Shortly after publishing my review of
Tiranium Premium Security 2014,
I got a message from a researcher using the handle Malware1. He claimed
that Tiranium abused various online malware-checking websites to
bolster its detection rate. His note included links to videos showing an
older version of the software connecting to
VirusTotal,
in particular (though he admitted there is no longer a direct
connection). He also supplied what he said were a number of emails from
VirusTotal to Tiranium demanding they stop abusing the service.
I checked with VirusTotal, but my contact declined to comment for
publication. I had to determine for myself whether this was true, and
whether it constituted a problem if so.
What Is VirusTotal
For those who aren't familiar with it, VirusTotal's public face is a website where you can upload a
file to see if it's malicious. The site first generates a hash for the
file—a unique mathematical fingerprint. If the hash is already in its
database (and most are) it returns the stored results. If not, it checks
the file with about 50 major antivirus engines, reporting which flagged
the file as malicious. Google acquired VirusTotal about two years ago.
The service goes beyond simply checking files. According to its
website,
"VirusTotal's mission is to help in improving the antivirus and
security industry and make the internet a safer place through the
development of free tools and services." That same page states that
"None of the services or applications publicly offered on this site
should be used in commercial products, commercial services or for any
business purpose. In the same way, none of the services should be used
as a substitute for security products."
In other words, a product that simply used VirusTotal's results
without independently verifying that the file is malicious would be
violating the terms of service. And indeed, a
controversial test by Kaspersky Lab several years ago showed that blindly using detection from the website is a bad idea.
Digging With Wireshark
According to Malware1, Tiranium first checks a suspect file using its locally installed client.
If there's no match, it checks the file's hash on VirusTotal. Only if
it gets no results from VirusTotal does it invoke its own behavioral
cloud scanner.
To start my investigation, I created brand-new modified versions of
my current malware collection, changing the filenames, altering the file
size, and tweaking some non-executable bytes. I checked the hash of
each file against VirusTotal, to be sure all were absent from the
database.
With the Wireshark network traffic tracing utility running, I
launched a Tiranium scan of the folder containing these files.
Strangely, the scan ran for hours but never finished, and the count of
files scanned never changed from its initial zero. I learned later that
this was because the behavioral cloud server was down for several hours.
Indeed, perusing the Wireshark log I could see that Tiranium tried
again and again to upload files to the behavioral cloud, each attempt
ending in an error. What I did not find was any evidence of a
direct connection to VirusTotal, or to any of the other services that
had allegedly been used in the past.
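The capture review described above can be automated. The following script is an added example, not code from the article or from Tiranium: it reads a tab-separated export of the kind `tshark -T fields` produces (time, destination IP, DNS query name, HTTP Host, TLS SNI) and reports any name that belongs to a third-party scanning service. The sample export, the `cloud.example-av.test` host and the Anubis hostname are constructed or assumed for illustration.

```python
"""Flag connections to online malware scanners in a tshark fields export."""
from collections import defaultdict

# Services named in the article. The Anubis hostname is an assumption.
WATCHED_SERVICES = {
    "virustotal.com": "VirusTotal",
    "anubis.iseclab.org": "Anubis",
    "virscan.org": "VirScan",
}

# Constructed export: time, ip.dst, dns.qry.name, http.host, tls SNI.
# Rows 1, 2 and 5 are the product's own cloud (a made-up host); rows 3
# and 4 are a DNS lookup and a TLS handshake for VirusTotal.
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in [
    ("1.002", "8.8.8.8", "cloud.example-av.test", "", ""),
    ("1.350", "203.0.113.10", "", "cloud.example-av.test", ""),
    ("2.110", "8.8.8.8", "www.virustotal.com", "", ""),
    ("2.400", "198.51.100.7", "", "", "www.virustotal.com"),
    ("3.000", "203.0.113.10", "", "cloud.example-av.test", ""),
])


def _service_for(host):
    """Map a hostname (or any subdomain of a watched domain) to a service name."""
    host = host.lower().rstrip(".")
    for domain, name in WATCHED_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def _rows(lines):
    """Yield (time, dns_name, http_host, sni) tuples, padding short rows."""
    for line in lines:
        if not line.strip():
            continue
        fields = line.rstrip("\n").split("\t")
        fields += [""] * (5 - len(fields))
        t, _dst, dns_name, http_host, sni = fields[:5]
        yield float(t), dns_name, http_host, sni


def contacted_hosts(lines):
    """Every hostname seen in DNS, HTTP Host or SNI, for a quick inventory."""
    return {h for _t, *names in _rows(lines) for h in names if h}


def audit(lines):
    """Return {service: [(time, evidence_type, host), ...]} for watched hits."""
    hits = defaultdict(list)
    for t, dns_name, http_host, sni in _rows(lines):
        for kind, host in (("dns", dns_name), ("http", http_host), ("sni", sni)):
            service = _service_for(host) if host else None
            if service:
                hits[service].append((t, kind, host))
    return dict(hits)
```

Run `audit(SAMPLE_EXPORT.splitlines())` on a real export produced with `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.dst -e dns.qry.name -e http.host -e tls.handshake.extensions_server_name` to get the same report for your own capture.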
Circumstantial Evidence
I moved some of my test files to another folder and submitted them to VirusTotal for checking.
In every case a majority of the antivirus engines detected them as
malicious; some got near-unanimous recognition as malware.
As soon as all the files were processed by VirusTotal, I immediately
scanned the folder with Tiranium. This time it recognized those files as
malware right away. When I scanned the remaining files,
the ones I hadn't uploaded, the scan stuck, as before. While there was
still no direct connection from my computer to VirusTotal, it seems I
had established a clear chain of causality.
Maybe It's OK?
I reached out to my connections in the antivirus industry to see what they thought. One researcher
pointed out that antivirus companies can contract with VirusTotal to
automatically receive any sample that others detected but their product
missed. However, that didn't seem to describe the situation I observed.
More importantly, my Tiranium contact confirmed the use of
VirusTotal. "VirusTotal has specific terms of use," he said. "They're
sending samples to companies. Tiranium is one of the companies analyzing
that, like all others." He went on to note that the time to analyze new
samples can vary. "Sometimes this will take hours, sometime minutes,
sometime days," he said.
Or Maybe Not
The VirusTotal credits page
lists all vendors who have "integrated a product, tool or resource in
VirusTotal, or have contributed somehow." These vendors have signed an
agreement that includes a set of
best practices.
Tiranium is not among the companies listed. It's not receiving samples
from VirusTotal, so its use is not "like all the others."
I've determined to my own satisfaction that the emails supplied by
Malware1 telling Tiranium to stop misusing VirusTotal are real. I've
seen evidence that at one time the application itself connected directly
to VirusTotal for information, which is definitely abuse. But is its
current incarnation stealing the work of other vendors, as Malware1
contends? I can't say definitively, but my trust is definitely shaken.
Potentially Unwanted?
Apparently I'm not alone. In a discussion
on the well-regarded Wilders Security forum, several members express
concern about the product. In fact, at the time of this discussion about
eight months ago, a number of well-known antivirus products detected
Tiranium as a "potentially unwanted application" that should be removed.
Even now,
Kaspersky detects one of Tiranium's two main files as malware, and
ESET detects them both. Fortinet identifies Tiranium's website as malicious, as does Webroot's BrightCloud service.
Shady Behaviors
I pointed out this detection to my Kaspersky contact and asked if he could explain why Tiranium was
flagged as malware. He dug into the question with significantly more
skill than I could muster, and came up with a lot. "They're using more
than five different obfuscators to obfuscate their code and there's no
digital signature," he said. "It's a little crazy and looks far from
legit." There's no smoking gun here, but these and other malware-like
behaviors were sufficient to get the product flagged. He also found
traffic from the server referencing VT (VirusTotal), Anubis, and
VirScan, suggesting some kind of reliance on third-party sources.
The BrightCloud folks couldn't pinpoint the reason that Tiranium's
website got flagged as risky. However, they pointed out that Tiranium's
IP address is shared with quite a few phishing websites. Google's
safe browsing page for the olympe.in domain used by Tiranium had some alarming news:
"Of the 1341 pages we tested on the site over the past 90 days, 13 page(s)
resulted in malicious software being downloaded and installed without
user consent."
I said in my review that Tiranium is a good first effort, but not
ready to challenge our several Editors' Choice antivirus products. I now
feel that the company needs to both improve the product and regain my
trust with professionalism and transparency. Fix the spelling and
grammar errors, ditch the obfuscation, digitally sign the executable
files, and make sure it integrates with Windows's Action Center. Refrain
from any use of third-party products that isn't fully transparent.
Separate Web hosting from servers that host malware. For now, I
recommend that you stick with our
Editors' Choice antivirus products.