Back to blog

AvTracker - Helping Malware Writers Since 2009

MALWARE

2 min read
AvTracker - Helping Malware Writers Since 2009

Rumor has it that avtracker.info is back online - alive & kicking for the second year in a row. If you’re unfamiliar with what avtracker is and what it does, here’s the short overview: it is a list of IPs associated with antimalware vendors.

The project has been opened sometime in October 2009 (external link) and was voluntarily closed in late January 2010. It appears that it is now back online with a pretty consistent list of IP addresses associated with major antivirus companies (BitDefender included, huehuehue).

The project’s disclaimer states that “We, the development team, want to be a role model for open source, new technology and want to clearly state against any censorship.” I don’t exactly follow what words such as censorship and open-source have to do with publicly listing IPs and domains of legit and respectable companies. The next sentence makes more sense, though: “You can use the open source to secure your application against unasked analysis and protect your digital business secrets,” continues the project’s presentation.

Now that’s what I wanted to outline. The project itself is comprised of a list of IP addresses that “should be blacklisted if you want to keep your digital secrets”. And no, this is not illegal. After all, you are the sole owner of your digital world and there’s noting one could do to force a webmaster allow access from a specific IP.

If you’ve been bombed with spam or shell attacks, you already know that the best countermeasure is to permanently deny the offender access to your server. But why would you do that to an antimalware vendor? We’re already entering the grey zone.

A couple of weeks ago, when I was analyzing a phishing page (if you stumbled upon this article on Malware City, you already figured it out) which, suspiciously enough, couldn’t be accessed from one of our offices. A proxy check revealed that the client’s IP was blacklisted on the server to prevent us from detecting and issuing protection for the scam. And there are a lot more harmful pages that use the same technique to evade the scrutiny of antivirus researchers.

Keeping organized lists of AV vendors’ IP addresses seems a little fishy. And that’s regardless of what pretext a list-keeper may rise. What do you think?