{"id":3249,"date":"2008-03-21T06:33:00","date_gmt":"2008-03-21T04:33:00","guid":{"rendered":""},"modified":"2008-03-21T06:33:00","modified_gmt":"2008-03-21T04:33:00","slug":"cyber-crooks-developing-testing-tools","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/software\/3249-cyber-crooks-developing-testing-tools.html","title":{"rendered":"Cyber-crooks developing testing tools"},"content":{"rendered":"<p>An investigation conducted by the malware analysis and detection laboratory at Panda Security has shown that cyber-crooks are collaborating on different forums and pages to develop test-tools that replicate the scans of many security solutions. This allows hackers to check that their creations will be undetected before launching them.<\/p>\n<p>&quot;The tool is very similar to Hispasec&rsquo;s legitimate VirusTotal tool,&quot; explains Jeremy Matthews, head of Panda Security&rsquo;s sub-Saharan operations. &quot;Incidentally, the surge of interest in these new tools coincides with the removal of the &quot;do not distribute the sample&quot; option in VirusTotal which allowed files to be scanned without sending the sample to security companies.&quot;<\/p>\n<p>These tools are just another manifestation of the new malware dynamic &#8211; coined &quot;Malware 2.0&quot; by analysts &#8211; in which cyber-crooks no longer seek to cause widespread alerts and make the headlines, but use subterfuge to make a profit from their increasingly sophisticated malware creations. Obviously they want to check their creations are undetected by security solutions before launching them, Panda says.<\/p>\n<p>&quot;When VirusTotal was developed a few years ago, some people were claiming that it was being used by malware developers to test their creations,&quot; continues Matthews. 
&quot;In some cases, we knew it was true, as we have seen &rsquo;boasting&rsquo; in forums about scanning results from VirusTotal that prove that certain malware was not detected by any vendor.&quot;<\/p>\n<p>Since VirusTotal removed the &quot;Do not distribute the sample&quot; option earlier this year, PandaLabs has noticed that some underground communities have been developing several projects that allow users to have a tool for analysing their creations.<\/p>\n<p>One such example is KIMS. Though it appears to be a useful tool, it has one big disadvantage: you have to install each and every antivirus product locally.<\/p>\n<p>Another tool is one known as Scanlix, with a very simple but very effective interface. It uses an &quot;install &amp; forget&quot; philosophy &#8211; when you install it, you do not need to do anything else, except for updating it from time to time. If you take a look at the update option, you&rsquo;ll see that the different signature files will be updated. Its disadvantage is the limited number of engines it uses, though they are likely to improve it considerably in future versions.<\/p>\n<p>&quot;One of the latest projects in this field has been the Multi AVs Fixer, a scanner provided with a wide range of engines,&quot; says Matthews. &quot;However, more than an evolution, it follows the pattern of KIMS, sharing the same disadvantage, as it is necessary to install the anti-virus programs locally.&quot;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to PandaLabs, cyber-crooks are looking for ways to test their creations before distributing them. 
<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-3249","post","type-post","status-publish","format-standard","hentry","category-software"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/3249"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=3249"}],"version-history":[{"count":0,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/3249\/revisions"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=3249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=3249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=3249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}