By Dancho Danchev
Aiming to ensure that their malware doesn’t end up in the hands of vendors and researchers, cybercriminals are actively experimenting with different quality assurance processes whose objective is to increase the probability of their campaigns successfully propagating in the wild without detection.
Some of these techniques include multiple offline antivirus scanning interfaces offering the cybercriminal a guarantee that their malicious program would remain undetected, before they launch their malicious campaign in the wild.
In the wild since 2006, Kim’s Multiple Antivirus Scanner is still actively used among cybercriminals wanting to ensure that their malicious software is pre-scanned against the signature-based scanning techniques offered by multiple antivirus vendors.
Let’s review Kim’s Multiple Antivirus Scanner, and discuss when it’s an important tool in the arsenal of the malicious cybercriminal spreading malware for profit.
Screenshots of the Kim’s Multiple Antivirus Scanner interface:
It currently supports the following AV Engines:
- Dr. Web
- Quick Heal
Webroot SecureAnywhere isn’t included in the package. Thankfully, tools like Kim’s Multiple Antivirus Scanner do not take into account the multi-layered protection strategies built into popular applications such as Webroot SecureAnywhere, namely behaviour-based blocking techniques that are independent of signatures.
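To make the distinction in the previous paragraph concrete, the following added example (not code from Webroot, from the post, or from the scanner described here) contrasts the two layers: a byte-pattern signature check of the kind an offline multi-AV scanner exercises, and a behaviour-based rule set that scores what a program does at runtime. The signatures, rule names, weights, the sample byte strings and the event log lines are all constructed for illustration; a repacked build that the signature no longer matches is still blocked because its runtime behaviour is unchanged.

```python
"""Constructed contrast between signature-based and behaviour-based detection.

Illustrative only: the signatures, behaviour rules, byte strings and event
log lines below are invented for this example.
"""
from dataclasses import dataclass
import re

# --- Layer 1: signature-based scanning (the only layer an offline multi-AV
#     scanner can exercise) ---

# Constructed "signatures": fixed byte sequences an engine would search for.
SIGNATURES = {
    "Trojan.Example.A": b"\x4d\x5a\x90\x00EVIL_PAYLOAD_MARKER",
}


def scan_signatures(sample: bytes, signatures=SIGNATURES):
    """Return the names of all signatures whose byte pattern occurs in the sample."""
    return [name for name, pattern in signatures.items() if pattern in sample]


# --- Layer 2: behaviour-based blocking (signature-independent) ---

@dataclass(frozen=True)
class BehaviourRule:
    name: str
    pattern: str   # regex matched against one runtime event line
    weight: int


# Constructed rules keyed on what the program *does*, not on what it looks like.
RULES = [
    BehaviourRule("write_autorun_inf",
                  r"^FILE_WRITE .*[\\/]autorun\.inf$", 40),
    BehaviourRule("run_key_persistence",
                  r"^REG_SET HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 30),
    BehaviourRule("drop_and_execute",
                  r"^PROCESS_CREATE .*%TEMP%[\\/].*\.exe$", 30),
    BehaviourRule("outbound_beacon",
                  r"^NET_CONNECT ", 10),
]
BLOCK_THRESHOLD = 60   # constructed threshold: block when the summed weights reach it


def score_behaviour(events, rules=RULES):
    """Match each event line against every rule; a rule counts once however often it fires."""
    fired = set()
    for line in events:
        for rule in rules:
            if re.search(rule.pattern, line):
                fired.add(rule)
    score = sum(rule.weight for rule in fired)
    return score, sorted(rule.name for rule in fired)


def verdict(sample: bytes, events):
    """Combine both layers: block on any signature hit or on a high behaviour score."""
    sig_hits = scan_signatures(sample)
    score, fired = score_behaviour(events)
    return {
        "signature_hits": sig_hits,
        "behaviour_score": score,
        "behaviour_rules": fired,
        "blocked": bool(sig_hits) or score >= BLOCK_THRESHOLD,
    }


# Constructed samples: an "original" build carrying the marker the signature
# keys on, a "repacked" build of the same program without it, and a benign file.
ORIGINAL_SAMPLE = b"\x4d\x5a\x90\x00EVIL_PAYLOAD_MARKER\x55\x8b\xec\x83\xec\x10"
REPACKED_SAMPLE = b"\x4d\x5a\x90\x00\x8b\x44\x24\x04\x55\x8b\xec\x83\xec\x10"
BENIGN_SAMPLE = b"\x4d\x5a\x90\x00hello world"

# Constructed runtime event logs (one event per line, as a sandbox might emit).
MALICIOUS_EVENTS = [
    r"FILE_WRITE E:\autorun.inf",
    r"REG_SET HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater = %TEMP%\svc.exe",
    r"PROCESS_CREATE %TEMP%\svc.exe",
    r"NET_CONNECT 203.0.113.10:8080",
]
BENIGN_EVENTS = [
    r"FILE_WRITE C:\Users\x\Documents\report.docx",
    r"NET_CONNECT 203.0.113.5:443",
]

if __name__ == "__main__":
    for label, sample, events in [
        ("original", ORIGINAL_SAMPLE, MALICIOUS_EVENTS),
        ("repacked", REPACKED_SAMPLE, MALICIOUS_EVENTS),
        ("benign", BENIGN_SAMPLE, BENIGN_EVENTS),
    ]:
        print(label, verdict(sample, events))
```

The repacked build scores zero signature hits, which is exactly the result a multi-AV pre-scan would report, yet it still trips three of the four behaviour rules and is blocked; the benign file only triggers the low-weight network rule and stays under the threshold.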
What’s worth pointing out is how cybercriminals have managed to build this application around pirated versions of the included antivirus scanners. Kim’s Multiple Antivirus Scanner can easily change the sensitivity of the heuristic engines built into the antivirus software, but its primary goal is to pre-scan a malicious binary against the most recently updated databases of all the vendors, in order to ensure that it will bypass signature-based scanning.
Piracy, on the other hand, plays a crucial role in the dissemination of malware. Multiple reports confirm that, despite Microsoft’s efforts to slow the growth rate of AutoRun infections by issuing a special patch for the purpose, millions of end users and corporate users continue browsing the Web using pirated Windows versions, which prevents the installation of critical updates thanks to the Windows Genuine Advantage wall.