Google’s VirusTotal is also a tool for espionage and hacking

Düsseldorf. VirusTotal’s homepage looks like a Wikipedia for malware. Anyone can use the malware database free of charge. But that includes the cybercriminals whose attacks most users want to protect themselves against.

VirusTotal is a free online platform operated by Google. It is the largest and most comprehensive malware database on the web. Users can upload individual files, which are then checked online by more than 70 different antivirus engines and malware scanners.

Conceptually, VirusTotal is a good thing for the cybersecurity industry, says Stefan Pechardscheck, global head of technology at the consulting firm BearingPoint. “There is a greater chance that one of the programs will detect a virus than if you only use virus detection software.”

But there is also potential for abuse. Whoever uploads data to VirusTotal gives up the confidentiality of that data: by accepting the terms of use, the uploader consents to the data being passed on to third parties. The platform gives paying customers access to all files uploaded to VirusTotal.


The Federal Office for Information Security (BSI), Germany’s highest authority for the protection of IT infrastructure, warns companies in a letter: in addition to customers such as companies, intelligence services, researchers and journalists, each of the more than 70 antivirus vendors can also obtain a copy of the uploaded files. Many of these companies are based outside the EU, such as the Russian antivirus vendor Kaspersky.

Google does not rule out Kaspersky

It can be assumed that “institutions worldwide will evaluate the files uploaded to VirusTotal as part of (economic) espionage,” writes the BSI. The authority recently advised against continued use of Kaspersky antivirus software because Russia could enlist IT providers in a cyber attack against Germany.

However, Kaspersky is still active on VirusTotal, as the platform’s directory of contributing engines shows. Asked whether Google intends to exclude Russian providers as a consequence of the war in Ukraine, the group replied: “We continue to examine the effects of sanctions on our products and services and comply with them where necessary.”

(Photo: Kaspersky antivirus software, imago/Schöning) The Russian company has integrated its scanner into VirusTotal, which also means that sensitive uploaded data can flow into the country.

According to Google Germany, all VirusTotal customers go through a verification process. “You are signing our Terms of Service, which prohibit sharing any files or content outside of VirusTotal. Once a file is shared with the VirusTotal community, it is only available for download to premium users.” Files and their content are never shared with non-customers, the company says.

Andreas Rohr, CTO of the German Cyber Security Organization (DCSO), points out: “The terms of use exclude criminal organizations or states, and they will certainly not get an account there, but they could create a fake account, as with shell companies.”

German companies upload sensitive content

IT expert Pechardscheck says that non-critical documents can be uploaded to services such as VirusTotal or the alternative Jotti’s Malware Scan. Industrial research data, trade secrets and internal security reports should not be.

Yet German companies upload exactly this kind of sensitive content to the platform. Even operators of critical infrastructure, who should be applying heightened cyber security standards, are affected.

The BSI found that some companies uploaded e-mail attachments to VirusTotal in a partially automated manner. Cyber security warnings and status reports from the authority itself also ended up on the platform and must be “considered as expired”.

Cyber expert Rohr says companies are somewhat naive in their use of the service. Some upload documents to VirusTotal directly from their own corporate network. “The service logs which country a file was uploaded from and by whom (e.g. via the IP address). In the past, this has linked companies to certain attack campaigns, which was previously not publicly known.”

Instead of uploading the original file, you should compute a hash value of it and use that to check whether the file is already known to be malicious. “SHA256, a well-established method of creating a hash value, is comparable to a unique fingerprint.”
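The hash-first workflow described above, as an added example (not code from the article, the BSI or DCSO): the file is hashed locally with SHA-256 and only the 64-character digest is sent to VirusTotal’s public v3 file-report endpoint (`GET /api/v3/files/{sha256}`, authenticated with an `x-apikey` header). The environment variable name `VT_API_KEY`, the sample content and the `opener` parameter used for offline testing are this example’s own conventions.

```python
"""Check a file against VirusTotal by SHA-256 instead of uploading it.

Added example, not code from the article, the BSI or DCSO. Assumes the public
VirusTotal API v3 file-report endpoint GET /api/v3/files/{sha256} with the
"x-apikey" header; VT_API_KEY is this example's own variable name.
"""
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request

VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/{digest}"
CHUNK_SIZE = 1024 * 1024  # hash large attachments without loading them into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of the file at `path`, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup_request(digest, api_key):
    """Build the hash-lookup request. Only the digest leaves the network; the file never does."""
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a lowercase hex SHA-256 digest")
    return urllib.request.Request(
        VT_FILE_ENDPOINT.format(digest=digest),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def lookup_hash(digest, api_key, opener=urllib.request.urlopen):
    """Ask VirusTotal for an existing report on `digest`.

    Returns the engine verdict counts, e.g. {"malicious": 3, "undetected": 60},
    or None when VirusTotal has never seen the hash. `opener` is injectable so
    the function can be exercised offline.
    """
    req = vt_lookup_request(digest, api_key)
    try:
        with opener(req) as resp:
            report = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            # Nobody has uploaded this exact file. That is NOT a clean verdict; it only
            # means the sample is unknown. A unique internal document always lands here.
            return None
        raise
    return report["data"]["attributes"]["last_analysis_stats"]


def verdict(stats):
    """Reduce the verdict counts to a one-word decision."""
    if stats is None:
        return "unknown"
    return "malicious" if stats.get("malicious", 0) > 0 else "clean"


def demo():
    """Hash a constructed sample file and build the lookup; send it only if a key is set."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello world")  # constructed sample content standing in for an attachment
        path = tmp.name
    try:
        digest = sha256_file(path)
    finally:
        os.unlink(path)
    api_key = os.environ.get("VT_API_KEY")
    if api_key:
        print(digest, verdict(lookup_hash(digest, api_key)))
    else:
        print("would query", vt_lookup_request(digest, "<key>").full_url)
    return digest


if __name__ == "__main__":
    demo()
```

Two caveats the article’s advice leaves implicit: a hash lookup still tells VirusTotal (and thus Google) which files you are interested in, so the IP-logging point Rohr raises applies to lookups as well, just without the content; and a 404 (“unknown”) is not a clean bill of health, it only means no one has uploaded that exact file, which is exactly what you should expect for a genuinely internal document.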

Uploaded files can be deleted afterwards. But the BSI also writes that in some cases VirusTotal refuses deletion requests for files that were uploaded by mistake. “Even if a document was deleted afterwards, the content was probably leaked to a majority of third parties immediately after it was uploaded,” says the BSI. It is not possible to determine which VirusTotal customers have already accessed an uploaded document.

Google Germany states that it refuses to delete files only “if the uploaded file is proven to be malicious”. This is meant to prevent attackers from removing their own malware. Deletion is also denied if the requester is not the owner of the file.

Cyber criminals test their malware

A criticism levelled at VirusTotal for years: malware authors also use the service, testing their viruses against it. “The criminals upload infected files and check whether the software detects the malware. If it is detected, the hackers can continue to tweak it,” says BearingPoint expert Pechardscheck.

What’s more, anyone, including potential cybercriminals, can subscribe to a notification service on VirusTotal for newly uploaded files. VirusTotal Intelligence lets users set filters on any kind of keyword, such as “internal” or “classified information”. When new documents containing these terms appear, subscribers are notified of the upload in real time. In this way, premium customers can get hold of potentially confidential documents.

The platform can also serve as an early warning system that tells cyber attackers when they have been exposed. IT specialist Rohr explains: “If I, as an attacker, for example a nation state, write certain malware, I watch VirusTotal to see whether it is uploaded and thus notice when my attack has been detected.”
