Attackers have long used legitimate online services such as VirusTotal to check new pieces of malware against the major security suites, but that approach has been getting less effective. Now the creators of some exploit kits are beginning to bundle less well-known, underground malware-checking services with the kits they sell.
VirusTotal and services like it let a user submit a specific file or URL and find out whether it is flagged as malicious. They do this by running the file or URL through all of the major anti-malware engines and reporting what each one says. It is a handy way for users or administrators to get a quick answer about a suspicious file.
However, it is also an easy way for malware authors to see whether their latest creations are being detected by the security vendors yet. The services are typically anonymous and many are free, so they are easy for attackers to use. The people behind the legitimate services know this, and some, such as VirusTotal and Jotti, forward new files and URLs submitted to the service to the anti-malware vendors, so a sample an attacker checks there can end up in the very signature databases the attacker is trying to evade.
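To make the legitimate side of this concrete, the following is an added example, not code from the article or from VirusTotal, showing how a defender can query a multi-engine scanner by hash instead of uploading the file (so nothing leaves the machine) and how to read the per-engine verdicts. It targets VirusTotal's documented v3 file-report endpoint; the response shape used here and the sample report are constructed for the example and may not match every field the real service returns.

```python
"""Hash-based lookup against a multi-engine scanner (VirusTotal v3 shape).

Looking up a SHA-256 rather than uploading the file means the sample itself
is never handed to the service (and through it to the vendors it feeds).
Network access is confined to lookup_hash(); everything else runs offline on
a constructed report so the parsing can be exercised without an API key.
"""
import hashlib
import json
import urllib.error
import urllib.request
from typing import Optional

# Documented VirusTotal v3 endpoint for fetching a file report by hash.
VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_hex(data: bytes) -> str:
    """Hash the file bytes locally; only this digest is sent to the service."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    # v3 authenticates with the x-apikey header; the request body is empty.
    return urllib.request.Request(
        VT_FILE_LOOKUP.format(sha256=sha256), headers={"x-apikey": api_key}
    )


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """Return the parsed report, or None when the service has never seen the hash.

    A 404 is the interesting edge case: an unknown file is not a clean file,
    it is simply one nobody has submitted yet (which is exactly what a
    fresh, privately tested sample looks like).
    """
    try:
        with urllib.request.urlopen(build_lookup_request(sha256, api_key)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_report(report: Optional[dict]) -> dict:
    """Reduce a v3-style report to a status, a detection count and the flagging engines."""
    if report is None:
        return {"status": "unknown", "malicious": 0, "engines": 0, "detecting": []}
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs["last_analysis_results"]
    # Engines whose verdict category is "malicious"; sorted for stable output.
    detecting = sorted(
        name for name, verdict in results.items() if verdict.get("category") == "malicious"
    )
    engines = sum(stats[k] for k in ("malicious", "suspicious", "undetected", "harmless"))
    status = "flagged" if stats["malicious"] > 0 else "undetected"
    return {
        "status": status,
        "malicious": stats["malicious"],
        "engines": engines,
        "detecting": detecting,
    }


# Constructed sample report (assumption: mirrors the v3 layout, fake engine names).
SAMPLE_BYTES = b"constructed sample file for the example"
CONSTRUCTED_REPORT = {
    "data": {
        "id": sha256_hex(SAMPLE_BYTES),
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 3, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "malicious", "result": "Exploit.Kit"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    # Offline demonstration; swap in lookup_hash(digest, api_key) for a live query.
    digest = sha256_hex(SAMPLE_BYTES)
    print("sha256:", digest)
    print("known sample:", summarize_report(CONSTRUCTED_REPORT))
    print("never-submitted sample:", summarize_report(None))
```

The split between `lookup_hash` and `summarize_report` is deliberate: the network call is the only part that needs a key, and the "unknown" status is kept distinct from "undetected" so that a file no engine has ever seen is not reported as clean.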
However, there are also a number of underground file-checking services that do not subscribe to that model, and deliberately keep submitted samples away from vendors. Recently, security researchers at M86 Labs found that a newer version of the well-known Siberia exploit kit provides a file- and URL-checking service as part of the kit itself. The researchers discovered that the kit uses an API provided by an underground service called Scan4you.biz, which is known among security researchers as a tool attackers use to test their malware and exploits against detection.
“Of course, this service is not free. The cost is 0.15¢ for every file check or $25 for a one month license. The website offers several scans:
- File scan – Regular Anti-Virus scan
- URL scan – Anti-Virus scan of URL
- Blacklist / Filter scan – Check detection of URL in URL filtering services
- Exploit Pack scan – Check detection of toolkit name in URL filtering services
Eventually, in order to implement this service in Siberia Exploit’s Kit, or in any other toolkit, the underground Anti-Virus check service publishes an API for remote scanning,” Daniel Chechik of M86 wrote in his analysis of the kit.
There are a number of other services similar to Scan4you.biz, some of which offer monthly subscription models for maximum convenience. AVhide.com, for example, offers a package of unlimited FUD (fully undetectable) crypts for $150 a month.
The inclusion of a file- and URL-checking service in an exploit kit is another sign of how attackers' thinking is evolving. There are enough exploit kits on the market producing customized exploits for customers around the world that an aspiring attacker has little trouble finding one that generates the kind of exploit he is looking for. The kit authors, for their part, know that the more services they provide to help their customers succeed, the more money they will make selling their kits.