While the anti-malware industry is still working on agreeing standards for effective product testing, the criminals already know it’s no longer all about the files.
A few years ago, criminals figured out that traditional anti-malware solutions could be overcome by a surge in the volume of malicious files. If malware code could be rolled often enough, then by the time the security companies had a pattern file available it would already be out of date. This realisation is responsible for the exponential growth in malware we have seen over the past three or so years, a growth that has put a serious dent in the overall detection rates of file-centric security solutions. One of the services that has grown up around this explosion of variants is on-demand file scanning against multiple security vendors, which I have previously blogged about.
Of course it was always going to happen, but the criminals have seen the industry’s response to the threat of volume, and their service offerings are evolving to cope. Any decent security solution now will include detection for the threat as a whole, examining not only the malicious file but also the source email or the destination website or IP, to get a holistic view. So it is becoming important for criminals to know not only when their file is being detected, but also when the web presence they use for distribution or Command & Control gets blacklisted, and they need that information in real time.
Enter AdwareSpywareDetective, a file scanning service that has been online since October of 2009. A colleague pointed out to me yesterday that their service has evolved. Now not only do they offer file scanning by subscription but will also include Domain, IP and URL scanning against sixteen different databases, including ZeuS Tracker, Malware Domain List, Spamhaus, Google Safe Browsing, Microsoft SmartScreen and a litany of others (not yet including Trend Micro).
The service boasts that they made their 500,000th check on the 23rd February against their 27 different AV vendors and 16 domain, IP or URL databases.
In fact, their site boasts:
“This service is about to help you in anonymous checks against different anti-virus systems. This check will be made by a number of anti-virus systems and no reports will be sent to the developers of these anti-virus systems. You can be fully sure that your files will not be sent to anti-virus databases. All reporting systems in our version of the anti-virus engines were disabled: Microsoft SpyNet, ESET ThreatSense.Net Early Warning System etc.
Updates of all anti-viruses are made each hour; most of the main anti-virus systems make updates in real time.
We give you maximum speed of scanning: 10 files will be scanned by all anti-virus systems starting from 30 seconds.
We support periodic checks. You need to select the amount of time after which the check will happen, and select the method by which the system will contact you after finding something suspicious.”
Unfortunately it’s true that as soon as you build a better mousetrap, some rat comes along and eats all the cheese.