An integral part of modern cybercrime, and of the successful release of new botnet malware components, is quality assurance (QA) – i.e. testing malware samples against current antivirus technologies prior to release, and guaranteeing evasion.
Over the years there have been a number of online services that have been exploited by botnet masters for the purpose of QA. For example, popular free scanning portals like www.virustotal.com and virusscan.joitti.com allow anonymous Internet users to submit binary files for scanning and receive a list of results from several dozen antivirus products. For quite some time, these sites were popular with malware authors – until the sites started to automatically pass submitted samples on to the antivirus vendors – which resulted in malware authors shifting to other malware scanning portals that professed to not pass samples on to the antivirus vendors.
Hacking websites that promote the development, sharing and selling of malware and botnet DIY construction kits are littered with advice on which scanning portals people should use – along with warnings that use of sites such as VirusTotal will get you thrown out (because samples end up going to the antivirus vendors).
For the last six months there has been an explosion in malware scanning portals that cater specifically to the demands of professional malware authors and botnet masters. These portals provide guarantees on privacy of submitted samples and include specialized services designed to suit their criminal clientele – for example, the ability to bulk-upload caches of new samples for testing, CSV formatted reports, automatic tweaking of samples to avoid certain antivirus engines, continuous testing of samples (i.e. alerting of when an antivirus update appears that is capable of detecting a submitted sample) and multiple alerting features (e.g. email, SMS text messaging, IRC/Jabber alerts, etc.). All these services come at a price though!
One such commercial malware QA service is Virtest.com.

This Russian malware testing portal utilizes the latest versions of 26 of the most popular desktop antivirus products likely to be encountered by botnet operators. To access the service, a prepaid account is required (via WebMoney):
1 scan 1-26 AV engines (up to 5 files in archive file for one check) = 1$
1 scan exploit pack dumps 1-26 AV engines = 1$
* We introduce a policy of discounts, proportional to the number of performed scans:
* For every 10 single scans you get 5 scans for free (10$->15 scans)
* For every 15 single scans you get 10 scans for free ($15 ->25 scans)
* For every 25 single scans you get 15 scans for free ($25 -> 40 scans)
unlimited account (unlimited num of scans for 1 month + free exploits pack check + 3 files on offline autoscan + up to 5 files in archives for one check + remote API scans) = 40$
vip-unlimited account (unlimited num of scans for 1 month + free exploits pack check + 5 files on offline autoscan + up to 10 files in archives for one check + remote API scans) = 50$

Virtest.com is an interesting portal. It’s very well presented and professionally run, and offers a number of interesting services. For example:
- Full anonymous scanning which will never be passed through to the antivirus vendors.
- Ability to scan folders and archives of malware in bulk format – and to receive +/- notification on antivirus detection
- “Highspeed” scanning using all 26 antivirus engines (10 files in 70 seconds)
- Scheduling of malware sample scanning
- Selective control of which antivirus engines to be used in the scanning process
- Antivirus profile management
- Antivirus engines are automatically updated every hour
- Additional info about each malware sample – in “realtime”
This last feature includes:
Additional info about each scanned file is available immediately during the scan itself and at any moment in the future: MD5, SHA1 and SHA256 hashes of the file, control sum CRC32, PE structure of the file: access point, timedatestamp, machinetype, sections table, virtual addresses, characteristics of each section, detection of the file by PEID signatures, PeTools, TriDId characteristics of the file with convenient visual diagram.
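The static fields in the quoted list are the same ones a defender records when triaging a suspicious file. As an added example (not code from the original post or from the service), this standard-library Python code computes the hashes, CRC32 and PE header fields for a byte string; `triage` and `build_sample` are hypothetical names, and the sample input is a constructed, non-executable PE-shaped header.

```python
import hashlib
import struct
import zlib

def triage(data: bytes) -> dict:
    """Return hashes, CRC32 and (for PE files) header fields of one file."""
    info = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info  # not a PE file: hashes only
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return info  # truncated or malformed PE header
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)  # COFF file header
    opt_off = pe_off + 24
    info.update(machine=machine, timedatestamp=stamp, sections=[])
    if opt_size >= 20 and opt_off + 20 <= len(data):
        (info["entry_point"],) = struct.unpack_from("<I", data, opt_off + 16)
    sec_off = opt_off + opt_size  # section table follows the optional header
    for i in range(nsec):
        off = sec_off + 40 * i
        if off + 40 > len(data):
            break  # section table runs past the end of the file
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        info["sections"].append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "characteristics": chars,
        })
    return info

def build_sample() -> bytes:
    """Constructed sample: headers only, no code, optional header cut to 20 bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x4B000000, 0, 0, 20, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect

if __name__ == "__main__":
    print(triage(build_sample()))
```

A section that is both writable and executable, or a timestamp far from the file's first-seen date, are the kinds of values in this output that analysts flag for a closer look.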

The most interesting feature of this service though is the ability to scan malicious infecting payloads. Subscribers to the service can provide the URL(s) of their drive-by-download infector sites and scan them using this service – checking to see whether their malicious javascripts, latest exploit kits and payloads, and shellcode escape detection. This is the best representation of an exploit scanning service I’ve come across so far.
From the site – by way of explanation for this exploit scanning service:
Exploits pack check. What is it and how to use it?
For the owners of unlimited accounts on our service this feature can be used for free. Not the script from your exploit server pack are checked but the resulting generated code of the pages, that are received by all of the popular browsers users. If the generated code causes warnings on the user side, the exploit simply won’t work and you’ll be wasting traffic without even knowing it, even if your binaries are absolutely clean. The new feature will help you to estimate the users’ loss in time and adequately and to clean it in time. The new feature is easy to use: Main menu -> Exploit pack check. Enter the url in question, select the needed antiviruses and in a minute you’ll be getting the full log of exploit’s detectivity for all popular browsers (ie6, ie7, ie8, ff, opera, chrome. the full list of included user-agents can be found at the site (http://virtest.com/UA.php), if you’d like to modify their list, write to support). For the sakes of easy checking of pdf and swf exploits their urls can be added to the page for being downloaded and checked additionally for all of your exploit-packs.
During the scan process at the top of the results table you can see the file dumps of the pack for all of the 6 browsers. Each file can be checked for additional info. You can also see the file’s content (first 1000 bytes)
ya.ru\index-(ff).html
ya.ru\index-(ie6).html
ya.ru\index-(ie7).html
ya.ru\index-(ie8).html
ya.ru\index-(opera).html

Virtest.com is an interesting example of this growing malware QA service industry. Its polished site supposedly attracts 800+ users per day (based upon site stats on statbrain), which is a little lower than some of the other sites out there – but it’s also a bit newer than many competing service sites, so I’m sure its popularity will grow over time.
– Gunter Ollmann, VP Research