Online Services Let Virus Writers Check Their Work

Posted by ScuttleMonkey
from the better-faster-stronger dept.
An anonymous reader writes "Former Washington Post Security Fix blogger Brian Krebs has launched a new blog at krebsonsecurity.com, and his first story highlights a pair of underground antivirus scanning services that cater to virus writers. Scanning services like virustotal.com scan submitted files against dozens of antivirus products, and share the results with each of the vendors so that all benefit from learning about threats they don't yet detect. But there are a number of budding online services that allow customers to pay per scan, and promise that the results will never get reported back to the antivirus companies. One service even tests how well web site 'exploit packs' are detected, while others promise additional layers of protection. 'The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine.'"

  • Inevitable (Score:5, Informative)

    by Spad (470073) on Friday January 01, 2010 @02:11PM (#30615112) Homepage

    As I've said before on this subject, there's a whole economy around spam, website exploits and malware, you've got people who will QA your malware for you to check for bugs and these services that will run them against common AV software and suggest ways to evade them. Then you can sell your malware to someone who will use the network of compromised sites they bought off someone else to build botnets which they then sell time on to other people who are using them to send spam emails and perform DDOS attacks on behalf of *other* people.

    • Any Reason... (Score:1, Flamebait)

      by sycodon (149926)

      ...these people should not be hunted down and sent to Gitmo for some water boarding then a firing squad?

      • Re:Any Reason... (Score:5, Insightful)

        by MrMr (219533) on Friday January 01, 2010 @02:59PM (#30615376)
        But these people may be US citizens. Your procedure only applies to foreigners.
        • Re: (Score:1, Troll)

          by sycodon (149926)

          When my machine gets infected, I don't care who they are. Just on principle, they should be shot.

          • by RobertLTux (260313)

            Hanging is good, swords are good, you need to do this in a "green manner"

          • by Bert64 (520050)

            Why not just make sure you DONT get infected?
            Being infected with malware, like falling for the various scams spread by spam, depends on a high level of stupidity and/or incompetence and I have very little sympathy for such people.

            • Why not just make sure you DONT run windows?
              Being infected with windows, like falling for the various scams spread by microsoft, depends on a high level of stupidity and/or incompetence and I have very little sympathy for such people.

      • I remove malware for a living. Because I work in strangers' houses in unfamiliar neighborhoods, I also carry a large powerful handgun [glock.com].

        If I met someone who credibly claimed to be an author or distributor of malware, I fear I might "lose" several 80-cent bullets [doubletapammo.com]...
    • Re:Inevitable (Score:5, Insightful)

      by Nikker (749551) on Friday January 01, 2010 @04:05PM (#30615808)
      Black hats are notorious for being paranoid when it comes to "sharing". Why would any of them even bother when they could just as easily set up multiple VM's with different OS's and different anti virus solutions and test them out in close to real time? How can they trust that these sites won't rat them out? How can they trust a similar service isn't set up as a honey pot for this very reason? It might scare Jane and Jon Q Public but in reality it's not going to make much of a difference overall. Why should someone trust the guy on the other end of the Internet that they won't expose them and their little virus baby to the big bad corporate overlords?
      • by jonbryce (703250)

        Indeed. I thought sites like virustotal existed to enable people to test their warez against different virus scanners to get a second opinion as to whether or not they were infected, or safe to install on their machine.

    • Markets happen whether they're intended or not. They're as natural as water flowing downhill, even in ostensibly destructive fields. Capitalism is no more a "choice" than gravity is: what matters is how you deal with it.

      Clearly, we don't have enough incentives to either 1) discourage these people from writing malware, or 2) encourage them to do other things.

    • HONEYPOT (Score:3, Insightful)

      by Sleen (73855)

      There is an economy, but the players are all using layers upon layers of aliases. Inevitable is a fresh mask on carnivore and this is merely one of them. How could you possibly trust a service NOT to report a ZDE? Find one, submit and see if it shows up in other scanners or see if there are reports of anyone out there using it. The service could be a front for carnivore, a front for a virus broker, or a front for a majority vendor. The simple rule is this: if there is money to be made and this is the

      • by AHuxley (892839)
        Your local fence was on a state task force or fed?
        Your fellow anti war protester was a local cop or fed.
        Your mid ranking dealer was working for a state task force or fed?
        Your 'adult' forum had a few admins, one was on a state task force or fed?
        Your CC and hacking forum was a total state task force or fed set up?
        Your virus all in one test site was a state task force or fed IP trap.
        Same old games, digital age :)
  • Makes sense (Score:5, Insightful)

    by WiiVault (1039946) on Friday January 01, 2010 @02:11PM (#30615114)
    The big AV companies have created a market of people who are behind a wall, but one that only exists as based on the guardianship of the AV maker. We know they are untrustworthy, and their very presence and size encourages this type of activity. Having a fairly consolidated market with a few vendors having a major share allows "hackers" to target those programs thus making these services useful to a wannabe testing out his exploit.
    • by leuk_he (194174)

      Since these AV monopolies are untrustworthy, why would they not have proactively created these "scan and burn" sites? The best way to gather signatures is to get them directly from the source in these scan services.

      • by WiiVault (1039946)
        I was actually simply referring to the past nefarious actions on their part and the fact that their software is mostly a bloated joke which slows down most PCs just as much as the adware it's meant to remove.
  • by greg_barton (5551) on Friday January 01, 2010 @02:28PM (#30615192) Homepage Journal

    ...selling to both sides in a war.

  • Honor among thieves (Score:5, Interesting)

    by Shoten (260439) on Friday January 01, 2010 @02:31PM (#30615210)

    It would seem to me that, since most malware writers are essentially in competition with each other (as can be seen by past examples of malware that removes other, competing forms) that using a service like this would be against the best wishes of the attacker. I can only imagine that anyone who would provide a service like this would also be diversified enough to have their own stable of malware, and would gain value from having a copy of everything that gets submitted to them.

    • There is value to the aging script-kiddie (now a daddy) in becoming a productive member of society as a "virus tester". Alternatively, it is not disadvantageous for the community-minded hacker to make his malware get along with others rather than compete.
  • VirusZoo (Score:5, Interesting)

    by skyriser2 (179031) on Friday January 01, 2010 @02:34PM (#30615240)

    You can also check out our site VirusZoo, that lets you safely test different viruses and malware on a shared virtual machine.

    It's more for fun than a serious tool...

    http://www.viruszoo.com/ [viruszoo.com]

  • by IamTheRealMike (537420) <mike@plan99.net> on Friday January 01, 2010 @02:47PM (#30615304) Homepage
    Brian Krebs now has a blog. He has written some of the most consistently interesting, unique and accurate coverage of the internet [in]security world in the past few years. Subscribed.
    • by oasisbob (460665)

      Indeed. I started crying like an eight year old girl when I heard he was leaving WaPo. His coverage has been excellent, especially on things like banking security, the Heartland breach, etc.

      I stopped sobbing when I heard he was going to start blogging instead.

  • Would it be possible to legally hold the company to their agreement? Having built up a few botnets several years ago (just for the sake of doing it, no spam/DDoS), I wouldn't trust them. It makes sense that the authors of malicious code wouldn't risk their creation on what could be a sting by AV companies without some sort of legal ramifications... Also, I couldn't imagine it would be *too* difficult to create your own antivirus sand beach for newly-created viruses to test themselves in. A lot of the afor
    • by Bert64 (520050)

      If you're doing something as illegal as creating a botnet for the purposes of spam/ddos, then the additional illegality of pirating a bunch of av products isn't a huge stretch...
      As for a sting, most malware authors these days continually make new changes to their malware, often very simple changes can render something undetectable and extend the lifetime of a particular codebase.

  • I'm no malware writer, but I have to ask...how hard would it be to make self-modifying undetectable code? Essentially you'd have your malware executable, however many bytes of assembled code that do stuff. Then you'd insert various dummy instructions that are randomly chosen but cancel each other out throughout the code. (so you might have an add instruction followed by a subtract instruction, etc). Every time the malware installs itself on a new PC, it randomly creates a new set of dummy instructions.

    • It is possible, look up polymorphic code. I've seen it implemented personally by my mentor though I've never worked with it myself. Neat stuff.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      The main problem is: if a virus infects the same PC over and over, possibly 1000s of times, it slows down too much, limiting the chance of infecting other victims or simply crashing the target completely. This means your malware should have a way to detect its own self, and stop deploying. This, in turn, means you need a signature or something very much like it.

    • You have one little problem: the program has to know which instructions cancel out. So you probably have a list of pairs in there somewhere. As soon as that is known, the program can be normalized back to the "core code". The other problem is that you would have to be very careful to remove the canceling instructions in the virus before you rescramble it, or the size would quickly get prohibitively large.

      The randomly chosen registry keys won't help you, you have to get the thing to be executed, so you have
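The normalization idea in this comment, as an added example that is not from the page or any of its commenters: a small Python pass that strips self-cancelling pairs (and nops) from a constructed instruction listing using a known pair table, so a junk-padded variant reduces to the same core sequence and hash as the clean one. The CANCELLING table, the parser and the two sample listings are all assumptions constructed for the example.

```python
import hashlib

# Mnemonic pairs that undo each other when adjacent on identical operands.
# Constructed for this example, not taken from any real normalizer.
CANCELLING = {("add", "sub"), ("sub", "add"), ("inc", "dec"), ("dec", "inc"), ("push", "pop")}

def parse(listing):
    """'mnemonic op1, op2 ; comment' lines -> list of (mnemonic, operands)."""
    insns = []
    for line in listing.splitlines():
        line = line.split(";")[0].strip()      # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            ops = tuple(o.strip() for o in parts[1].split(",")) if len(parts) > 1 else ()
            insns.append((parts[0].lower(), ops))
    return insns

def cancels(first, second):
    """True when `second` undoes `first`: inverse mnemonic, same operands."""
    return (first[0], second[0]) in CANCELLING and first[1] == second[1]

def normalize(insns):
    """Stack-based pass: nested junk (push/add/inc/dec/sub/pop) collapses inside-out."""
    core = []
    for insn in insns:
        if insn[0] == "nop":                   # pure padding, no effect
            continue
        if core and cancels(core[-1], insn):
            core.pop()                         # the pair annihilates
        else:
            core.append(insn)
    return core

def signature(insns):
    """Hash of the instruction text, standing in for the 'signature' the thread debates."""
    return hashlib.sha256("\n".join(f"{m} {','.join(o)}" for m, o in insns).encode()).hexdigest()

# Constructed sample: one two-instruction core, clean and junk-padded.
CORE = "xor eax, 0x5a\nmov [ebp-4], eax"
PADDED = """
push ebx          ; junk region: everything up to the matching pop undoes itself
add ecx, 7
inc edx
dec edx
sub ecx, 7
pop ebx
xor eax, 0x5a
nop
mov [ebp-4], eax"""
```

Only pairs listed in CANCELLING are recognised, which is exactly the comment's point: once that table is known the padding adds nothing, while anything that genuinely changes state between a push and its pop is kept.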

      • by Bert64 (520050)

        When it connects to a server in its pseudo-random sequence, does it do anything to verify the server or does it connect blindly?
        I wonder if they used public/private RSA keys to verify that the host it connects to is really a genuine one or not...

    • by Spad (470073)

      Polymorphic malware is getting increasingly sophisticated, to the point that it can be impossible to detect the malware except at run time by virtue of what it attempts to do to the system it's infecting. I thought that this little trick [sophos.com] was a pretty neat one, the code only decrypts itself correctly at certain times on certain days, so AV vendors can't easily analyse the code and write detection signatures.

  • If you buy all those packages (besides pirating) at virustotal.com, it will cost far less than $6000 which a Rolex costs.

    That mob leader wears a Rolex watch, you know; it is not like he won't be able to buy dozens of antivirus and virtual machine solutions.

    The days of "hacking for a bottle of Vodka" are really over, if they ever existed.

    Virustotal should be a security organization's free service with costs shared by AV vendors rather than being an "underground" (???) service. It does nothing rather than doing a real

  • The title says it all.
