Slashdot Mirror

← Back to Stories (view on slashdot.org)

Online Services Let Virus Writers Check Their Work

Posted by ScuttleMonkey on from the better-faster-stronger dept.

An anonymous reader writes "Former Washington Post Security Fix blogger Brian Krebs has launched a new blog at krebsonsecurity.com, and his first story highlights a pair of underground antivirus scanning services that cater to virus writers. Scanning services like virustotal.com scan submitted files against dozens of antivirus products, and share the results with each of the vendors so that all benefit from learning about threats they don't yet detect. But there are number of budding online services that allow customers to pay per scan, and promise that the results will never get reported back to the antivirus companies. One service even tests how well web site 'exploit packs' are detected, while others promise additional layers of protection. 'The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine.'"

61 comments

  1. Inevitable by Spad · · Score: 4, Informative

    As I've said before on this subject, there's a whole economy around spam, website exploits and malware, you've got people who will QA your malware for you to check for bugs and these services that will run them against common AV software and suggest ways to evade them. Then you can sell your malware to someone who will use the network of compromised sites they bought off someone else to build botnets which they then sell time on to other people who are using them to send spam emails and perform DDOS attacks on behalf of *other* people.

    1. Re:Inevitable by Anonymous Coward · · Score: 0

      Tapping into the hobbyist malware writer territory at a low cost seems like a good idea, there's only so many malware writers you can hire and still make a good profit.

    2. Re:Inevitable by Nikker · · Score: 4, Insightful

      Black hats are notorious for being paranoid when it comes to "sharing". Why would any of them even bother when they could just as easily set up multiple VM's with different OS's and different anti virus solutions and test them out in close to real time? How can they trust that these sites won't rat them out? How can they trust a similar service isn't set up as a honey pot for this very reason? It might scare Jane and Jon Q Public but in reality it's not going to make much of a difference overall. Why should someone trust the guy on the other end of the Internet that they won't expose them and their little virus baby to the big bad corporate overlords?

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    3. Re:Inevitable by jonbryce · · Score: 1

      Indeed. I thought sites like virustotal existed to enable people to test their warez against different virus scanners to get a second opinion as to whether or not they were infected, or safe to install on their machine.

  2. Makes sense by WiiVault · · Score: 4, Insightful

    The big AV companies have created a market of people who are behind a wall, but one that only exists as based on the guardianship of the AV maker. We know they are untrustworthy, and their very presence and size encourages this type of activity. Having a fairly consolidated market with a few vendors having a major share allows "hackers" to target those programs thus making these services useful to a wannabe testing out his exploit.

    1. Re:Makes sense by leuk_he · · Score: 1

      Since these AV monopolies are untrustworthy, why would they not have proactively created these "scan and burn" sites? Best to to gather signatures is to get them directly from the source in these scan services.

    2. Re:Makes sense by WiiVault · · Score: 1

      I was actually simply referring to the past nefarious actions on their part and the fact that their software is mostly a bloated joke which slows down most PCs just as much as the adware its meant to remove.

  3. Just like gun runners... by greg_barton · · Score: 4, Insightful

    ...selling to both sides in a war.

  4. Honor among thieves by Shoten · · Score: 4, Interesting

    It would seem to me that, since most malware writers are essentially in competition with each other (as can be seen by past examples of malware that removes other, competing forms) that using a service like this would be against the best wishes of the attacker. I can only imagine that anyone who would provide a service like this would also be diversified enough to have their own stable of malware, and would gain value from having a copy of everything that gets submitted to them.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Honor among thieves by misexistentialist · · Score: 1

      There is value to the aging script-kiddie (now a daddy) in becoming a productive member of society as a "virus tester". Alternatively, it is not disadvantageous for the community-minded hacker to make his malware get along with others rather than compete.

  5. Re:Karma Fail by Anonymous Coward · · Score: 0

    lol- you suck!

  6. VirusZoo by skyriser2 · · Score: 5, Interesting

    You can also check out our site VirusZoo, that lets you safely test different viruses and malware on a shared virtual machine.

