[cognibits]

I'm an adviser for one of the companies that partnered with VirusTotal. I cannot go too much into details, but as a partner, we have access to the live submission feed which we analyze in real-time to discover new threats etc. I can assure you that we are not the only one. Furthermore, most partners sync their data not in real-time which could yield incorrect scanning results, making the hackers think they're good to go.

I can also say that the more serious groups/hackers do not use VirusTotal to check their malware. They have their own verified, anonymous services that do the same thing, just without submitting the malware to the anti-virus company.

[Dublum]

This is all true. There exist essentially blackhat versions of virustotal that don't submit the samples, and don't have a feed delay that are pretty popular among the virus writing community.

One of the ways that virustotal IS used however is by checking the hash of their malware to see if it has shown up yet. That lets them know if someone has taken an interest in it yet, and if they have, it means they need to start rolling a new version.

[josu]

>One of the ways that virustotal IS used however is by checking the hash of their malware to see if it has shown up yet. That lets them know if someone has taken an interest in it yet, and if they have, it means they need to start rolling a new version.

But once they upload the file to see if the hash already exists, they can no longer check, since their hash will already be indexed. No?

[Dublum]

you can check a hash without uploading the file in question. VT only stores a set of results if it has seen the actual file, not if a hash is checked against it. This is why, when doing incident response, a lot of people suggest not uploading suspicious files to VT, because it lets the attackers change up and start using new malware

[thefreeman]

You can search on a hash, so I imagine they would hash it themselves and just perform a search.