RSA Admin

They are watching youand your security vendors.

Blog Post created by RSA Admin Employee on Aug 22, 2012

REPOST - ORIGINALLY POSTED MAY 30, 2010

 

If you’ve ever seen me, or any of the NetWitness crew, speak on malware, advanced threats or the current threat environment, you’ll generally hear more than one recurring theme, one of which is:

 

Your anti-virus solution isn’t working like you think it is.

 

This is occurring for a variety of reasons and is ultimately the result of a business-based exploitation cycle in the criminal underground.   This cycle includes software support, licensing, and ongoing quality assurance.  One of the best examples I’ve ever seen to illustrate this concept is in the case of “scan4u.biz”.

 

Brian Krebs posted about this particular cybercrime endeavor in his blog here a few months ago:

 

http://krebsonsecurity.com/tag/scan4u-biz/

 

However, recent intelligence gathering efforts have revealed that this particular business venture has been extended and improved using the same resilience concepts used in most large legitimate corporate infrastructures.

 

A brief overview of “scan4u.biz”

 

Scan4u.biz is essentially  a “criminal virustotal plus”.  That is, it is a service where a miscreant can submit a newly created malware binary to gauge the detection rate of various antivirus vendors.  While similar to virustotal in this regard, the key is that scanned binaries aren’t submitted to the antivirus vendors in question, as is done with virustotal.

 

Let’s surf the service for examples:

44646


What we see here is a general overview of the service (translated from russian) with the following key points:

 

  • The service doesn’t submit to anti-virus vendors.
  • Antivirus clients are updated hourly to maintain a current definition set
  • Submitted binaries are rechecked on a schedule and customers are emailed about new detections

 

Digging deeper we see an example of the current signature state of included antivirus engines, which includes the vendor name, signature update version number and last update time: 

44647

And it’s even affordable and easy to pay for…$25 a month or 15 cents per scan, and a discount for referrals.  As well as flexible payment options and multiple contact points (I’ve blocked the specifics out):

 

44648

 

How long has this service been running?

 

“News” updates indicate that this service has been running since at least October of 2009 and is being consistently upgrade and maintained:

 

News

2010-05-01 – 2010-05-10 – Our support will be online, less often

2010-04-23 – Add Domain/IP/Url check in NOD32 antivirus

2010-04-21 – Add Domain/IP/Url check in Kasperky Anti-Phishing database

2010-04-19 – Today we will do hardware upgrade, posible some down time.

2010-04-15 – The check of sheaves is finished, now we pull out all that is possible. The check goes only from one IP(our web IP). So do not forget to null stats before the check or to switch off blocking on IP.

2010-04-12 – We upgrade Dr Web to 6.0 version.

2010-03-31 – Today/Tomorow we will do hardware upgrade, posible some down time.

2010-03-22 – Add Trend Micro Internet Security Pro Antivirus.

2010-03-21 – Add eTrust-Vet Internet Security Antivirus.

2010-03-19 – Add VirusBuster Internet Security Antivirus.

2010-03-19 – Update API, now you can turn some AV off for check, add support for Exploits Pack check. Add ability to get execution result of find/pdfid/pefile/trid utility (“Save file on server” option must be on)

2010-03-18 – We upgrade Avast and NOD32 antiviruses to new version. Avast now have Avast5 version and NOD32 now 4.0437 version.

2010-03-11 – We second day under DOSS attack, we apologize for any interference. Our technical team is working on this.

2010-03-03 – Add New type of check, “Exploit Pack”.

2010-02-25 – Add Domain/IP/Url check in SpamCop.net and RFC-Ignorant.Org.

2010-02-23 – Today we make our 500K check.

2010-01-28 – Add new features: now reports can be send to Jabber and GTalk accounts.

2010-01-20 – Upgrade Notrton Antivirus to Norton Internet Security.

2010-01-19 – Update Internet Explorer 8, now found more “Unsafe Website”.

2009-12-08 – Add Webroot Internet Security Essentials Antivirus.

2009-12-08 – Add F-Secure Internet Security 2010 Antivirus.

2009-12-02 – Add COMODO Internet Security Antivirus.

2009-11-25 – Add Domain/IP/Url check in Firefox Phishing and Malware Protection

2009-11-17 – Add Domain/IP/Url check in Panda Antivirus 2010

2009-11-11 – Add Domain/IP/Url check in Norton Safe Web

2009-11-10 – new support ICQ 588-391-779. Old number temporarily not work.

