Sellers of malware on Dark Web forums often use No Distribute malware scanning tools to help verify the effectiveness of their wares, while preventing legitimate virus scanning tools from adding the malware to their database.
Daniel Hatheway is a Senior Security Analyst at Recorded Future, and he takes us through their recently published research, Uncover Unseen Malware Samples with No Distribute Scanners.
Dave Bittner: [00:00:03] Hello everyone and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative.
Dave Bittner: [00:00:10] I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor Enveil, who's revolutionary ZeroReveal solution closes the last gap in data security-- protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze search and perform calculations on sensitive data all without ever decrypting anything, all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible within Enveil. Learn more at and Enveil.com.
Daniel Hatheway: [00:01:42] So there's lots of different types of scanners out there but most people are familiar with these multiscanners that will scan your sample against all the different antivirus engines that are available to give you that feedback.
Dave Bittner: [00:01:53] That's Daniel Hathaway. He's a senior security analyst at Recorded Future. The research we're discussing today is titled "Uncover Unseen Malware Samples With No Distribute Scanners."
Daniel Hatheway: [00:02:05] And what happens is, those multiscanners that we all use and love for research everyday. Well then if there's just one, usually if there's just one detection, they will then share that sample with all the other vendors. So, what happens is it's a way to distribute what one vendor knows to all the other vendors, that just kind of keeps the malware at bay, if you will.
Dave Bittner: [00:02:24] So any time that one of these comes up with something that's novel, it sends it out to all these scanners and then they can add that to their list of potential problems.
Daniel Hatheway: [00:02:35] That's correct. And also you know there's lots of different multiscanners that have paid tiers for researchers like myself and many others to utilize and mine for other data and search for things as well.
Dave Bittner: [00:02:45] I see. And so that leads us to these other types of scanners, these no distribute scanners. How do they work?
Daniel Hatheway: [00:02:54] Well they're very much similar. They may not have all the same antivirus engines. It kind of depends on the service that's available. But they pride themselves on not sharing the sample. And when they do that, the URL does not contain the hash either. So there's really no way to kind of guess these paths to go and look at. And since they're not sharing a sample that kind of stays private with the person that submits it. So they get used a lot by, you know, people with malicious intent, but they also get used by people who have privacy concerns as well.
Dave Bittner: [00:03:27] Now can we back up a little bit? Can you describe to me, you mentioned that it doesn't use the hash in the URL, what is the typical functionality through a regular multiscanner or how does it work on that end?
Daniel Hatheway: [00:03:38] So normally it'll be like you know the name of a service, you know slash, and then hash of the file and then it gives you to the report that tells you all the different antivirus engines that detected it, right? By making their own hashing algorithm or changing that in some way, it's harder for our researchers to kind of get in there and find a whole bunch of samples and this kind of guess.
Dave Bittner: [00:04:01] And what is the nature of these no distribute sites? They've been around for a while, is there are a variety of them and do they try to stay under the radar?
Daniel Hatheway: [00:04:11] Well it's funny you know some of them really don't try to stay on the radar. Scan4You has been around for a very long time and they typically get targeted by law enforcement because they're very interested in these as well.
Daniel Hatheway: [00:04:25] So they don't really try to stay under. You'll see a lot of advertisements for them on criminal forums, or you know forums in general but you know potentially have malicious intent.
Dave Bittner: [00:04:34] When you say they're targeted by law enforcement, are they overtly doing anything wrong? Or is it more that law enforcement just sees them as a way to keep an eye on things.
Daniel Hatheway: [00:04:44] I think it's the first one. But some of them have been shut down and I'm not exactly sure what the legal stance on it was, why it was shut down.
Dave Bittner: [00:04:52] So let's walk through the process that you all did to take a look at this, what was your collection process?
Daniel Hatheway: [00:04:58] Well, so it was interesting, every time we've actually interacted with an actor, you know in discussing their malware or their exploits, or whatever the piece may be, they've always shared this link with us of a no distribute scanner. And then when you start going back and you look at historically all the different forms that we collect from, are either vetted access or publicly available. But just you know you need to authenticate against them. We've noticed that there's a lot of people that will start scanning their malware and they share that link in order to advertise that their service is doing what they are telling it's doing. And if they did that with a typical multiscanner then of course it's just one detection is going to go to everybody. By having these no distributes they are able to to show that they are doing what they say without risking their sample being distributed to a wider audience.
