Monday, June 25, 2012

Optimizing malware sample detection


Submitting a sample to Virustotal (usually) means that it will trickle down to the various AV vendors, which can then build detection for it.

Depending on your organization's needs, you might have to deal not only with internal clients but also with the dreaded external clients.

External clients are tricky: in most cases you cannot control them at all, and you most likely don't know what kind of AV protection they have (if they have any, that is).

Enter Virustotal, which lets you spread knowledge, and hopefully detection, to "all" AV vendors; at least that is the idea.

I was told that samples sent to VT would not propagate to the vendors if fewer than two vendors detected the sample; this was a couple of years ago, mind you.

So, armed with the knowledge that you need some kind of "basic detection" to get the attention of the AV vendors (I will leave out Flame, which everyone jumped on ;)), the solution has been to use the in-house AV vendors to "kick start" the detection.

Most companies, big and small, have at least one subscription or support contract with an AV vendor, and many have several different vendors (client/server, mail, proxy, etc.). Those vendors are most likely present on Virustotal too. But VT is not the place to start if you need detection fast!

If you need detection in a timely fashion, use the SLA you already pay for with your AV vendor(s).

This is how I usually do it:

Begin by having "your" AV vendor(s) create detection for your sample, then push it to Virustotal for the rest to pick up.

I also usually submit directly to different AV vendors, using the various methods they offer on their websites, as they seem to have different priorities for the different channels they receive samples from, and VT seems not always to be prioritized.

So, to be successful in your detection campaign, start off with the services you pay for, then continue with the free ones to get better coverage.

I double-checked my VT fact just a couple of days ago, and the current situation is that you need at least one vendor to detect the sample for it to "spread", but there are differences from vendor to vendor.

Lesser-known ones would not trigger the bigger players to react (this is my own interpretation of what I was told), and even then it's finally up to the receiving AV company to decide whether it wants to react to the sample or not.
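The recipe above (check whether the sample already has "basic detection", go to the vendor you pay for if it does not, then widen out to VT and direct vendor submissions) can be turned into a small pre-submission check. The script below is an added example, not the author's tooling and not code from Virustotal. It assumes the VirusTotal v3 REST API, which post-dates this post: the `/api/v3/files/<sha256>` endpoint, the `x-apikey` header and the `last_analysis_stats` JSON layout are taken from the public v3 documentation, and the detection threshold is a parameter because the post reports it as hearsay that has already changed once. The canned responses and the sample bytes are constructed so the decision logic can be exercised offline.

```python
"""Decide where to send a sample first, following the recipe in this post.

Added example (Python 3 standard library only); not the author's tooling.
Assumptions: VirusTotal v3 REST API (endpoint, x-apikey header and
last_analysis_stats layout from the public v3 docs), and an API key in the
VT_API_KEY environment variable for the real run.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (VT keys file reports by hash)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def http_get(url: str, headers: dict) -> tuple:
    """Real transport: returns (HTTP status, body bytes). Swapped for a fake offline."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def vt_detections(sha256: str, api_key: str, get=http_get):
    """Number of engines flagging the hash as malicious, or None if VT has
    never seen the file (HTTP 404).  A hash lookup costs no upload and tells
    you whether the sample already has the 'basic detection' the post says
    it needs before it spreads to the vendors."""
    status, body = get(VT_FILES_URL + sha256, {"x-apikey": api_key})
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"VirusTotal lookup failed with HTTP {status}")
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    return int(stats.get("malicious", 0))


def submission_plan(detections, min_detections: int = 1) -> tuple:
    """Map the detection count to the submission order the post recommends.

    min_detections is the threshold the post reports (one vendor now, two a
    couple of years earlier); it is a parameter because that figure is hearsay."""
    if detections is None:
        return ("unknown_to_vt",
                "send to the vendor(s) you have an SLA with first, then upload to VT")
    if detections < min_detections:
        return ("below_threshold",
                "VT has it but too few vendors detect it; get a signature from "
                "your paid vendor(s), then resubmit to VT and the other vendors")
    return ("has_detection",
            "basic detection exists; submit directly to the remaining vendors for coverage")


# Constructed VT-style responses for an offline dry run (not real VT data).
FAKE_RESPONSES = {
    "known": (200, json.dumps({"data": {"attributes": {
        "last_analysis_stats": {"malicious": 3, "undetected": 40}}}}).encode()),
    "unknown": (404, b'{"error": {"code": "NotFoundError"}}'),
}


def demo(kind: str) -> tuple:
    """Run the whole decision path against a canned response, no network."""
    sample = b"constructed placeholder bytes, not malware"   # constructed input
    fake_get = lambda url, headers: FAKE_RESPONSES[kind]
    hits = vt_detections(sha256_hex(sample), "dummy-key", get=fake_get)
    return submission_plan(hits)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <sample>", file=sys.stderr)
        return 2
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("set VT_API_KEY first", file=sys.stderr)
        return 2
    digest = sha256_of_file(argv[1])
    hits = vt_detections(digest, api_key)
    state, advice = submission_plan(hits)
    print(f"{digest}  detections={hits}  {state}: {advice}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `VT_API_KEY=... python vtcheck.py sample.bin` to get the hash, the current detection count and the recommended next step; `demo("known")` and `demo("unknown")` exercise the same path offline. Note that the hash lookup only tells you what VT already knows: it never uploads the sample, so a sample you are not yet allowed to share with third parties can still be checked.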

If you have another recipe for success, please let me know. I'm always interested in how others are doing their "AV submit optimizing".

/Micke