Friday, December 12, 2014

What happens when you upload malware to a scanning service?

First, it's been too long since I last blogged.  Sorry about that.  It's been busy to say the least.

Earlier this week, it was reported that a variant of the Destover malware used in the Sony attack had been signed with one of Sony's own certificates and was circulating in the wild.  However, it was later discovered that this was not true.  The malware was signed by a researcher who found the certificate in a dump of Sony data.  The researcher then signed the malware with the certificate and uploaded it to VirusTotal, perhaps to check how many antivirus engines detected the newly signed file.

VirusTotal, not good for OPSEC

I always warn clients that VirusTotal distributes the files uploaded to it to antivirus vendors (and to anyone else with a subscription).  This of course may include attackers.  In this case, Kaspersky discovered the newly signed copy of the Destover malware and wrote a blog post on it.  But it could just as easily have been the attackers.  Don't forget that some of the malware used in the Sony attacks contained hard-coded usernames and passwords for the Sony environment.  If Sony had discovered this malware and uploaded it to VirusTotal, the attackers could have realized that they had been discovered in the network.  Kaspersky found the malware using binary pattern matching, but attackers have a much easier task, since they can simply search for a file hash.
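The defensive alternative to uploading a suspicious file is to hash it locally and ask VirusTotal whether that hash is already known: the digest goes out, the file (and any hard-coded credentials inside it) does not.  The script below is an added example written for this post, not code from the original author.  It assumes the VirusTotal v3 endpoint GET /api/v3/files/{hash} with the x-apikey header, an API key supplied in an environment variable named VT_API_KEY (a name chosen here), and a constructed byte string standing in for the sample.

```python
"""Added example: look up a sample by hash instead of uploading it.

A hash lookup tells you whether VirusTotal already knows the file without
handing the file to every vendor and subscriber.  Assumptions (not from
the original post): the v3 API endpoint GET /api/v3/files/{hash} and the
x-apikey header, an API key in the VT_API_KEY environment variable, and
the constructed sample bytes used in the demo at the bottom.
"""
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_of_bytes(data: bytes) -> str:
    """Hash the sample locally; only the digest ever leaves the host."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large samples are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lookup_request(digest: str, api_key: str) -> urllib.request.Request:
    """Build a read-only GET for /api/v3/files/{hash}; nothing is uploaded."""
    return urllib.request.Request(
        VT_FILES_ENDPOINT + digest,
        headers={"x-apikey": api_key, "Accept": "application/json"},
        method="GET",
    )


def summarize_report(body: dict) -> dict:
    """Pull the fields a responder cares about out of a v3 file object.

    first_submission_date and times_submitted answer the OPSEC question
    from the post: has anyone (including you) already uploaded this?
    """
    attrs = body.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {
        "first_submission": attrs.get("first_submission_date"),
        "times_submitted": attrs.get("times_submitted"),
        "malicious": stats.get("malicious", 0),
        "undetected": stats.get("undetected", 0),
    }


def lookup_hash(digest: str, api_key: str):
    """Return a summary dict if VirusTotal knows the hash, or None on 404."""
    req = build_lookup_request(digest, api_key)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # unknown to VirusTotal: nobody has uploaded it
        raise


if __name__ == "__main__":
    # Constructed sample bytes; a real check would call sha256_of_file(path).
    digest = sha256_of_bytes(b"constructed sample bytes, not real malware")
    key = os.environ.get("VT_API_KEY")
    if not key:
        print("SHA-256:", digest, "(set VT_API_KEY to query VirusTotal)")
    else:
        print(digest, lookup_hash(digest, key))
```

A 404 is the interesting answer for incident response: it means the sample has not been shared with the service, so the decision to upload it (and thereby tell every subscriber, possibly including the intruder, that it has been found) is still yours to make.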