Unclassified malware samples from U.S. Cyber Command will be shared with VirusTotal by the Cyber National Mission Force.
VirusTotal aggregates malware and malicious URL data from antivirus products and allows anyone to submit samples for inclusion in the database. The CNMF — the action arm of Cyber Command responsible for planning and directing cyberoperations — said in a short post that it will be sharing unclassified U.S. Cyber Command malware samples “that it believes will have the greatest impact on improving global cybersecurity.”
Stephen Gillett, CEO and co-founder of Chronicle, praised the move by CNMF to share Cyber Command malware.
“VirusTotal is part of Chronicle, Alphabet’s enterprise cybersecurity company. It’s one of the largest malware intelligence services in the world, and supports a global community of security researchers and responders. VirusTotal has always been focused on information sharing as a way of making the security community stronger, and today we work with multiple groups within the U.S. federal government,” Gillett wrote via email. “We believe strongly in the value of collaboration between the private and public sectors, and we’re happy to see the announcement that U.S. Cyber Command will be sharing useful information with the broader security community. It will help everyone improve their defenses.”
CNMF made it clear that only unclassified Cyber Command malware samples will be shared, so it is unclear how much will actually be added to VirusTotal. CNMF has already submitted two Cyber Command malware samples to VirusTotal, both attributed to the Russian advanced persistent threat group Fancy Bear, aka Sofacy, the group accused of targeting the International Olympic Committee, attacking the Ukrainian military and hacking the DNC, among other operations.
The first sample submitted was a backdoor built on LoJack, the laptop anti-theft and recovery agent, and the second was the UEFI rootkit known as LoJax, which abuses the same LoJack agent to persist in system firmware.
Jake Williams, founder and president of Rendition Infosec, based in Augusta, Ga., said the initiative to share Cyber Command malware with VirusTotal “has serious potential to disrupt adversary activities.”
“There are millions of samples added to VirusTotal every month. If CNMF flags any of them as interesting, they are likely to get immediate attention by researchers,” Williams said via Twitter direct message. “From an adversary point of view, their malware was already discovered by at least one antivirus, but perhaps nobody was really paying attention to it, classifying it as commodity malware. A bump from CNMF can change that.”
Williams noted this was how the original Duqu dropper malware was brought to the attention of researchers in 2011.
“The Duqu dropper was in Kaspersky’s data set for months before another firm highlighted that it was both malicious and likely nation-state,” Williams said. “Then Kaspersky jumped on it and performed deep dive analysis. I think CNMF can have a similar impact on malware research.”