CyberWire Daily - No Distribute Scanners help sell malware. [Research Saturday]
Episode Date: July 7, 2018. Sellers of malware on Dark Web forums often use No Distribute malware scanning tools to help verify the effectiveness of their wares, while preventing legitimate virus scanning tools from adding the malware to their database. Daniel Hatheway is a Senior Security Analyst at Recorded Future, and he takes us through their recently published research, Uncover Unseen Malware Samples with No Distribute Scanners.
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So there's lots of different types of scanners out there, but most people are familiar with
these multi-scanners that will, you know, scan your sample against all the different
antivirus engines that are available to give you that feedback.
That's Daniel Hatheway. He's a senior security analyst at Recorded Future.
The research we're discussing today is titled
Uncover Unseen Malware Samples with
No Distribute Scanners. And what happens is those multi-scanners that we all use and love
for research every day, well then if there's just one, usually if there's just one detection,
they will then share that sample with all the other vendors. So what happens is it's a way
to distribute what one vendor knows to all the other vendors that just kind of keeps the malware at bay, if you will.
So anytime that one of these comes up with something
that's novel, it sends it out to all these scanners and then they can add that to their
list of potential problems. That's correct. And also, you know, there's lots of different
multi-scanners that have paid tiers for researchers like myself and many others
to utilize and mine for other data and search for things as well. I see. And so that leads us to
these other types of scanners, these no-distribute scanners. How do they work?
Well, they're very much similar. They may not have all the same antivirus engines. It kind of
depends on the service that's available,
but they pride themselves on not sharing the sample. And when they do that, the URL does not
contain the hash either. So there's really no way to kind of guess these paths to go and look at.
And since they're not sharing the sample, it kind of, it stays private with the person that submits
it. So they get used a lot by, you know, people with malicious intent,
but they also get used by people who have privacy concerns as well.
Now, can we back up a little bit? Can you describe to me, you mentioned that it doesn't
use the hash in the URL. What is the typical functionality through a regular multi-scanner?
How does it work on that end?
Well, so normally it'll be like, you know, the name of a service, you know, slash,
and then the hash of the file. And then it gives you to the report that tells you all the different
antivirus engines that detected it, right? By making their own hashing algorithm or changing
that in some way, it's harder for researchers to kind of get in there and find a whole bunch
of samples because you can't just kind of guess. And what is the nature of these no distribute sites? They've been around for a while. Is there
a variety of them? And do they try to stay under the radar? Well, it's funny, you know,
some of them really don't try to stay under the radar. Scan4You has been around for a very long time.
And they typically get targeted by law enforcement, because they're very interested in these as well.
So they don't really try to stay under.
You'll see a lot of advertisements for them on criminal forums or forums in general that potentially have malicious intent.
When you say they're targeted by law enforcement, are they overtly doing anything wrong?
Or is it more that law enforcement just sees them as a way to keep an
eye on things? I think it's the first one, but some of them have been shut down and I'm not
exactly sure what the legal stance on it was, why it was shut down. So let's walk through the process
that you all did to take a look at this. What was your collection process? Well, so it was
interesting. Every time we've actually interacted with an actor, you know,
in discussing their malware or their exploits or whatever the piece may be, they've always
shared this link with us of a no-distribute scanner. And then when you start going back
and you look at historically all the different forums that we collect from are either vetted
access or publicly available, but just, you know, you need to authenticate against them. We've noticed that there's a lot of people that will start scanning
their malware and they share that link in order to advertise that their service is doing what
they are telling you it's doing. And if they did that with a typical multi-scanner, then of course,
with just one detection, it's going to go to everybody. By having these no distributes,
they are able to show that they are doing what they say without risking their sample being distributed to a
wider audience. And so how do you all look for that? So what we did is through our normal collections,
we always have information about these forums because we collect all the information from the
forums that we have access into. And I just started running a search that
says, anytime I see this URL for VirusCheckMate or nodistribute.com or scan for me or run for me
and all these different ones. And I said, pull those URLs out. And then we started making a
collection process that will automatically find those URLs within our data set, and then it would go to those pages,
and then it would collect all the appropriate metadata we could,
like file name, file hash, the detection names, if there are any,
and just kind of the post that it came from,
which allowed us to kind of relate it back to what that person was selling as well.
I see.
So you're doing a lot of cross-referencing
to figure out, you know,
what are these things,
how are these things being sold,
how are they being distributed,
and who might be buying them?
If they post publicly on the buying, yes,
but a lot of times it's just like
direct messages to them in that forum,
so we can't actually see that.
I see.
Sure, yeah, that makes sense.
So you're looking around on these
dark web forums and finding these things. What can you tell us about what you were seeing?
Run some of the numbers by us. Yeah. So, I mean, just like, you know, in percentage terms,
you know, 75% of the data set that we collected was not seen by the traditional multi-scanners
that we were talking about previously.
And then 25% of them were.
And what was interesting about that 25%, because it's hard to really do research on that 75%
because one, we don't have the samples,
just the metadata about it.
