VirusTotal and USCyberCom Join Forces To Identify Malware

For fourteen years, since June 2004, VirusTotal has served the public’s interest of combating malware, by its online scanning system that aggregates many antivirus engines from the big majority of the antivirus vendors. The system is effective in thoroughly checking a suspicious file for virus infection, as VirusTotal with its aggregate scanner strongly confirms or denies a suspected infection of the file submitted to them.

The VirusTotal service will be receiving a huge boost of precision in detecting malware, as the United States Cyber Command has publicly announced their interest of sharing malware specimen to the former, to further help it in its research. A special subunit named Cyber National Mission Force is in the driver’s seat of making the project happen, enabling VirusTotal to be made aware of unknown malware samples for through virus analysis with the help of the US government.

“This is a great initiative and we believe that if more governments would do the same, the world would be safer. We salute their initiative and are of course paying close attention to what they upload,” said Costin Raiu, Kaspersky Lab’s Global Research Director, in reaction to the news.

Chronicle, a division at Alphabet Inc. (the mother company of Google) tasked with cybersecurity issues their official statement through its co-founder, Mike Wiacek: “We believe that having more files in VirusTotal increases the value to the entire community. In fact, the first submission, for LoJack malware, included files that weren’t previously in VirusTotal.”

The first submissions to VirusTotal from the USCyberCom are sample copies of rpcnetp.dll and prcnetp.exe, trojan horse files containing LoJack virus. Also, known as LoJax, security experts saw its resurgence after becoming fairly inactive for years, to only reemerge as malware with significant infection rates this year.

“It remains to be seen exactly how this new initiative will unfold. But what is striking about this initiative is it lacks many of the contextual elements of the name and shame strategy. Whereas that strategy involves a tremendous amount of context which has to be scrutinized throughout the government, this initiative could be less encumbered by those considerations. There will undoubtedly still be a strategy behind these disclosures, since disclosures always have consequences for intelligence operations, but their simplicity may allow for simpler, faster action, something the government has historically struggled with,” explained John Hultquist, FireEye’s Intelligence Analysis Director.

Other antimalware vendors have expressed their opinion with the latest announcement, as this is the first publicly known joint venture of a US government agency to help an antivirus aggregate scanner vendor. “As far as exposing hacking toolsets, it does not necessarily automatically render the tools totally useless, but it is likely to at least cause the attacker to adapt. For example, ESET has been exposing [APT28]’s toolset evolution for years, and yet the group is still using a lot of the same tools, albeit with additional improvements added over time. would say exposing full [tactics, techniques, and procedures] on top of actual samples would be more harmful to attackers, as they would need to change their entire attack workflow. It does not look like USCYBERCOM is providing such context together with the samples they are sharing, so that might limit the upside of their initiative,” emphasized Alexis Dorais-Joncas, ESET’s Lead for Security Intelligence.