MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

26.11.09

Russian service online to check the detection of malware

One thing that concerns the creators and distributors of malware is whether antivirus products are able to detect their binaries and thus ruin their economic plans.

One possible way to test how well antivirus engines detect these binaries is to upload them to sites like VirusTotal, which to date uses 41 different antivirus engines. The big problem for them is that these sites usually work in collaboration with antivirus companies, feeding the submitted samples back to them. Therefore, although at the time of analysis only a few of the antivirus engines (or none, at worst) may be able to identify the malicious qualities of the binary in question, the detection rate will most likely climb to full coverage in a short space of time.

This has opened a business niche, and in May this year posts appeared in various forums announcing a new service (free at the time) for analyzing the level of detection without alerting the antivirus houses. VirTest was born.


Currently this page, of Russian origin (although it has an English version), offers 26 different antivirus engines, with the possibility of choosing which ones should be used to check the sample. Here you can see the list of antivirus engines and their respective versions. The website specifies in detail how often each antivirus is updated, which depends on each company's policy for publishing new signatures.

The analysis of a binary displays a table showing which antivirus engines recognize the malicious code and which do not. Clicking the link on the file name opens a box where we can see information about the file type and size, different hashes of the file and information on its structure (if it is an .exe), among other things.

If we then click on the link "See file", a fragment of the file itself, 1000 bytes in size, is displayed.
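The file information described above (size, hashes, type and structure of an .exe, and a fragment of the raw bytes) is the same triage data an analyst produces locally before deciding what to share with a vendor or look up in threat intelligence. The following script is an added example written for this article, not code from VirTest or from the blog; it hashes a sample, recognizes a PE file by its MZ stub and PE signature, reads the COFF header, and hexdumps the first 1000 bytes. The `build_fake_pe()` sample is constructed for the demonstration (a bare header skeleton, not a real program), and the machine-type names are an assumption limited to four common values.

```python
import hashlib
import struct

# COFF machine values we recognise; anything else is reported as hex.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample as lowercase hex strings."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_info(data: bytes):
    """Parse the DOS header pointer (e_lfanew) and the COFF header of a PE file.

    Returns a dict with machine, section count, timestamp and flags, or None when the
    bytes are not a PE file (no MZ magic, e_lfanew out of range, or no PE\\0\\0 signature).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 4-byte signature plus the 20-byte COFF header must fit inside the file.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections, timestamp, _symtab, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "is_dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }


def hexdump(fragment: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump of a byte fragment."""
    lines = []
    for off in range(0, len(fragment), width):
        chunk = fragment[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


def describe_sample(data: bytes, fragment_size: int = 1000) -> dict:
    """Summary in the spirit of the article: size, hashes, type, PE structure, first bytes."""
    pe = pe_info(data)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "type": "PE executable" if pe else "unknown",
        "pe": pe,
        "fragment": data[:fragment_size],
    }


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ/PE header skeleton, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    # Machine x86, 2 sections, timestamp 0, no symbols, 224-byte optional header,
    # characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 100


if __name__ == "__main__":
    for label, sample in (("fake-pe.bin", build_fake_pe()), ("notes.txt", b"just some text")):
        info = describe_sample(sample)
        print(label, info["size"], "bytes,", info["type"], info["hashes"]["sha256"])
        if info["pe"]:
            print("  PE header:", info["pe"])
        print(hexdump(info["fragment"][:32]))
```

Hashing locally is the cheap first step: a hit on an already-known hash answers the question without submitting the file anywhere, and the header fields (machine, section count, DLL flag, timestamp) are the ones that most often contradict what a file's name or extension claims.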

However, the added feature that sets this service apart from similar ones is the ability to analyze crimeware of the Exploit Pack type by giving the URL where it is hosted.

In the words of the service's FAQ, it does not really check the script itself but the resulting code that would be received by different types of browsers. The tests are performed with Firefox, IE6, IE7, IE8, Opera and Chrome.

Clicking on any of the links opens the box described earlier, extending the analysis information.

To perform one of these tests it is necessary to create an account and have funds in it, since it has become a paid service with the following prices:

Payments are made exclusively via WebMoney. There is at least one other similar service that is free and currently in beta. We suppose it will soon become a paid service too.

In summary, this is further evidence that not only does the exploitation of malware generate profits, but money also moves in parallel through services to this industry. And in some cases, like the present one, it remains to be seen whether this service can be considered a criminal act or not.

Related information
Software as a Service on the malware industry
Creating Online PoisonIvy based polymorphic malwar...
Panorama actual del negocio originado por crimewar...
Prices of Russian crimeware. Part 2

Ernesto Martín
Malware Research
Pistus Malware Intelligence

4 comments:

KLESK said...

"In summary, further evidence that not only the exploitation of malware generates profits but also moves parallel money on services to
this industry. And in some cases like the present one, have to see if you can consider this service as a criminal act or not."

Wow, and why would this service be a criminal act?

It's clear to me that someone has a year of work in a software like this scanner and he wants to make money with it.
If you don't like it, don't use it. No one forces you to pay for it or submit files there, but since I see you are a little wanker
blogger who does not respect others' work, I'm giving it to you straight.

You have no inside experience in the antivirus industry whatsoever, otherwise you would know that VirusTotal distributes 200K files/day
to antivirus companies for FREE. AV companies are shit on online scanners; they wouldn't even contact you if you asked them about file
distribution and they definitely wouldn't support an online scanner, so what else can these services do to remain online?

Before criticizing others' work, put something down on the table, little frustrated shit...

Jorge Mieres said...

Dear, I understand your concern. Anyway, I tell you that at no time have we said that this is a criminal act; we leave that assessment to the people using it, who certainly aren't antivirus companies, as they are with services like VirusTotal.

Still, the security industry is often governed under the banner of ethics, and precisely what is evident through this "service" is that ethics doesn't matter (nor is it important for cyber-criminals). Consequently, what we are talking about is the intention that lies behind this.

Otherwise, why not a free service? Why not make it available so it can be used by the security community? Why not report this situation to antivirus companies?

Sorry if this caused offense against your person, but I still see the reason for that offense. The user still decides whether to use it or not, but I can assure you that those who use it daily aren't computer security professionals but criminals, who often make Exploit Packs and other crimeware available for clandestine sale.

Developers... yes they are, and they would certainly be much more productive if that effort were applied by those of us who work across the sidewalk and publish this information, not randomly but after a preliminary investigation that endorses what is published.

I hope you understand, because I think we can all live together in the same ecosystem. If I can convince you, better; otherwise we will continue to exchange views healthily. And yet this does not mean one knows more than the other, because the issue does not lie there, so any campaign to introduce a rumor, misinformation or any act that attempts to put our credibility into question will not work.

I send warm greetings and thanks for the information.

kaleida said...

Good article, thank you!

giedrius majauskas said...

There is one "valid" reason not to submit the files to tools that submit to AV companies:
you are working with one of them and you do not want the competition to get the sample or info about it.
It is unlikely, though:
a) you would have enough in-house facilities to test;
b) you would use credit cards for payment.
