CSAM: The Power of Virustotal to Turn Harmless Binaries Malicious

Published: 2014-10-03
Last Updated: 2014-10-03 18:47:32 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

We all know that anti virus, the necessary evil of basic computer security, isn't a stranger to false positives. So no big surprise here when John is writing that he ran into such a false positive during an incident response:

I was scanning a forensic drive image with clamav and scored a positive hit on a file.

Great. ClamAV, a free anti-virus product. Of course, we don't trust it. So John did what most of use would have done, and submitted the suspect binary to Virustotal:

Virustotal showed 14 out of other 50 AV vendors' products thought it was malware as well.

Ouch! 14 out of 50? Many actual malware samples I submit get a lower rate then that. Turns out the binary in question was a desktop management software, "lunchwrapper.exe", and the AV tools picked up on it's file download component (the famous "generic downloader" signatures).

But you think this is bad? Listen what happened next according to John:

The scary part was that after I submitted the sample, other major AV vendors decided that the submitted sample was malicious and our endpoint software starting quarantining the program after the AV dats had updated.

After all, as my fellow developer can attest?too: The reason we allow people to use our applications is so that we don't have to do any testing ourselves.

(BTW: Virustotal/Google are doing great work, and I think it is a good thing that they are distributing samples. The problem is how AV vendors use this information.)

Johannes B. Ullrich, Ph.D.

0 comment(s)
ISC StormCast for Friday, October 3rd 2014 http://isc.sans.edu/podcastdetail.html?id=4177


Diary Archives