Online Services Let Virus Writers Check Their Work
An anonymous reader writes "Former Washington Post Security Fix blogger Brian Krebs has launched a new blog at krebsonsecurity.com, and his first story highlights a pair of underground antivirus scanning services that cater to virus writers. Scanning services like virustotal.com scan submitted files against dozens of antivirus products, and share the results with each of the vendors so that all benefit from learning about threats they don't yet detect. But there are a number of budding online services that allow customers to pay per scan, and promise that the results will never get reported back to the antivirus companies. One service even tests how well web site 'exploit packs' are detected, while others promise additional layers of protection. 'The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine.'"
Inevitable (Score:5, Informative)
As I've said before on this subject, there's a whole economy around spam, website exploits and malware: you've got people who will QA your malware for you to check for bugs, and these services that will run them against common AV software and suggest ways to evade them. Then you can sell your malware to someone who will use the network of compromised sites they bought off someone else to build botnets, which they then sell time on to other people who are using them to send spam emails and perform DDOS attacks on behalf of *other* people.
Any Reason... (Score:1, Flamebait)
...these people should not be hunted down and sent to Gitmo for some waterboarding, then a firing squad?
Re:Any Reason... (Score:5, Insightful)
Re: (Score:1, Troll)
When my machine gets infected, I don't care who they are. Just on principle, they should be shot.
Waste of bullets (Score:1, Offtopic)
Hanging is good, swords are good; you need to do this in a "green manner".
Re: (Score:2)
Wouldn't execution by robot, virus or worm be more fitting?
Re: (Score:1)
Re:Waste of bullets (Score:4, Funny)
I could lock them in a room with my dogs. They would gas the SOBs.
Re: (Score:2)
Why not just make sure you DON'T get infected?
Being infected with malware, like falling for the various scams spread by spam, depends on a high level of stupidity and/or incompetence, and I have very little sympathy for such people.
Re: (Score:1)
Why not just make sure you DON'T run Windows?
Being infected with Windows, like falling for the various scams spread by Microsoft, depends on a high level of stupidity and/or incompetence, and I have very little sympathy for such people.
think globally, act locally (Score:1, Flamebait)
If I met someone who credibly claimed to be an author or distributor of malware, I fear I might "lose" several 80-cent bullets [doubletapammo.com]...
Windows 7 is devouring that hand (Score:3, Interesting)
That market is disappearing.
Re: (Score:2)
Coincidentally, since Vista came out, I've seen less than a dozen Vista computers -- total.
It either Just Works, or it's really unpopular. I suspect both, though I never had any particular problems with it on my own machines...
Re:Inevitable (Score:5, Insightful)
Re: (Score:2)
Indeed. I thought sites like virustotal existed to enable people to test their warez against different virus scanners to get a second opinion as to whether or not they were infected, or safe to install on their machine.
"Capitalism" is descriptive, not normative (Score:3, Insightful)
Markets happen whether they're intended or not. They're as natural as water flowing downhill, even in ostensibly destructive fields. Capitalism is no more a "choice" than gravity is: what matters is how you deal with it.
Clearly, we don't have enough incentives to either 1) discourage these people from writing malware, or 2) encourage them to do other things.
HONEYPOT (Score:3, Insightful)
There is an economy, but the players are all using layers upon layers of aliases. Inevitable is a fresh mask on carnivore and this is merely one of them. How could you possibly trust a service NOT to report a ZDE? Find one, submit and see if it shows up in other scanners or see if there are reports of anyone out there using it. The service could be a front for carnivore, a front for a virus broker, or a front for a majority vendor. The simple rule is this: if there is money to be made and this is the
Re: (Score:2)
Your fellow anti-war protester was a local cop or fed.
Your mid-ranking dealer was working for a state task force or fed?
Your 'adult' forum had a few admins, one was on a state task force or fed?
Your CC and hacking forum was a total state task force or fed set-up?
Your virus all-in-one test site was a state task force or fed IP trap.
Same old games, digital age
Makes sense (Score:5, Insightful)
Re: (Score:1)
Since these AV monopolies are untrustworthy, why would they not have proactively created these "scan and burn" sites? Best to gather signatures directly from the source in these scan services.
Re: (Score:2)
Just like gun runners... (Score:5, Insightful)
...selling to both sides in a war.
Honor among thieves (Score:5, Interesting)
It would seem to me that, since most malware writers are essentially in competition with each other (as can be seen by past examples of malware that removes other, competing forms) that using a service like this would be against the best wishes of the attacker. I can only imagine that anyone who would provide a service like this would also be diversified enough to have their own stable of malware, and would gain value from having a copy of everything that gets submitted to them.
Re: (Score:1)
VirusZoo (Score:5, Interesting)
You can also check out our site VirusZoo, that lets you safely test different viruses and malware on a shared virtual machine.
It's more for fun than a serious tool...
http://www.viruszoo.com/ [viruszoo.com]
Re:VirusZoo (Score:4, Funny)
Mandatory xkcd reference: http://xkcd.com/350/ [xkcd.com]
Real interesting story here (Score:4, Interesting)
Re: (Score:2)
Indeed. I started crying like an eight year old girl when I heard he was leaving WaPo. His coverage has been excellent, especially on things like banking security, the Heartland breach, etc.
I stopped sobbing when I heard he was going to start blogging instead.
I'm just going to drop this here (Score:1)
It's a dog-eat-dog world (Score:1)
Re: (Score:2)
If you're doing something as illegal as creating a botnet for the purposes of spam/ddos, then the additional illegality of pirating a bunch of av products isn't a huge stretch...
As for a sting, most malware authors these days continually make new changes to their malware, often very simple changes can render something undetectable and extend the lifetime of a particular codebase.
Hmm (Score:2)
I'm no malware writer, but I have to ask... how hard would it be to make self-modifying undetectable code? Essentially you'd have your malware executable, however many bytes of assembled code that do stuff. Then you'd insert various dummy instructions that are randomly chosen but cancel each other out throughout the code (so you might have an add instruction followed by a subtract instruction, etc.). Every time the malware installs itself on a new PC, it randomly creates a new set of dummy instructions.
Re: (Score:1)
Re: (Score:1, Interesting)
The main problem is: if a virus infects the same PC over and over, possibly 1000s of times, it slows down too much, limiting the chance of infecting other victims or simply crashing the target completely. This means your malware should have a way to detect itself, and stop deploying. This, in turn, means you need a signature or something very much like it.
Re: (Score:2)
You have one little problem: the program has to know which instructions cancel out. So you probably have a list of pairs in there somewhere. As soon as that is known, the program can be normalized back to the "core code". The other problem is that you would have to be very careful to remove the canceling instructions in the virus before you rescramble it, or the size would quickly get prohibitively large.
The randomly chosen registry keys won't help you, you have to get the thing to be executed, so you have
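The normalization step discussed in the two comments above (random cancelling add/sub pairs padded into the code, and a scanner stripping them back to the "core code"), as an added example that is not part of this thread: a toy Python normalizer over constructed instruction mnemonics (assumed sample data, not real malware) that drops NOPs and adjacent add/sub or inc/dec pairs with identical operands, then hashes what remains, so two differently padded variants match one signature.

```python
import hashlib
import re

# Two constructed toy instruction streams (not real malware): the same core
# program padded with different self-cancelling junk (add/sub, inc/dec, nop).
VARIANT_A = ["mov eax, 1", "add ebx, 7", "sub ebx, 7", "push eax", "nop", "call fn"]
VARIANT_B = ["add ecx, 3", "inc edx", "dec edx", "sub ecx, 3",  # nested pairs
             "mov eax, 1", "push eax", "call fn"]

INSTR_RE = re.compile(r"^(\w+)\s*(.*)$")  # mnemonic, then operand text
# Mnemonic pairs that undo each other when applied to identical operands.
# (Flag side effects are ignored; for signature matching that is acceptable.)
CANCEL_PAIRS = {("add", "sub"), ("sub", "add"), ("inc", "dec"), ("dec", "inc")}
FILLER = {"nop"}


def normalize(instrs):
    """Return the core stream with filler and cancelling pairs removed."""
    # A stack is used so nested pairs (add, inc, dec, sub) collapse as well.
    core = []
    for raw in instrs:
        op, args = INSTR_RE.match(" ".join(raw.split())).groups()
        op = op.lower()
        if op in FILLER:
            continue
        if core:
            prev_op, prev_args = INSTR_RE.match(core[-1]).groups()
            if (prev_op, op) in CANCEL_PAIRS and prev_args == args:
                core.pop()  # both halves of the pair vanish
                continue
        core.append(f"{op} {args}".strip())
    return core


def raw_hash(instrs):
    """SHA-256 over the stream as written: changes with every re-padding."""
    return hashlib.sha256("\n".join(instrs).encode()).hexdigest()


def core_hash(instrs):
    """SHA-256 over the normalized stream: stable across padding variants."""
    return hashlib.sha256("\n".join(normalize(instrs)).encode()).hexdigest()


def same_core(a, b):
    """True when two variants share a core even though their raw hashes differ."""
    return core_hash(a) == core_hash(b)
```

A real normalizer would work on decoded instructions rather than text, but the stack-based cancellation is the same idea: once the pair list is known, the padding adds no entropy to the signature.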
Re: (Score:2)
When it connects to a server in its pseudo-random sequence, does it do anything to verify the server or does it connect blindly?
I wonder if they used public/private rsa keys to verify that the host it connects to is really a genuine one or not...
Re: (Score:2)
Polymorphic malware is getting increasingly sophisticated, to the point that it can be impossible to detect the malware except at run time, by virtue of what it attempts to do to the system it's infecting. I thought that this little trick [sophos.com] was a pretty neat one: the code only decrypts itself correctly at certain times on certain days, so AV vendors can't easily analyse the code and write detection signatures.
They aren't poor to begin with (Score:2)
If you buy all those packages (besides pirating) at virustotal.com, it will cost far less than the $6000 a Rolex costs.
That mob leader wears a Rolex watch, you know; it is not like he won't be able to buy dozens of antivirus and virtual machine solutions.
The days of "hacking for a bottle of Vodka" are really over, if they ever existed.
Virustotal should be a security organization's free service with costs shared by AV vendors rather than being an "underground" (???) service. It does nothing rather than doing a real
Re: (Score:2)
Software freedom is more important than software safety, just like everywhere else.
Re: (Score:1)
On a proprietary OS platform, it's only appropriate that the antivirus programs contain license restrictions against using them for evil, or using them to circumvent other users' need to buy their own copy and update subscriptions.
These programs already contain very restrictive EULAs. It's logical for them to contain a restriction against this type of abuse.
Otherwise... someone could just write a free "stub AV" everyone installs on their desktop, that uses an outsourced, online scanner to actually
Re: (Score:1)
Yes, because an anti-virus scanner running on a single computer uses negligible resources, and a service that scanned people's computers remotely would scale wonderfully and make a huge zero-cost profit :-P
Re: (Score:2)
Wait, so you're saying that freedom is useless unless I have full freedom? I disagree, every small bit of freedom is a good thing. I don't think my software principles apply to proprietary AVs, I think an AV that respects them even slightly more is better than an equivalent one that doesn't.
Re: (Score:2)
Do you think underground vendors who are already doing questionable things like selling malware and selling infected machines, will really care about using an unlicensed av product?
Most likely all the av they use are pirated anyway...
Re: (Score:1)
I have no doubt underground vendors are willing to do questionable things.
But it would at least help to force them to actually go underground, rather than use a publicly exposed website for anonymous scanning (without sample sharing), make their service harder for novices to access, and increase the price.
And reduce the "legitimacy" or "credibility" of the service designed to facilitate malware authors.
The DMCA and various DMCA-inspired laws passed by various countries and the notion of 'takedown letters'
Obvious honeypot is obvious (Score:2)
The title says it all.