Harvesting Cb Response Data Leaks (directdefense.com)
49 points by have_faith on Aug 9, 2017 | hide | past | favorite | 21 comments



Several months ago, I tagged a few documents and filled them with fake passwords. I named them juicy names like 'mypasswords.xlsx' and uploaded them to sites like virustotal and malwr. I still get notifications that they are being viewed. The last notification was just a few days ago.



Whilst they obviously try and refute the minor details Direct Defense gets wrong, their product should be warning their end users just a little more strongly for such a devastating "feature".

This is a data protection officer's nightmare. If any UK company has this turned on the ICO could rake them over the coals and charge them millions in fines (if they had the teeth).


I disagree. I think Carbon Black's disclaimer is more than sufficient:

The screenshot in Carbon Black's response clearly says that VirusTotal "makes the binaries available for download to their partners".

And here's the relevant text in the disclaimer:

> You are hereby advised (i) VirusTotal makes the metadata publicly available along with scan results from dozens of anti-virus products and (ii) VirusTotal also makes the files available to VirusTotal partners. You must determine whether to elect to enable this feature at your sole discretion.

And the warning also has this text in bold:

> If you have custom business applications with confidential business information on your network, sharing binaries with VirusTotal may not be appropriate for you.

With this being optional and off by default, I think it's on the customer to read the clear warning presented and make the call that's right for them.


Sharing with Virustotal is not the same as sharing it with 'anyone', I suppose; the possibility of downloading files is not acceptable.


I believe their characterization is accurate. Not just anyone can download files from VT. You have to have access to their private API which is a premium billed (and anecdotally very expensive) service.[0]

That, to me, qualifies the term "VirusTotal and their partners" as accurate, since this is only a select group of companies who are paying VT a large sum for access to the data.

[0] https://www.virustotal.com/en/documentation/private-api/#fil...


Cool, so you can pay a bit of money to get the AWS keys, ssh keys and thousands of top secret credentials from the fortune 500.

Whatever number they charge, it is negligible for the trove of data you'll get!


I think this response is the kind of thing that goes with the "7 million+ software licenses sold, almost 2,000 customers worldwide" text noted in the article.

This response does not hide the concrete facts of the situation, which I do think remains an unresolved problem.

First of all, https://www.virustotal.com/en/documentation/private-api/ does not mention any prices. It says to get in touch. Boring.

So I decided to try googling "virustotal private api cost", and bingo: I found a quote in the Hacking Team emails :D - https://wikileaks.org/hackingteam/emails/emailid/16069

As of 2013 - 5 years ago - the prices were:

- 300 searches and downloads per month ... 500 EUR per month

- 1,000 searches and downloads per month ... 1,000 EUR per month

- 5,000 searches and downloads per month ... 2,000 EUR per month

- 15,000 searches and downloads per month ... 3,000 EUR per month

- 30.000 searches and 30.000 downloads per month .... 4,700 euros per month.

- Unlimited searches and downloads per month... 8,250 euros per month

For a somewhat more recent comparison, https://developers.virustotal.com/v2.0/reference#public-vs-p... notes that the private API allows just 4 requests per minute. Sounds like that could be the default tier and that things have gotten a lot more expensive over the past 5 years. ($10k per month in 2013... maybe it's double that now? Nice spare change for Google, eh - VirusTotal is a Google company.)

But, once you sign up, you get access to a feed (https://developers.virustotal.com/v2.0/reference#file-feed) API call that will give you a JSON array of the last 24 hours' worth of uploaded files. Each item in the array includes a file download link, which you can fetch.

There's also https://developers.virustotal.com/v2.0/reference#url-feed, the feed of all URLs scanned. This is less straightforward in terms of "we got 5000 passwords and keys today, woohoo" because the chances are (hopefully...) that the URLs being scanned are setup to let VirusTotal through but not anyone else. That said, this would likely give you valuable intel into internal network structures and so forth. (And, who am I kidding, a disconcerting number of organizations are going to have the areas surrounding the upload infrastructure horribly misconfigured.)

I can totally see the standpoint of this report. This IS a pay-to-play data exfiltration system.

You get everything. Regardless of who you are.


tl;dr: large companies are uploading all their files and executables to Carbon Black to get them whitelisted as virus-free. The OP reports these uploaded files are easily discoverable and inspectable by third parties and contain large numbers of AWS and Azure private keys, API tokens, and other confidential data.
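A defender-side pre-submission check, added here as an example and not code from Carbon Black, VirusTotal or the DirectDefense write-up: before a binary is shared with a multiscanner, extract its printable strings and refuse the upload if credential-looking material (the AWS key ids and private keys the thread mentions) is present. The patterns and the two sample blobs are assumptions constructed for illustration.

```python
import re

# Minimum length of a printable run to treat as a "string" (same idea as strings(1)).
MIN_STRING_LEN = 8

# Heuristic patterns for the kinds of credential material the thread says were found
# in shared binaries. Assumption-based and deliberately small, not an exhaustive scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*=\s*\S{6,}"),
}

def printable_strings(data: bytes, min_len: int = MIN_STRING_LEN):
    """Yield runs of printable ASCII of at least min_len bytes, decoded as str."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def find_embedded_secrets(data: bytes):
    """Return (kind, matched_text) pairs for every suspicious string in the blob."""
    findings = []
    for s in printable_strings(data):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(s):
                findings.append((kind, m.group()))
    return findings

def safe_to_share(data: bytes) -> bool:
    """Upload gate: True only if no credential-looking strings were found."""
    return not find_embedded_secrets(data)

# Constructed samples (not real files): a "clean" binary, and one carrying an
# embedded AWS key id (AWS's documented example value) plus a PEM private key header.
CLEAN_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 32 + b"Hello, world!\x00" + b"\x90" * 16
LEAKY_SAMPLE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"aws_key=AKIAIOSFODNN7EXAMPLE\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\x00"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("leaky", LEAKY_SAMPLE)):
        print(name, "safe_to_share:", safe_to_share(blob), find_embedded_secrets(blob))
```

The leaky sample is blocked on both the key id and the PEM header; wire the gate in front of whatever submits binaries, and treat any finding as a reason to strip the secret and rotate it rather than to upload anyway.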


The way I read it: large companies use Carbon Black to have all their files and executables checked for maliciousness. CB then uploads these files to antivirus.com to have them checked against 50 AV engines. VT 'hides' the uploader behind a dedicated API key, in the case of CB: 32d05c66. DirectDefense then downloaded some of these files from VirusTotal and found (among a shitload of nothing) sensitive stuff, wrote a blog and blamed CB. With a little more digging they would have found many, many more services and applications that do the exact same thing.


"these uploaded files are easily discoverable and inspectable"

Any clues as to how they are this way? S3 buckets with credentials the same for all customers or similar?


From the article:

> One of the useful features of this multiscanner is that they allow searching for similar malware to get some context, and in doing so, we stumbled across a couple of files that were very different.

> We noticed that the other files were all uploaded by a similar uploader.

It appears they then automated downloading samples and scanned for content.

From what I can tell, the files were discoverable by anyone that was able to access/search this multiscanner service.

For instance, malwr.com allows the downloading of samples by authenticated users. VirusTotal also allows researchers access to download submissions via their private API[0].

[0] https://www.virustotal.com/en/documentation/private-api/#fil...


Wow didn't know that.

I uploaded a few suspected files to virustotal for a quick check but will have to refrain from doing that in the future.


If you're comfortable uploading something to a server, you should be comfortable with that server (and any of its owners/operators) reading it.

While I also didn't know those sites let other people download the samples, that doesn't change how much I trust them, since my model has changed from "whatever randos own this website see this file" to "whatever randos own this website, plus whatever randos they appoint, can see this file". In either case, I must trust "whatever randos own this site", and so them delegating that trust shouldn't change much.

There's a bit of a grey area around uploading something to a VPS host that you control, but unless you signed an agreement explicitly saying that your stuff won't be looked at, expect it to be.

And for the sake of cliche, it's safest to just assume anything you upload to the internet is public. Don't assume otherwise unless you really really need to, and make sure there's at least some legal and/or cryptographic protection for you if you're going that route :)


Let's not confuse reading a file and reading a file then redistributing it to whoever is willing to pay for it.


This article is really misleading. You have to explicitly turn on the feature to upload files, and the product warns you explicitly of the implications when you try to enable it.


I was getting progressively more and more annoyed that they weren't addressing this as I read the article.

The setting in question is the "Analyze Unknown Binaries" options, right? Which I believe are disabled by default in the default group settings. They should probably have a big ass warning on there, but last time I set up CB Response it was glaringly obvious that you shouldn't enable it.


You've got to admit, it's an odd feature to have. No company would ever want this feature on. It goes against pretty much every data protection law going. Yet they have it, and it's a click or two away with some mild small print? Sheesh. It's like selling a walking boot with a shotgun attached pointing at the toes with a label on the trigger saying "do not pull".


It's not mild small print. It's a huge popup with explicit details. I've seen it. You've got to be an idiot to not understand what you're doing.

Some folks use it in lab environments where the information present is very controlled.

This article is a straight up hit piece.


Software that is designed to prevent malware from uploading sensitive information to the internet has an option to upload sensitive information to the internet. What idiot thought that was a good feature to add regardless of the warnings? It makes the software do the complete opposite of what it's supposed to do.

If someone needed that then it should have been a special version of the software, not something that's a single option to enable. Way too easy for it to get turned on by accident. Even smart people sometimes make mistakes, not to mention interns, management that likes to pretend they're techies, botched upgrades, etc.


You can't go browsing around VirusTotal and download other people's submissions. So... a VT partner allows you to? Because that's what's described here. Any idea which VT partner allows downloading of original files?

