Siberia Exploits Kit Fights Back Against AV Companies

By Daniel Chechik  •  November 30th, 2010  •   Cybercrime

Siberia Exploit Kit is an evolving crimeware that was first seen in the wild in late 2009. A few months ago the author of Siberia Exploits Kit deployed an upgraded version of the toolkit, as written in the Malware Intelligence Blog.

Login panel of Siberia Exploit’s Kit
As with Phoenix Exploit’s Kit, which we covered in our last post, the author of Siberia Exploit’s Kit also emphasizes evading detection by Anti-Virus and URL filtering services: the kit contains a built-in Anti-Virus checker.

Anti-Virus Detection rate of each malware
The administrator of the toolkit can run an Anti-Virus scan of the malware and of the exploit pages. Moreover, the scan result reported by each Anti-Virus vendor is viewable.

Detailed detection results for the malware across Anti-Virus companies
It is well known that once malware is uploaded to the VirusTotal service, the Anti-Virus companies receive the suspicious files and can analyze them. As such, it’s a good guess that Siberia Exploit’s Kit doesn’t use the VirusTotal service. In this particular case, the files are sent to an underground Anti-Virus checker called “scan4you.biz”.

The code that accesses the scan4you.biz AV checker (taken from Siberia Exploit’s Kit)
Let’s take a look at our anonymous Anti-Virus checker:

After logging in, the user can upload files and submit URLs for Anti-Virus and URL filtering checks
Of course, this service is not free. The cost is 0.15¢ for every file checked, or $25 for a one-month license. The website offers several kinds of scan:

  • File scan – Regular Anti-Virus scan
  • URL scan – Anti-Virus scan of URL
  • Blacklist / Filter scan – Check detection of URL in URL filtering services
  • Exploit Pack scan – Check detection of toolkit name in URL filtering services

Finally, so that the service can be integrated into Siberia Exploit’s Kit, or into any other toolkit, the underground Anti-Virus checking service publishes an API for remote scanning:

Snippet code of the API service provided by scan4you.biz website.
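From a defender’s side, the useful detail in the snippet above is the domain the kit’s code talks to. A kit operator’s server, or a compromised host running the kit, has to reach scan4you.biz to use that API, which makes outbound proxy logs a place to look. The script below is an added example and not code from the post or from the kit: it parses a few constructed web-proxy log lines (the format and the IP addresses are assumed), flags requests whose host is scan4you.biz or a subdomain of it, and summarizes which internal clients made them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The only domain the post names; a real deployment would load this list
# from threat-intel feeds rather than hard-code it.
SUSPECT_DOMAINS = {"scan4you.biz"}

# Constructed sample lines (not real traffic) in an assumed proxy format:
# timestamp client_ip method url status bytes
SAMPLE_LOG = """\
2010-11-30T10:01:12Z 10.1.2.33 POST http://scan4you.biz/api/ 200 4312
2010-11-30T10:01:15Z 10.1.2.33 GET http://www.example.com/index.html 200 812
2010-11-30T10:02:01Z 10.1.2.48 GET http://cdn.example.net/lib.js 200 9910
2010-11-30T10:03:44Z 10.1.2.33 POST http://api.scan4you.biz:8080/check 200 5120
2010-11-30T10:04:09Z 10.1.2.57 GET http://notscan4you.biz/ 304 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def is_suspect_host(host):
    """True if host equals a suspect domain or is a subdomain of one.

    Matching on label boundaries avoids false positives such as
    'notscan4you.biz' and false negatives such as 'api.scan4you.biz'.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def find_av_checker_callouts(lines):
    """Return the parsed log records whose destination host is suspect."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        # urlsplit().hostname lowercases and drops port and userinfo
        host = urlsplit(m["url"]).hostname
        if is_suspect_host(host):
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "method": m["method"],
                "host": host,
                "url": m["url"],
            })
    return hits


def clients_by_callouts(hits):
    """Count flagged requests per internal client, most active first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_av_checker_callouts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['method']} {h['url']}")
    for client, n in clients_by_callouts(found).most_common():
        print(f"{client}: {n} request(s) to AV-checker domains")
```

The host check deliberately works on DNS labels rather than a plain substring match: a substring match on the domain would both miss a different-looking subdomain and fire on an unrelated domain that merely contains the string. Any client that appears in the summary is worth a closer look, since legitimate business traffic to an underground AV-checking service is hard to explain.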
Like other evasion techniques we have seen lately, such as “Anti Wepawet” or “Anti JSunpack” as described in our security labs report, this shows that cybercriminals keep looking for creative ways to avoid malware detection at multiple layers, this time by running their own Anti-Virus scan before deploying their files.

2 Responses to “Siberia Exploits Kit Fights Back Against AV Companies”

  1. [...] This post was mentioned on Twitter by Jovi Umawing, Amirreza A., Gadix, PhysicalDrive0, PhysicalDrive0 and others. PhysicalDrive0 said: RT @silvakreuz: Siberia Exploits Kit Fights Back Against AV Companies http://bit.ly/hgPwok | M86 Security Blog [...]

  2. [...] creators of the Siberia Exploits Kit have recently given it an update, enabling attackers to design more custom malware that can bypass [...]