Siberia Exploit Kit is an evolving crimeware toolkit that was first seen in the wild in late 2009. A few months ago the author of Siberia Exploit Kit deployed an upgraded version of the toolkit, as reported by the Malware Intelligence Blog.
As with Phoenix Exploit's Kit, which we covered in our last post, the author of Siberia Exploit's Kit also puts effort into evading detection by Anti-Virus and URL filtering services: the kit ships with a built-in Anti-Virus checker.
The administrator of the toolkit can run an Anti-Virus scan against the malware binaries and the exploit pages. Moreover, the scan results are shown separately for each Anti-Virus vendor, so the administrator can see exactly which engines flag a given file.
It is well known that files uploaded to VirusTotal are shared with the Anti-Virus companies, who can then analyze the suspicious samples and add detection for them. An attacker who checks an undetected sample there effectively hands it to the vendors, so it's a good guess that Siberia Exploit's Kit does not use VirusTotal. In this particular case, the files are sent instead to an underground Anti-Virus checker called "scan4you.biz", which advertises that it does not forward samples to the vendors.
Let’s take a look at our anonymous Anti-Virus checker:
Of course, this service is not free. The cost is $0.15 for every file checked, or $25 for a one-month license. The website offers several scan types:
- File scan – Regular Anti-Virus scan of an uploaded file
- URL scan – Anti-Virus scan of the content served at a URL
- Blacklist / Filter scan – Check whether a URL is flagged by URL filtering and blacklist services
- Exploit Pack scan – Check whether the toolkit's name is flagged by URL filtering services
Finally, so that the service can be integrated into Siberia Exploit's Kit, or into any other toolkit, the underground Anti-Virus checker publishes an API for remote scanning:
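Defenders can use the same knowledge in reverse: a machine you administer has little legitimate reason to talk to a pay-per-scan, no-distribute Anti-Virus checker, so a request to scan4you.biz in your proxy logs is worth investigating as a possible exploit kit backend or malware staging host. The following Python is an added example, not code from the original post or from the kit itself. It parses Squid-style proxy access-log lines and reports which internal client contacted the checker named above. The log lines, IP addresses and the indicator list are constructed for the example; the list contains only the domain this post names, and such domains change, so treat it as a starting point to extend.

```python
"""Flag proxy-log entries that reach an underground AV-checking service.

Added example, not code from the original post: it scans constructed
Squid-style access-log lines for requests to scan4you.biz (the checker
named in the post) and reports which internal client talked to it.
"""
import re
from urllib.parse import urlsplit

# Indicator list: only the domain the post names. Assumption for the
# example; extend it with the checkers you track.
NO_DISTRIBUTE_SCANNERS = {"scan4you.biz"}

# Squid native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
_SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a proxied URL.

    CONNECT requests are logged as 'host:port' with no scheme, so prepend
    '//' in that case to let urlsplit parse the authority part.
    """
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def matches_indicator(host: str, indicators=NO_DISTRIBUTE_SCANNERS) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    Suffix matching is anchored on the dot, so 'notscan4you.biz.example.org'
    does not match 'scan4you.biz'.
    """
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def find_scanner_contacts(lines, indicators=NO_DISTRIBUTE_SCANNERS):
    """Parse log lines and return one dict per request to an indicator host."""
    hits = []
    for line in lines:
        m = _SQUID_RE.match(line)
        if not m:
            continue  # skip malformed or non-Squid lines rather than crash
        host = host_of(m["url"])
        if matches_indicator(host, indicators):
            hits.append({
                "client": m["client"],
                "host": host,
                "method": m["method"],
                # Squid logs bytes delivered to the client, not request size.
                "bytes": int(m["bytes"]),
                # A POST is the likely shape of a file submission; CONNECT
                # (HTTPS) hides the method, so only flag plain POSTs here.
                "upload": m["method"] == "POST",
            })
    return hits


# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    "1284371200.123    512 10.0.0.5 TCP_MISS/200 4321 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1284371205.456   1203 10.0.0.5 TCP_MISS/200 2210 POST http://scan4you.biz/ - DIRECT/198.51.100.10 text/html",
    "1284371210.789     60 10.0.0.7 TCP_TUNNEL/200 9000 CONNECT scan4you.biz:443 - DIRECT/198.51.100.10 -",
    "1284371215.000     10 10.0.0.9 TCP_MISS/404 300 GET http://notscan4you.biz.example.org/ - DIRECT/203.0.113.1 text/html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_scanner_contacts(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the function returns two hits: the POST from 10.0.0.5 (flagged as a probable upload) and the HTTPS CONNECT from 10.0.0.7, while the look-alike domain and the unparseable line are ignored. Hosting providers and ISPs get the most value from this check, since an exploit kit's backend server, not its victims, is what calls the checker.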
Like other evasion techniques we have seen lately, such as the "Anti Wepawet" and "Anti JSunpack" checks described in our security labs report, this shows cybercriminals continuing to find creative ways to avoid detection at multiple layers: this time by scanning their own malware with the vendors' engines, through a service that will not share the samples, before deploying it.