2009-11-10 – Add Polish Antivirus ArcaVir.

2009-11-09 – Today we add chinese Antivirus Rising to our system.

2009-11-05 – Add Sophos Antivirus.

2009-11-02 – Add AntiVir (Avira) Antivirus.

2009-10-27 – Add Utility that help you makes checks on your own system (see Links page).

2009-10-23 – Add Norman Antivirus.

2009-10-21 – Add Domain/IP/Url check in SmartScreen (IE7/IE8 malware & phishing Web site defense).

2009-10-19 – Add ability to check Domain/IP/Url in blacklist and Filter databases. At now we support following checks: ZeuS domain block-list, ZeuS IP block-list, ZeuS Tracker, MalwareDomainList (MDL), Google Safe Browsing (FireFox), PhishTank (Opera, WOT, Yahoo! Mail), hpHosts, SPAMHAUS SBL, SPAMHAUS PBL, SPAMHAUS XBL, MalwareUrl.

2009-10-15 – Add Microsoft Security Essentials Antivirus.

2009-10-06 – Add IKARUS Antivirus.

2009-10-02 – Add 2 new antivirus Quick Heal and A-Squared.

2009-10-01 – At present at us 16 antivirus Solo, McAfee, BitDefender, Panda, F-Prot, Avast!, VirusBlokAda, ClamAV, Kaspersky, Vexira, Norton, DrWeb, AVG, A-Squared, ESET NOD32, G DATA.

2009-10-01 – Today we have started our service on check of files on presence of viruses and malware.


How do we kill it?

 

So to take this down, we’d just get the domain name suspended right?   Well..it appears that that has already been done as is evident with a quick dig:

 

Not found: scan4u.biz

 

 

>>>> Whois database was last updated on: Sun May 30 14:07:49 GMT 2010 <<<<


So how is it still accessible?

 

At this moment, this service is being hosted or proxied through a criminal infrastructure, known in the industry as Gumblar.  Gumblar was recently referenced in a large scale compromise of blogs at most major hosting companies and has been an ongoing presence in the malware world for the past few  years.   At last check, the infrastructure has at least 376 verified domains, mostly in the .ru tld, across at least 43 different IPs in geographically disperse locations.

 

This hosting model is, in effect, a content distribution network, as used by most major online presences.  In this case, it’s being used to both hide the miscreants actual operating location, as well as provide fault tolerance from ongoing takedown efforts by the security community.

 

Extending beyond antivirus checks

 

As well as antivirus checks, the miscreants running the service appear to have extended their checks into the online blacklist area:

 

“Domain check on presence in black list: ZeuS domain blocklist, ZeuS IP blocklist, ZeuS Tracker, MalwareDomainList (MDL), Google Safe Browsing (FireFox), PhishTank (Opera, WOT, Yahoo! Mail), hpHosts, SPAMHAUS SBL, SPAMHAUS PBL, SPAMHAUS XBL, MalwareUrl,SmartScreen (IE7/IE8 malware & phishing Web site),Norton Safe Web, Panda Antivirus 2010, (Firefox Phishing and Malware Protection), SpamCop.net and RFC-Ignorant.Org.”

 

This update indicates ongoing blacklist checks across a variety of services, including:

 

  • Security researcher and community published blacklists (zeustracker, malwaredomainlist,malwareurl,phishtank,spamhaus)
  • Browser-based anti-phishing technology (google safe browsing,smartscreen)
  • Vendor blacklists (Norton, Panda, etc)

 

So in essence, miscreants using this service have a one-stop shop for both the detection of malicious binaries as well as the existence of their delivery systems in disparate blacklists across the internet. 

 

They also understand researcher and malware analysis activity:

 

Add ability to get execution result of find/pdfid/pefile/trid utility (“Save file on server” option must be on)”

 

  • PDFID is Didier Steven’s excellent PDF analysis tool.
  • PEFILE  is a python module used to assist in reverse engineering binaries to detect packing and other indicators of maliciousness.
  • TRID is a tool used to identify files from their binary signatures.

 

What all of this should tell you is that criminal miscreants continue to upgrade and enhance their services to assist in perpetuating their business model, penetrate your networks, and make money!

 

Watch your network, because they certainly are!

 

Alex Cox, Principal Research Analyst

Outcomes