Friday, 7 February 2014

VirusTotal += CRDF France URL scanner

Many of you may already know CRDF because of their contributions in VirusTotal Community, in their own words:
We observe malicious behavior to develop, understand, inform and fight against scourges. The laboratory actively fights against malware, spam and security risks.
Among other projects, CRDF has built its own threat center and they are very active VirusTotal uploaders. Today we are excited to announce that they have taken this collaboration one step further and started sharing their malicious domains dataset with VirusTotal in order to make it work as a URL scanner.

Here is an example of a URL being detected by CRDF:

Welcome on board CRDF!

Tuesday, 4 February 2014

VirusTotal += AegisLab

We start february welcoming AegisLab as a new file scanning engine working at VirusTotal. AegisLab was already collaborating with us with WebGuard in the URL scanning system. A description from the company about the engine:

"AegisLab’s intelligent virus DNA algorithm extracts the special one-to-many mapping virus signatures. It achieved the much higher detection rate for latest Windows PE and Android APK variant virus. Their scan engine also uses the DNA fast match algorithm and is very suitable for limited resources environment. In native streaming mode, the engine is able to catch the most virus very efficiently from network packets."

Monday, 3 February 2014

VirusTotal += imphash

Recently Mandiant blogged about a feature they call imphash, in Mandiant's own words:
One unique way that Mandiant tracks specific threat groups' backdoors is to track portable executable (PE) imports. Imports are the functions that a piece of software (in this case, the backdoor) calls from other files (typically various DLLs that provide functionality to the Windows operating system). To track these imports, Mandiant creates a hash based on library/API names and their specific order within the executable. We refer to this convention as an "imphash" (for "import hash"). Because of the way a PE's import table is generated (and therefore how its imphash is calculated), we can use the imphash value to identify related malware samples. We can also use it to search for new, similar samples that the same threat group may have created and used.
We are excited to announce that VirusTotal reports for Portable Executables now show this hash in the additional information tab:

When considering an individual report, this property might not be very useful on its own, however, if you happen to have an API key with additional information privileges you will also find the hash embedded in the JSON response. This means you can massively feed your own local database setup with the imphash and implement your own similarity search feature for your malware collection.

VirusTotal Intelligence users can already perform searches through our dataset according to this new property.

Tuesday, 21 January 2014

VirusTotal += Qihoo-360

We welcome Qihoo-360 as a new engine working at VirusTotal. In the words of the company:

"QVM is Qihoo 360’s proprietary technology that detects malware through an artificial-intelligence algorithm capable of machine learning to recognize new forms of malware. QVM technology offers a robust model for recognizing malware characteristics using the massive amount of data that we have compiled on confirmed malware in our blacklist and verified safe programs files in our whitelist. This model is used as a basis for a detection algorithm which is automatically enhanced and updated with new malware samples submitted by our users to our servers.

Program files that do not appear in our blacklist and whitelist are scanned using QVM, and any ''hits'' returned by this technology are presumed to be malicious and removed or quarantined. As malware is constantly being created or morphing, QVM has the advantage of being able to detect threats that have not been previously identified. According to PC Security Labs, an independent security product test organization, QVM has a detection rate of 74.9% for unknown new malware, which surpasses most heuristic detection technologies."

Wednesday, 27 November 2013

VirusTotal += Ad-Aware

We welcome Ad-Aware as a new engine working at VirusTotal. In the words of Lavasoft:

"Ad-Aware 11 is Lavasoft’s next generation anti-malware product that includes behavior based heuristics, generic detection routines and virtual machine analysis for executable files that is capable of detecting zero-day and new/unknown malware. It has support for more than 100 packers and runs full multithreading and concurrent scans."

Wednesday, 13 November 2013

VirusTotal += URL checker

Many security industry actors build solutions that lie in the perimeter of networks, inspecting traffic and discriminating potentially malicious content. One of these solutions is SIMBA from Saint Security (others include FireEye, Fidelis XPS, Damballa, etc.).

In inspecting traffic, these solutions have a privileged position to perform correlations to discover and characterize malicious patterns, this is what allows these companies to discover thousands of malicious URLs and files every day. Saint Security has made part of their discriminatory logic available at
As a cloud-based malicious codes database system, is a one-stop service to collect, analyze and detect various malicious codes or malwares such as Trojans, Viruses, Worms so that customers or end-users can make proper security policies to take countermeasures against security threats.
Today we are excited to announce that has been integrated in VirusTotal as a URL checker and as of today URL scans will be enriched with their dataset of malicious verdicts. This inclusion is very interesting as it covers much of the threat landscape seen in South Korea, a clear example of this is the following report:

Welcome on board and thanks for joining us!

Thursday, 31 October 2013

VirusTotal += AegisLab WebGuard

Our effort to pump up our URL scanner backbone continues, today we are excited to announce the integration of AegisLab WebGuard, a concise malicious URL database to prevent malicious URLs whose characteristics are described by its developers as:
Fast update and leave less open window for attack. Less false positive than other web filter DBs. Website hijacking prevention. Concise malicious URL database. Including: Drive-by-Downloads, BlackHat SEOFake Anti-Virus, Installer and Updates, Scarewares and etc.
You can read more about the kind of threats that AegisLab WebGuard intercepts in this blog post:

Welcome on board guys, thanks for joining VirusTotal!