Saturday, October 14, 2017

VirusTotal, Equifax, and Antimalware Products

There is a subtle precision in the statement “VirusTotal only showed three antimalware scanners detecting malware.” If you think that means only three scanners on VirusTotal detected the malware, then read it again more carefully; that is not what it says and that is not what it means.

Before I continue to talk about VirusTotal mythology, there are a few things I would like to clarify concerning my find of a malicious link on the Equifax website.

  • The site was not hacked, but as stated in the title of my blog, it was compromised. There is a difference; there were no exploits, no backdoors, etc.
  • There was no malware and there were no malicious pages on the site.
  • There is no indication or probability that data was stolen as a result of the compromise.
  • Equifax’s security team is blameless for this one. They were sucker-punched so badly by a third party who was in turn compromised.  The whole food chain was poisoned.
  • Infection required two clicks, a download and an install. It was not a drive-by.
  • There was a serious threat to people who clicked on the link and fell for the attack. This was really nasty malware.

I do not understand why the Experian page was down for two days. I have a theory, but I will wait for the producers of Ancient Aliens to tell me what some people believe before I publish.

Speaking of antimalware, I hope that Kim Komando will agree to write some guest blogs under the pen name “Auntie Malware.” How cool would that be? But I digress. At the 2017 Virus Bulletin Conference in Madrid Spain I presented VirusTotal tips, tricks, and myths. I believe the full presentation will be available soon. The content of the presentation was submitted to my friends at VirusTotal to validate accuracy. I am going to do a series of blogs about VirusTotal mythology.

There are multiple reasons why one cannot assume that only the scanners that display detection on VirusTotal are the only ones that have detection of the threat. Just as importantly you cannot assume that if the scanner you did not display detection of the threat you were not protected.

VirusTotal uses command-line versions the scanners. Command-line antimalware scanner cannot be expected to perform the same way that the GUI versions do. There are undocumented switches that can boost heuristic detections to a levels not available in commercial offerings. Antimalware vendors can hide detection on VirusTotal. Sometimes you do not want the malware authors to know what you know. The commercial versions may very well have detection.

There is more to say on the subject, but for now know that “Displayed on VirusTotal” does not mean that only those scanners that display detection provide detection. Don’t forget protection; it is not the same as detection, but it matters. I know for a fact that at least one product that did not demonstrate detection offered protection. I have a very high degree of confidence that other scanners did too.
In the next series of blogs, which may not be sequential, I am going to dispel the following myths:

  • VirusTotal can be used to perform comparative testing
  • Detection of malware on VirusTotal means the scanner can detect it
  • Lack of detection means the file is safe
  • False Positive means false positive
  • Detection by more scanners means better coverage
  • Malicious website means malicious website

I am going end this blog by summing up VirusTotal in one neat little quote by Alan Greenspan.

“I know you think you understand what you thought I said
but I'm not sure you realize that what you heard is not what I meant”

Randy Abrams
Independent Security Analyst

No comments:

Post a Comment