Online Services Let Virus Writers Check Their Work
An anonymous reader writes "Former Washington Post Security Fix blogger Brian Krebs has launched a new blog at krebsonsecurity.com, and his first story highlights a pair of underground antivirus scanning services that cater to virus writers. Scanning services like virustotal.com scan submitted files against dozens of antivirus products, and share the results with each of the vendors so that all benefit from learning about threats they don't yet detect. But there are a number of budding online services that allow customers to pay per scan, and promise that the results will never get reported back to the antivirus companies. One service even tests how well web site 'exploit packs' are detected, while others promise additional layers of protection. 'The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine.'"
As I've said before on this subject, there's a whole economy around spam, website exploits and malware; you've got people who will QA your malware for you to check for bugs, and these services that will run them against common AV software and suggest ways to evade them. Then you can sell your malware to someone who will use the network of compromised sites they bought off someone else to build botnets, which they then sell time on to other people who are using them to send spam emails and perform DDoS attacks on behalf of *other* people.
The big AV companies have created a market of people who are behind a wall, but one that only exists as based on the guardianship of the AV maker. We know they are untrustworthy, and their very presence and size encourages this type of activity. Having a fairly consolidated market with a few vendors having a major share allows "hackers" to target those programs thus making these services useful to a wannabe testing out his exploit.
...selling to both sides in a war.
It would seem to me that, since most malware writers are essentially in competition with each other (as can be seen by past examples of malware that removes other, competing forms) that using a service like this would be against the best wishes of the attacker. I can only imagine that anyone who would provide a service like this would also be diversified enough to have their own stable of malware, and would gain value from having a copy of everything that gets submitted to them.
For your security, this post has been encrypted with ROT-13, twice.
You can also check out our site VirusZoo, that lets you safely test different viruses and malware on a shared virtual machine.
It's more for fun than a serious tool...
http://www.viruszoo.com/
Brian Krebs now has a blog. He has written some of the most consistently interesting, unique and accurate coverage of the internet [in]security world in the past few years. Subscribed.
Would it be possible to legally hold the company to their agreement? Having built up a few botnets several years ago (just for the sake of doing it, no spam/DDoS), I wouldn't trust them. It makes sense that the authors of malicious code wouldn't risk their creation on what could be a sting by AV companies without some sort of legal ramifications... Also, I couldn't imagine it would be *too* difficult to create your own antivirus sand beach for newly-created viruses to test themselves in. A lot of the aforementioned AVs are cheap or free for the sake of the advantages they would give and the edge one's malware could have.
I'm no malware writer, but I have to ask... how hard would it be to make self-modifying undetectable code? Essentially you'd have your malware executable, however many bytes of assembled code that do stuff. Then you'd insert various dummy instructions that are randomly chosen but cancel each other out throughout the code (so you might have an add instruction followed by a subtract instruction, etc.). Every time the malware installs itself on a new PC, it randomly creates a new set of dummy instructions.
So the malware would still have a constant codebase that is doing the work, but wouldn't the dummy instructions prevent anti-virus/anti-malware software from being able to "see" the executable? In a similar manner, any registry entries that the malware needs would be randomly chosen character strings. The server address that the malware uses to communicate with would be scrambled via a randomly chosen encryption key as well.
What I'm describing isn't hard at all: a basic project that a junior or senior CS student could easily complete.
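The filler the comment describes (randomly inserted instruction pairs that cancel each other) is exactly what a scanner neutralises by normalising before it matches, which is why such padding alone does not buy invisibility. The following is an added example, not code from the thread or from any product: a toy normaliser over textual assembly listings, in which the cancelling-pair table, the sample listings and the `write_reg` label are all constructed for illustration.

```python
import hashlib

# Mnemonic pairs that undo each other when they carry identical operands,
# e.g. "add ecx, 7" followed by "sub ecx, 7". Table constructed for this example.
CANCEL = {("add", "sub"), ("sub", "add"), ("inc", "dec"), ("dec", "inc"),
          ("push", "pop"), ("pop", "push"), ("not", "not"), ("neg", "neg")}
NOISE = {"nop"}  # single instructions with no effect on state

def parse(listing):
    """Turn a listing (one instruction per line, ';' comments) into (mnemonic, operands)."""
    out = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        mnemonic, _, operands = line.partition(" ")
        out.append((mnemonic.lower(), operands.replace(" ", "").lower()))
    return out

def normalize(instrs):
    """Strip no-ops and cancelling pairs (adjacent or nested) with a stack pass."""
    stack = []
    for ins in instrs:
        if ins[0] in NOISE:
            continue
        if stack and (stack[-1][0], ins[0]) in CANCEL and stack[-1][1] == ins[1]:
            stack.pop()                              # the pair undoes itself
        else:
            stack.append(ins)
    return stack

def signature(listing):
    """Hash of the normalised instruction stream: stable across dummy padding."""
    canon = "\n".join(f"{m} {o}" for m, o in normalize(parse(listing)))
    return hashlib.sha256(canon.encode()).hexdigest()

# Constructed sample: the same three real instructions, with and without filler.
ORIGINAL = "mov eax, [ebp+8]\nxor eax, 0x5A\ncall write_reg"
PADDED = """
    add ecx, 7        ; filler pair
    sub ecx, 7
    mov eax, [ebp+8]
    nop
    push ebx          ; nested filler: push/pop around inc/dec
    inc edx
    dec edx
    pop ebx
    xor eax, 0x5A
    call write_reg
"""

if __name__ == "__main__":
    print(signature(ORIGINAL) == signature(PADDED))  # True
```

Real engines do this on decoded machine code, usually under emulation, and interleaved (non-nested) pairs need data-flow analysis rather than a stack; this toy only shows why byte-exact hashing is the wrong baseline.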
But these people may be US citizens. Your procedure only applies to foreigners.
Wouldn't execution by robot, virus or worm be more fitting?
I could lock them in a room with my dogs. They would gas the SOBs.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
If you buy all those packages (besides pirating) at virustotal.com, it will cost far less than the $6000 which a Rolex costs.
That mob leader wears a Rolex watch, you know; it is not like he won't be able to buy dozens of antivirus and virtual machine solutions.
The days of "hacking for a bottle of Vodka" are really over, if they ever existed.
Virustotal should be a security organization's free service with costs shared by AV vendors rather than being an "underground" (???) service. It does nothing other than a real-life check of current antiviruses. If I were an AV vendor who trusted their solution, I would even donate a blade to them. Being the only vendor finding a virus in a suspected file can't be more decision-making than anything, including 1000s of white papers.
PS: If a black hat trusts that file scanner, he is more than dumb, since virustotal or any offline file checker (including clam or the stuff OS X users keep buying) doesn't have heuristics, which can only be performed on an up-and-running Windows OS.
Markets happen whether they're intended or not. They're as natural as water flowing downhill, even in ostensibly destructive fields. Capitalism is not more a "choice" than gravity is: what matters is how you deal with it.
Clearly, we don't have enough incentives to either 1) discourage these people from writing malware, or 2) encourage them to do other things.
There is an economy, but the players are all using layers upon layers of aliases. Inevitably there is a fresh mask on carnivore, and this is merely one of them. How could you possibly trust a service NOT to report a ZDE? Find one, submit it and see if it shows up in other scanners, or see if there are reports of anyone out there using it. The service could be a front for carnivore, a front for a virus broker, or a front for a majority vendor. The simple rule is this: if there is money to be made and this is the only principle protecting the submission, it is INEVITABLE that someone else will offer more. And if the price per submission is affordable, and the functions are advertised, then it's certainly not underground but engaging in some simple advertising.
Most hackers have heard of honeypots...
No, they should instead share a cell with men who have enlarged their penises, taken Viagra and are looking for a new relationship.
Software freedom is more important than software safety, just like everywhere else.
On a proprietary OS platform, it's only appropriate that the antivirus programs contain license restrictions against using them for evil, or using them to circumvent other users' need to buy their own copy and update subscriptions.
These programs already contain very restrictive EULAs. It's logical for them to contain a restriction against this type of abuse.
Otherwise... someone could just write a free "stub AV" everyone installs on their desktop, that uses an outsourced, online scanner to actually do all the file checking.
Then the manufacturer of the AV scanner loses all their business to the "outsourced AV programs"...
This is proprietary software. They profit by selling copies of the software, not by enabling as much freedom as possible.
Don't fool yourself into thinking you have software freedom, or that software freedom principles somehow apply to someone else's closed source, "pay for use, but restricted" software product.
All commercial AVs are in that category... in general, basically all AVs are in that category (except the likes of ClamAV)
Why not just make sure you DON'T get infected?
Being infected with malware, like falling for the various scams spread by spam, depends on a high level of stupidity and/or incompetence, and I have very little sympathy for such people.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Do you think underground vendors who are already doing questionable things like selling malware and selling infected machines will really care about using an unlicensed AV product?
Most likely all the AV they use is pirated anyway...
I have no doubt underground vendors are willing to do questionable things.
But it would at least help to force them to actually go underground, rather than use a publicly exposed website for anonymous scanning (without sample sharing); make their service harder for novices to access; increase the price.
And reduce the "legitimacy" or "credibility" of the service designed to facilitate malware authors.
The DMCA and various DMCA-inspired laws passed by various countries and the notion of 'takedown letters' really sucks, but maybe it can be put to one good use ...
The title says it all.
Vista and 7 are much less prone to malware infestation. Since Vista came out, I've seen less than a dozen compromised Vista computers... virtually all of my malware work is on XP.
That market is disappearing.
Why not just make sure you DON'T run Windows?
Being infected with Windows, like falling for the various scams spread by Microsoft, depends on a high level of stupidity and/or incompetence, and I have very little sympathy for such people.
WTF am I doing replying to an AC at 5 A.M. on a Friday night?
Yes, because an anti-virus scanner running on a single computer uses negligible resources, and a service that scanned people's computers remotely would scale wonderfully and make a huge zero-cost profit :-P
Wait, so you're saying that freedom is useless unless I have full freedom? I disagree; every small bit of freedom is a good thing. I don't think my software principles apply to proprietary AVs, but I think an AV that respects them even slightly more is better than an equivalent one that doesn't.
click
Help stamp out iliturcy.