Virustotal

Markverhyden

We all use it to scan files we may have some suspicions about. Nothing new there. But I never really knew if the companies providing the engines did much with the data. Now it looks like they do. At least one, ESET.

My almost daily email from The Hacker News had this article - https://thehackernews.com/2018/07/windows-adobe-zero-exploit.html

Someone had uploaded an unarmed file, meaning it had code but was not set to activate/run. It contained 2 unknown zero day exploits, one for Adobe and one for M$ OS's.

It makes sense that black hats might use the service for checking their exploits. And it makes even more sense that the engine providers are actually looking at files that come up clean.
 
Not a smart blackhat, or just made a mistake. Most bad guys avoid VirusTotal for this reason & use sites like nodistribute that don't share results.
 

Yeah, but we really don't know, do we, if the results really are secure. After all it would be a great type of honey pot for some alphabet soup agency in some country.
 
Perhaps it was someone that recently purchased a 0 day and wanted to confirm it wasn't picked up. It seems unlikely that ESET really picked up on that sample and reported it in a super speedy fashion so perhaps the exploit already served its purpose before it was patched.
 