Three-quarters of the malware samples uploaded to “no-distribute scanners” never turn up on “multiscanners” like VirusTotal, according to a Recorded Future study, and hence they remain unknown to security firms and researchers for longer periods of time.
Although some antivirus products will eventually detect this malware at runtime or at some later point, this leaves a gap in operational insight for security firms hunting down up-and-coming malware campaigns.
What are multiscanners and no-distribute scanners?
A multiscanner is a service like Google’s VirusTotal that aggregates antivirus (AV) scanning engines into one big melting pot, allowing users to upload a suspicious file and scan it simultaneously on all the AV engines hosted on the service.
The uploaded file and its scan results are shared with the AV companies participating in the service, so a vendor whose engine missed the file still gets a copy, giving cyber-security firms insight into new types of malware that their engines are not currently detecting.
On the other hand, a no-distribute scanner is a service similar to a multiscanner, except that its operators modify the AV engines (or block their network access) so they cannot report back to their respective vendors, which means the vendors never learn about the files uploaded there.
As you’d imagine, no-distribute scanners have been in demand on the cyber-criminal underground for years, with several services appearing and disappearing over that time, some shutting down on their own and others after law enforcement intervention [1, 2, 3].
No-distribute scanner data is hard to come by
But besides not sharing data with AV makers, no-distribute scanners have another downside for researchers: they provide no APIs and do not open their data to outsiders.
As such, the only way someone would know what has been uploaded and scanned on a no-distribute scanner is by having a direct link to a scan result.
Such links are only available if malware authors who are advertising their malware share the results on forums, marketplaces, Telegram channels, private websites, or in other places.
Collecting these links is what Recorded Future, a US-based cyber-security firm, has been doing over the past months. From January 1, 2018, to May 18, 2018, the company’s experts gathered such links and compared the MD5 hashes of the scanned files with those of files scanned on multiscanners like VirusTotal.
“Only 25 percent [of these files] can be found on at least one traditional multiscanner, while the remaining 75 percent have never been seen,” Recorded Future experts said in a report last week.
“Of the 25 percent [files] detected by multiscanners, 45 percent were first seen by a no distribute scanner and 55 percent were first seen by a traditional multiscanner,” they added.
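The comparison Recorded Future describes boils down to a hash-set intersection plus a first-seen date comparison. The script below is an added illustration of that method on constructed data; it is not Recorded Future’s tooling or the article’s own code. It assumes each recovered no-distribute scan link yields an MD5 and an observation date, and models the multiscanner side as an MD5-to-first-seen index of the kind one would build from VirusTotal lookups (the sample “files”, dates and names are all made up). Two practical details the figures above depend on are handled explicitly: the same sample is usually advertised in several places, so only the earliest sighting per hash counts, and hashes pasted in forums arrive in mixed case, so they are normalised before matching. Ties on the same date are credited to the multiscanner, the conservative choice.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanRecord:
    """One scan result recovered from a shared no-distribute scanner link."""
    md5: str
    observed: date  # date the scan link/result was observed


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def normalize_md5(h: str) -> str:
    """Hashes copied from forums/pastes arrive in mixed case and with stray
    whitespace; normalise so set membership is not fooled by formatting."""
    h = h.strip().lower()
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not an MD5 hex digest: {h!r}")
    return h


def compare(nds: list[ScanRecord], multiscanner: dict[str, date]) -> dict[str, float | int]:
    """Overlap between no-distribute scan results and a multiscanner first-seen index.
    Ties (same date on both sides) are credited to the multiscanner."""
    ms_index = {normalize_md5(k): v for k, v in multiscanner.items()}

    # The same sample is often advertised in several places: keep the earliest sighting per hash.
    earliest: dict[str, date] = {}
    for rec in nds:
        h = normalize_md5(rec.md5)
        if h not in earliest or rec.observed < earliest[h]:
            earliest[h] = rec.observed

    seen = nds_first = ms_first = 0
    for h, nds_date in earliest.items():
        if h not in ms_index:
            continue
        seen += 1
        if nds_date < ms_index[h]:
            nds_first += 1
        else:
            ms_first += 1

    def pct(n: int, d: int) -> float:
        return round(100.0 * n / d, 1) if d else 0.0

    total = len(earliest)
    return {
        "unique_no_distribute": total,
        "seen_on_multiscanner": seen,
        "never_seen": total - seen,
        "pct_never_seen": pct(total - seen, total),
        "no_distribute_first": nds_first,
        "multiscanner_first": ms_first,
        "pct_no_distribute_first": pct(nds_first, seen),
    }


# Constructed sample "files" (hypothetical builds); the hashes are derived from these bytes.
H = {name: md5_hex(name.encode()) for name in (
    "dropper-v1", "dropper-v2", "stealer-build7", "loader-a",
    "loader-b", "rat-client", "crypter-out", "miner-x")}

# Constructed no-distribute sightings (nine records, eight unique samples).
NDS_RECORDS = [
    ScanRecord(H["dropper-v1"], date(2018, 1, 9)),
    ScanRecord(H["dropper-v1"].upper(), date(2018, 2, 1)),   # reposted later, in upper case
    ScanRecord(H["dropper-v2"], date(2018, 2, 14)),
    ScanRecord(H["stealer-build7"], date(2018, 3, 3)),
    ScanRecord(H["loader-a"], date(2018, 3, 20)),
    ScanRecord(H["loader-b"], date(2018, 4, 2)),
    ScanRecord(H["rat-client"], date(2018, 4, 11)),
    ScanRecord(H["crypter-out"], date(2018, 5, 1)),
    ScanRecord(H["miner-x"], date(2018, 5, 15)),
]

# Constructed multiscanner first-seen index (what VirusTotal lookups would give you).
MULTISCANNER_INDEX = {
    H["dropper-v1"]: date(2018, 1, 25),         # no-distribute link came first
    H["stealer-build7"]: date(2018, 2, 20),     # multiscanner saw it first
    H["loader-a"]: date(2018, 3, 20),           # same day: credited to the multiscanner
    H["rat-client"].upper(): date(2018, 6, 1),  # no-distribute first; key in upper case
}

if __name__ == "__main__":
    for k, v in compare(NDS_RECORDS, MULTISCANNER_INDEX).items():
        print(f"{k}: {v}")
```

On this constructed input half of the unique samples never appear on the multiscanner, and of those that do, the no-distribute link predates the multiscanner sighting half the time. Swapping in real link-derived hashes and a real first-seen index is all that separates this from the comparison in the report.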
Malware authors know better by now
The results can be interpreted in various ways. First and foremost, they mean that most malware authors are by now aware that they should not upload their malware to multiscanners, especially while it is in development and in the period right after launch.
Those who do may find that AV engines are fully aware of their tools and have detection rules in place by the time they deploy the malware in real-world campaigns, or within hours or days of starting distribution.
These results also show that cyber-security firms do not have all the answers, and that building a good antivirus engine is not always enough.
Most companies will also need an astute threat intelligence hunting team that can track down these links wherever they are shared and add detection for malware that never reaches places like VirusTotal.