'Plague Scanner' controls multiple AV engines, for $0.00
Open-sourcery tries to take down commercial AV frameworks
Security researcher Robert Simmons has released a tool that adds a new level of stealth to the malware cat-and-mouse game by keeping binary analysis off the public web.
"Plague Scanner" is a free on-premises anti-virus framework - a class of tool that drives multiple anti-virus scanners at once - and, its author says, the only free alternative to commercial frameworks or online services.
It can help businesses to analyse malware containing potentially sensitive corporate information, or black hats to test their wares without exposing either to traditional public web services like VirusTotal.
Simmons (@MalwareUtkonos) says the only commercial on-premises multi-engine antivirus scanners worth their salt are hugely expensive and out of the range of small to medium businesses, independent researchers, and probably black hats.
“You have an unknown binary from when one employee at your company was phished; [that] bait could be related to your company and you don't want it to get out into the world,” Simmons says.
“But you want that binary to have as many AV scans as possible – this is the problem Plague Scanner tries to solve.”
“I asked [threat researchers] 'why isn't there an open source AV scanner framework?' 'Why is it that there are only the major ones online and this super-expensive closed-source one?'
“My goal is to have all of the AV scanners. All the AV scanners. All of them.”
Plague Scanner is designed to work with any antivirus engine: open source engines, commercial Linux and Windows command-line scanners, and even “horrible” GUI-only products.
The system could be as much of a gift to black hats as to white hats, since it would let them quietly check their malware against anti-virus engines without the exposure that comes with an online VirusTotal submission.
Malware researchers regularly find new malware through the likes of VirusTotal as VXers test their obfuscation techniques against it.
Plague Scanner is built on Python 3 and binds proprietary anti-virus products together behind one interface, Simmons says. It sports a Yapsy plugin system, QEMU or VirtualBox virtualisation for engines that need their own machine, and report output via JSON and Elasticsearch. ®
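To make the "framework" idea concrete, here is an added Python 3 sketch of what a multi-engine scanner of this kind does. It is illustration written for this page, not Plague Scanner's own code or one of its Yapsy plugins, and it makes a few assumptions: each engine is driven as a command-line tool through a small plugin class (a hand-rolled registry stands in for Yapsy); the `clamscan` output and exit-code convention it parses (`<path>: <signature> FOUND`, exit status 1 on detection, 0 clean, 2 on error) is the real one; the `DemoEngine` and its EICAR check are constructed so the script runs with no AV installed; and the JSON it emits is the sort of document you would index into Elasticsearch, with the indexing call itself left out.

```python
"""Minimal multi-engine AV scanning framework (added example, not Plague Scanner's code)."""
import hashlib
import json
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass
class Verdict:
    engine: str
    detected: Optional[bool]        # None means the engine failed or is not installed
    signature: Optional[str]
    error: Optional[str] = None


class Engine:
    """Plugin interface. Subclasses register themselves (a hand-rolled
    stand-in for a Yapsy-style plugin directory; assumption, not the project's API)."""
    name = "abstract"
    registry: List["Engine"] = []

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        Engine.registry.append(cls())

    def command(self, path: str) -> List[str]:
        raise NotImplementedError

    def parse(self, returncode: int, stdout: str) -> Verdict:
        raise NotImplementedError

    def scan(self, path: str) -> Verdict:
        """Run the engine's CLI on one file; never raise, always return a Verdict."""
        cmd = self.command(path)
        if shutil.which(cmd[0]) is None:
            return Verdict(self.name, None, None, f"{cmd[0]} not installed")
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
        except subprocess.TimeoutExpired:
            return Verdict(self.name, None, None, "timeout")
        return self.parse(proc.returncode, proc.stdout)


class ClamAV(Engine):
    """Real clamscan conventions: '<path>: <sig> FOUND' on stdout, exit 1 = infected."""
    name = "clamav"
    _found = re.compile(r"^(?P<path>.*): (?P<sig>.+) FOUND$", re.M)

    def command(self, path: str) -> List[str]:
        return ["clamscan", "--no-summary", path]

    def parse(self, returncode: int, stdout: str) -> Verdict:
        match = self._found.search(stdout)
        if returncode == 0:
            return Verdict(self.name, False, None)
        if returncode == 1 and match:
            return Verdict(self.name, True, match.group("sig"))
        return Verdict(self.name, None, None, f"clamscan exit status {returncode}")


# Standard EICAR test string, assembled as bytes; the engine below is constructed
# for this example so the framework runs offline with no AV product installed.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class DemoEngine(Engine):
    name = "demo"

    def scan(self, path: str) -> Verdict:
        with open(path, "rb") as fh:
            hit = EICAR in fh.read()
        return Verdict(self.name, hit, "EICAR-Test-File" if hit else None)


def build_report(name: str, data: bytes, verdicts: List[Verdict]) -> dict:
    """Aggregate per-engine verdicts into one JSON-serialisable document.
    Engines that failed are counted separately so they do not deflate the ratio."""
    usable = [v for v in verdicts if v.detected is not None]
    hits = [v for v in usable if v.detected]
    return {
        "sample": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "engines_run": len(verdicts),
        "engines_ok": len(usable),
        "detections": len(hits),
        "detection_ratio": f"{len(hits)}/{len(usable)}",
        "signatures": {v.engine: v.signature for v in hits},
        "results": [asdict(v) for v in verdicts],
    }


def scan_file(path: str, engines: Optional[List[Engine]] = None) -> dict:
    """Run every registered engine (or a chosen subset) over one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    verdicts = [engine.scan(path) for engine in (engines or Engine.registry)]
    return build_report(path, data, verdicts)


if __name__ == "__main__":
    # usage: python plague_sketch.py <file>
    print(json.dumps(scan_file(sys.argv[1]), indent=2))
```

The per-engine `parse` step is where the real work of such a framework lives: every product has its own output format and exit-code meaning, and an engine that is missing or times out must be reported as "no result" rather than "clean", otherwise the detection ratio quietly lies. The report dictionary is what would go to Elasticsearch in a setup like the one the article describes.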