
Miscreants test malware too

By Staff Writer, ITWeb
Johannesburg, 20 Mar 2008

Malware developers are no different from their legitimate counterparts: they test their code before releasing it on the Internet.

Panda Security says cyber-crooks are collaborating on forums and Web pages to develop test tools that replicate the scans of some of the leading security products. This lets malware authors tweak their creations until they are undetected before launching them.

"The tool is very similar to Hispasec's legitimate VirusTotal tool," says Jeremy Matthews, head of Panda Security's sub-Saharan operations.

"Incidentally, the surge of interest in these new tools coincides with the removal of the 'do not distribute the sample' option in VirusTotal, which allowed files to be scanned without sending the sample to security companies."

These tools are another manifestation of the new malware dynamic - coined "Malware 2.0" by analysts - in which cyber-crooks no longer seek to cause widespread alerts and make the headlines, but use subterfuge to make profit from their increasingly sophisticated malware creations.

"Obviously, they, therefore, want to check their creations are undetected by security solutions before launching them," Matthews says.

"When VirusTotal was developed a few years ago, some people were claiming it was being used by malware developers to test their creations," continues Matthews. "In some cases, we knew it was true, as we have seen 'boasting' in forums about scanning results from VirusTotal that prove that certain malware was not detected by any vendor."

Since VirusTotal removed the "do not distribute the sample" option earlier this year, PandaLabs has noticed that some underground communities have been developing several tools for analysing their creations without sharing samples with security vendors.

Virus toolkit

One such example is KIMS. Though it appears to be a useful tool, it has one big disadvantage: each and every anti-virus product has to be installed locally, says Panda.

Another tool, known as Scanlix, has a simple but effective interface and follows an "install and forget" philosophy: once it is installed, the user need do nothing else except update it from time to time. Its disadvantage is the limited number of engines it uses, though it is likely to be improved considerably in future versions.

"One of the latest projects in this field has been the Multi AVs Fixer, a scanner provided with a wide range of engines," says Matthews. "However, more than an evolution, it follows the pattern of KIMS, sharing the same disadvantage, as it is necessary to install the anti-virus programs locally.

"Fortunately, these tools are still unable to check if the Trojan would be detected by a proactive behaviour technology," says Matthews. "...we will be keeping an eye on future development in this field."