    It's more for fun than a serious tool...

    http://www.viruszoo.com/

    1. Re:VirusZoo by dark_knight_ita · · Score: 4, Funny

      Mandatory xkcd reference: http://xkcd.com/350/

  7. Re:Karma Fail by Anonymous Coward · · Score: 0

    Maybe it's a Y2K10 glitch? Who knows. Best to try doing things to get your karma back up and hope this bad luck passes.

  8. It is run by the NSA by Anonymous Coward · · Score: 0

    This is the only logical conclusion.

  9. Any Reason... by sycodon · · Score: 0, Flamebait

    ...these people should not be hunted down and set to Gitmo for some water boarding then a firing squad?

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Any Reason... by MrMr · · Score: 4, Insightful

      But these people may be US citizens. Your procedure only applies to foreigners.

    2. Re:Any Reason... by sycodon · · Score: 0, Troll

      When my machine gets infected, I don't care who they are. Just on principal, they should be shot.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    3. Re:Any Reason... by Bert64 · · Score: 1

      Why not just make sure you DONT get infected?
      Being infected with malware, like falling for the various scams spread by spam, depends on a high level of stupidity and/or incompetence and i have very little sympathy for such people.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Any Reason... by Anonymous Coward · · Score: 0

      Why don't you just STFU?

    5. Re:Any Reason... by GNUALMAFUERTE · · Score: 1

      Why not just make sure you DONT run windows?
      Being infected with windows, like falling for the various scams spread by microsoft, depends on a high level of stupidity and/or incompetence and i have very little sympathy for such people.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    6. Re:Any Reason... by Anonymous Coward · · Score: 0

      Easier said than done.
      I've just got a nasty piece of malware from my flash which got it from my boss's PC which got it from a client's flash which got it from another employee which got it from an internet cafe which probably got it from some random guy downoading porn.

      On it's way onto my PC it evaded Avast, AVG, Kaspersky, Malware Bytes, McAfee, Norton, Nod32, Spybot, Spyware Doctor, Windows Antivirus, Windows Firewall and Zone Alarm.

  10. Real interesting story here by IamTheRealMike · · Score: 3, Interesting

    Brian Krebs now has a blog. He has written some of the most consistently interesting, unique and accurate coverage of the internet [in]security world in the past few years. Subscribed.

    1. Re:Real interesting story here by oasisbob · · Score: 1

      Indeed. I started crying like an eight year old girl when I heard he was leaving WaPo. His coverage has been excellent, especially on things like banking security, the Heartland breach, etc.

      I stopped sobbing when I heard he was going to start blogging instead.

  11. Windows is not Internet-ready by David+Gerard · · Score: 0, Flamebait

    Good Lord. We need to cut to the chase and just ban Windows from the Internet as unsafe at any speed.

    --
    http://rocknerd.co.uk
  12. It's a dog-eat-dog world by insufflate10mg · · Score: 1

    Would it be possible to legally hold the company to their agreement? Having built up a few botnets several years ago (just for the sake of doing it, no spam/DDoS), I wouldn't trust them. It makes sense that the authors of malicious code wouldn't risk their creation on what could be a sting by AV companies without some sort of legal ramifications... Also, I couldn't imagine it would be *too* difficult to create your own antivirus sand beach for newly-created viruses to test themselves in. A lot of the aforementioned AV's are cheap or free for the sake of the advantages they would give and the edge one's malware could have.

    1. Re:It's a dog-eat-dog world by Bert64 · · Score: 1

      If you're doing something as illegal as creating a botnet for the purposes of spam/ddos, then the additional illegality of pirating a bunch of av products isn't a huge stretch...
      As for a sting, most malware authors these days continually make new changes to their malware, often very simple changes can render something undetectable and extend the lifetime of a particular codebase.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Hmm by ShooterNeo · · Score: 1

    I'm no malware writer : but I have to ask...how hard would it be to make self-modifying undetectable code? Essentially you'd have your malware executable, however many bytes of assembled code that do stuff. Then you'd insert various dummy instructions that are randomly chosen but cancel each other out throughout the code. (so you might have an add instruction followed by a subtract instruction, etc). Every time the malware installs itself on a new PC, it randomly creates a new set of dummy instructions.

    So the malware would still have a constant codebase that is doing the work, but wouldn't the dummy instructions prevent anti-virus/anti-malware software from being able to "see" the executable? In a similar manner, any registry entries that the malware needs would be randomly chosen character strings. The server address that the malware uses to communicate with would be scrambled via a randomly chosen encryption key as well.