Dave Bittner: [00:05:48] So how do you all look for that?
Daniel Hatheway: [00:05:50] So what we did is, through our normal collections we always have information about these forums could we collect all the information from the forums that we have access into. And I just started running a search that says anytime I see this URL for VirusCheckMate, or nodistribute[dot]com, or Scan4Me or Run4Me for me and all these different ones, and I said pull those URLs out and then we started making a collection process that will you automatically find those URLs within our data set and then it would go to those pages, and then it would collect all the appropriate metadata we could like filename, file hash, the detection names that if there are any, and just kind of the post that it came from, which allowed us to kind of relate it back to what that person was selling as well.
Dave Bittner: [00:06:40] I see, so you're doing a lot of cross referencing to figure out you know what are these things, how are these things being sold, how are they being distributed and who might be buying them?
Daniel Hatheway: [00:06:52] If they post publicly on the buying, yes, but a lot of times it's just like direct messages to them in that forum. So we can't actually see that piece.
Dave Bittner: [00:06:58] I see. Sure. That makes sense. So you're looking around on these dark web forums and finding these things. What can you tell us about what you were seeing? Run some of the numbers by us.
Daniel Hatheway: [00:07:11] Yeah, so I mean just like, you know in percentage terms you know 75% of the data set that we collected was not seen by traditional multiscanners we were talking about previously and then 25% of them were. And what was interesting about that 25%, because you know it's hard to really do research on that 75% because one, we don't have a sample, it's just the metadata about it, and there's no way for us to get that unless you find it elsewhere. But that 25% that was with, you know, on those other multiscanners, we were able to download those, right?
Daniel Hatheway: [00:07:42] So and we did that and looked at all the metadata they had about it, and when they've seen it and so forth. I think it was 14% were seen on the traditional multiscanners first, and then the others were on the no distribute first, which allowed us to kind of gauge how important it was, because like those percentages were so close together that it made it to where that if we actually were to alert on these hashes that we see, we know that about you know a little less than half the time we're going to get notified ahead of time, if that makes sense.
Dave Bittner: [00:08:14] Hmm, right. So by tracking these on these forums, the no published scanners, does that give you a head start on knowing what might be queued up, being keyed up to be sent out there?
Daniel Hatheway: [00:08:27] Yes, in some cases it does. Yes, so the interesting one is the Gold Digger miner was a cryptocurrency piece, a cryptocurrency miner and we saw the actor selling it. Or, you know, talking about making it on criminal forums and then selling it, and then with that there was a link to a no distribute site, and then shortly after we see it hit one of the multiscanners.
Dave Bittner: [00:08:49] I see.
Daniel Hatheway: [00:08:49] About 30 days leeway.
Dave Bittner: [00:08:51] And is the assumption that when it hits one of the multiscanners, it's out in the wild?
Daniel Hatheway: [00:08:56] That's correct yeah, that's the assumption here.
Dave Bittner: [00:08:59] So how can people use this information to better protect themselves?
Daniel Hatheway: [00:09:04] So this information can actually, you know, because we don't actually have a file, we just have the metadata. It should be something that's probably alerted on, within your environment. So you have this list of hashes that you would want to compare to, in like your SIEM, or at your egress point or anywhere it crosses your network. You'd probably want to be notified of these, because you know, it's not just that this file was sent to a no distribute site. It's that we collected the link from a criminal forum to a no distribute site. So you're talking kind of more about you know two kind of gray areas that you're looking into matching up.
Dave Bittner: [00:09:38] So yeah, you're sort of building a, building a case based on indirect evidence I suppose.
Daniel Hatheway: [00:09:43] Exactly.
Dave Bittner: [00:09:44] So, is this a matter of folks being able to be more proactive than reactive when it comes to preparing themselves for these sorts of things?
Daniel Hatheway: [00:09:51] That's the hopes. A lot of times in our industry we're always being reactive. And it's very, very few and far between when we actually get a chance a proactive. You know, like the Shodan RAT Controller is as a way to be proactive. There's lots of different pieces to be proactive, but they're just much harder to come by. And so this is just a hopefully another arrow in the quiver to help our customers and the community in general.
