Only Around 25 Percent of Uploaded Malware is Shared with VirusTotal and Other Multi-scanners

According to a report released by BleepingComputer security news editor Catalin Cimpanu, approximately 75 percent of all malware samples that get uploaded to no-distribute scanners don’t get shared with multi-scanners later on. VirusTotal, Jotti’s malware scan and other similar sites send information about scanned files back to infosec labs, which then use it to perform additional research about malicious infections.

However, this sort of data sharing can raise some potential red flags regarding privacy issues. Many people, notably those with sensitive documents, would prefer not to share this information with security companies. This is especially true of those who are using the Internet for malicious purposes, as they don’t wish to divulge whatever they’ve done with their connections.

On top of this, no-distribute scanners don’t provide any sort of API to outsiders. As a result, security research labs don’t benefit from files uploaded to these scanners. On average, it seems that these labs receive far less data than was originally believed.

Recorded Future, a US-based security company, states that this means quite a bit of malware remains unknown to those who write the code for scanning software. Many antivirus products will eventually be able to detect these samples in spite of this fact, but it greatly increases the time it takes to catch new infections.

From what security experts can tell, around 45 percent of the small number of samples that do get uploaded to major players like VirusTotal were originally seen by a no-distribute scanner. Some have even gone so far as to suggest that malware authors are learning not to upload samples of their own work to VirusTotal and other similar sites so that they don’t get found out too early.

Malicious software developers do have to run AV checks on their own code, though, to make sure that heuristic detection can’t flag it right away. They might be uploading samples to no-distribute scanners in order to avoid any bits of code getting relayed back to a lab.

Nevertheless, privacy concerns raised by legitimate users may lead to changes in the industry that could at least help increase the amount of malware uploaded to traditional scanners while assuaging those concerns.

John Rendace
John is a GNU/Linux expert with a hobbyist's background in C/C++, Web development, storage and file system technologies. In his free time, he maintains custom and vintage PC hardware. He's been compiling his own software from source since the DOS days and still prefers using the command line all these years later.