Can't tell the players without a program
How can ordinary folks tell the good guys from the bad guys? Case in point: the online service Virscan.org. I stumbled upon it last week while trying to help a friend with her malware problems. Looks like a nice, simple service that scans uploaded files using multiple AV software with the latest signatures (25 total). But then it dawned on me that it might be much more useful to bad guys (malware writers and distributors) than to good guys. They could use it as part of their development/test cycle to refine their malware so that it is not detected by any of the AV services. Easy, peasy!
Who does Virscan.org serve? Who supports it financially? Is it really a Black Hat operation, or just a well-intentioned White Hat operation that is easy to subvert? How would I or anyone know?
According to Alexa, 70% of Virscan.org’s visitors are from China, where it is the 5,973rd most popular web site. Hmmmm, makes me suspicious. Reviews and evaluations are here, here, and here. It’s hosted in China, and appears to have been in existence since the summer of 2007. But this information isn’t conclusive. I’m still scratching my head.
I wish there were some sort of map of the Black Hat ecosystem that would reveal the existence and role of such “fellow traveler” services that appear legit’ but aren’t. This would make it easier for everyone involved in security to know who they are dealing with — White Hat, Black Hat, and otherwise. If anyone knows of such a map, please give me a link.
[Update: This isn’t the same as http://www.virusscan.org which redirects to http://www.mcafee.com/us/. McAfee has a product called Virus Scan.]
[Update #2: On further thought, virscan.org could even be a super-secret covert white hat operation acting as a honey pot for malware developers and their malware code, masquerading as a black hat service which is masquerading as a white hat service. Whoa! Spooky stuff! 🙂]