 Upload 4000 viruses to different cloud storages – TEST

Tom Grant
Last updated: 13 October

Experts regularly announce one file storage service or another as a new base for hacker attacks. This is a real problem, and in theory the owners of these services should deal with it. So I decided to do a little research: create accounts in well-known cloud services and check how effective their anti-virus protection actually is.

Contents

  • Sample preparation
  • Control check
  • Google Drive
  • Amazon Drive
  • Yandex Disk
  • Dropbox
  • Box
  • Proton Drive
  • iCloud
  • Mail.ru cloud
  • OneDrive
  • Mega
  • Summary statistics
  • Conclusions

Attention! Spreading malware is a criminal offence.

The actions described below were not intended to distribute malware and harm anyone. During the experiments, not a single file left the private disk space allocated for test accounts. None of the files have been published in any way. Not a single malicious program was used for its intended purpose. No computer system or user was affected. All malicious files were destroyed. All the events described are the product of the imagination of the author of the text and did not take place in reality.

The objects of research are ten storage services, the ones whose names came to mind first:

  1. Google Drive
  2. Amazon Drive
  3. Yandex Disk
  4. Dropbox
  5. Box
  6. Proton Drive
  7. iCloud
  8. Mail.ru cloud
  9. OneDrive
  10. Mega

I decided to use the web versions of these services to upload files and created a new account in each of them.

Sample preparation

Let’s see what the world’s virus industry has to offer, since information security specialists collect and regularly update collections of malware. To start the experiment, the APT Collection for 2021 from the vx-underground portal is quite suitable. This is a 3.5 GB archive of malware discovered during the investigation of various targeted attacks on the corporate sector. I sorted the samples by time and took the 50 most recent ones.

Some very nasty things ended up in this selection, for example:

  1. Hello Kitty/FiveHands is the latest version of the famous ransomware discovered in January 2021. It uses vulnerabilities in SonicWall products to penetrate internal company networks (sample 2021.10.28).
  2. FiveSys is a rootkit with a valid Microsoft digital signature that slips an auto-configuration script into browsers and redirects Internet traffic to an attacker’s proxy server. By the way, at the same time it blocks the download of drivers from other hacker groups (sample 2021.10.20(1)).
  3. PseudoManuscrypt is a multifunctional malware that steals VPN connection data, logs keystrokes, takes screenshots, extracts data from the clipboard and operating system logs, and so on. Before the first detection, it managed to infect more than 35,000 computers in 195 countries around the world (sample 2021.12.16).

The files themselves have long names, so for simplicity, I renamed the samples according to the names of the folders in which they were located, and made three copies:

  1. original malicious files, without additional packaging;
  2. the same files placed in zip archives with a medium compression level;
  3. the same files in zip archives with a medium compression level, protected with a nine-digit password.

It’s worth mentioning that .zip does not hide the names of the archived files, even if the archive is password protected. The format also reveals the CRC checksums and sizes of the archived files. In theory, this metadata can be used to detect known malware without the password, which is why malware researchers typically use 7-Zip to transfer files: it hides more information about the contents of the archive. At the same time, real attackers actively use various obfuscation methods, but this is a simple basic experiment, so I did not further complicate the work of the antiviruses.
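To show what a scanner can read from a password-protected zip without the password, here is an added example (not code from the original article) that parses the central directory by hand and matches entries against a lookup table of known samples by CRC-32 and size. The sample files, the lookup table and the helper that sets the "encrypted" flag are all constructed for the demo, since Python's zipfile cannot write real encrypted entries.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-ins for samples: harmless bytes, not real malware.
SAMPLE_A = b"demo sample A: stands in for 2021.10.28\n" * 8
SAMPLE_B = b"demo sample B: an unrelated file\n" * 8
# A defender's table of known samples keyed by (CRC-32, uncompressed size).
KNOWN = {(zlib.crc32(SAMPLE_A), len(SAMPLE_A)): "demo-sample-A"}

CD_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry data is encrypted


def _central_directory_records(zip_bytes):
    """Yield the offset of every central directory header, located via the EOCD."""
    eocd = zip_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD after the signature: disk(2) cd_disk(2) n_disk(2) n_total(2)
    # cd_size(4) cd_offset(4) comment_len(2)
    n_total, _cd_size, pos = struct.unpack_from("<HII", zip_bytes, eocd + 10)
    for _ in range(n_total):
        if zip_bytes[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", zip_bytes, pos + 28)
        yield pos
        pos += 46 + name_len + extra_len + comment_len


def list_entries(zip_bytes):
    """Return the metadata a ZIP stores in the clear for every entry.
    None of it needs the password: only the entry *data* is encrypted."""
    entries = []
    for pos in _central_directory_records(zip_bytes):
        # After the signature: ver_made(2) ver_need(2) flags(2) method(2)
        # time(2) date(2) crc(4) csize(4) usize(4) name_len(2) extra(2) comment(2)
        (flags, method, crc, csize, usize, name_len, _extra,
         _comment) = struct.unpack_from("<4xHH4xIIIHHH", zip_bytes, pos + 4)
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8")
        entries.append({"name": name, "crc32": crc, "size": usize,
                        "compressed_size": csize, "method": method,
                        "encrypted": bool(flags & FLAG_ENCRYPTED)})
    return entries


def match_known_samples(zip_bytes, known=KNOWN):
    """Flag entries whose (CRC-32, size) pair matches a known sample; this works
    on password-protected archives too, because those fields are never encrypted."""
    return [(e["name"], known[(e["crc32"], e["size"])], e["encrypted"])
            for e in list_entries(zip_bytes) if (e["crc32"], e["size"]) in known]


def build_demo_archive():
    """Constructed test archive holding the two stand-in files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("2021.10.28.bin", SAMPLE_A)
        zf.writestr("notes.txt", SAMPLE_B)
    return buf.getvalue()


def simulate_password_protection(zip_bytes):
    """Set the 'encrypted' flag in every local and central header. This only
    mimics the metadata of a password-protected archive (the data is not really
    encrypted); the point is that names, CRCs and sizes stay exactly as they were."""
    buf = bytearray(zip_bytes)
    for pos in _central_directory_records(zip_bytes):
        local = struct.unpack_from("<I", buf, pos + 42)[0]  # offset of local header
        buf[pos + 8] |= FLAG_ENCRYPTED     # central directory flags, low byte
        buf[local + 6] |= FLAG_ENCRYPTED   # local file header flags, low byte
    return bytes(buf)


if __name__ == "__main__":
    protected = simulate_password_protection(build_demo_archive())
    for entry in list_entries(protected):
        print(entry)
    print("matches:", match_known_samples(protected))
```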

Control check

Most of the samples in this collection are familiar to antivirus solutions and cause multiple positives when uploaded to VirusTotal.

Sample | Password-protected archive (number of hits) | Archive | Original file
--- | --- | --- | ---
2021.12.31 | 0 | 49 | 60
2021.12.30 | 1 (Fortinet) | 20 | 31
2021.12.28 | 1 (Fortinet) | 4 | 4
2021.12.17(1) | 0 | 2 | 2
2021.12.17(2) | 1 (Fortinet) | 37 | 42
2021.12.16(1) | 0 | 31 | 36
2021.12.16(2) | 0 | 38 | 45
2021.12.16 | 0 | 45 | 53
2021.12.15(1) | 1 (Fortinet) | 29 | 27
2021.12.14 | 0 | 31 | 34
2021.12.09 | 1 (Fortinet) | 45 | 56
2021.12.08 | 0 | 35 | 28
2021.12.07 | 0 | 0 | 0
2021.12.07(1) | 0 | 17 | 21
2021.12.06 | 0 | 30 | 34
2021.12.04 | 0 | 19 | 27
2021.12.03 | 0 | 38 | 46
2021.12.01 | 1 (Fortinet) | 30 | 32
2021.12.01(1) | 1 (Fortinet) | 36 | 45
2021.11.30 | 0 | 33 | 35
2021.11.29 | 0 | 37 | 36
2021.11.29(1) | 0 | 28 | 25
2021.11.23 | 0 | 23 | 29
2021.11.22 | 1 (Fortinet) | 43 | 41
2021.11.18 | 1 (Acronis, Static ML) | 35 | 38
2021.11.17 | 1 (Fortinet) | 36 | 45
2021.11.10(2) | 0 | 30 | 31
2021.11.10(1) | 0 | 33 | 30
2021.11.08 | 0 | 42 | 52
2021.11.07 | 1 (Fortinet) | 40 | 46
2021.11.07(1) | 0 | 0 | 2
2021.11.03 | 1 (Fortinet) | 44 | 52
2021.11.02 | 1 (Fortinet) | 27 | 31
2021.10.28 | 0 | 0 | 0
2021.10.28(1) | 0 | 22 | 20
2021.10.27 | 1 (Fortinet) | 41 | 41
2021.10.27(1) | 0 | 48 | 50
2021.10.26 | 0 | 44 | 52
2021.10.26(1) | 0 | 33 | 37
2021.10.20(1) | 1 (Fortinet) | 41 | 45
2021.10.19 | 0 | 26 | 24
2021.10.19(1) | 1 (Fortinet) | 45 | 52
2021.10.18 | 1 (Fortinet) | 45 | 52
2021.10.14 | 0 | 30 | 33
2021.10.12 | 0 | 42 | 48
2021.10.11 | 1 (Fortinet) | 35 | 35
2021.09.30 | 0 | 30 | 31
2021.09.28(1) | 0 | 39 | 42
2021.09.23 | 0 | 38 | 44
2021.09.16 | 0 | 40 | 52

Samples packed in passwordless archives score slightly worse on average, but password-protected zip archives are practically not recognized at all. Only the anti-virus engine from Fortinet copes with them, correctly classifying individual suspicious samples despite the password protection. For example, it accurately identified spyware from the Kimsuky hacker group.

Only the Hello Kitty/FiveHands ransomware (sample 2021.10.28) and one of the exploits used by FIN13, a cybercriminal group that has been systematically attacking various organizations in Mexico since 2017 (sample 2021.12.07), went completely unnoticed. We will keep an eye on them, but now it’s time to fill the cloud storage.

Google Drive

I could not find any information about which antivirus solution is responsible for protecting Google Drive. Be that as it may, it checks all uploaded files up to 100 MB in size. However, the results of its work are not immediately visible.

I started the experiment by uploading the password-protected archives, and none of these files aroused Google’s suspicions either 24 hours or two weeks after the upload.

The second set of files – simple archives with samples – was also uploaded to the Drive without any problems. Neither an hour later nor 24 hours later did the storage raise an alarm. An unlucky hacker in my place would be delighted, but it’s too early to rejoice. If you try to generate a link to a file, a warning flag appears. The same thing happens with plain, unarchived samples.

If you don’t touch the file, it can sit on the Drive for a long time without being flagged as a violation of the service rules. Google Drive does not display a warning about the danger immediately, but upon the first interaction with the object. Perhaps it is at this moment that the scanner is triggered. After that, the mailbox quickly fills with warnings.

Interestingly, when downloading, Google simply warns of the danger, and the flag next to the file does not appear until you try to create a link.

When trying to open an infected file in Google Docs, a warning is displayed

As a result, it turned out that password-free archives do not affect the accuracy of the local anti-virus scanner. Google Drive did not recognize only 5 samples in both batches. The exploit from FIN13 and Hello Kitty/FiveHands passed undetected just like the Flagpro malware (sample 2021.12.28).

Amazon Drive

Amazon has announced that it plans to shut down the public cloud within a year, but as long as it’s available, it looks like hackers can easily use the platform to distribute malware. The experiment lasted two weeks and Amazon Drive did not find any of the 150 samples.

Yandex Disk

According to an article from Hacker magazine, in 2010 Yandex used solutions from Doctor Web in its infrastructure. Since then, a lot of water has flowed under the bridge, but the company’s file storage is still protected: “All files up to 1 GB in size created, uploaded or already stored on Yandex Disk are scanned by the Yandex Disk antivirus program”. Moreover, apparently, the check is performed immediately after the file is uploaded. The only question is how well this protection works.

Password-protected archives uploaded without problems and even after 14 days remained unnoticed, but this was expected. Much more interesting is the situation with regular archives and unpacked samples. Immediately after the archived samples were uploaded, Yandex Disk recognized 16 of them as malware and highlighted them with red icons. The rest of the files, including PseudoManuscrypt and Hello Kitty/FiveHands, passed the check and did not arouse any suspicion until the end of the experiment. Anyone could easily download them from public links.

Yandex prohibits sharing suspicious files in any way, but allows the account owner to download them back to their computer

The same set of unpacked malware caused only 15 detections. For some reason, the script from the WinPEAS set (sample 2021.11.17) looked more suspicious inside an archive than without it. It is not the only such case: in further experiments there were other similar examples. It looks like a peculiarity of the Yandex Disk anti-virus engine.

Dropbox

Until a few years ago, Dropbox did not have built-in antivirus protection, although users had suggested that it be implemented. At first, it seemed to me that the situation had not changed.

The password-protected archives uploaded without hindrance and after 24 hours were still in place. The same thing happened with the other two batches of samples, but the most interesting thing happened after creating a link to one of the files. Dropbox generated the URL, but at some point withdrew the link and about an hour later sent this notification:

After clicking on the button, access to the function was returned, but an attempt to create a link to another one of the samples led to a second ban. This time it was not so easy to remove the restriction.

Dropbox offered to contact support, but contacting them from a free account is difficult, to say the least. The chatbot does not understand what is wanted from it and refuses to invite live people into the chat. Perhaps they could have helped on the forum, but I did not look into it. In any case, I would not have seen the reaction of an administrator looking at the contents of my disk.

Normal human tech support at Dropbox is reserved for paid users

With all this, problematic files in Dropbox are not marked in any way, so I could not calculate how many samples were recognized by the built-in protection. Perhaps this can be called a flaw. It is easy to imagine a situation in which a user accidentally uploads a malicious file to the cloud and tries to share it. Then he encounters restrictions, does not understand anything, tries to share again and finally loses the ability to share files.

Box

The creators of Box promote a paid virus scanner, but public free accounts don’t protect anything in my experience. For two weeks, none of the 150 samples, archived or not, was detected. A basic defense wouldn’t hurt: by not checking free storage, Box puts its enterprise customers at risk first of all.

Proton Drive

Yep, it’s completely safe…

The new cloud storage from the creators of encrypted email made me upload the samples in three passes (there was too little space inside). Its creators focus on privacy and do not seem to check uploaded files in any way either. For 7 days, not a single sample was marked as malicious. However, one can make excuses for Proton. The storage is still in beta testing, and scanning user files does not go well with a focus on privacy and encryption.

iCloud

There are no viruses on Macs! Probably, this idea calms the Cupertino people so much that they did not connect the antivirus to iCloud. None of the samples were found during the experiment. Malicious files were freely downloaded from the generated links.

Mail.ru cloud

Mail (or is it VK?) writes that the files in the Cloud are protected by a solution from Kaspersky Lab. They even described on Habr how this antivirus scanner works.

Most likely, a lot has changed since then, but they still use the scanner developed in the Lab, and this solution proved to be worthy. Samples in password-protected archives were not detected, but in the case of other malware, the situation is better than, for example, in Yandex Disk.

Cloud Mail.ru checks files after uploading and immediately flags suspicious ones. The cloud anti-virus immediately recognized 40 archived samples, and a few minutes later added another one to the list. Among the plain files, 41 immediately received the status of suspicious. Only 9 samples remained unrecognized, including the already mentioned Flagpro, the FIN13 exploit, Hello Kitty/FiveHands, and the MonPass CA client application with a built-in backdoor (sample 2021.12.15(1)). Google Drive had marked that one as malicious.

As a result, the Cloud prohibits the sharing of dangerous files and blocks their sending by e-mail through the built-in quick send dialog, but there are no restrictions on working with other files in the storage.

OneDrive

And now the highlight of our program is OneDrive. Not least because of this service, Microsoft’s servers have been considered “the world’s best malware host” for many years.

For two weeks, 150 viruses were stored in the cloud and the service showed no signs of concern. It seemed that the company was not taking any measures against the spread of malware. It was possible to create a link to any of these files, and moreover a download dialog was available via the link. However, I noticed that the “download” button didn’t always respond to clicks: no warnings or explanations, it just didn’t work. I realized that this was not a bug only after I tried to download an entire folder at once.

Instead of some samples, it contained txt files with virus warnings. At the same time, there was not a single hint in the web interface that OneDrive detected malicious files, although it would be logical to warn the user about this.

Total: OneDrive recognized the danger in 31 samples from the first and second sets, but did not find anything suspicious in the password-protected archives.

Mega

In the case of Mega, the result is a little predictable – this file hosting has long been chosen by malware distributors, and this is not surprising. The absence of anti-virus checks and the interface for batch creation of public links make it very convenient for all sorts of dubious personalities.

Summary statistics

When I started researching, I expected to collect rich statistics on the number of detected malware samples and make comparisons. In reality, Mega, Amazon Drive, iCloud, Proton Drive and Box immediately dropped out of the competition: 5 storage services out of 10 did not detect a single dangerous file during the 14 days of the experiment. To get a slightly clearer picture, I decided to increase the number of samples uploaded. To do this, I took, packed and uploaded another 50 fresh samples from the Bazaar collection from July 2022. These are simpler malware that circulates freely on the network. Also, some anti-virus engines can unpack archives to scan the contents if they find a password nearby. So I added a fourth sample package, where next to each zip archive there is a txt file called “password” with the corresponding contents.

Here’s what happened:

Sample set | Google Drive | Mail.ru cloud | OneDrive | Yandex Disk | Dropbox | Mega, Amazon Drive, iCloud, Proton Drive, Box
--- | --- | --- | --- | --- | --- | ---
APT Collection – just files | 45 | 41 | 31 | 15 | ? | 0
APT Collection – archives | 45 | 41 | 31 | 16 | ? | 0
APT Collection – encrypted archives | 0 | 0 | 0 | 0 | ? | 0
APT Collection – encrypted archives + password | 0 | 0 | 0 | 0 | ? | 0
Bazaar Collection – just files | 49 | 43 | 39 | 29 | ? | 0
Bazaar Collection – archives | 49 | 43 | 39 | 31 | ? | 0
Bazaar Collection – encrypted archives | 0 | 0 | 0 | 0 | ? | 0
Bazaar Collection – encrypted archives + password | 0 | 0 | 0 | 0 | ? | 0

Built-in protection only works in Google Drive, Yandex Disk, Mail.ru Cloud, OneDrive and Dropbox. However, Dropbox doesn’t flag infected files, so it’s unclear how good its antivirus engine is.

It can be said that the anti-virus scanner built into Google Drive turned out to be the most accurate, but no cloud storage can accurately recognize the danger. It is also worth noting that Yandex Disk does a worse job of finding utilities that are used for targeted attacks, and generally shows itself weaker than its competitors.

Conclusions

As you can see, not all clouds are equally well protected from viruses. More precisely, half of them are completely unprotected. However, I cannot say that the absence of such protection is an unequivocal evil. Not all users want their files to be studied under a magnifying glass by the algorithms of corporations. This is not only a technical problem, but also, in part, an ideological one, and this only makes it more acute.

It seems that a scanner that checks only published files, and runs on demand for everything else, could be a good compromise, but anti-virus checks in this form are not implemented in any of the listed services. So for now, you have to choose between protection and privacy. You also have to feed downloaded files to VirusTotal and be especially suspicious of password-protected archives. So it goes.

TAGGED: Encryption, Malware, Microsoft, Proxy server, RC4, Rootkit, RTF, Security, SQL injection, Targeted Attack, Threats, Trojan, Vulnerabilities
SOURCES: haabr.com
Tom Grant October 13, 2022 October 8, 2022