VirusTotal Gains Powerful New Ally in Fight Against Nation State Attackers
In a move universally cheered by security researchers, the US Cyber National Mission Force (CNMF), part of US Cyber Command, joined the malware crowdsourcing service VirusTotal and began uploading unclassified malware samples gathered from investigations into foreign nation state attackers earlier this month. This heralds a new chapter in the fight against nation state attackers who have traditionally held the advantage in the ongoing cyberwar. Even companies as large as Sony Pictures and Lockheed Martin with equally large cyberdefense budgets were no match against determined attackers backed by the Democratic People’s Republic of Korea (North Korea) and the People’s Republic of China.
What exactly is VirusTotal? VirusTotal is an online security platform used by developers and security researchers to upload code, URLs, or files they wish to be analyzed. The data is uploaded to VirusTotal for analysis and run through over 70 different anti-virus engines and blacklisting services from most of the major security vendors. It is a completely free service and legitimate users would normally upload a file to check if it is malicious or to find out if code they are writing would be incorrectly flagged (false positive) as malicious by any AV engines or blacklisting services. The results of the analysis are freely shared publicly and with the participating security vendors in order to improve their catch rate (win-win-win).
When malware authors upload their work to VirusTotal, it acts as a double-edged sword. The authors can easily determine if their code has been discovered or blocked by most major security vendors, but they also run the risk and increase the chances of being discovered. Files and URLs submitted to VirusTotal are permanently stored and become available to anyone who wishes to examine or analyze them.
In this case, CNMF is making the malware samples freely available so organizations that subscribe to VirusTotal’s feeds can proactively block files known from previous attack campaigns by nation state attackers. Not only can users now check to see which anti-virus solutions will detect and block the malicious files, they are also available for deeper forensic analysis to expose tactics, techniques, and procedures used by nation state-backed attackers. While it is likely nation states, whose malware has been caught and uploaded to VirusTotal by CNMF, will adapt and develop new tactics, techniques, and procedures, it forces those attackers to spend time and resources innovating instead of attacking in the arms race with security researchers. Services such as ZULU, which analyze websites on several criteria to determine if it is benign or malicious, will take VirusTotal scores into account before rendering its verdict. Other web security services such as forward web proxies will take in security feeds from threat intelligence organizations like VirusTotal to add to its own threat intelligence database to block known malicious files and URLs.
The first malware samples CNMF uploaded to VirusTotal was attack code developed by Russia-linked APT28 (FancyBear) to leverage an exploit in the LoJack (by Absolute Software) UEFI BIOS code. When originally discovered, this marked the first UEFI-based rootkit with several persistence methods to keep reinfecting cleaned and reimaged machines. With a product like "LoJack for Laptops", which allows organizations to track lost and stolen computers and other assets, an organization would, by definition, want persistence as to not allow a thief to simply wipe the tracking software off the computer rendering the LoJack software ineffective in finding the lost or stolen device. APT28 took advantage of this and found a vulnerability in Absolute’s code to hijack this persistence mechanism to keep computers perpetually infected. Many in the security research community do not believe the first CNMF uploads were linked to APT28 by coincidence, as recently the US Department of Homeland Security (US DHS) Initiated a “Name and Shame” campaign against treat actors who could not be brought to justice through normal judicial means.
Making the malware samples available to the public is a huge win for security researchers. However, this is not the first time APT malware has been uploaded to VirusTotal for analysis. In preparation for the ICS cyberattack against Iran’s uranium enrichment site in Natanz, one or more agencies working on the Stuxnet worm uploaded a code sample to VirusTotal, to ensure no AV vendor would flag it as malicious. An unknown author uploaded a PDF file containing two zero day attacks to VirusTotal indicating the author was very sloppy or extremely sophisticated and likely nation-backed.
Of note, any malware samples authored by the United States will be absent from VirusTotal submissions. For obvious reasons, US CYBERCOM would not wish to compromise operation security (OpSec) for its own country’s cyber offenses, but is more than willing to do so against countries who attack her and her allies. However, having more files and samples in the VirusTotal database benefits the entire security research community as well as targets of APT activity. Forcing attackers to invest resources innovating new attack methods to evade detection will hinder the ATP crews’ progress in attacking new targets.
Follow CNMF on Twitter and VirusTotal to get notified when new submissions are uploaded to VirusTotal: