Wire Wire: A West African Cyber Threat (secureworks.com)
28 points by chewymouse on Aug 7, 2016 | hide | past | favorite | 4 comments


> The SecureWorks team initially found the database by using the virus scanning tool VirusTotal to search for suspicious email attachments.

I feel like they left out a couple of reverse-engineering/hacking steps here. Or is it true, does VirusTotal have such capabilities and I am just ignorant?


> VirusTotal runs its own passive DNS replication service, built by storing DNS resolutions performed when visiting URLs and executing malware samples submitted by users.

It will run malware samples and store any DNS and/or direct IP connections and lookups from the compromised host. I'm guessing the researchers used a combination of searches for malware coming in from email attachments and malware that connects to external databases (whether that be MySQL port 3306, or something else less direct, is unclear).

https://www.virustotal.com/en/documentation/searching/
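The passive DNS replication described above, as an added example that is not VirusTotal's code or the SecureWorks research: a small store that ingests hostname-to-IP resolutions observed while sandboxing samples, then pivots from one hostname through its IPs to every sample that contacted them. All hashes and IPs below are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    """One DNS resolution observed while a sandbox executed a sample."""
    sample_sha256: str  # constructed placeholder, not a real indicator
    hostname: str
    ip: str
    seen_at: str        # ISO date of the sandbox run


class PassiveDns:
    """Minimal passive DNS replication store built from sandbox observations."""

    def __init__(self) -> None:
        self._ips_by_host = defaultdict(set)
        self._hosts_by_ip = defaultdict(set)
        self._samples_by_ip = defaultdict(set)

    def ingest(self, r: Resolution) -> None:
        self._ips_by_host[r.hostname].add(r.ip)
        self._hosts_by_ip[r.ip].add(r.hostname)
        self._samples_by_ip[r.ip].add(r.sample_sha256)

    def ips_for(self, hostname: str) -> list:
        return sorted(self._ips_by_host.get(hostname, ()))

    def hostnames_for(self, ip: str) -> list:
        return sorted(self._hosts_by_ip.get(ip, ()))

    def pivot(self, hostname: str) -> list:
        """From one hostname, collect every sample that contacted any IP it
        resolved to, including samples that reached that IP via another name."""
        related = set()
        for ip in self.ips_for(hostname):
            related |= self._samples_by_ip[ip]
        return sorted(related)


# Constructed observations: fake hashes, RFC 5737 documentation addresses.
SAMPLE_RESOLUTIONS = [
    Resolution("sha256-sample-01", "mail-update.example", "192.0.2.10", "2016-07-01"),
    Resolution("sha256-sample-02", "mail-update.example", "192.0.2.10", "2016-07-03"),
    Resolution("sha256-sample-03", "invoice-portal.example", "192.0.2.10", "2016-07-09"),
    Resolution("sha256-sample-04", "cdn.example", "198.51.100.5", "2016-07-09"),
]


def build_store(records=SAMPLE_RESOLUTIONS) -> PassiveDns:
    store = PassiveDns()
    for r in records:
        store.ingest(r)
    return store
```

Two hostnames sharing one IP is the pivot that links otherwise unrelated submissions, which is how a search on email-borne samples can grow into a map of the infrastructure behind them.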


This IEEE Spectrum article is bordering on blogspam. They don't link to the original article, which is IMO better in every regard (and very interesting):

https://www.secureworks.com/research/wire-wire-a-west-africa...


Thanks, we updated the submission from http://spectrum.ieee.org/tech-talk/telecom/security/nigerian... to this.