And there's no way for us to get that
unless we find it elsewhere.
But that 25% that was on those other multi-scanners,
we're able to download those, right?
So when we did that and look at all the metadata they had about it and when they've seen it and so forth,
I think it was 14% were seen on the traditional multi-scanners first,
and then the others were on the no-distribute first,
which allowed us to kind of gauge how important it was because those percentages were so close together
that it made it to
where that if we actually were to alert on these hashes that we see, we know that about
a little less than half the time we're going to get notified ahead of time, if that makes
sense.
Right.
So by tracking these on these forums, the no publish scanners, does that give you a
head start on knowing what might
be queued up, being keyed up to be sent out there? Yes, in some cases it does. Yeah, so the
interesting one is the gold digger miner was a cryptocurrency piece, a cryptocurrency miner,
and we saw the actor selling it or talking about making it on criminal forums and then selling it.
And then with that, it was a link to a no-distribute site.
And shortly after, we see it hit one of the multi-scanners.
I see.
About 30 days leeway.
And is the assumption that when it hits one of the multi-scanners, it's out in the wild?
That's correct.
Yeah, that's the assumption here.
So how can people use this information to better protect themselves?
So this information can actually, you know, because we don't actually have a file, we just have the metadata.
It should be something that's probably alerted on within your environment.
So you would have this list of hashes that you would want to compare to in like your SIEM or at your egress point or anywhere it crosses your network.
You'd probably want to be notified of these because, you know, it's not just that this file was sent to a no-distribute site. It's that we collected the link from a criminal forum to a no-distribute site. So you're talking kind of more
about, you know, two kind of gray areas that you're looking into matching up. Yeah. So you're
sort of building a case based on indirect evidence, I suppose.
Exactly. So is this a matter of folks being able to be more proactive than reactive when it comes
to preparing themselves for these sorts of things? That's the hopes. A lot of times in our industry,
we're always being reactive and it's very few and far between when we actually get a chance
to be proactive. You know, like the Shodan rack controller is a way to be proactive.
There's lots of different pieces to be proactive, but they're just much harder to come by.
And so this is just hopefully another arrow in the quiver to help our customers and just the community in general.
Now, when it comes to monitoring these forums, how bold are the folks who are out there selling these things?
That kind of varies depending on the actor.
We've seen some be extremely bold, and we've also seen some take some very cautious steps,
only selling to people that have a certain reputation in the forums, only interacting with people that have X number of posts.
But we also see it to where they will just, you know,
reach right out to you on Telegram or any other type of service that they choose.
And do you suppose that this will lead to a reaction on their part? If they know that this is being kept an eye on,
do you suppose they may shift to something else?
You know, it's quite possible.
Adversaries are always adapting to anything that
we in the security community do. So, you know, that might be something. But I think what we're
going to end up seeing is more and more of these services, because from what I can tell, people are
having a hard time trusting these even within their own community because they don't know how
legit they really are. When you say trusting these, what do you mean? Well, so I mean, you're kind of taking them at their word that they're not
distributing the sample or that they're not, you know, sharing them with the security community as
a whole. You know, who knows really who you're submitting these samples to, right? I see. So
there's a reputational issue with the no distribute services themselves. Yeah, it seems that way
because, you know, a lot of times I see, and this is just my assumption, a lot of times I see when people are selling a sample, they will
submit it to maybe three of the no-distribute sites and they'll put all three links on their
post when they're selling something. And I don't know if that's maybe they're trying to get better
coverage to show their samples not being affected or if they just have preferences of one or the
other.
And is there nothing that can be done from the virus checker manufacturer's point of view?
I guess if their services are out there, it's hard for them to keep an eye on this.
It's hard for them to know that their services are being aggregated for something like this.
Well, there's actually a really interesting article I read kind of similar to that. And basically what it was doing is these no-distribute sites will try to block communication back to the antivirus company.
That way, a lot of these will, we don't have a reputation on this file, but send it to the cloud and they will do some sort of analysis on it and give it back.
So they turn that functionality off.
And the reason is because they don't want that hash to go up to the antivirus company.
But there was a post about it to where one particular antivirus company was monitoring that because the people running the no-distribute site forgot to block their site.
So they were getting all the data back and they were working with law enforcement to share that data.
Yeah, so that sort of cat and mouse game that we often talk about continues.
Exactly.
I just think it's really important to notice that there are about four or five other services
that are available that we have not built collectors for yet, but we see the links being
shared.
So we're going to have some more data sets on these as well.
But even just as we released the article, I think there were two other ones that just
popped up.
So they are coming up and down
as fast as you can keep up with them.
Yeah, that game of whack-a-mole
we often talk about, right?
Yep, that is correct.
Our thanks to Daniel Hatheway
from Recorded Future for joining us.
You can check out their research,
Uncover Unseen Malware Samples
with No Distribute Scanners.
That's on the Recorded Future website.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
The CyberWire Research Saturday
is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.