
A Google Site Meant to Protect Is Helping Hackers Attack - ghosh
http://www.wired.com/2014/09/how-hackers-use-virustotal/
======
Kenji
I don't see what the problem is here. Of course hackers test their malicious
code against anti-virus programs, and Virustotal is just one of the most
convenient checkers. If there were no Virustotal, hackers would simply use
other similar checkers or set up their own checker. Virustotal is not at fault
at all; it's the concept of virus checkers that's failing. The headline makes
it look like Google knowingly exposes us to hackers. It does not, of course.

~~~
schoen
The article's title is even stranger in context of what the article says,
which is mainly that Google researchers were able to _detect_ this kind of
use, and were able to learn much more about the attackers' identities,
methods, and targets as a result of this use. The article says they're now
inviting other researchers to use the data for the same purposes.

So in some ways it's a lot more like "A Google Site Meant to Protect You is
Helping Hackers Attack You And Thereby Expose Their Affiliations, Methods,
Targets, and Schedules to Security Researchers".

------
cognibits
I'm an adviser for one of the companies that partnered with VirusTotal. I
cannot go into too much detail, but as a partner, we have access to the live
submission feed, which we analyze in real time to discover new threats etc. I
can assure you that we are not the only one. Furthermore, most partners do not
sync their data in real time, which could yield incorrect scanning results,
making the hackers think they're good to go.

I can also say that the more serious groups/hackers do not use VirusTotal to
check their malware. They have their own verified, anonymous services that do
the same thing, just without submitting the malware to the anti-virus company.

~~~
Dublum
This is all true. There exist, essentially, blackhat versions of VirusTotal
that don't submit the samples and don't have a feed delay; they are pretty
popular among the virus-writing community.

One of the ways that virustotal IS used however is by checking the hash of
their malware to see if it has shown up yet. That lets them know if someone
has taken an interest in it yet, and if they have, it means they need to start
rolling a new version.

~~~
josu
>One of the ways that virustotal IS used however is by checking the hash of
their malware to see if it has shown up yet. That lets them know if someone
has taken an interest in it yet, and if they have, it means they need to start
rolling a new version.

But once they upload the file to see if the hash already exists, they can no
longer check, since their hash will already be indexed. No?

~~~
Dublum
you can check a hash without uploading the file in question. VT only stores a
set of results if it has seen the actual file, not if a hash is checked
against it. This is why, when doing incident response, a lot of people suggest
not uploading suspicious files to VT, because it lets the attackers change up
and start using new malware
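
The hash-only lookup described in the comment above, as an added example (not code from the thread, from VirusTotal, or from any vendor). It assumes the VirusTotal v3 API: `GET https://www.virustotal.com/api/v3/files/{hash}` with an `x-apikey` header, which answers 404 for a hash VT has never received and 200 with `data.attributes.last_analysis_stats` for a file it already holds. Only the digest leaves the machine; the file bytes never do, which is the point for both the malware author checking whether a sample has "shown up" and the incident responder who wants to avoid tipping the attacker off. The sample payload and the canned 200 response are constructed for the demo; `file_hashes`, `classify_lookup` and `lookup_hash` are names chosen here, not part of any library.

```python
"""Query VirusTotal by hash without uploading the file.

Added example, not code from the thread or from VirusTotal. Assumes the
v3 API shape: GET /api/v3/files/{hash} with an `x-apikey` header returns
404 for an unknown hash and 200 with last_analysis_stats otherwise.
"""
import hashlib
import json
import urllib.error
import urllib.request
from typing import Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def file_hashes(data: bytes) -> dict:
    """Compute the three digests VT indexes a sample under (hash, not upload)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_lookup(status: int, body: Optional[bytes]) -> dict:
    """Interpret a hash-lookup response.

    404: VT has never received the file, so nobody has uploaded it and it has
         not gone out to the partner feed (the "not shown up yet" case).
    200: the file is already on VT; the last-scan stats say how many engines
         flag it (malicious + suspicious) out of the engines that ran.
    """
    if status == 404:
        return {"seen": False, "flagged": 0, "engines": 0}
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    attrs = json.loads(body)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {"seen": True, "flagged": flagged, "engines": sum(stats.values())}


def lookup_hash(api_key: str, sha256: str) -> dict:
    """Live lookup over the network. Sends only the hash, never the contents."""
    req = urllib.request.Request(VT_FILES_URL + sha256,
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_lookup(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 404 is the interesting "never seen" answer, not an error for us.
        return classify_lookup(err.code, err.read())


# Constructed sample payload (not real malware) and a constructed 200 reply.
SAMPLE = b"constructed example payload, not real malware\n"
CANNED_200 = json.dumps({"data": {"attributes": {"last_analysis_stats": {
    "malicious": 40, "suspicious": 2, "undetected": 20, "harmless": 3}}}}).encode()

if __name__ == "__main__":
    digests = file_hashes(SAMPLE)
    print("sha256 to look up:", digests["sha256"])
    print("unknown hash  ->", classify_lookup(404, None))
    print("known hash    ->", classify_lookup(200, CANNED_200))
    # To run a real lookup: lookup_hash("<your api key>", digests["sha256"])
```

Run it offline as-is to see the two outcomes; the live `lookup_hash` call is left commented because it needs an API key and network access. If the answer is 404, the sample is still unseen by VT; the moment anyone uploads the file, the same lookup flips to 200 and the author knows to start rolling a new build.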

------
tlrobinson
Malware authors giving you their samples directly, before they ever unleash
them into the wild? This seems like a great way to find new malware and
0-days, and a huge wasted opportunity if Google/VirusTotal isn't privately
doing this same sort of analysis internally.

~~~
sp332
I have to take back my previous comment. It looks like VT has to maintain
"neutrality" and avoid stepping on any commercial AV companies' toes, in order
to get them to cooperate. "The most important rule governing VirusTotal's
usage is that none of its publicly offered services/applications should be
used in commercial products, commercial services or for any commercial
purpose."
[https://www.virustotal.com/en/about/](https://www.virustotal.com/en/about/)

An example of what I was talking about earlier: a third-party found malware
and then used VT to find interesting info about it.
[http://www.spamfighter.com/News-19068-F-Secure-Intercepts-New-Sample-of-BlackEnergy-Uploaded-on-VirusTotal.htm](http://www.spamfighter.com/News-19068-F-Secure-Intercepts-New-Sample-of-BlackEnergy-Uploaded-on-VirusTotal.htm)

------
joshbaptiste
TLDR - Hackers use Virustotal.com to test and refine their malicious code.

~~~
shitlord
Not just hackers, but also nation states and APTs (who may have ties to nation
states).

------
tkmcc
It is common knowledge that VirusTotal analyzes and shares submitted files
with security researchers. The only blackhats who use VT to check their own
files are those who are either incapable of setting up their own multi-
scanning systems or paying to use one of the many "underground" services[0][1]
that offer similar functionality and do not share submitted files. The fact
that allegedly state-sponsored groups from China did not use these services is
yet another example of the striking difference between their apparent lack of
operational technical proficiency and the amazing results they achieve.

[0]: [http://krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/](http://krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/)
[1]: [http://krebsonsecurity.com/2010/04/virus-scanners-for-virus-authors-part-ii/](http://krebsonsecurity.com/2010/04/virus-scanners-for-virus-authors-part-ii/)

------
joosters
This reminds me of the early days of SpamAssassin. It used to have a fairly
simple set of regexes that would catch a great deal of spam. Then as it became
popular, spammers used it themselves to pre-filter and tweak their messages
until they passed the filters.

------
hhsnopek
This has been done for a long time. A couple of years ago, when I was learning
about exploits, this was one of the ways to check who would discover your
exploit. Pretty nifty trick.

