Cybercrooks test malware before you get it

Cyber-crooks are looking for ways to test their creations before distributing them, and have their own forums and pages where they collaborate. 

An investigation conducted by the malware analysis and detection laboratory at Panda Security has shown that cyber-crooks are collaborating to develop test tools that replicate the scans of some of the leading security solutions. This allows hackers to check that their creations will go undetected before launching them.
“The tool is very similar to Hispasec’s legitimate VirusTotal tool,” explains Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “Incidentally, the surge of interest in these new tools coincides with the removal of the ‘do not distribute the sample’ option in VirusTotal, which allowed files to be scanned without sending the sample to security companies.”
These tools are just another manifestation of the new malware dynamic – coined “Malware 2.0” by analysts – in which cyber-crooks no longer seek to cause widespread alerts and make the headlines, but use subterfuge to make profit from their increasingly sophisticated malware creations.
Obviously, they therefore want to check their creations are undetected by security solutions before launching them.
“When VirusTotal was developed a few years ago, some people were claiming that it was being used by malware developers to test their creations,” continues Matthews. “In some cases, we knew it was true, as we have seen ‘boasting’ in forums about scanning results from VirusTotal that prove that certain malware was not detected by any vendor.”
Since VirusTotal removed the "Do not distribute the sample" option earlier this year, PandaLabs has noticed that some underground communities have been developing several projects that allow users to have a tool for analysing their creations.
One such example is KIMS. Though it appears to be a useful tool, it has one big disadvantage: users have to install each and every antivirus product locally.