If you’ve ever seen me, or any of the NetWitness crew, speak on malware, advanced threats or the current threat environment, you’ll generally hear more than one recurring theme, one of which is:
Your anti-virus solution isn’t working like you think it is.
This is happening for a variety of reasons, and it is ultimately the result of a business-driven exploitation cycle in the criminal underground: a cycle that includes software support, licensing, and ongoing quality assurance. One of the best examples I've seen to illustrate this concept is the case of “scan4u.biz”.
Brian Krebs posted about this particular cybercrime endeavor in his blog here a few months ago:
However, recent intelligence gathering efforts have revealed that this particular business venture has been extended and improved using the same resilience concepts used in most large legitimate corporate infrastructures.
A brief overview of “scan4u.biz”
Scan4u.biz is essentially a “criminal VirusTotal plus”. That is, it is a service where a miscreant can submit a newly created malware binary to gauge its detection rate across various antivirus vendors. While similar to VirusTotal in this regard, the key difference is that scanned binaries aren't passed on to the antivirus vendors in question, as VirusTotal does.
Let’s surf the service for examples:
What we see here is a general overview of the service (translated from Russian) with the following key points:
- The service doesn’t submit to anti-virus vendors.
- Antivirus clients are updated hourly to maintain a current definition set
- Submitted binaries are rechecked on a schedule and customers are emailed about new detections
Digging deeper we see an example of the current signature state of included antivirus engines, which includes the vendor name, signature update version number and last update time:
And it's even affordable and easy to pay for: $25 a month or 15 cents per scan, with a discount for referrals, flexible payment options and multiple contact points (I've blocked the specifics out):
How long has this service been running?
“News” updates indicate that this service has been running since at least October of 2009 and is being consistently upgraded and maintained:
How do we kill it?
So to take this down, we'd just get the domain name suspended, right? Well, it appears that has already been done, as a quick whois lookup shows:
Not found: scan4u.biz
>>>> Whois database was last updated on: Sun May 30 14:07:49 GMT 2010 <<<<
So how is it still accessible?
At this moment, this service is being hosted or proxied through a criminal infrastructure known in the industry as Gumblar. Gumblar was recently referenced in a large-scale compromise of blogs at most major hosting companies and has been an ongoing presence in the malware world for the past few years. At last check, the infrastructure has at least 376 verified domains, mostly in the .ru TLD, across at least 43 different IPs in geographically dispersed locations.
This hosting model is, in effect, a content distribution network, as used by most major online presences. In this case, it's being used both to hide the miscreants' actual operating location and to provide fault tolerance against ongoing takedown efforts by the security community.
Extending beyond antivirus checks
In addition to antivirus checks, the miscreants running the service appear to have extended their checks into online blacklists:
“Domain check on presence in black list: ZeuS domain blocklist, ZeuS IP blocklist, ZeuS Tracker, MalwareDomainList (MDL), Google Safe Browsing (FireFox), PhishTank (Opera, WOT, Yahoo! Mail), hpHosts, SPAMHAUS SBL, SPAMHAUS PBL, SPAMHAUS XBL, MalwareUrl, SmartScreen (IE7/IE8 malware & phishing Web site), Norton Safe Web, Panda Antivirus 2010, (Firefox Phishing and Malware Protection), SpamCop.net and RFC-Ignorant.Org.”
This update indicates ongoing blacklist checks across a variety of services, including:
- Security researcher and community published blacklists (ZeuS Tracker, MalwareDomainList, MalwareUrl, PhishTank, Spamhaus)
- Browser-based anti-phishing technology (Google Safe Browsing, SmartScreen)
- Vendor blacklists (Norton, Panda, etc.)
So in essence, miscreants using this service have a one-stop shop for checking both the detection of their malicious binaries and the presence of their delivery systems in disparate blacklists across the internet.
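The same blacklist lookup from the defender's side, as an added example that is not part of the original post and not the service's code: a small Python checker that loads feeds in the two layouts those lists were published in (one hostname or IP per line with # comments, or hosts-file style "sinkhole-ip hostname") and sweeps observed hostnames and IPs against them, matching parent domains as well. The feed contents, the feed names and the observed indicators are all constructed here for illustration; none of it is live blocklist data.

```python
import ipaddress

# Constructed sample feeds, not real blocklist content. Each value is (kind, text).
# Layouts mirror how the feeds named in the post were published: a bare hostname or IP
# per line with '#' comments (ZeuS Tracker style), and hosts-file style
# "<sinkhole ip> <hostname>" (hpHosts / MalwareDomainList style).
FEEDS = {
    "zeus_domains": ("domain", """# ZeuS domain blocklist (constructed sample)
evil-bot-panel.example
Config.Drop.Example.
"""),
    "hphosts": ("domain", """# hpHosts style (constructed sample)
127.0.0.1 localhost
127.0.0.1 bad-redirector.example   # a comment after the entry
127.0.0.1 phish-login.example
"""),
    "zeus_ips": ("ip", """# ZeuS IP blocklist (constructed sample); bare IPs or CIDR ranges
192.0.2.7
198.51.100.0/24
"""),
}

# Indicators as they might be pulled from (constructed) proxy and DNS logs
OBSERVED = ["www.Config.Drop.Example", "cdn.bad-redirector.example",
            "198.51.100.42", "203.0.113.9", "clean.example"]


def _entries(text):
    """Yield the whitespace-split payload of each non-comment line, '#' comments stripped."""
    for line in text.splitlines():
        payload = line.split("#", 1)[0].strip()
        if payload:
            yield payload.split()


def parse_domain_feed(text):
    """Accept both 'hostname' and 'sinkhole-ip hostname' lines; normalise case and trailing dots."""
    hosts = set()
    for fields in _entries(text):
        host = (fields[1] if len(fields) >= 2 else fields[0]).lower().rstrip(".")
        if host != "localhost":          # hosts files carry this line; it is not an indicator
            hosts.add(host)
    return hosts


def parse_ip_feed(text):
    return [ipaddress.ip_network(fields[0], strict=False) for fields in _entries(text)]


def match_domain(domain, hosts):
    """Return the listed entry covering domain, walking up its parents but never the bare TLD."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def match_ip(ip, networks):
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def build_index(feeds):
    """Parse every feed once; returns {name: (kind, parsed_data)}."""
    return {name: (kind, parse_ip_feed(text) if kind == "ip" else parse_domain_feed(text))
            for name, (kind, text) in feeds.items()}


def check_indicator(indicator, index):
    """Return {feed_name: matched_entry} for every feed that lists the indicator."""
    try:
        ipaddress.ip_address(indicator)
        is_ip = True
    except ValueError:
        is_ip = False
    hits = {}
    for name, (kind, data) in index.items():
        if kind == "ip" and is_ip:
            hit = match_ip(indicator, data)
        elif kind == "domain" and not is_ip:
            hit = match_domain(indicator, data)
        else:
            continue
        if hit:
            hits[name] = hit
    return hits


def sweep(indicators, feeds=FEEDS):
    index = build_index(feeds)
    return {ind: check_indicator(ind, index) for ind in indicators}


if __name__ == "__main__":
    for ind, hits in sweep(OBSERVED).items():
        print(f"{ind:32} {hits or 'clean'}")
```

The miscreant runs this kind of lookup against his own delivery domains to learn when they have been burned; a network defender runs it against the hostnames and IPs seen in proxy and DNS logs. Both sides consume the same feeds, which is exactly why the service bothers to check them.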
They also understand researcher and malware analysis activity:
“Add ability to get execution result of find/pdfid/pefile/trid utility (“Save file on server” option must be on)”
- PDFiD is Didier Stevens's excellent PDF analysis tool.
- pefile is a Python module used to assist in reverse engineering PE binaries, for example to detect packing and other indicators of maliciousness.
- TrID is a tool used to identify file types from their binary signatures.
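To show what the pefile-style check listed above actually measures, here is an added example that is not code from the post or from pefile itself: a pure-Python walk of the PE section table that computes the Shannon entropy of each section's raw bytes, the usual packing heuristic that pefile users script by hand. The 7.0 bits/byte threshold is a rule of thumb, the two sample PE files are constructed inside the block (they parse but would never load or run), and the `build_sample_pe`, `packing_report` and `looks_packed` names are mine.

```python
import hashlib
import math
import struct

# Rule of thumb: compressed or encrypted data sits near 8.0 bits/byte, plain x86 code well below.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> list:
    """Walk the PE section table (what pefile exposes as pe.sections) and return
    (name, raw_bytes) pairs. Only the fields needed for the entropy check are read."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    if coff + 20 > len(pe):
        raise ValueError("truncated COFF header")
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_opt               # IMAGE_SECTION_HEADER[] follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(pe):
            raise ValueError(f"section header {i} lies outside the file")
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        if raw_ptr + raw_size > len(pe):
            raise ValueError(f"section {i} raw data lies outside the file")
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_report(pe: bytes) -> list:
    """Per-section (name, size, entropy, suspicious) tuples."""
    report = []
    for name, data in pe_sections(pe):
        h = shannon_entropy(data)
        report.append((name, len(data), round(h, 2), h >= PACKED_THRESHOLD))
    return report


def looks_packed(pe: bytes) -> bool:
    return any(suspicious for _, _, _, suspicious in packing_report(pe))


def build_sample_pe(sections) -> bytes:
    """Constructed test input, not a real program: MZ stub, PE signature, COFF header with an
    empty optional header, a section table, then the raw section bytes. It parses; it does not load."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        blobs += data
    return dos + b"PE\0\0" + coff + table + blobs


# A plausible unpacked .text: a repeating x86 prologue ("push ebp; mov ebp,esp; sub esp,0x10")
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10" * 600
# High-entropy filler standing in for a compressed UPX1 section (chained SHA-256, deterministic)
PACKED_BLOB = b"".join(hashlib.sha256(b"scan4u-sample-%d" % i).digest() for i in range(128))

SAMPLE_PLAIN = build_sample_pe([(b".text", PLAIN_CODE), (b".data", b"\0" * 512)])
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", PACKED_BLOB)])

if __name__ == "__main__":
    for label, pe in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, packing_report(pe), "-> packed" if looks_packed(pe) else "-> not packed")
```

This is the same signal the service hands back to its customers: a section that reads as near-random is what a packer or crypter leaves behind, and a miscreant who sees it knows which heuristic-based engines are likely to flag the file before he ever ships it.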
What all of this should tell you is that criminal miscreants continue to upgrade and enhance their services to keep their business model going, penetrate your networks, and make money!
Watch your network, because they certainly are!
Alex Cox, Principal Research Analyst