Hackers used Google to debug malware

    image

    Brandon Dixon, an independent information security researcher, published material on his blog in which he described the traces of hackers using the Google-owned VirusTotal resource to debug their malware.

    For several years, Dixon, using various methods (which he does not specifically specify), has been collecting data on the behavior of users of the VirusTotal resource, with which you can scan various files for their safety. According to the researcher, the service, which ordinary network users use to increase their level of security, served as a tool for attackers to debug software.

    The VirusTotal project was founded in 2004 in Spain and bought by Google in 2012 - it combines more than three dozen antivirus and security scanners manufactured by Symantec, Kaspersky Lab, F-Secure and other companies. Security researchers and ordinary users of the network can upload files to the site to check for malware.

    image

    Brandon Dixon

    Dixon studied the behavior of VirusTotal users using unique hashes that are assigned to them when uploading files to the site. Hackers uploaded files to the site until VirusTotal antiviruses reported that they had not detected anything suspicious. Dixon managed to detect the traces of several specific hackers or groups of cybercriminals. Moreover, the researcher was even able to determine the future targets of the attack by attackers.

    This was possible due to the fact that every time a file is downloaded to VirusTotal, metadata appears, including the name of the file and the time it was created and downloaded, as well as a hash created based on the IP address and the country from which the download occurred. Google uses various methods to make it harder to extract the IP address from the hash, but Dixon was able to at least determine the hashes of the IP addresses from which multiple file downloads were performed. By clicking on the picture, it will open in full size. The researcher has developed an algorithm for processing the collected data. As reported

    image



    Wired edition, as a result, he was able to identify patterns and geographical areas of loading of two groups of hackers from China and Iran. At the same time, in some cases, Dixon could even track the development of attacks - first, the hackers themselves downloaded the malicious files for the test, and then from other addresses of the victim of the attack.

    Dixon says he has collected so much information about the activity on the cybercriminals' website that it is time to share it with the public.

    Also popular now: