I don't see what's the problem here. Of course hackers test their malicious code against anti-virus programs, and Virustotal is just one of the most convenient checkers.
If there was no Virustotal, hackers would simply use other similar checkers or set up their own checker.
Virustotal is not at fault at all, it's the concept of virus checkers that's failing.
The headline makes it look like Google knowingly exposes us to hackers. It does not, of course.
The article's title is even stranger in context of what the article says, which is mainly that Google researchers were able to detect this kind of use, and were able to learn much more about the attackers' identities, methods, and targets as a result of this use. The article says they're now inviting other researchers to use the data for the same purposes.
So in some ways it's a lot more like "A Google Site Meant to Protect You is Helping Hackers Attack You And Thereby Expose Their Affiliations, Methods, Targets, and Schedules to Security Researchers".
I'm an adviser for one of the companies that partnered with VirusTotal. I cannot go too much into details, but as a partner, we have access to the live submission feed which we analyze in real-time to discover new threats etc. I can assure you that we are not the only one. Furthermore, most partners sync their data not in real-time which could yield incorrect scanning results, making the hackers think they're good to go.
I can also say that the more serious groups/hackers do not use VirusTotal to check their malware. They have their own verified, anonymous services that do the same thing, just without submitting the malware to the anti-virus company.
This is all true. There exist essentially blackhat versions of virustotal that don't submit the samples, and don't have a feed delay that are pretty popular among the virus writing community.
One of the ways that virustotal IS used however is by checking the hash of their malware to see if it has shown up yet. That lets them know if someone has taken an interest in it yet, and if they have, it means they need to start rolling a new version.
>One of the ways that virustotal IS used however is by checking the hash of their malware to see if it has shown up yet. That lets them know if someone has taken an interest in it yet, and if they have, it means they need to start rolling a new version.
But once they upload the file to see if the hash already exists, they can no longer check, since their hash will already be indexed. No?
you can check a hash without uploading the file in question. VT only stores a set of results if it has seen the actual file, not if a hash is checked against it. This is why, when doing incident response, a lot of people suggest not uploading suspicious files to VT, because it lets the attackers change up and start using new malware
Malware authors giving you their samples directly, before they ever unleash them into the wild? This seems like a great way to find new malware and 0-days, and a huge wasted opportunity if Google/VirusTotal isn't privately doing this same sort of analysis internally.
I have to take back my previous comment. It looks like VT has to maintain "neutrality" and avoid stepping on any commercial AV companies' toes, in order to get them to cooperate. "The most important rule governing VirusTotal's usage is that none of its publicly offered services/applications should be used in commercial products, commercial services or for any commercial purpose." https://www.virustotal.com/en/about/
It is common knowledge that VirusTotal analyzes and shares submitted files with security researchers. The only blackhats who use VT to check their own files are those who are either incapable of setting up their own multi-scanning systems or paying to use one of the many "underground" services[0][1] that offer similar functionality and do not share submitted files. The fact that allegedly state-sponsored groups from China did not use these services is yet another example of the striking difference between their apparent lack of operational technical proficiency and the amazing results they achieve.
This reminds me of the early days of SpamAssassin. It used to have a fairly simple set of regexes that would catch a great deal of spam. Then as it became popular, spammers used it themselves to pre-filter and tweak their messages until they passed the filters.
This has been done for a long time - a couple years ago when I was learning about exploits, this was one of the ways to check who would discover your exploit. Pretty nifty trick