    What I'm describing isn't hard at all : a basic project that a junior or senior cs student could easily complete.

    1. Re:Hmm by insufflate10mg · · Score: 1

      It is possible, look up polymorphic code. I've seen it implemented personally by my mentor though I've never worked with it myself. Neat stuff.

    2. Re:Hmm by Anonymous Coward · · Score: 0

      http://en.wikipedia.org/wiki/Polymorphic_codehttp://en.wikipedia.org/wiki/Metamorphic_code

    3. Re:Hmm by Anonymous Coward · · Score: 1, Interesting

      The main problem is: if a virus infects the same PC over and over, possibly 1000s of times, it slows down too much, limiting the chance of infecting other victims or simply crashing the target completely . This means your malware should have a way to detect its own self, and stop deploying. This, in turn, means you need a signature or something very much like it.

    4. Re:Hmm by Josef+Meixner · · Score: 1

      You have one little problem, the program has to know, which instructions cancel out. So you probably have a list of pairs in there somewhere. As soon as that is known, the program can be normalized back to the "core code". The other problem is, that you would have to be very careful to remove the canceling instructions in the virus before you rescramble it or the size would quickly get prohibitively large.

      The randomly chosen registry keys won't help you, you have to get the thing to be executed, so you have to write something in a fixed number of keys. That should be enough to detect it.

      The "scrambled" server key is a tactic Conficker is using. It generates and queries a large number of domains, but obviously the sequence has to be in the code somewhere so a server can be setup which has the right name at the time the thing tries to connect to it. Just scrambling the address in the "client" is useless, if there is no server.

    5. Re:Hmm by Bert64 · · Score: 1

      When it connects to a server in its pseudo-random sequence, does it do anything to verify the server or does it connect blindly?
      I wonder if they used public/private rsa keys to verify that the host it connects to is really a genuine one or not...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Hmm by Spad · · Score: 1

      Polymorphic malware is getting increasingly sophisticated, to the point that can be impossible to detect the malware except at run time by virtue of what it attempts to do to the system it's infecting. I thought that this little trick was a pretty neat one, the code only decrypts itself correctly at certain times on certain days, so AV vendors can't easily analyse the code and write detection signatures.

  14. Waste of bullets by RobertLTux · · Score: 0, Offtopic

    Hanging is good swords are good you need to do this in a "green manner"

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
    1. Re:Waste of bullets by Icarium · · Score: 1

      Wouldn't execution by robot, virus or worm be more fitting?

    2. Re:Waste of bullets by sycodon · · Score: 3, Funny

      I could lock them in a room with my dogs. They would gas the SOBs

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    3. Re:Waste of bullets by zill · · Score: 1

      No, they should instead share a cell with men who have enlarged their penises, taken Viagra and are looking for a new relationship.

  15. They aren't poor to begin with by Ilgaz · · Score: 1

    If you buy all those packages (besides pirating) at the virustotal.com, it will cost far less than $6000 which a Rolex costs.

    That mob leader wears Rolex watch you know, it is not like he won't be able to buy dozens of antivirus, virtual machine solution.

    The days of "hacking for a bottle of Vodka" is really over, if ever existed.

    Virustotal should be a security organization's free service with costs shared by AV vendors rather than being a "underground" (???) service. It does nothing rather than doing a real life check of current antiviruses. If I was a AV vendor who trusts their solution, I would even donate a blade to them. Being the only vendor finding a virus in suspected file can't be more decision making than anything including 1000s of white papers.

    PS: If a black hat trusts to that file scanner, he is more than dumb since the virustotal or any offline file checker (including clam or stuff OS X users keep buying) doesn't have heuristics which can be only performed on a up and running windows OS.

  16. Isn't this easily solved? by mysidia · · Score: 0

    AV makers should include a clause in the EULA, that: the software may not be used to provide a virus scanning service for more than one third party. You may not scan a file for another person without purchasing an additional license to be permanently assigned to each person.

    And then they can send their army of lawyers at any "paid AV scanning website" that doesn't have an agreement with them.

    1. Re:Isn't this easily solved? by selven · · Score: 1

      Software freedom is more important than software safety, just like everywhere else.

    2. Re:Isn't this easily solved? by mysidia · · Score: 1

      On a proprietary OS platform, it's only appropriate that the antivirus programs contain license restrictions against using them for evil, or using them to circumvent other users' need to buy their own copy and update subscriptions.

      These programs already contain very restrictive EULAs. It's logical for them to contain a restriction against this type of abuse.

      Otherwise... someone could just write a free "stub AV" everyone installs on their desktop, that uses an outsourced, online scanner to actually do all the file checking.

      Then the manufacturer of the AV scanner loses all their business to the "outsourced AV programs"...

      This is proprietary software. They profit by selling copies of the software, not by enabling as much freedom as possible.

      Don't fool yourself into thinking you have software freedom, or software freedom principles, somehow apply to someone else's closed source, "pay for use, but restricted" software product.

      All commercial AVs are in that category... in general, basically all AVs are in that category (except the likes of ClamAV)

    3. Re:Isn't this easily solved? by Bert64 · · Score: 1

      Do you think underground vendors who are already doing questionable things like selling malware and selling infected machines, will really care about using an unlicensed av product?
      Most likely all the av they use are pirated anyway...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Isn't this easily solved? by mysidia · · Score: 1

      I have no doubt underground vendors are willing to do questionable things.

      But it would at least help to force them to actually go underground, rather than use a public exposed website for anonymous scanning (without sample sharing), make their service harder for novices to access, increase the price.

      And reduce the "legitimacy" or "credibility" of the service designed to facilitate malware authors.

      The DMCA and various DMCA-inspired laws passed by various countries and the notion of 'takedown letters' really sucks, but maybe it can be put to one good use ...

    5. Re:Isn't this easily solved? by hughperkins · · Score: 1

      Yes, because an anti-virus scanner running on a single computer uses negligible resources, and a service that scanned people's computers remotely would scale wonderfully and make a huge zero-cost profit :-P

    6. Re:Isn't this easily solved? by selven · · Score: 1

      Wait, so you're saying that freedom is useless unless I have full freedom? I disagree, every small bit of freedom is a good thing. I don't think my software principles apply to proprietary AVs, I think an AV that respects them even slightly more is better than an equivalent one that doesn't.

  17. "Capitalism" is descriptive, not normative by QuoteMstr · · Score: 2, Insightful

    Markets happen whether they're intended or not. They're as natural as water flowing downhill, even in ostensibly destructive fields. Capitalism is not more a "choice" than gravity is: what matters is how you deal with it.

    Clearly, we don't have enough incentives to either 1) discourage these people from writing malware, or 2) encouraging them to do other things.

  18. HONEYPOT by Sleen · · Score: 2, Insightful

    There is an economy, but the players are all using layers upon layers of aliases. Inevitable is a fresh mask on carnivore and this is merely one of them. How could you possibly trust a service NOT to report a ZDE? Find one, submit and see if it shows up in other scanners or see if there are reports of anyone out there using it. The service could be a front for carnivore, a front for a virus broker, or a front for a majority vendor. The simple rule is this: if there is money to be made and this is the only principle protecting the submission, it is INEVITABLE that someone else will offer more. And if the price per submission is affordable, and the functions advertized then its certainly not underground but engaging in some simple advertizing.

    Most hackers have heard of honeypots...

    1. Re:HONEYPOT by AHuxley · · Score: 1

      Your local fence was on a state task force or fed?
      Your fellow anti war protester was a local cop or fed.
      Your mid ranking dealer was working for a state task force or fed?
      Your 'adult' forum had a few adims, one was on a state task force or fed?
      Your CC and hacking forum was a total state task force or fed set up?
      Your virus all in one test site was was a state task force or fed IP trap.
      Same old games, digital age :)

      --
      Domestic spying is now "Benign Information Gathering"
  19. think globally, act locally by spywhere · · Score: 0, Flamebait

    I remove malware for a living. Because I work in strangers' houses in unfamiliar neighborhoods, I also carry a large powerful handgun.

    If I met someone who credibly claimed to be an author or distributor of malware, I fear I might "lose" several 80-cent bullets...

