Proactive IT security

Subscription to malware testing

Introduction

The title may suggest that this article is about subscription services for email checking, such as Norman Online Protection. Not so! This time we shall examine yet another way in which criminal activity imitates legitimate business.

Quality control

In a security article earlier this year - Cyber crime imitates legitimate business - we discussed software kits for malware creation, and the fact that these kits include techniques to prevent them from being "illegally" copied.

However, commercial criminal activity also has other needs that resemble those of legitimate businesses. One such need is to check that the product works before it is released - quality control.

Benign products

There are several free online services that enable any user to upload a suspicious file to check whether it is malicious - or at least to check whether antivirus products detect it as such. Norman's own SandBox Center may be used to submit files for analysis by Norman SandBox® technology.

Among the more popular services, which offer scanning by multiple antivirus products, are VirusTotal and Jotti. These organizations use several different antivirus scanners - continuously updated - to check the files that are uploaded. Whether a malicious file is detected may of course differ between the various antivirus products. As part of the setup used by these organizations, a sample exchange policy between the antivirus vendors is in place. The two organizations describe this as follows:

VirusTotal:

When you submit a sample file to VirusTotal for scanning, we may store it and share it with anti-malware and security companies (normally the companies participating in VirusTotal receive the samples catalogued as malware that their engines do not detect). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve anti-virus engines.

Jotti:

We (temporarily) store files you send in for scanning and share these with anti-malware companies. We do this for one simple reason: to help anti-malware companies improve detection accuracy in their security products. (...) Your files will probably be analysed (and thus read) by security analysts. If you do not want other people or companies reading your files, please do not send these files in for scanning. (...) Files are not shared with entities outside the anti-virus/security industry.

Obviously, a person with malicious intent does not want her malware to be detected by antivirus products when it is released. The services above may therefore also be used by criminals to check whether the program is detected or not (and by how few or how many antivirus products). As the submission conditions above show, however, a file that is detected as malicious by some vendors' antivirus products may be forwarded to the remaining vendors for subsequent addition to their virus signature files. That part is not in the malicious person's interest, as she wants to keep her secrets as close to her chest as possible.

The need fulfilled

One axiom in marketing is that wherever there is a demand for something, it will be supplied. It seems this also applies here.

There are now several web sites that offer a service similar to the ones mentioned above, but with one crucial difference. Their marketing pitch is that they do not share the analyzed files with any third party. The person who is fine-tuning her malware can now do so without fearing that early versions are sent to the antivirus industry before the finalized version is released.

This service is available on a pay-per-submission basis or for a subscription fee.

An additional feature on offer is an alert when a particular piece of malware is eventually detected by antivirus products. The malware creator then knows that it is time to release a new version of her product.

An illegal service?

Most would agree that it is morally dubious to offer such a service. Some may even argue that services like these are illegal.

Of course, it is impossible for us to know the legal systems of all countries around the world. We can, however, examine some legal aspects in general terms:

Prohibited use of antivirus products

Provided the antivirus products were purchased legally in the first place, it is doubtful whether using them in this way breaches the license terms. End user license agreements would normally not contain clauses prohibiting such use of the software.

Illegal per se to offer such a service

This cannot apply unless it is also illegal to offer a service almost identical to the legitimate - and obviously useful - one provided by the organizations mentioned above. It seems far-fetched to argue that whether or not the files uploaded for scanning are forwarded to antivirus vendors should decide the service's legality.

Accomplice to crime

This is perhaps the most promising path to follow in order to show that such services are illegal.

One may argue that the service's intent is obviously to participate (indirectly) in the planning of a future crime.

The counter-argument is obviously that the hostess of the service does not know that criminal activity was planned. For all she knew, the person who uploaded a file only wanted to check that it was not falsely detected as malicious...

Presumably, national legislation and the courts will decide whether or not such a service is lawful.
