Jump to content

75% of Malware Uploaded on “No-Distribute” Scanners Is Unknown to Researchers


steven36

Recommended Posts

Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, they remain unknown to security firms and researchers for longer periods of time.

 

Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.

What are multiscanners and no-distribute scanners?

A multiscanner is a service like Google's VirusTotal that aggregates antivirus (AV) scanning engines into one big melting pot, allowing users to upload a suspicious file and scan it simultaneously on all the AV engines hosted on the service.

 

If at least one of the multiscanner's engines finds the file suspicious, the service shares the result among all AV companies, allowing cyber-security firms insight on new types of malware that their engines are not currently detecting.

 

On the other hand, a no-distribute scanner is a service similar to a multiscanner, only that its operators modify the AV engines so they cannot report back to their respective vendors, hence limiting their ability to see the malware uploaded on such a service.

 

As you'd image, no-distribute scanners are quite in demand on the cyber-criminal underground, and they have been in demand for years, with several services appearing and disappearing across the years, some going down on their own, while others after law enforcement intervention [1, 2, 3].

 

https://s7d1.turboimg.net/sp/941cdc8ffb39a42f961f77d0bdc07546/no-distribute-scanners-timeline.png

 

No-distribute scanner data is hard to come by

But besides not sharing data with AV makers, no-distribute scanners have another downside, and that's the fact they don't provide APIs or open their data to outsiders.

 

As such, the only way someone would know what has been uploaded and scanned on a no-distribute scanner is by having a direct link to a scan result.

 

Such links are only available if malware authors who are advertising their malware share the results on forums, marketplaces, Telegram channels, private websites, or in other places.

 

Collecting these links is what Recorded Future, a US-based cyber-security firm, has been doing in the past months. From January 1, 2018, to May 18, 2018, the company's experts have been gathering such links and comparing the MD5 hashes of the scanned files with the files scanned on multiscanners like VirusTotal.

 

"Only 25 percent [of these files] can be found on at least one traditional multiscanner, while the remaining 75 percent have never been seen," Recorded Future experts said in a report last week.

 

"Of the 25 percent [files] detected by multiscanners, 45 percent were first seen by a no distribute scanner and 55 percent were first seen by a traditional multiscanner," they added.

 

https://s7d7.turboimg.net/sp/9e3948c5d1b5cd584088563f7af5559e/no-distribute-scanners.png

 

Malware authors know better by now

The results can be interpreted in various ways. First and foremost, this means that most malware authors are generally aware of the fact they should not upload their malware on multiscanners, especially in the in-dev and post-launch stage of their malware's development cycle.

 

Those who do might find that AV engines might become fully-aware of their tools and have detection rules in place by the time they deploy their malware in real-world campaigns, or just hours or days after they've started distribution efforts.

 

These results also show that cyber-security firms do not have all the answers, and creating a good antivirus engine is not always enough.

 

Most companies will also need an astute threat intelligence hunting team that can track down these links wherever they might be shared and add detection for malware not uploaded on places like VirusTotal.

 

Source

Link to comment
Share on other sites

  • Replies 4
  • Created
  • Last Reply
17 hours ago, humble3d said:

YES, I KNOW FAR LESS THAN WHAT I DON'T KNOW...

AND SO IT GOES...:huh:

Before Google bought out VT everyone use to upload to VT ..  now days i don't bother very often   I just use  NOD32 and  if it flags something ill check because i know more scanners will have it ..It's like a 75% chance they want have it at all, by the time scanners get it within  a few days they all have it and if you have real time anti malware  it can prevent it, and this is the reason malware witers stop uploading to there , vendors are notified of malware  i think they pay for this service even , if you're a small startup they want even let you in ,  if you are already infected best thing to do is reformat to make sure  it's gone .  The way  Google censor malware results  on the WWW now ,were you cant even hardly find them unless you pay for there service or upload it yourself no wonder no one uses it hardly anymore,  they hoard all the data for the government , big companies and themselves . 

 

People who use cracked software and upload to VT are kind of like Kodi users that complain  to there ISP that there pirate streams want play . If and AV knows you're using cracked most are going to flag it . Avast does it all the time you upload it to VT it will be fine ,  2 weeks latter it will be flagged lol. :tooth:

Link to comment
Share on other sites

  • Administrator
48 minutes ago, steven36 said:

Before Google bought out VT everyone use to upload to VT ..  now days i don't bother very often   I just use  NOD32 and  if it flags something ill check because i know more scanners will have it ..It's like a 75% chance they want have it at all, by the time scanners get it within  a few days they all have it and if you have real time anti malware  it can prevent it, and this is the reason malware witers stop uploading to there , vendors are notified of malware  i think they pay for this service even , if you're a small startup they want even let you in ,  if you are already infected best thing to do is reformat to make sure  it's gone .  The way  Google censor malware results  on the WWW now ,were you cant even hardly find them unless you pay for there service or upload it yourself no wonder no one uses it hardly anymore,  they hoard all the data for the government , big companies and themselves . 

 

People who use cracked software and upload to VT are kind of like Kodi users that complain  to there ISP that there pirate streams want play . If and AV knows you're using cracked most are going to flag it . Avast does it all the time you upload it to VT it will be fine ,  2 weeks latter it will be flagged lol. :tooth:

 

I will not fully rely on that though. I have found that some AVs do indeed miss badware and some of them take time to catch up to it.

Link to comment
Share on other sites

1 hour ago, DKT27 said:

 

I will not fully rely on that though. I have found that some AVs do indeed miss badware and some of them take time to catch up to it.

You better not put much faith in any scanner the last time i got infected with malware was like 2008 was a keygen for winzip  that i downloaded from p2p packed in a scene release when i put it on virus total only 2 scanners flagged it  once you clicked on the keygen if you had 99% of scanners it was too late and almost every keygen has one or two false positives  and now days much more. Most malware writers pack  it so they want detect it. I sent it off  to another site  back then were tested it they knew what it was. Some of the older members here remembers this happening . Scanning something to Virus Total is not testing for malware it dont check the file to see what it does. Only the scanners have the signatures on virus total once someone has tested it in a lab.

 

My firewall  and winpatrol detected it  was the reason i knew i had been infected . my antivirus failed. now days there much smarter than they was back then they no longer upload to VT. If you have a good interactive Firewall  like i do on windows now,  nothing can call home unless you allow it or connect to the net without you knowing it.  Back in the early 2000s people got infected all the time using antivirus because Windows xp came with a crappy firewall.So a good firewall is more important than a AV  even  . And most noobs don't know how to a use a interactive Firewall  they use these set it and forget it jobs . Windows firewall  only blocks inbound by default  and some devs have figured out how to make installers   that can get around this . Potplayer  installer will write allow rules to you're inbound  and you're  windows firewall want even warn you.and outbound has free reign and it cant block outbound  unless you turn outbound on or use a piggy back or 3 party full firewall.   I don't use a antivirus at all on Linux just browser security addons  , conman sense and a firewall  and i been fine without a AV.

 

I don't use windows software in Linux ether i only use Linux software in Linux   all windows software i use on Windows witch I have scanned with NOD32 and malwarebtyes and pass my firewall  that it's OK. Malwarebtyes is full of false positives with cracks  too  so you have to  test it with a firewall  and use conman sense . I try to stay away from cracked apps that need internet nowadays  unless it's  just a  trial rest , keygened or a serial . Its just like all these cracked YouTube downloaders there not needed there open source ones that work better. If i know the crackers work then its not a problem but most stuff that goes online has a server check and will be nuked on and a update so unless it has a trial reset you better off buying it if you need it.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...