    1. Re:think globally, act locally by Anonymous Coward · · Score: 0

      "I remove malware for a living. [...] If I met someone who credibly claimed to be an author or distributor of malware, I fear I might "lose" several 80-cent bullets." That sounds rather like biting the hand that feeds you.

  20. Obvious honeypot is obvious by phantomcircuit · · Score: 1

    The title says it all.

  21. Windows 7 is devouring that hand by spywhere · · Score: 2, Interesting

    Vista and 7 are much less prone to malware infestation. Since Vista came out, I've seen less than a dozen compromised Vista computers... virtually all of my malware work is on XP.
    That market is disappearing.

    1. Re:Windows 7 is devouring that hand by adolf · · Score: 1

      Coincidentally, since Vista came out, I've seen less than a dozen Vista computers -- total.

      It either Just Works, or it's really unpopular. I suspect both, though I never had any particular problems with it on my own machines...

      --
      Kid-proof tablet..
  22. I'm just going to drop this here by symbolset · · Score: 1

    click

    --
    Help stamp out iliturcy.
  23. |Z| by Anonymous Coward · · Score: 0

    Is it really so dangerous to send new malwares to virustotal? I don't think so.
    Here are two scans results of the same malware:

    http://www.virustotal.com/analisis/8997c271747fbb83d870ffe9f6ad034d
    http://www.virustotal.com/analisis/a5b12389a3f23687c787eeb0a2ab12bf

    The first was scanned on 2008.11.11 with detection rate of 6/36, the second scan was performed on 2009.03.18 with detection rate 9/39. One of the 3 new AV vendors detecting it were new in virustotal at all, and two of them detect it because they have already found what the malware is about. Although this is only one case, I bet everybody can find such examples in a very short time.

    It is said that the samples are sent real-time to AV vendors. But it looks like they do nothing with the samples for months...

  24. Re:I'm just dropping the bomb on you, big talker by Anonymous Coward · · Score: 0

    SymbolNOBODY: You said what's quoted below from you, here -> http://slashdot.org/comments.pl?sid=1476008&cid=30428430

    "It's tolerated (perhaps encouraged) in part because these annoying actors are otherwised engaged in improving Linux. Major Debian and BSD contributors, for example, use slashdot as a workspace for their human-machine interaction side experiments, of which APK is probably one. In addition many of these trolls post links which, if you follow them, will completely hose a Windows machine. This is part of the game. - by symbolset (646467) on Monday December 14, @01:15AM (#30428430) Journal

    I took offense to the BOLDED part... & ALL you EVER seem to have is "ad hominem" based attacks on people, not the points they make. So, "symbolNOBODY": The day you can make something like this (& that got you PAID for it, & that has done as well for others online):

    http://www.tcmagazine.com/forums/index.php?s=b861a743aa23c4568b7d73e07ef7ecec&showtopic=2662

    That's also gone over 250.000 views worldwide in 1++ yrs.' time online, & across 15 forums where that guide for Windows Security has been made either an:

    1.) "Sticky/Pinned" thread
    2.) An "Essential Guide"
    3.) Rates 5/5 stars (etc.)

    AND, gets "feedback" like this from users that have applied it:

    ----

    http://www.xtremepccentral.com/forums/showthread.php?t=28430

    PERTINENT QUOTE/EXCERPT:

    "...recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual. Now I don't recommend this for the average joe, but it if can work for a kids PC it can work for anything! Now, i substituted OpenDNS and activated the Adult Content filter with them for this kids computer. I know its not perfect, but will catch over 99.5% of said sites."

    and

    http://www.xtremepccentral.com/forums/showthread.php?s=10f9ba9ad5ff990aaae1e7ec91f593a2&t=28430&page=3

    "Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)"

    Thronka - forums member @ xtremepccentral.com

    ----

    THEN, when you have done so, on THAT account? THEN, you can talk (and, ESPECIALLY about that which you said about myself which I quoted from you above shows YOU, libelling ME, clearly. It's clearly immaterial & outright b.s. from you, vs. the kind of feedback my guide on securing Windows gets, quoted above from others? It CLEARLY disproved your outright b.s., period...)

    Also?

    When you have done all of this as I have over time in this Art & Science of computing:

    "My Na