Before a software company such as Microsoft or Apple releases a new product, it tests the code to make sure the software runs and to check for bugs. Hackers and cyber-espionage groups do the same: if you were one of them, you would want to be sure the Trojan you are about to unleash on a victim's system actually works. More importantly, you would not want the victim's antivirus engine to detect the malicious tools you planted.
So what would you do? You would submit your code to VirusTotal and let it run the first test; if the code passes, stealing what you are after becomes that much easier. You may be wondering what sort of god this VirusTotal is; don't worry, we will get to that shortly.
People have long suspected that hackers and state spies test their malware against Google's antivirus-scanning engine before officially deploying it, but it had never been proven. Not long ago, independent security researcher Brandon Dixon tracked several high-profile hacking groups, including two prominent nation-state teams, as they used VirusTotal to hone their code and develop their tradecraft, and caught them in the act.
“VirusTotal is being used against itself,” Dixon said. “It's really ironic. I never thought a nation would use a public testing system for something like this.” VirusTotal is a free online service founded in Spain in 2004 by Hispasec Sistemas and bought by Google in 2012. It bundles more than 30 virus-scanning engines from antivirus vendors including Symantec, Kaspersky Lab and F-Secure. A researcher, or anyone else, who finds a suspicious file on a system can upload it to VirusTotal and see whether the scanners identify it as malicious. But an engine that exists to protect systems has inadvertently handed hackers an opportunity: they can test and adjust their own code against it until the code fools the anti-virus tools.
Dixon has spent years tracking file-upload data online, and he has now identified several hackers and hacking teams who have been using VirusTotal to refine their code.
He can do this because every file uploaded to VirusTotal carries metadata. This includes the file itself and its upload time, and the service also stores a hashed form of the uploader's IP address, from which the country a file was uploaded from can be determined. Although Google hides the actual IP address to protect user privacy, the hash still reveals which files were submitted from the same address. Oddly, several of the hacker groups Dixon monitored liked to submit their malicious code from the same IP address, apparently unfamiliar with the proverb that a cunning rabbit keeps three burrows.
Using a set of analytical algorithms he built for this metadata, Dixon found patterns and regularities in the submitted files, and he concluded that the metadata belonged to two well-known cyber-espionage teams, one of which appears to be based in Iran. Over months of observation he watched these groups gradually perfect their code on VirusTotal; before long the scanners found the polished malware harder and harder to detect. Watching them closely, Dixon could in some cases predict when they would attack, and even when users had been hit: when he saw a re-tested piece of code appear on VirusTotal, and then saw victims who had found it on their machines submit it to VirusTotal for scanning.
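The kind of metadata analysis the article attributes to Dixon, as an added illustration that is not his code or VirusTotal's: group uploads by the anonymised uploader identifier and flag sources whose successive, distinct files are detected by fewer and fewer engines. Every record field and value below is constructed for this example and is not VirusTotal's real schema.

```python
from collections import defaultdict

# Constructed sample records in the shape the article describes: each upload
# carries an upload time, a hashed (anonymised) uploader identifier, the
# submitter's country, the file hash and the scan result. Field names and
# values are assumptions for this example, not VirusTotal's real schema.
SUBMISSIONS = [
    {"ts": "2014-06-02T09:10", "uploader": "h1", "country": "IR", "sha256": "a1", "hits": 30, "engines": 38},
    {"ts": "2014-06-03T11:40", "uploader": "h1", "country": "IR", "sha256": "a2", "hits": 22, "engines": 38},
    {"ts": "2014-06-05T08:05", "uploader": "h1", "country": "IR", "sha256": "a3", "hits": 14, "engines": 38},
    {"ts": "2014-06-07T16:30", "uploader": "h1", "country": "IR", "sha256": "a4", "hits": 7, "engines": 38},
    {"ts": "2014-06-09T10:00", "uploader": "h1", "country": "IR", "sha256": "a5", "hits": 2, "engines": 38},
    # A victim or analyst re-submitting the same file: few uploads, same hash.
    {"ts": "2014-06-10T12:00", "uploader": "h2", "country": "US", "sha256": "a5", "hits": 9, "engines": 38},
    {"ts": "2014-06-12T12:00", "uploader": "h2", "country": "US", "sha256": "a5", "hits": 20, "engines": 38},
    # A noisy but benign source: many distinct uploads, detection stays high.
    {"ts": "2014-06-01T00:00", "uploader": "h3", "country": "DE", "sha256": "b1", "hits": 35, "engines": 38},
    {"ts": "2014-06-02T00:00", "uploader": "h3", "country": "DE", "sha256": "b2", "hits": 36, "engines": 38},
    {"ts": "2014-06-03T00:00", "uploader": "h3", "country": "DE", "sha256": "b3", "hits": 34, "engines": 38},
    {"ts": "2014-06-04T00:00", "uploader": "h3", "country": "DE", "sha256": "b4", "hits": 37, "engines": 38},
]

def group_by_uploader(records):
    """Bucket submissions by the hashed uploader id, oldest first (ISO timestamps sort lexically)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["uploader"]].append(r)
    for g in groups.values():
        g.sort(key=lambda r: r["ts"])
    return groups

def detection_trend(group):
    """Fraction of engines flagging each successive upload from one source."""
    return [r["hits"] / r["engines"] for r in group if r["engines"]]

def flag_iterative_testing(records, min_uploads=4, drop_factor=0.5):
    """Flag sources that upload a run of distinct files whose detection ratio
    falls to at most drop_factor of where it started: the 'tweak, resubmit,
    repeat until the scanners miss it' pattern described in the article."""
    flagged = {}
    for uploader, group in group_by_uploader(records).items():
        ratios = detection_trend(group)
        distinct = len({r["sha256"] for r in group})
        if len(ratios) < min_uploads or distinct != len(group):
            continue  # too few samples, or the same file re-submitted (victim/analyst)
        if ratios[0] > 0 and ratios[-1] <= ratios[0] * drop_factor:
            flagged[uploader] = {"country": group[0]["country"], "uploads": len(group),
                                 "first": round(ratios[0], 2), "last": round(ratios[-1], 2)}
    return flagged
```

A flagged source is a lead for analysts, not proof: the flagged files' hashes and the timing of their uploads are what the article says let Dixon anticipate when a campaign was about to go live.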
As for how Dixon came to think of using metadata to study VirusTotal in this way, it was because security researchers had repeatedly reported hackers using the site as a testing tool. Until now he has been unwilling to discuss his metadata research publicly, knowing it would prompt the hackers to change tactics and make them harder to catch. But he also said that the VirusTotal database now holds enough historical data for other researchers to study it and find what slipped through his net. So not long ago he publicly released code that analyses this metadata more effectively, so that others can begin independent research of their own.
Dixon said that digging the hidden players out of the data was anything but easy. “Finding them is very hard. When I first started paying close attention to this data I was just confused and desperate to get a foothold; I didn't know what I should be looking for, or how the hackers were refining their code, until I found one of them.”
Dixon tracked an unknown hacker or hacking group in Iran that, in the single month of June, uploaded roughly 1,000 malware files and in doing so gained a great deal of anti-virus evasion experience. In some cases they held their fire until the adjustments were complete and the code bypassed every anti-virus product.
Now that these groups' activities on VirusTotal have been exposed, they will undoubtedly not stop; they will keep using the engine, just in ways that make them harder to find. Dixon is fine with that. As long as security companies can determine who is testing malicious code on VirusTotal, they have a chance to find clues, capture the code's characteristics and build corresponding defenses before the code is deployed.