News broke yesterday that three-quarters of malware samples uploaded to “no-distribute scanners” are never shared on “multiscanners” like VirusTotal, and hence, they remain unknown to security firms and researchers for longer periods of time. Andy Norton, Director of Threat Intelligence at Lastline commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“A big part of using no-distribute scanning sites is so that you don’t have to share the sample with VirusTotal and other legitimate scanning portals. The no-distribute site allows the malware author to see the current level of detection for their malware in the anti-virus community; they can alter the malware until they build a variant that is FuD (Fully UnDetectable). This FuD then becomes the template for all new hashes, and they can then create infinite amounts of new hashes of the same file to distribute in email campaigns to potential victims. 65% of the resulting file hashes that are used in malware campaigns spawned from the original FuD are only ever seen by one target victim. Whilst you can always alter the hash, code or structure of a piece of malware, you cannot alter its motive: to behave in a malicious way. Security firms and researchers are having to increasingly turn to behavioural analysis as the last line of defence against these hash swarms.”