For $1 per file scanned (or a $40 monthly membership) av-check.com will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec, and Trend Micro. “Each of them is setten [sic] up on max heuristic check level,” av-check promises. “We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also , we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers.” In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.

Virtest checks suspicious files against a similar, albeit slightly different, set of anti-virus programs, also promising not to let submitted files get back to the anti-virus vendors: “Your soft isn’t ever sent anywhere and the files being checked will never appear in the fresh AV signature bases after scanning,” the site pledges. “On purpose in all AV-products are turned off all possible methods and initiatives of exchange of files’ info with the AV-divisions.”

The proprietors of this service don’t even try to hide the fact that they have built it for malware writers. Among the chief distinguishing features of virtest.com is the ability for malware authors to test “exploit packs,” pre-packaged kits that — when stitched into a malicious or hacked Web site — serve the visitor’s browser with a kitchen sink full of code designed to install software via one of several known security holes. Many anti-virus programs now also scan Web pages for malicious content, and this service’s “exploits pack check” will tell malware authors whether their exploit sites are triggering virus alerts across a range of widely-used anti-virus software.

But don’t count on paying for these services via American Express: Both sites only accept payment via virtual currencies such as Webmoney and Fethard, services that appear to be popular with the online shadow economy.

Welcome to Krebsonsecurity.com

December 29, 2009

Welcome, everyone, to krebsonsecurity.com. Here’s to new beginnings, and a happy, healthy and prosperous New Year!

Some of you may be familiar with my work at The Washington Post and the Security Fix blog. Krebsonsecurity.com will feature similar content: Original reporting and analysis on important security threats and trends.

With a few exceptions, I will continue to eschew chasing the security story-of-the-day, as there are plenty of sites you can go to for that. My focus will remain on publishing information and reporting that you won’t find anywhere else – and with a minimum of editorializing.

Visitors who are unfamiliar with my work can browse through a collection of what I think represents some of my best reporting over the past few years. The About the Author and About this Blog tabs include a bit more detail about who I am and how this blog will be organized.

Finally, this blog will be a whole lot more interesting if folks participate, so if you’ve got something to add or have a strong feeling one way or another on a topic, take a second to leave your comments and voice your opinion. I will be moderating comments, but only for spam and probably only at the outset of this blog launch (unless your post is truly offensive to other readers, exists merely to pimp some product, links to nasty sites, etc). If you want to shoot me a note directly, send it here.

Thanks for visiting, and look for actual reporting and news content here in the next 24 hours or so as I iron out a few remaining kinks in the blog.

Story-Driven Résumé: My Best Work 2005-2009

December 29, 2009

I began writing for The Washington Post in 1996, and started covering computer and Internet security in 1999. Below are links to what I believe is some of my best work over the past four years or so. Virtually all of the stories and blog posts listed here were either Washington Post/Security Fix exclusives, or were the result of my investigative reporting and research aimed at shining a light on the Internet’s darkest corners, and educating readers about the importance of security.