> One of the useful features of this multiscanner is that they allow searching for similar malware to get some context, and in doing so, we stumbled across a couple of files that were very different.
> We noticed that the other files were all uploaded by a similar uploader.
It appears they then automated downloading samples and scanned for content.
From what I can tell, the files were discoverable by anyone that was able to access/search this multiscanner service.
For instance, malwr.com allows the downloading of samples by authenticated users. VirusTotal also allows researchers access to download submissions via their private API[0].
If you're comfortable uploading something to a server, you should be comfortable with that server (and any of its owners/operators) reading it.
While I also didn't know those sites let other people download the samples, that doesn't change how much I trust them, since my model has changed from "whatever randos own this website see this file" to "whatever randos own this website, plus whatever randos they appoint, can see this file". In either case, I must trust "whatever randos own this site", and so them delegating that trust shouldn't change much.
There's a bit of a grey area around uploading something to a VPS host that you control, but unless you signed an agreement explicitly saying that your stuff won't be looked at, expect it to be.
And for the sake of cliché, it's safest to just assume anything you upload to the internet is public. Don't assume otherwise unless you really, really need to, and make sure there's at least some legal and/or cryptographic protection for you if you're going that route :)
Any clues as to how they are this way? S3 buckets with credentials the same for all customers or similar?