75% of Malware Uploaded on “No-Distribute” Scanners Is Unknown to Researchers


    • This topic has 3 replies, 2 voices, and was last updated 7 years ago.
    #198646

    75% of Malware Uploaded on “No-Distribute” Scanners Is Unknown to Researchers
    By Catalin Cimpanu | June 18, 2018

    Three-quarters of malware samples uploaded to “no-distribute scanners” are never shared on “multiscanners” like VirusTotal, and hence, they remain unknown to security firms and researchers for longer periods of time.

    Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.
    What are multiscanners and no-distribute scanners?

    A multiscanner is a service like Google’s VirusTotal that aggregates antivirus (AV) scanning engines into one big melting pot, allowing users to upload a suspicious file and scan it simultaneously on all the AV engines hosted on the service.

    If at least one of the multiscanner’s engines finds the file suspicious, the service shares the result among all AV companies, allowing cyber-security firms insight on new types of malware that their engines are not currently detecting.

    On the other hand, a no-distribute scanner is a service similar to a multiscanner, only that its operators modify the AV engines so they cannot report back to their respective vendors, hence limiting their ability to see the malware uploaded on such a service.

    Read the full article here

    • #198665

      The article as written seems to assume a working knowledge of malware practices and definitions, so the impact of this may not be clear to everyone.

      The “no distribute” scanners are not tools that ordinary folks would use to see if a suspicious file is safe.  They’re meant to be used by malware authors to scan their latest “creations” to make sure that they are not detectable, so that there will be some time that their malware flies under the radar before any of the anti-malware programs are able to detect it.

      The vendors of anti-malware software have an agreement that any malware that is known to one will be distributed to all, so there is no such thing as hoarding samples that only any one malware scanner can find (because its author never told anyone else about the sample).  If you submit a sample to McAfee, and they verify that it is malware, they will send it to the other antimalware companies too.

      Multi-scanners like VirusTotal don’t use just one anti-malware engine to scan a sample… they use lots of them.  As the article mentioned, if any one of the many engines it uses detects malware in a sample, it sends that sample to the authors of all the other scanners too.  Note that this does not automatically mean that a given file contains new malware.  It could be a false positive, which would soon be evident to the authors of the erroneous scanner when all the other antimalware engine authors can’t find any malware in the sample.

      It could also be a piece of malware that all of the other scanners are supposed to be able to detect, but for some reason, not all of them did.  By receiving the sample that was able to fool their scanner, the authors of the ones that did not detect the known malware can figure out what went wrong.

      Of course, it could be that it is, in fact, a new malware, in which case all of the antimalware engines would be updated very soon to reflect the new malware.

      Obviously, multiscanning engines would be of great value to the bad guys as well as the good.  They want to be certain their malware is not detected by any of the scanning engines.  But they can’t risk submitting it to a legit one like VirusTotal; if it is detected as bad, they’ve just shot themselves in the foot, ensuring that every other malware scanner out there knows about it.

      As such, some of the bad guys make their own version of VirusTotal that doesn’t report the detection to all the other scanner authors.  The one scanner that detected malware thinks this is just a regular malware detection; they happen all the time.  They have no way of knowing that the other scanners didn’t catch it, or that this particular sample is somehow different from any other garden-variety malware that every scanner can detect.

      The other scanners, which got the sample with the malware in it but didn’t detect anything, don’t have any reason to pay any special attention to that one file.  It’s got malware inside, but they don’t know that.  It already passed their scan, so to them it looks like any one of the millions of “safe” files they are asked to scan every day.  They can’t possibly study every one of them in detail to see if they really are malware… that is time and labor intensive, and even the biggest antimalware companies in the world don’t have the resources to do that with every file they scan.

      Thus, this article is interesting, but it doesn’t really tell us anything we didn’t already know.  75% of the malware submitted to the no-distribute scanners is unknown malware.  Sounds scary, but consider the target audience of the no-distribute scanners: malware authors, and for the purpose of testing new malware to make sure it’s (un)safe.  One in four of these new malwares ends up being flagged as malware even though it’s new, which may mean that some code that was reused from a previous version of malware (they don’t rewrite from scratch every time; other than the fact that they’re the bad guys, it’s just like legitimate software development in many ways) was the basis of the “signature” used by the virus scanner that caught it.  For the malware author, it means he needs to make some changes and try again.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

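The article and the reply above both turn on one rule: a multiscanner treats a sample as known, and shares it, as soon as a single engine flags it, while a sample the scanner has never seen returns nothing at all. The following added example (not code from the article, the forum posts, or VirusTotal itself) models that rule over the shape of a VirusTotal v3 file report; the report JSON is constructed, the engine names are invented, and the URL helper only builds the hash-lookup endpoint so nothing is uploaded or sent over the network.

```python
"""Summarise a multiscanner file report the way the thread describes it:
one flagging engine is enough for the sample to count as known and shared.
Added example; the JSON is a constructed, trimmed stand-in for a v3
/files/{sha256} report and the engine names are invented."""
import hashlib
import json
from typing import Optional

# Constructed sample report: field layout follows the v3 file object,
# values are made up for the example.
SAMPLE_REPORT = json.dumps({
    "data": {"id": "0" * 64, "type": "file", "attributes": {
        "last_analysis_stats": {"malicious": 1, "suspicious": 0,
                                "undetected": 3, "harmless": 0},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
            "EngineB": {"category": "undetected", "result": None},
            "EngineC": {"category": "undetected", "result": None},
            "EngineD": {"category": "undetected", "result": None},
        }}}})


def sha256_of(data: bytes) -> str:
    """Hash locally first: a hash lookup reveals whether the multiscanner
    already knows a file without uploading anything you cannot share."""
    return hashlib.sha256(data).hexdigest()


def lookup_url(sha256: str) -> str:
    """Hash-lookup endpoint of the v3 API (GET with an 'x-apikey' header).
    Only the URL is built here; no request is made."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


def summarise(report_json: Optional[str]) -> dict:
    """None models an HTTP 404: the scanner has never seen the sample, which is
    exactly the 'unknown to researchers' state the article talks about."""
    if report_json is None:
        return {"known": False, "flagged_by": [], "engines": 0,
                "shared_with_vendors": False}
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs["last_analysis_results"]
    # Any single malicious/suspicious verdict is enough for sharing.
    flagged = sorted(name for name, r in results.items()
                     if r["category"] in ("malicious", "suspicious"))
    return {"known": True, "flagged_by": flagged, "engines": len(results),
            "shared_with_vendors": bool(flagged)}
```

A no-distribute scanner is the same per-engine loop with the sharing step removed, which is why the one engine that does flag a sample there learns nothing about the other engines' misses.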
      • #198797

        Great post, thx @ascaris!

        Thus, this article is interesting, but it doesn’t really tell us anything we didn’t already know. 75% of the malware submitted to the no-distribute scanners is unknown malware.

        Sometimes it’s good to have a reminder to not rely wholeheartedly on such scanners (or other tools) – it’s all too easy to forget to use common sense as well, even though they are a useful tool in the toolbox.

    • #198823

      Coincidentally, elsewhere today:


      VirusTotal now protects developers from becoming false positives

      By Frederic Lardinois | June 19, 2018

      It’s been six years since Google acquired VirusTotal, a service that allows users to upload any file to check it for malware and viruses against the databases and algorithms of 70 antivirus and domain blacklisting services. Over the years, VirusTotal, which is now part of Alphabet’s Chronicle, has established itself as a neutral public service that has the trust of both users and developers, who can also access its service through an API.

      Today, the company is expanding on its core services by launching a new tool that allows developers to scan new code against the systems of its antivirus partners to help ensure that those partners don’t mistakenly identify their code as malware. These kinds of false positives are surprisingly common and can obviously create massive headaches for developers who aren’t in the malware business.

      With VirusTotal Monitor, which is now available to all developers, developers can upload their code, have VirusTotal check it and if it’s mistakenly flagged as malware by one of the company’s partners, VirusTotal notifies both its partners and the developers, and connects them to make sure they can figure out a solution.

      Read the full article here
