maxkabakov - Fotolia
New VirusTotal hash causes drop in antivirus detection rates
Questions were raised about how antivirus vendors use the VirusTotal database after a researcher highlighted a significant drop in malware detection rates following an upload of a new VirusTotal hash.
A security researcher highlighted an antivirus detection issue caused by how vendors use the VirusTotal database.
K. Reid Wightman, vulnerability analyst for Dragos Inc., based in Hanover, Md., noted on Twitter that a new VirusTotal hash for a known piece of malware was enough to cause a significant drop in the detection rate of the original by antivirus products. Wightman recompiled and submitted the Trisis malware, which has been tied to the Russian government and was used in an attack on an industrial control system in Saudi Arabia in late 2017.
The trouble appears to be connected to how antivirus vendors use the VirusTotal database. VirusTotal uses the SHA-256 hash for a piece of malware as a "unique way to identify a file, and [it's] used in the security industry to unambiguously refer to a particular threat."
This hash is what antivirus programs will check for when determining if a file is malicious or not. The detection rate score is the number of VirusTotal partners who determine a file is harmful out of the total number of partners who reviewed the file.
Someone recompiled trilog.exe (TRITON/TRISIS/HatMan EXE, literally no changes other than new compile time) and uploaded to VT. Just having a new file hash dropped the detection rate to 10/68 AV vendors initially.
— ' or 1=1; drop table tweets;-- K. Reid Wightman (@ReverseICS) November 30, 2018
Wightman said on Twitter the detection rate for the new VirusTotal hash for the Trisis malware rose to 27/68 after a few hours. In an interview, he told us this kind of issue of multiple uploads "isn't terribly common, but it does happen, especially with malware for which the source code is available."
"It usually takes 24 hours for the majority of vendors to add the new hash," Wightman said. "What happens is that, if at least one major AV [antivirus] catches the new version of the malware, the others will notice this and will add the hash of the new version into their database."
Wightman added that the reason this type of VirusTotal hash duplication error happens is "the most interesting part."
"A lot of AV vendors do the bare minimum when they add a signature for a piece of malware into their detection list," Wightman said. "Ideally, a vendor would find some way of identifying the actual malware, instead of just relying [on] the hash of the observed payload. Of course, this comes with a tradeoff: Applying a ton of these signatures requires a lot of processor overhead."
K. Reid Wightmanvulnerability analyst, Dragos Inc.
Despite the issue of a new VirusTotal hash dropping detection rates, Wightman said antivirus still has value, "but AV should never be your sole means of keeping malware off of systems."
"It should be treated as a last line of defense. Realize that an attacker can easily find ways to evade such detection," Wightman said. "Use a tiered approach for securing systems: Minimize the exposure of sensitive control systems by preventing them from accessing internet resources, monitor your network for unusual network connections between systems and have a disaster recovery plan for when the unthinkable might happen."
Brandon Levene, head of applied intelligence at Chronicle, based in Mountain View, Calif., said the issue could be explained by scanners not using the "full commercial deployments" of VirusTotal hash databases.
"In addition, some engines may update their signatures to include hash-based detections after a given period of time in order to keep the scanning process as responsive as possible. This may be the case for TRISIS/TRITON/HATMAN, where it is exceedingly unlikely VirusTotal will see the tool set deployed in its prior form," Levene said.
"However, this insight is well-known throughout the security industry. Most of the engines in VirusTotal will detect this kind of basic modification if the file is executed in a real environment," he continued. "VirusTotal has features for detecting these kinds of small changes in malware -- for example, the vhash used for clusterization to find similar samples (based on fuzzy hash) or the Yara rules used in VirusTotal Hunting and Retrohunting services. These kinds of basic modifications do not represent a handicap to VirusTotal Enterprise customers who detect this kind of modified malware without any problem."