CAV takedown casts spotlight on industrial scale of the problem

I could not help noticing the widely publicised takedown of the counter anti-virus (CAV) service Scan4You and the associated prosecution. The background and outcomes of this case are a good reminder of the arms race between the information security industry and malware authors.

Scan4You is a well-known site that is alleged to have been behind an industrial-scale process of CAV scanning.

What precisely is “counter AV”? A few definitions exist. Trend Micro, who are very active in combating threat actors in this space, define it as follows:

Counter Antivirus (Counter AV) is a tool used by cybercriminals that is designed to evade anti-malware detection. This is done by appointing crypters or programs that can disguise malicious programs from security software.

NCSC also have a definition:

Counter Anti-Virus (CAV) Services … scan malware against all of the Anti-Virus packages currently on the market to ensure it goes unnoticed when it is deployed against a victim’s device.

In this scheme, malware authors would submit samples of their malware to the site for scanning, and the site would support them in developing malware that evaded detection by the leading AV products. It is almost certainly the case that, in bank fraud for example, criminals will profit more from a campaign that stays off the radar of the major AV vendors. Quite simply, more stealth equates to more money for threat actors.

Industrial-scale malware development is clearly a significant issue at present, and the DOJ release on this case highlights the scale of the problem:

“For example, one Scan4you customer used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.”

Trend Micro were key to initiating the investigation into this site, having noticed that a group of IP addresses in Latvia was repeatedly checking malware-related URLs against the Trend Micro web reputation system.

For reputation-based checks, a CAV has few options other than to submit URLs directly to the AV vendors to obtain reputation data. This provides enough information to tip off the vendors, who can then take action. In the case of Scan4You, Trend Micro were able to use the information from these URL checks to build up a comprehensive picture and bring in the FBI, with whom, they say, they worked for a long period of time.

But how does a CAV differ from a legitimate content scanner such as VirusTotal? Both scan content, report detections and accept multiple submissions from users, but their intent is evidently not the same.

Using the Scan4You reports and others as a template, it turns out that CAV sites have a number of practices that make them very different from legitimate scanners [1-3]:

First, CAV sites undertake to prevent information about submissions leaking back to AV vendors. Samples of uploaded files are not shared. This makes the task of enhancing AV protection more difficult: by withholding information about the patterns of scanning and the content scanned, CAV sites limit the ability of AV vendors to develop new signatures and detection schemes.

It stands to reason that a series of scanning requests from the same IP address, where every scan but the last results in a detection, could indicate a pattern of “rinse and repeat” probing typical of a malware author, and this is obviously information an AV vendor would want to have.
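To make the “rinse and repeat” signal concrete, here is an added example (not code from this post, from Trend Micro or from any scanning service) of how a vendor might look for it in its own submission log. The same grouping by source address applies to the repeated URL reputation queries described above. The log format, the thresholds and the sample lines are all constructed for the illustration; the addresses are from the documentation ranges. The rule flags a source that sends a run of detected samples followed by a clean one within a short window, but only when the sample hashes differ between attempts, which separates a re-packed sample from a simple re-submission of the same file.

```python
"""Hypothetical detection of "rinse and repeat" scanning in a vendor's own submission log.

Added illustration, not code from the post or from any AV vendor. The log format below
is an assumption: one submission per line as
    <ISO-8601 timestamp> <client IP> <sample hash> <DETECTED|CLEAN>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 shows the pattern of interest: three different
# hashes are detected in quick succession, then a fourth is submitted and comes back
# clean. 203.0.113.9 re-submits the *same* hash and should not be flagged.
SAMPLE_LOG = """\
2018-05-01T10:00:05Z 203.0.113.7 a1f3 DETECTED
2018-05-01T10:04:11Z 203.0.113.7 b7c2 DETECTED
2018-05-01T10:09:40Z 203.0.113.7 c9d8 DETECTED
2018-05-01T10:15:02Z 203.0.113.7 d0e1 CLEAN
2018-05-01T11:00:00Z 198.51.100.20 e4f5 DETECTED
2018-05-01T09:31:00Z 192.0.2.55 5678 CLEAN
2018-05-01T09:30:00Z 192.0.2.55 1234 CLEAN
2018-05-01T12:00:00Z 203.0.113.9 aaaa DETECTED
2018-05-01T12:10:00Z 203.0.113.9 aaaa DETECTED
2018-05-01T12:20:00Z 203.0.113.9 aaaa CLEAN
"""


@dataclass
class Submission:
    ts: datetime
    ip: str
    sha: str
    detected: bool


def parse_log(text: str) -> list[Submission]:
    """Parse the constructed log format into Submission records."""
    subs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sha, verdict = line.split()
        subs.append(Submission(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                               ip, sha, verdict == "DETECTED"))
    return subs


def find_rinse_and_repeat(subs: list[Submission], min_detections: int = 2,
                          window: timedelta = timedelta(hours=1)) -> dict[str, tuple[int, int]]:
    """Return {ip: (detections_before_clean, distinct_hashes)} for each source IP whose
    submissions, in time order, show a run of at least `min_detections` detections
    ending in a clean verdict within `window`, with the hash changing along the way."""
    by_ip: dict[str, list[Submission]] = defaultdict(list)
    for s in subs:
        by_ip[s.ip].append(s)

    flagged: dict[str, tuple[int, int]] = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda s: s.ts)  # log lines may arrive out of order
        run: list[Submission] = []
        for s in items:
            if s.detected:
                run.append(s)
                continue
            # A clean verdict closes the current run of detections.
            if len(run) >= min_detections and s.ts - run[0].ts <= window:
                hashes = {r.sha for r in run} | {s.sha}
                if len(hashes) > 1:  # the sample was modified between attempts
                    flagged[ip] = (len(run), len(hashes))
            run = []
    return flagged


def analyse(text: str = SAMPLE_LOG) -> dict[str, tuple[int, int]]:
    return find_rinse_and_repeat(parse_log(text))


if __name__ == "__main__":
    for ip, (n_detected, n_hashes) in analyse().items():
        print(f"{ip}: {n_detected} detections, then clean; {n_hashes} distinct hashes")
```

In practice the thresholds would be tuned against the vendor's real traffic, and the hash check is what keeps ordinary re-submissions (a customer re-checking the same file after a signature update) out of the result.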

Second, users are allowed to submit samples anonymously. Some public content scanning sites also offer this facility, so on its own it is not a distinguishing characteristic; the extent of the anonymity is the real question. We can probably assume that a CAV site removes all identifying information, including IP addresses, before scans are made, whereas a legitimate site would not. There is little legitimate use for this kind of data cleansing, given that the submitter is uploading the sample voluntarily. Sites such as VirusTotal in fact collect a great deal of information from submitters, and that information is routinely shared with the information security community.

Third, CAVs are complicated to set up and maintain, so their creators might seek to monetise the product by charging per scan, franchising the capability and supporting further developments in the malware industry. These are not services for the “greater good”, and their developers could very well be involved in other large-scale malware campaigns, as the reports on this case indicate.

In addition, they are likely to be marketed through the dark web and forums associated with malware development. There can be little doubt from the sales pitch that they are targeted at evading AV detection engines, as the report from Trend Micro suggests.

Finally, CAV sites might seek to leverage detections to market further malware development toolkits, such as encryption modules, in an effort to reduce the signature of the malware further. Clearly, a legitimate site is not going to start offering assistance in malware development.

It is not surprising, then, that CAV sites are in circulation, but the picture from Trend Micro shows that their economics are far from lucrative compared with other cyber fraud. It follows that relatively little effort would be needed to disrupt the CAV industry fully and make malware development much more difficult. Trend Micro also highlight that there has been no corresponding uptick in the use of other CAV services since the closure of Scan4You, further underlining the importance of disrupting CAV sites going forward.

This is a very interesting case, and worth reading about for general awareness. I’d recommend the Trend Micro report, which is well written and provides useful context (Ref. 1); Wired also have a good article (Ref. 2), as does Sophos’ Naked Security overview (Ref. 3).