
No Distribute Scanners: A Perfect Testing Ground for Malware Developers

BSides Munich · 2021 · 15:28 · Published 2021-06
About this talk
No-Distribute Scanners (NDS) are underground portals where malware authors test code for antivirus evasion without alerting threat intelligence platforms. This talk examines NDS infrastructure, business models, user communities, and how threat actors leverage automated scanning results to market undetectable malware and monetize criminal services.
Original YouTube description
Speakers: Florian Murschetz and Mathieu Gaucheler Let’s take an undercover dive into the world of No-Distribute Scanners: scanning portals often used by malware authors on their search for the perfect Fully UnDetectable (FuD) malware. During the talk, we will go into detail about the different kinds of NDS portals, their userbase, how they are used, and how they work. This will not only help you better understand how NDSs allow malware developers to increase the average time a sample goes unnoticed by the threat intelligence community, but to see how they use the results as tangible proof to monetize their offering.
Transcript [en]

Hello everyone and welcome to "No-Distribute Scanners: a perfect testing ground for malware developers". In this presentation we are going to introduce ourselves and why we chose this topic, we are going to give an overview of No-Distribute Scanners and how they are used by cyber criminals, and we are looking to end this presentation by taking a look at an example of an investigation. My name is Mathieu Gaucheler, I am a subject matter expert at Maltego and I have a background in malware analysis. Hi, my name is Florian Murschetz, I am also a subject matter expert at Maltego and I have a background in digital forensics and incident response.

So what are No-Distribute Scanners? First of all, NDS, No-Distribute Scanners, are also called counter antivirus services by some other organizations, like Europol for example. They are a scanner, meaning that they will match a file against several antivirus services, but the main difference between these websites and, for example, VirusTotal is that VirusTotal will be sharing samples with their partners. This is why it is not very interesting for a threat actor to use VirusTotal: you do not want your sample to be studied, you do not want your sample to be shared, even before you release it in the wild. At the time of writing there were about 24 NDS that we knew of, and six of them were active. This concept of No-Distribute Scanner has been around for a little bit more than a decade now, and as far as we have seen it has only been marketed to cyber criminals.

We have broken down the use of an NDS into three different parts: submitting your file, how the NDS is going to analyze it, and then how the NDS is going to report on it. We are going to break down these different steps in the next slides. The first one is submitting a sample to an NDS. You can do so by using an API; here we have an example, the DynCheck API. It is a script running client-side to upload a file to DynCheck's backend. On the left you have a screenshot of CyberSeal, a crypter developed by the same producer behind Data Protector. A crypter is a type of software that can encrypt malware to make it harder to detect by security programs. This threat actor decided to create their own NDS and integrate it into CyberSeal, meaning that every time a threat actor was using this crypter they would have the result of this encryption checked on the NDS against several antiviruses. So that is how APIs are used in an NDS, but the most common way to submit a file to an NDS is by using their website. Every NDS has a website; they usually contain information about the pricing, what kind of scans are available, and sometimes some publicity.

On the left and on the right you have two screenshots of a submission panel for an NDS, two different NDS. The one on the left is pretty simple: you can upload the file and that is it. Whereas the one on the right is more complex: you have several options to tweak the analysis and bring it closer to the conditions that your malware would encounter in the real world. You can also choose which antiviruses your malware is going to be matched against, to better replicate the conditions that your malware is going to encounter. But the main difference between these two NDS is not actually the complexity of their submission panel, it is the type of scan they offer. The one on the left is offering static scans, whereas the one on the right is offering dynamic scans.

So what is the difference between these two types of analysis? Well, static analysis, or static scans, are basically anything you can do on the file without running it. This can be, for example, a string analysis like a YARA rule, simply, or checking the exports of a portable executable, or checking the entropy of a file to see if it is packed or not. It would be pretty easy to run such an analysis: you just need to have some AVs installed, then you would use the command line to run an analysis on a file, you pipe the output of this to the NDS website, and that is it, you would have your analysis up and running. It would also be very easy to update your antiviruses; you could have them all on the same machine. Whereas for dynamic analysis you actually need to run the file, and that brings a set of problems if one wants to run a dynamic scanner, because that would entail having one machine per antivirus. Because if you run the same 30 antiviruses on one machine they are going to interfere with each other and contaminate the results, so you do not want that. If you want to run a sample against 30 different AVs you need 30 different VMs, so it is a lot of processing power. You need a way to revert these virtual machines back to the way they were before the analysis, so that one analysis does not contaminate the next one, and you also need to find a way to update these antiviruses daily. So it is a lot of processing power and a certain logistics, a lot of things that you need to do compared to static scanners, and this is why there are fewer websites offering dynamic scans compared to static scans.

So we saw how to submit a file to an NDS, we saw how it was going to be analyzed, let's take a look at the reporting. On your screen you have three different kinds of reporting. On the left you have the simple web page, in the middle you have an image that you can share, a .png, and on the right you have several textual representations that you could use to embed these scan results in a web page or in a forum post. It is also possible to use the API to get the analysis results. Let's note that while some NDS offer all these ways of reporting, the main way, and what is always available on every NDS to report an analysis, is the web page. Every time someone uses an NDS they are going to be given a link to the analysis result that they will be able to share afterwards, and everyone with access to the link can access the analysis results.

So what are the business models used by NDS? Basically you have three types of plan. The free scanners, which offer static scans only, seem to make money on ads. Then you have the pay-per-scan scanners that offer both types of scan, dynamic and static, although there is a big price difference between static scans and dynamic scans: static scans are going to be around 10 cents, while dynamic scans are going to be around three dollars. This huge price difference is explained by the difficulty of running a dynamic scanner. And then you have the subscription-based ones, for which you pay for a day or for months and you have access to a certain number of scans. You have a lot of different subscriptions; they range from $15 for a day to $300 for a month. Then, to actually pay for these services, to actually use the NDS, you can use different cryptocurrencies, but some of them also use some online payment systems like PayPal, BitPay or WebMoney.

Thanks Mathieu. Now that we know how NDS are working, we will talk about their usage. The first is marketing for cyber criminals. Here they make use of NDS reports by showing that their malware is evading antivirus detection. It is most likely used for malware-as-a-service promotion and advertisement, because it is a selling point to convince customers that they do not buy burned malware or fake services. This also generates trust between the provider of the malware services and the customer. Another common use case we assume is the development of malware, with the capability of using APIs to test malicious software for detection; it will speed up a successful development process for malware. Another aspect is to use their API capabilities in malware tools like the CyberSeal crypter which Mathieu was talking about, which enables users to test their generated or packed or encrypted malicious code directly in the same tool. Lastly, we assume in this use case group individuals who are testing their software and tools. It could be that red teamers and penetration testers test their tools before an engagement and most likely will burn them after usage. Then we have crackers, who prove that their software is not detected by the antivirus software.

On the next slide we have features that support the previous main use cases. The first one is the AV block list checker, which will detect infrastructure exposure and report to the bad guys whether their domain, which maybe is used for C2 communication, is burned or published. Also the periodic scans, which bad guys can make use of during campaigns to check if their sample is burned by VirusTotal or by other antivirus software detections. Now back to Mathieu, and he will tell us something about the user base.

Thank you Florian. So what we did is that we wanted to explore if these NDS had a specific community and were used by users of a specific language. We basically took the domains of these NDS, had them in Maltego, and searched Flashpoint data for posts mentioning them. Then we tied these posts to forums, which gave us a breakdown of which forums were used the most to talk about which NDS. That is the graph on the right, and on the left are isolated parts of that graph: the top three NDS, which are on the top right, and the forums that talk about them the most. This gives us a language breakdown for each NDS by observing the language of the top three forums in which these NDS are cited. So for example for DynCheck, on the top left, the top three forums talking about it are Russian-speaking, English-speaking and Russian-speaking. On the top right, VirusCheckMate: you have English-speaking, Russian and Brazilian Portuguese forums. And on the bottom, for nodistribute.com, you have Arabic, English and Brazilian Portuguese. So from there you can see that each NDS is used more by a certain linguistic community.

Thanks Mathieu. I will dive into a short investigation on the data which we currently have. In this example, on the next slide, we found a post of the tool X Tool 3 version 3, which is a hacking tool, and its features are: it generates usernames out of leaks, and also the passwords, it can also scrape proxies from different sources, and it can also try to crack accounts. In this case we found a post on the nulled.to forum where a stranger posted this tool, together with the antiscan.me report to prove that it is not detected by antivirus software. On the next slide you can see that we also found this example of X Tool 3 on VirusTotal under a different name: "wextract.exe", then a little bit of whitespace, and then ".mue". The filename itself is pointing to wextract.exe, which is integrated into Microsoft system features for extracting archive files. We also found that this tool makes some communication to different domains. Unfortunately, during our investigation the domains were not available, but we can see in the history that this domain has also served some other malware samples, which are tracked by VirusTotal. On the right side you can see the cracker alias, which is a string in the code, and you can see that the stranger, or the alias, is Kamada, and he has distributed this code on cracked.to. We found this example also on the nulled.to forum, which is referred to by the Recorded Future document on the right. That's it for the first part of our investigations. We are trying to generate more data and are working on this currently, and if you have any questions give us a shout and just send us a message on Twitter or directly on LinkedIn, or now.
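The static-scan side of an NDS that the talk describes (string rules in the spirit of YARA, file entropy as a packing heuristic, a per-scanner verdict, and the same result rendered as plain text, BBCode for a forum post, or JSON for an API client) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not code from the speakers, from Maltego, or from any real NDS. The rule names, the 7.0 bits/byte packing threshold, the `MZ`/`PE` stub and both sample files are constructed for illustration and are not taken from the talk.

```python
"""Added example: a minimal static-scan pipeline of the kind the talk describes.
Illustrative code written for this page, not the speakers' code or any real
NDS; every rule, threshold and sample below is constructed."""
import json
import math
from collections import Counter
from hashlib import sha256

# Assumed threshold: Shannon entropy (bits per byte) at or above this is treated
# as packed/encrypted. 8.0 is the maximum possible for byte data.
PACKED_THRESHOLD = 7.0

# Hypothetical string rules (YARA-style): a rule fires only if every needle is present.
STRING_RULES = {
    "keylogger_api": [b"SetWindowsHookExA", b"GetAsyncKeyState"],
    "proxy_scraper": [b"socks5://", b"proxylist"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def match_string_rules(data: bytes) -> list[str]:
    """Names of the rules whose needles all occur somewhere in `data`."""
    return [name for name, needles in STRING_RULES.items()
            if all(needle in data for needle in needles)]


def is_pe(data: bytes) -> bool:
    """True if `data` has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def static_scan(data: bytes) -> dict:
    """Run every static 'scanner' once and collect a (detected, detail) verdict each.
    'ratio' is detections out of scanners, the headline number an NDS report shows."""
    entropy = shannon_entropy(data)
    rules = match_string_rules(data)
    verdicts = {
        "entropy": (entropy >= PACKED_THRESHOLD, f"{entropy:.2f} bits/byte"),
        "strings": (bool(rules), ",".join(rules) or "no rule matched"),
    }
    detected = sum(1 for hit, _ in verdicts.values() if hit)
    return {"pe": is_pe(data), "verdicts": verdicts, "ratio": (detected, len(verdicts))}


def render_report(name: str, result: dict, fmt: str = "text") -> str:
    """Render one scan result as text, BBCode (forum post) or JSON (API client)."""
    detected, total = result["ratio"]
    if fmt == "json":
        return json.dumps({"file": name, "pe": result["pe"], "detected": detected,
                           "total": total,
                           "scanners": {k: {"detected": d, "detail": t}
                                        for k, (d, t) in result["verdicts"].items()}},
                          sort_keys=True)
    lines = [f"{name}: {detected}/{total} detected"]
    for scanner, (hit, detail) in result["verdicts"].items():
        lines.append(f"  {scanner:8s} {'DETECTED' if hit else 'clean':8s} {detail}")
    body = "\n".join(lines)
    return f"[code]{body}[/code]" if fmt == "bbcode" else body


def pseudo_random(length: int, seed: bytes = b"nds-example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed body."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed samples: a 0x44-byte MZ/PE stub, then either readable strings that
# expose the hooked APIs (a 'plain' build) or a high-entropy blob (a 'packed' build).
PE_STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
PLAIN_SAMPLE = (PE_STUB + b"..SetWindowsHookExA..GetAsyncKeyState..socks5://..proxylist"
                + b"\x00" * 200)
PACKED_SAMPLE = PE_STUB + pseudo_random(4096)

if __name__ == "__main__":
    for fname, sample in (("plain.exe", PLAIN_SAMPLE), ("packed.exe", PACKED_SAMPLE)):
        print(render_report(fname, static_scan(sample), "bbcode"))
```

Note what the two constructed builds show: the plain build is caught by the string rules but not by entropy, the packed build by entropy but not by strings, so each scores 1/2 on this toy scanner set. That is exactly the feedback loop a crypter user runs until every scanner reads "clean"; on the defender's side the same two cheap checks, plus the PE export check the talk mentions, are what a sandbox or mail gateway runs before spending a dynamic-analysis slot.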