Can't tell the players without a program
How can ordinary folks tell the good guys from the bad guys? Case in point: the online service Virscan.org . I stumbled upon last week while trying to help a friend with her malware problems. Looks like a nice, simple service that scans uploaded files using multiple AV software with latest signatures (25 total). But then it dawned on me that it might be much more useful to bad guys (malware writers and distributors) than for good guys. They could use it as part of their development/test cycle to refine their malware so that it is not detected by any of the AV services. Easy, peasy!
Who does Virscan.org serve? Who supports it financially? Is it really a Black Hat operation, or just a well-intentioned White Hat operation that is easy to subvert? How would I or anyone know?
According to Alexa, 70% of Viruscan.org’s visitors are from China, where it is the 5,973rd most popular web site. Hmmmm, makes me suspicious. Reviews and evaluations are here , here, and here. It’s hosted in China, and appears to have been in existence since the summer of 2007. But this information isn’t conclusive. I’m still scratching my head.
I wish there were some sort of map of the Black Hat ecosystem that would reveal the existence and role of such “fellow traveler” services that appear legit’ but aren’t. This would make it easier for everyone involved in security to know who they are dealing with — White Hat, Black Hat, and otherwise. If anyone knows of such a map, please give me a link.
[Update: This isn’t the same as http://www.virusscan.org which redirects to http://www.mcafee.com/us/ . McAfee has a product called Virus Scan. ]
[Update #2: On further thought, virscan.org could even be a super-secret covert white hat operation acting as a honey pot for malware developers and their malware code, masquarading as a black hat service which is masquarading as a white hat service. Whoah! Spooky stuff! 🙂 ]
Your suspicion is not misplaced. But I know many of these services share samples with the mainstream AV vendors. That’s a good sign.
Also a good sign: In public “hacking” forums, someone inevitably submits a “sample” to one of these services and forgets to check the quarantine box that prevents the service from sharing samples. File gets dinged by all major AV vendors and hilarity ensues and they fingerpoint and find someone to blame.
If you think the bad guys don’t already have copies of all of the major AV products then you are sorely mistaken. Also, do you really think that the miscreants would be foolish enough to upload new code to a service that’s might share its results with the AV vendors?
@Dave — Yes, I’m sure the bad guys have all these capabilities, and then some. I also imagine that a “grey” service like VirSCAN.org is to the hacker community what Guitar Hero is to the musician community — mostly serving wanna-be’s.
The point of my post was about how a non-specialist could better understand the Black Hat world (and Grey Hat) so we can make better decisions. I’m asking for some sort of ecosystem map to help with this education process.
Regarding whether “miscreants would be foolish”, I think there are plenty of examples of sting operations that capture bad guys behaving foolishly, e.g. nabbing 200 suspects by mailing them “You are a winner…” letters for a fake lottery where they had to show up in person to collect their winnings. http://news.google.com/newspapers?nid=1314&dat=19890914&id=hfoRAAAAIBAJ&sjid=CvADAAAAIBAJ&pg=3618,2152691
Great post. I’ll definately bookmark you. Cheers