VirusTotal and its analogues as a way of "burning" (exposing) malware

VirusTotal is a free service that analyses suspicious files and URLs to identify viruses, worms, Trojans and other malware. Its verdict does not depend on any single antivirus vendor: VirusTotal runs the file through several dozen antivirus engines, which allows a more reliable conclusion about whether a file is dangerous than any one product could give.

It is clear that most malware authors want their creations to "live" on users' machines for as long as possible. The longer the malware stays on a computer, the more money it can potentially earn. Their main obstacle is the antivirus. In the vast majority of cases, to protect their creations from signature and heuristic detection, malware authors use cryptors. The cryptor market is quite extensive, and there are many offerings because cryptors are in demand.

Once a file has been "wrapped" by a cryptor, the malware author tests it against antivirus products (otherwise they may release something that is detected on day one). Everyone knows there are services that let you scan a file with a whole set of AV engines at once, for example VirusTotal or Jotti's Virscan.


[Image 2: Jotti Virscan]

Everything is convenient: many engines, only a slight delay, and so on. But for someone preparing to release, say, the next version of a screen locker, these services have one small drawback: in some cases they forward the scanned file to the antivirus companies.

[Image 3: Jotti Virscan notice about forwarding files to antivirus companies]

Virscan from Jotti: "Files sent to us may be forwarded to antivirus companies so that they can improve the detection of their products. Read more about this in our privacy policy. If you do not want your files transferred to third parties, do not send them at all."

From the VirusTotal FAQ (the section addressed to antivirus vendors): "In exchange for your engine you will receive all files submitted to VirusTotal that are not detected by your product, but are detected by at least one other vendor, plus the report." In other words, sample sharing is the price a vendor pays for having its engine included: every sample its own engine misses but some other engine catches ends up in its lab.

It is logical to assume that malware authors are not happy about this, since their files are sent to AV companies for analysis, which shortens the time a sample goes unnoticed. That is why they turn to companies that offer a VirusTotal-like service but promise anonymity (at least that is what the scanner sites claim; we cannot know for sure).
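As an added illustration that is not part of the original article, here is the sharing rule quoted above applied to a single scan report. The report shape, engine names and verdicts are constructed for the example and are not a real VirusTotal result; the lookup helper only builds the request for VirusTotal's API v3 `files/{hash}` endpoint and never sends it.

```python
import hashlib
import json

# Constructed multi-engine scan report, modelled on the shape of a
# VirusTotal-style result (engine name -> category/verdict). Engine names
# and verdicts are invented for this example; this is not a real report.
SAMPLE_REPORT = json.loads("""
{
  "results": {
    "EngineA": {"category": "malicious",        "result": "Trojan.Generic"},
    "EngineB": {"category": "undetected",       "result": null},
    "EngineC": {"category": "suspicious",       "result": "Heur.Packed"},
    "EngineD": {"category": "undetected",       "result": null},
    "EngineE": {"category": "type-unsupported", "result": null}
  }
}
""")

# Categories that count as a detection for the purpose of the sharing rule.
DETECTED_CATEGORIES = {"malicious", "suspicious"}


def detection_summary(report):
    """Split engines into those that flagged the sample and those that
    scanned it and found nothing. Engines that could not scan the file
    (e.g. 'type-unsupported') appear in neither list."""
    results = report["results"]
    detected = sorted(name for name, r in results.items()
                      if r["category"] in DETECTED_CATEGORIES)
    undetected = sorted(name for name, r in results.items()
                        if r["category"] == "undetected")
    return {"detected": detected, "undetected": undetected,
            "total": len(results)}


def vendors_receiving_sample(report):
    """Apply the rule quoted from the VirusTotal FAQ: a vendor receives a
    submitted file when its own engine missed it but at least one other
    engine flagged it. If no engine flags the file, nobody receives it."""
    summary = detection_summary(report)
    if not summary["detected"]:
        return []
    return summary["undetected"]


def sha256_hex(data):
    """Hash of the sample: what a lookup sends instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


def hash_lookup_request(sha256, api_key):
    """Build (but do not send) a VirusTotal API v3 lookup by hash. A hash
    lookup only asks whether the file is already known; it uploads nothing,
    so it cannot by itself cause the file to be shared with vendors."""
    return {
        "method": "GET",
        "url": f"https://www.virustotal.com/api/v3/files/{sha256}",
        "headers": {"x-apikey": api_key},
    }


if __name__ == "__main__":
    s = detection_summary(SAMPLE_REPORT)
    print(f"{len(s['detected'])}/{s['total']} engines flagged the sample")
    print("would be forwarded to:",
          ", ".join(vendors_receiving_sample(SAMPLE_REPORT)))
    # Constructed byte string standing in for a sample file.
    digest = sha256_hex(b"constructed sample bytes")
    print(hash_lookup_request(digest, "YOUR_API_KEY")["url"])
```

Two practical points follow from the rule as quoted. A build that no engine detects is shared with nobody, which is exactly why "zero detections" matters to the people described here; the moment a single engine catches it, the sample lands in every other vendor's lab. And if you only want to know whether a sample is already known, query by hash rather than uploading: a hash lookup sends nothing but the digest.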

For example, there is this service:

[Image 4: an anonymous multi-engine scanning service]

On one of the forums I found a list of what else this outfit offers:

"— scheduled alerts by e-mail or Jabber

— automatic registration and automatic account top-up via Webmoney

— our AV checker runs the current versions of the antivirus products with their latest updates."

It is convenient enough: you receive a notification by e-mail or elsewhere that some vendor has started detecting the latest build. Two other outfits that provide anonymous file scanning:

[Image 5: two other anonymous scanning services]

Of course, there are many more, but it is worth noting that all of these services respond to their customers' needs very quickly. They also offer support, an API for working with the service, a GUI client, and so on. This suggests there is competition in this market and a struggle for customers.

However, all such services share a significant limitation: they scan only an individual file or an individual domain, and that is not how the most popular infection schemes actually work. All modern antivirus products have layered protection, so often the check never reaches the file itself. In a drive-by attack chain, the antivirus can block one of the domains through which the redirect, the malicious iframe or script, or the exploit is delivered. If the malware does reach the computer and starts, there is a sandbox or proactive (behavioural) protection that analyses the program's behaviour at execution time.

In the services I have seen there was no information about testing detection by proactive protection, and understandably so: it is hard to implement. Nor should one forget the cloud, which can block a file by its reputation alone. So, despite all the attackers' efforts, many real-world situations cannot be reproduced, which makes testing a single object against signature/heuristic scanners simply insufficient.
