Slashdot Mirror


75% of Malware Uploaded on 'No-Distribute' Scanners Is Unknown To Researchers (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, they remain unknown, US-based security firm Recorded Future reports, to security firms and researchers for longer periods of time. Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.

26 comments

  1. This is news? by slashmydots · · Score: 3, Informative

    So the title and summary make absolutely no sense. I read the article and they're saying that virus scanners that don't share malware samples with other companies do in fact not share malware samples with other companies? Reeeeeeeally? You don't say.

    1. Re:This is news? by omnichad · · Score: 1

      It's like they just figured out the reason these services are "no-distribute."

  2. Oh good grief by the_skywise · · Score: 4, Informative

    Can we at least have a summary that's actually a summary of the article and not that poorly written first paragraph which comes off as so much techno-babble?

    A multiscanner is a service like Google's VirusTotal that aggregates antivirus (AV) scanning engines into one big melting pot, allowing users to upload a suspicious file and scan it simultaneously on all the AV engines hosted on the service.

    If at least one of the multiscanner's engines finds the file suspicious, the service shares the result among all AV companies, allowing cyber-security firms insight on new types of malware that their engines are not currently detecting.

    On the other hand, a no-distribute scanner is a service similar to a multiscanner, only that its operators modify the AV engines so they cannot report back to their respective vendors, hence limiting their ability to see the malware uploaded on such a service.

    Although I'm not really sure what the article's point is - that no-distribute scanners are mostly used by criminals and therefore should have an open API? That's like saying speakeasies during prohibition should've posted their locations on local walls so everybody could share the info!

    1. Re:Oh good grief by Anonymous Coward · · Score: 0

      Why are you putting so much energy and angst into your request? This site is a shell of its former self. Ease up man, enjoy Slashdot out of habit, without even realizing you're coming here. That's my method. It's so much less stressful if you don't pay attention to anything here, while you're here.
      Fish got to swim,
      Bird got to fly.
      Man got to wonder
      Why, why, why.

      Peace.

  3. So ... the point? by fish_in_the_c · · Score: 1

    Is this article basically about the fact that people making malware are making more of it than is caught by the average virus detector? Is there a useful quantification here perhaps? Not my greatest area of expertise, but maybe I missed something.

    --
    "Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons."

    1. Re:So ... the point? by swb · · Score: 1

      That was my first thought, but upon closer(?) reading it sounds like "security researchers" aren't getting informed of these submissions because some of the scan engine owners are holding back the data.

      I'm trying to decide if "security researchers" means actual people with that as some kind of job title or whether it's small fries who have lost their free data feed.

    2. Re:So ... the point? by AHuxley · · Score: 1

      Think of each AV company having a pace and style of their own. When they get something from one of their users they will work on the results in their own time.
      When they are sure they are ready the update is released.
      Until then a lot of other researchers who could have helped work on the same malware have to wait until they too find the same in the wild.

      --
      Domestic spying is now "Benign Information Gathering"

  4. Re: by kurkosdr · · Score: 1

    Which of course highlights the futility of modern antivirus software. Malware writers will keep tweaking their code 'till Norton, Avast and McAfee check out. This makes the malware undetectable for most users. I just use Windows Defender (solely because it doesn't install any nasty kernel drivers that mess up the OS) and I just don't download unsigned junk or stuff from dubious vendors... Yes I pay for software now...

  5. Re: by AHuxley · · Score: 2

    That's nice if the only way malware gets pushed down into a computer is with users doing "download". Malware is pushed down via ads, sites, networks. No user to download software is needed.

  6. I'm gonna rewrite that with context. Here ya go: by Myself · · Score: 5, Informative

    That article was so horrendous, I'm going to attempt to rewrite it with more context:

    Malware authors want to slip their malware into a victim's PC undetected, which means they need to know, ahead of time, whether it will be detected by antivirus tools. So they scan it with antivirus tools. However, there are so many such tools (and it's difficult to know which one a victim might have), it's time-efficient to centralize the scanning. This is done with a "multiscanner", which is a website that runs a bunch of antivirus tools to inspect any file that a user uploads. The results from the (dozens of) scanning tools are presented to the user in a webpage.

    There are two kinds of multiscanners, however: Those run by/for the "good guys", where Jane Doe can go and upload a fishy file to see what the scan result looks like (as part of deciding whether she wants to run/install/trust it). These scanners send copies of uploaded files (at least, those which smell suspicious to a first-pass heuristic) to antivirus companies so they can be hand-evaluated, and folded into future detection signatures. If a malware author uploads their newest creation to check that it slips through undetected, chances are that a few hours later, that result will change!

    Aaaaand, those run by/for the "bad guys", which work just the same way, except they don't send copies of the fishy files back to AV companies. This is most useful to malware authors who want to make sure their payloads are still stealthy, without tipping their hand to the AV companies. Just like the other multiscanners, this type presents the results to a user in a web page.

    In either case, the link to the results page contains the checksum of the submitted file; it's just an easy way for such things to work.

    The article's central point is that this latter class of multiscanner is very popular. Sometimes, malware authors will share a link to their results page as a way of asserting that their payload is undetected by any scanners. By skulking around the seedier parts of the internet, looking at malware advertisements, researchers collected a lot of these links, and then looked for the checksums on other multiscanner sites. Only about 25% of them showed up in a timely fashion.

    [Ed. note: This can be improved by you, the reader, by uploading suspicious files to sites like Virustotal.]
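    The measurement this comment describes, as an added example (it is not code from the thread or from Recorded Future's report): a result link embeds a checksum of the submitted file, so given a pile of collected links you normalise the checksum out of each and ask a sharing multiscanner whether it already knows that hash. Every file, link and the "known hashes" set below is constructed; the set stands in for a real lookup against a service such as VirusTotal.

```python
"""
Added example (not from the thread or from Recorded Future's report): the
measurement comment 6 describes, in miniature. A scanner result link embeds
a checksum of the submitted file; given a pile of such links, normalise the
checksum out of each and ask a sharing multiscanner whether it already knows
that hash. All file contents, links and the "known hashes" set below are
constructed; the set stands in for a real lookup against a service such as
VirusTotal.
"""
import hashlib
import re
from urllib.parse import urlparse

# Hex digest lengths of the checksum types result links usually carry.
HASH_TYPES = {64: "sha256", 40: "sha1", 32: "md5"}

# A hex run of exactly 64, 40 or 32 chars that is not part of a longer one.
_HEX_RUN = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)


def file_hashes(data: bytes) -> dict:
    """All three digests a multiscanner lets you look a sample up by."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_from_link(link: str):
    """Pull (type, lowercase hex) out of a result link's path or query.
    Returns None when the link carries no recognisable checksum."""
    parsed = urlparse(link)
    runs = _HEX_RUN.findall(parsed.path + "?" + parsed.query)
    if not runs:
        return None
    hexstr = max(runs, key=len).lower()   # prefer the strongest hash present
    return HASH_TYPES[len(hexstr)], hexstr


def coverage(links, known_hashes):
    """Split the checksums found in `links` into those a sharing
    multiscanner already knows and those it has never seen."""
    seen, unseen = [], []
    for link in links:
        found = hash_from_link(link)
        if found is None:
            continue                     # malformed or hash-less link, skip
        _, hexstr = found
        (seen if hexstr in known_hashes else unseen).append(hexstr)
    return seen, unseen


def unknown_share(seen, unseen) -> float:
    """Fraction of collected samples that remain unknown to the multiscanner."""
    total = len(seen) + len(unseen)
    return len(unseen) / total if total else 0.0


# --- constructed sample data ------------------------------------------------
SAMPLE_FILES = {name: f"constructed sample {name}".encode() for name in "abcd"}


def run_sample():
    digests = {n: file_hashes(d) for n, d in SAMPLE_FILES.items()}
    # Result links as an author might paste them: mixed hash types, mixed case.
    links = [
        f"https://nd-scanner.example/result/{digests['a']['sha256']}",
        f"https://nd-scanner.example/result/{digests['b']['md5']}",
        f"https://nd-scanner.example/scan?id={digests['c']['sha1']}&v=2",
        f"https://nd-scanner.example/result/{digests['d']['sha256'].upper()}",
        "https://nd-scanner.example/result/not-a-checksum",
    ]
    # Stand-in for the sharing multiscanner's index: it has seen sample "a"
    # and indexes it under every digest type; the others it has never seen.
    known = set(digests["a"].values())
    seen, unseen = coverage(links, known)
    return {"seen": len(seen), "unseen": len(unseen),
            "unknown_share": unknown_share(seen, unseen)}


if __name__ == "__main__":
    print(run_sample())
```

    Running it on the constructed data gives one known and three unknown samples, i.e. an unknown share of 0.75; with real links the `known` set would be replaced by hash lookups against the multiscanner's API, and the md5/sha1 cases show why a lookup has to accept all three digest types rather than sha256 alone.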

  7. Re: by Anonymous Coward · · Score: 0

    Malware pushed by:

    Ads -- that's why we have Ad-Blockers ...
    Sites -- whatever that means ... I presume you mean via badly secured Web Browsers. That's why we have NoScript or equivalent (and do not use crap from Microsoft)
    Networks -- Don't know what this means.

    Yes, the user is required. The only type of "malware" that does not require user intervention is called a "worm", and there are very very very very very very very very few of those.

  8. Re: by AHuxley · · Score: 2

    AC the user does not have to approve an ad or what a "trusted" web site that is infected with malware does. Ad-Blockers work to block ads that are well understood.
    Script that link to another site will be blocked. What if the malware is the same site that's trusted?
    That's why good quality AV software is another wise product to support.
    As the malware attempts to change and stay deep in the OS, an AV product might just detect that new action. Then report that action and protect all other users of that AV product....
    Stopping expected ads and blocking other linked websites that are not trusted is not going to stop new malware that's part of a once trusted site.

  9. Re:I'm gonna rewrite that with context. Here ya go by Anonymous Coward · · Score: 0

    >[Ed. note: This can be improved by you, the reader, by uploading suspicious files to sites like Virustotal.]

    So I can improve the situation that malware authors are using other services? Other than redirect the "other" services to VT in my network there is nothing left to do. And there will be zero impact. The root problem is the open market for multi-av-scanners, and this cannot and should not be fixed. Even if you drain all the non-sharing sites, there is nothing you can do when an author decides to test it in their own closed environment with as many av-products as they like.

    >Sometimes, malware authors will share a link to their results page as a way of asserting that their payload is undetected by any scanners.

    Why even bother? It does not matter if it actually is a real multi-scanner service or just a husk that states everything is fine. The user can't tell the difference. This is a task for training.

    Overall the article just reads as a whiny "I don't get the biggest cut from the cake".

  10. Re: by Anonymous Coward · · Score: 0

    All modern computers have automatic OS updates and automatic browser updates and Flash pre-disabled. If you went out of your way to change those settings, you should live with the consequences.

  11. Re:I'm gonna rewrite that with context. Here ya go by Anonymous Coward · · Score: 0

    I wonder why the AV companies don't just run fake sites or take over the malicious ones with the help of authorities?

  12. Re: by AHuxley · · Score: 1

    Re "automatic OS updates" that can take a while and some testing with OS brands.
    Re "automatic browser updates" .. is not going to help the user later with a site they "trust" that's now spreading malware.
    Re "the consequences".. Invest in some good AV and the user could be protected. If not at least the malware is discovered...

  13. VirusTotal & AV do false positives galore... a by Anonymous Coward · · Score: 0

    See subject: I had 'em rescinded/cleared on 9 false positives of ~70 total on https://linux.slashdot.org/comments.pl?sid=12245954&cid=56806764/ w/ Mr. Steven Burn of Malwarebytes help.

    They were baidu, arcavir, clamav, comodo, mcafee, nod32/eset, norton, sophos, & trend.

    A few above in a later version of my work REPEATED THAT MISTAKE AGAIN, no less, lol - had it removed on the fact they MADE THAT MISTAKE BEFORE (& admitted it to myself & Mr. Burn) but have NOT altered their faulty "rules" for detection!

    Sentinelone, emsisoft (cleared), qihoo360 (cleared) + crowdstrike later did in later builds of it too on INCORRECT GROUNDS as they did before also (using exe compression - that does NOT make a program a 'virus' @ all - heck, my work is VIRUS-PROOF by checking itself for size change in EVERY function/procedure no less & if it changes by even 1 byte (no virus attaching @ program tail to alter jmp tables is THAT small), it shuts down signalling users to reload it) - they removed the false accusation 1 by 1.

    * They're FAR from perfect on their detection rates AND RULES (& ask Tavis Ormandy how "SOLID" their code is (lol, it's FAULTY AS HELL full of security issues too no less)).

    APK

    P.S.=> I do agree that ALL security lists should be more complete AND CONSOLIDATED into 1 place, hence WHY I built my Hosts program to help w/ that for END USERS but it doesn't cover SECURITY SITES (they are a GREAT SOURCE) like securi for instance (& 25 others I scan daily for malicious servers/sites) - it'd be NICE to see a SINGLE SITE that consolidates them all... apk

  14. BEST ad & THREAT (of most all kinds) blocker by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address (that most firewalls use)) more efficiently/FASTER + NATIVELY 4 less!

    (... Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

    * Created in FreePascal/Lazarus 1.8.2 using GTK3 on OpenGL 3.1 via KDE Plasma desktop on Kubuntu 18.04 plus patches.

    APK

    P.S.=> Enjoy - it's much better vs. the Windows model on many fronts (speed & efficiency, mostly (plus new "merge" feature))... apk

  15. Registered /.ers opinions of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    (APK's work), I've flat out said it's good by BronsCon February 11 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * See subject: Best part is this Linux 64-bit model is faster & more efficient (does 2x the work in 1/2 the time, literally)

    APK

    P.S.=> Enjoy a faster/safer/more reliable internet... apk

  16. Re:BEST ad & THREAT (of most all kinds) blocke by Anonymous Coward · · Score: 0

    Shit for brains APK lies. Since the malware described here is unknown to researchers it would also be unknown to his pathetic host files. It will be time for him to try and deflect criticism away once he realizes that he has been called out. I guess he really wants to lose some more. If you really want to make him look dumb bring up false negatives.

  17. I block sources of malware... apk by Anonymous Coward · · Score: 0

    See subject & realize MANY malware share servers (ones I've blocked LONG ago) & I get the new ones as soon as possible too!

    See - I've been following HOW malware online works for decades (since 1997) & see the fact I just noted from roughly 50 total reputable security sites I monitor daily - & when they provide the hostnames to block the sources of these infectors, I put them into my hosts file (& my program allows users to do the same, for free).

    * You should TRY to create something as useful yourself (obviously you LACK THE SKILL to do so, "Jealous JOWIE" (lol)) vs. STALKING ME by UNIDENTIFIABLE anonymous posts & being a WASTE on your part...

    APK

    P.S.=> If ANYONE's LOSING, it's you (including losing your MIND (such as it is, "InFeRiOr OnE", lol))... apk

  18. Re:VirusTotal & AV do false positives galore.. by Anonymous Coward · · Score: 0

    Yet they still provide better security than your shitty little blacklist ever could. For someone who claims to be as great as you do it sure seems like it takes a phenomenally long time for you to port a program that combines several lists of strings into one, sorts that list, eliminates duplicates, and writes it to a file. Your skills aren't what you claim and your knowledge of security is severely limited. Hosts only stops a very small set of attacks long after they were initially launched.

  19. Tavis Ormandy shows differently... apk by Anonymous Coward · · Score: 0

    Tavis Ormandy found TONS of security issues in almost EVERY antivirus program (others found more since) & sources are blocked so YOU CAN'T BE INFESTED!

    No POINT in antivirus program then!

    I ran Windows 7 for the past 7 yrs. w/ NO ANTIVIRUS slowing me (hosts speed you up 2 ways by comparison in adblocking & doing local resolution (faster vs. remote DNS by FAR)) & NEVER infested.

    * I get sources threats as FAST as possible & my program does MORE than you state & does it BETTER vs. ANY PROGRAM OF THIS KIND (15 popped up after mine on Windows, mine's the original) in checking valid tld/gtld, providing local resolution of sites you spend MOST time @ (faster & safer vs. DNS security redirect poisonings & tracking logs), & more, for less.

    APK

    P.S.=> Most threats use hostnames vs. IP addresses (that most firewalls are limited to) & there is NO QUESTION I stop attacks galore via hosts... apk
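    A hosts-blocklist merger of the kind comments 18 and 19 describe (combine several lists, normalise entries, drop duplicates and invalid names, check the TLD, sort, write a hosts file), as an added example that is not code from the thread or from the APK program it argues about. The input lists are constructed, and `KNOWN_TLDS` is a tiny stand-in for the public-suffix list a real tool would consult.

```python
"""
Added example, not code from the thread or from the APK program it argues
about: a hosts-blocklist merger of the kind comments 18 and 19 describe
(combine several lists, normalise entries, drop duplicates and invalid names,
sort, write a hosts file). The input lists are constructed, and KNOWN_TLDS
is a tiny stand-in for the public-suffix list a real tool would consult.
"""
import re
from ipaddress import ip_address

KNOWN_TLDS = {"com", "net", "org", "info", "co.uk"}        # constructed stand-in
NEVER_BLOCK = {"localhost", "localhost.localdomain"}       # would break the host itself

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _is_ip(token: str) -> bool:
    try:
        ip_address(token)
        return True
    except ValueError:
        return False


def has_known_tld(host: str) -> bool:
    """True if some proper suffix of the name is a TLD we recognise."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in KNOWN_TLDS for i in range(1, len(labels)))


def normalise_hostname(token: str):
    """Lowercase, strip a trailing dot, and reject anything that is not a
    syntactically valid multi-label hostname under a known TLD."""
    host = token.lower().rstrip(".")
    if _is_ip(host) or host in NEVER_BLOCK:
        return None
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return host if has_known_tld(host) else None


def hostnames_from_line(raw: str):
    """Accept both plain-hostname lines and hosts-file lines
    ('0.0.0.0 host [host ...]'); comments and blanks yield nothing."""
    text = raw.split("#", 1)[0].strip()
    if not text:
        return []
    tokens = text.split()
    if len(tokens) > 1 and _is_ip(tokens[0]):
        tokens = tokens[1:]               # drop the address column
    return [h for h in map(normalise_hostname, tokens) if h]


def merge_lists(lists, safelist=()):
    """Union of all valid hostnames across `lists`, minus the safelist, sorted."""
    hosts = set()
    for text in lists:
        for line in text.splitlines():
            hosts.update(hostnames_from_line(line))
    hosts.difference_update(h.lower() for h in safelist)
    return sorted(hosts)


def render_hosts(hosts, sink="0.0.0.0") -> str:
    """Hosts-file text; 0.0.0.0 fails fast instead of waiting on a local port."""
    lines = [f"# merged blocklist: {len(hosts)} hosts"]
    lines += [f"{sink} {h}" for h in hosts]
    return "\n".join(lines) + "\n"


# --- constructed sample lists -----------------------------------------------
LIST_A = """\
# constructed list A, hosts-file style
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
"""
LIST_B = """\
# constructed list B, plain hostnames
Ads.Example.COM          # same as list A, different case
malware.example.org.     # trailing dot
192.0.2.10               # bare IP: a hosts file cannot block it
bad_host.example.com     # underscore is not valid in a label
phish.example.invalid    # TLD unknown to the toy check
"""
LIST_C = "0.0.0.0 cdn.example.co.uk extra.example.com\n"


def run_sample():
    return merge_lists([LIST_A, LIST_B, LIST_C], safelist={"cdn.example.co.uk"})


if __name__ == "__main__":
    print(render_hosts(run_sample()), end="")
```

    The safelist is the piece a merger most needs and most often lacks: a blocklist that swallows a CDN or an update host breaks things silently, so the merge removes safelisted names after deduplication, and names such as `localhost` are refused outright. Bare IPs are dropped because a hosts file maps names, not addresses, which is exactly the gap the thread's "hostnames vs. IP addresses" argument turns on.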

  20. Re:I'm gonna rewrite that with context. Here ya go by Anonymous Coward · · Score: 0

    nothing about sharing my confidential file with a bunch of other companies means "good guys" ... It's called privacy, and normal people might want some of it when scanning their damn files

  21. Re:I'm gonna rewrite that with context. Here ya go by CODiNE · · Score: 1

    Interesting right after the news of the recent no-distribute scanner bust I see Dave Aitel asking around on his mailing list for any alternative sites. That's right, there's also "good guys" using these scanners to write up offensive security tools. This just brings back the old argument that it's not the tool which is good or evil but how it's used. (Arguments against offensive security apps notwithstanding)

    --
    Cwm, fjord-bank glyphs vext quiz
  22. Re:I'm gonna rewrite that with context. Here ya go by Anonymous Coward · · Score: 0

    Nicely put, I understood the article as a net/sysadmin but I am not heavy into the security side of the house. Are these no-distro scanners essentially sandboxes like offline Cuckoo servers? Or are they more than a Cuckoo?

    These NGAV & 0day prevention heuristic solutions and DFIR (since VT was mentioned, Google Rapid Response DFIR for example) scraping the environment for running hashes seem good to trap your run-of-the-mill malware. But sophisticated malware and things like process doppelganger announced at Black Hat 2017, which I was surprised process/thread forking wasn't common before..?
    Evilwrap repacker exes is cheesy as a DDoS for 2018, but the doppelganger I was surprised not to be known in the wild sooner.

    lazy non logged in admin vs anonymous coward