Yet more proof, if any were needed, of the firmly established underground criminal economy in the form of Scanning-as-a-Service.
Illicit competition for Virustotal has appeared in the form of a Russian website offering automated malware scanning-as-a-service, built to help criminals keep their malware flying under the radar of pattern-based detection.
Virustotal is an award-winning, entirely legitimate service that allows users to upload files and scan them against all the major security vendors’ up-to-date products, free of charge. Because the service is above board, it works with those same security vendors to ensure that samples of malicious files reach the security industry and improve detection rates. Clearly this is Not A Good Thing™ for the criminals who are constantly trying to create new malware that remains undetected.
Cue “The Anti Virustotal”. I won’t share the URL here, because I don’t want to advertise their services. This Russian site is currently advertising its newly launched service on underground forums. They offer scanning against 18 well-known AV products that are “updated every day”. Files can be uploaded directly or pulled from a URL, and the scanning process can be scheduled to run every 1, 6, 12 or 24 hours. Subscribers receive detection status reports over Jabber or ICQ, the implication being that as soon as their junk begins to be detected they can re-engineer it to continue to evade the scanners. The service is a commercial offering and its pricing structure is designed to encourage repeated large-scale use.
A recent addition to that paid offering is a free service (as long as you don’t have a zero account balance) that checks files against the Malware Hash Registry operated by the respected Team Cymru. I can only assume they offer this as a free service because they didn’t want to do anything illegal like violate Team Cymru’s licensing; after all, the Russian site describes itself as a “Trusted vendor of AV service checking”. Yes, of course they are…