Dave Bittner: [00:10:16] Now when it comes to monitoring these these forums, how bold are the folks who are out there selling these things?
Daniel Hatheway: [00:10:25] That that kind of varies depending on the actor. We've seen some be extremely bold, and we've also seen some take some very precautious steps. You know only selling to people that have a certain reputation in the forums, only interacting with people that have x number of posts. But we also see it to where they will just you know reach right out to you on Telegram, or any other type of service that they choose.
Dave Bittner: [00:10:47] And do you suppose that this will will lead to a reaction on their part, if they know that this is being kept an eye on? Do you suppose they may shift to something else?
Daniel Hatheway: [00:10:58] You know, it's quite possible. Adversaries are always adapting to anything that we in the security community do. So you know that might be something, but I think what we're gonna end up seeing is more and more of these services because from what I can tell people are having a hard time trusting these even even within their own community because they don't know how legit they really are.
Dave Bittner: [00:11:20] When you say trusting these, what do you mean?
Daniel Hatheway: [00:11:22] Well, so I mean you're kind of taking them at their word that they're not distributing the sample, or that they're not sharing them with the security community as a whole. You know who knows really who you're submitting these samples to, right?
Dave Bittner: [00:11:34] I see. So there's a reputational issue with the no distribute services themselves?
Daniel Hatheway: [00:11:39] Yeah, it seems that way because you know a lot of times I see, this is just my assumption. A lot of times I see when people are selling a sample, they will submit it to maybe three of the no distribute sites, and they put all three links on their post when selling something. And I don't know if that's maybe they're trying to get better coverage to show that their sample is not being affected, or if they just have preferences of one or the other.
Dave Bittner: [00:12:02] And is there nothing that can be done from the virus checker manufacturer's point of view? I guess if their services are out there, it's hard for them to keep an eye on this. It's hard for them to know that their services are being aggregated for something like this.
Daniel Hatheway: [00:12:17] Well there's actually a really interesting article I read kind of similar to that. And basically what it was doing is, is these no distribute sites will try to block communication back to the antivirus company. That way you know a lot of these well you know we don't have a reputation on this file but send it to the cloud and they will do some sort of analysis on it and give it back. So they turn that functionality off. And the reason is is because they don't want that hash to go up to the antivirus company.
Dave Bittner: [00:12:42] I see.
Daniel Hatheway: [00:12:43] But there was a post about it, where one particular antivirus company was monitoring that because the people running the no distribute site forgot to block their site. So they are getting all the data back and they were working with law enforcement to share that data.
Dave Bittner: [00:12:56] Yeah, so that sort of cat and mouse game that we often talk about continues.
Daniel Hatheway: [00:13:01] Exactly. I just think it's really important to notice that there are about four or five other services that are available that we have not built collections for yet, but we see the links being shared.
Dave Bittner: [00:13:13] Hmm.
Daniel Hatheway: [00:13:14] So we're going to have some more data sets on these as well. But even just as we release the article I think there were two other ones that just popped up. So they are coming up and down as fast and you can keep up with them.
Dave Bittner: [00:13:25] Yeah the game of Whack a Mole we often talk about, right?
Daniel Hatheway: [00:13:27] Yup, that is correct.
Dave Bittner: [00:13:32] Our thanks to Daniel Hathaway from Recorded Future for joining us. You can check out their research: "Uncover Unseen Malware Samples With No Distribute Scanners." That's on the Recorded future website.
Dave Bittner: [00:13:44] Thanks to the Hewlett Foundation Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber. And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at Enveil.com.
Dave Bittner: [00:14:00] The CyberWire research Saturday is proudly produced in Maryland out of the startup studios of data tribe, where they're co-building the next generation of cyber security teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
The Hewlett Foundation makes grants to proactively define, research and manage the burgeoning intersections between people and digital technologies. The Cyber Initiative seeks to cultivate a field that develops thoughtful, multidisciplinary solutions to complex cyber challenges and catalyzes better policy outcomes for the benefit of society. Learn more at hewlett.org/cyber.
Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.