Malware authors work rigorously to ensure their creations will go undetected by security defenses. Though some adversaries engage in their own hands-on testing, many of them turn to third-party services known as "no-distribute scanners."
Unlike multiscanners such as VirusTotal, which are commonly employed by defenders, the no-distribute versions of these services scan the attacker's file with popular AV tools without sharing the sample with security vendors. These dynamics can have meaningful implications for vendors that rely on a steady supply of new malware samples for detection efficacy, and for enterprises that rely on these vendor solutions.
Security Vendors’ Need for Samples
Antivirus engines, both those that have been around for a while and those that emerged on the scene as part of the "next-gen" wave of products, thrive on a diet of malware samples. AV vendors fingerprint newly discovered malicious files to create signatures, which are still an important component of many malware detection strategies. Even the much-lauded machine learning models typically rely on large data sets of files to train the model to distinguish between legitimate and malicious artifacts.
AV companies have many sources for new files, including the suspicious files discovered by their own AV engines as well as intra-industry file-sharing arrangements. Multiscanning and similar malware analysis sites play an important role in these data-gathering activities. The usefulness of such data might explain why Alphabet's Chronicle recently started paying attention to the commercial potential of its multiscanner, releasing VirusTotal Enterprise. It could also be one of the reasons for CrowdStrike's acquisition of Payload Security.
Maintaining Stealth for Malware Samples
The longer it takes security vendors to spot a malicious file, the longer the specimen will remain effective in the wild. This is one of the reasons attackers shun malware scanning sites like VirusTotal and Payload Security. Once a sample finds its way to such a repository, it gets shared across the AV industry, so the participating vendors can update their signatures, train their models, or otherwise improve their detection rate.
Using a no-distribute scanner allows the attacker to test the malware against the AV engines without the risk of AV vendors learning about the file. This allows the adversary to tweak the malware if necessary, iterating through evasive techniques until the sample succeeds at bypassing the relevant antivirus tools.
Researchers at Recorded Future examined the samples submitted to no-distribute scanners over a period of several months. They discovered that 75% of the malware uploaded to no-distribute scanners was, at the time, unknown to traditional multiscanner repositories.
Defending Against Unknown Malware
The existence of no-distribute scanners illustrates the edge that malware authors gain by making it harder for security vendors to acquire their samples. It sheds light on the malicious practice of repeatedly testing samples to bypass AV engines. And it highlights the need for enterprises to test a solution's ability to prevent attacks by unknown malware that, despite many AV vendors' claims, will find a way past their existing security defenses. We also held a webinar about how enterprises can evaluate endpoint security products.
This is the context in which Minerva's Anti-Evasion Platform is at its strongest. Minerva's solution doesn't rely on detection to prevent evasive threats that would otherwise have compromised the endpoint. Our approach covers the gap inherent in antivirus-like products on the endpoint, providing an additional layer of prevention without duplicating functionality. To learn how Minerva can strengthen your anti-malware posture, request a demo today or download our whitepaper: How and Why Your Anti-Malware Strategy Needs to Evolve Beyond Antivirus.