Surprisingly, while opportunistic cybercriminals have long embraced the
malware as a service model, and are offering managed lower detection rate services for a customer's malware, or DIY ones where the customer can take advantage of
popular tools ported to the Web, others are still trying to innovate at a faddish market niche -
multiple offline AV scanners tools aiming to ensure that their malware doesn't end up in the hands of vendors/researchers.
Multiple offline AV scanning tools like this very latest release, naturally using pirated copies of popular antivirus software, are faddish, due to the fact that during the last two years, the underground has been busy working on several paid web based services, that not only make sure vendors and researchers never get the chance to obtain the samples, but also, are already offering scheduled scanning of malware and automatic ICQ/Jabber notifications for QA of the campaign, next to the rest of unique features disintermediating legitimate multiple AV scanning services.
Certain features within such services clearly speak for the intentions of the people behind the service. For instance, among one of these features is the ability to fetch a binary from a set of given dropper URLs like malwaredomain.com/binary.exe, the result of the scan can then alert the malware campaigner about the current state of detection.
What's on these proprietary multiple AV scanning service's to-do list? Let's say anything that a legitimate multiple AV scanning service would never offer, like the following according to one of the services in question :
- DIY heuristic scanning level settings for each of the software in place
- upcoming sets of anti spyware and personal firewalls with detailed statistics of the sandboxing
- behavior-based detection results
The possibilities for integrating such proprietary multi AV scanning services within the QA process of a malware campaign are countless, and both, the customers and the sellers seem to have realized the potential of this ecosystem.
