Tuesday, 10 February 2015

A first shot at false positives

Every so often an antivirus detecting a legitimate file hits the headlines, this usually happens when a given vendor mistakenly marks as malicious a file belonging to a widespread software package, for example, a key operating system file.

These mistaken detections, commonly known as false positives, have all sorts of undesired effects:
  • Software developers may face strong business impact as a large portion of their users see their programs rendered unusable. 
  • Support teams for the affected programs may be suddenly overwhelmed by user emails claiming that the given software is not working correctly.
  • End-users may be unable to interact with important software and see themselves unable to finish critical tasks.
  • Antivirus vendors' reputation may be severely hindered.
It is, thus, obvious that false positives are a head ache both for the antivirus industry and software developers. Solving them can be a very challenging problem. Why? Nowadays antivirus vendors are increasingly required to become more proactive, this includes developing generic signatures and heuristic flags, which very often leads to mistaken detections in an effort to have a more secure user-base. 

Virustotal is strongly committed to helping the antivirus and security industry, this is why we also wanted to collaborate on this front. Our first shot at this is a project that we call trusted source. The goal of this first stage is to have huge software developers share the files in their software catalogue.

These files are then marked accordingly at VirusTotal and whenever an antivirus solution (mistakenly) detects them, we notify the pertinent vendor, allowing them to quickly correct the false positive. Additionally, when files get distributed to antivirus vendors, they are tagged so that potential erroneous flags can be ignored,  preventing a snowball effect with detection ratios.

We have already started marking files and you may have already noticed the new message dialog at the top of file reports, example:
https://www.virustotal.com/en/file/a70999ee28e6233ffcadb6cc3967417be4de2678b868fa2d45bdd3f826c7ed48/analysis/

As you can see, not only a trusted source dialog is displayed, mistaken detections are also dropped from the positives count and degraded to the bottom of the report. This is just a quick measure to make sure the false positives do not mislead users looking at the report, as said, these mistaken detections are also shared with the pertinent vendors in order for them to fix.

We have been working on this for just one week and with just one company, Microsoft, yet results look very promising: over 6000 false positives have been fixed. We would like to extend a big thank you to the Microsoft team for sharing metadata about its software collection and to the antivirus industry as a whole for the false positives remediation. 

So what are the next steps? We are looking to grow our collection of trusted software, if you happen to be a very large software development company you might want to contact us in order to share this data and help us mitigate the issue of false positives. Please note that this initiative is not open to potentially unwanted applications and adware developers. 

Thursday, 15 January 2015

VirusTotal += Alibaba

We welcome Alibaba entire to VirusTotal. This Chinese antivirus is focused in Android malware. In the words of the company:

"Alibaba anti-virus engine is an ultrafast and accurate anti-virus engine based on cloud computing, big data technologies and a database with massive confirmed malwares and safe files. This anti-virus engine consists of multiple subsystems such as preprocessing, static analysis, dynamic analysis, and counterfeit software detection. These subsystems collaboratively and automatically analyze an unknown software to determine whether it is a malware or not.

Specifically, our anti-virus engine focuses on detecting malwares that threatening the safety of mobile shopping or payment. We aim to protect the privacy information and assets of the clients of Alibaba, as well as maintain a secure mobile cyberspace."

Thursday, 8 January 2015

Digging deeper into JAR packages and Java bytecode

Before the Christmas break we announced the inclusion of a tool to further characterize Mac OS X executables and iPhone apps, at the same time we also silently deployed one to dig deeper into JAR packages and Java .class files.

Virustotal has always scanned and produced verdicts for these types of files, as it scans any type of binary content, however, now it will also produce static notions such as the Java packages used, the manifest of the JAR bundle, interesting strings, file type distribution, date timestamp metadata for files within the archive, etc. You may take a look at this new information in the file details tab of the following report:
https://www.virustotal.com/en/file/647e5c0a640e7b5b006a14a09b5d3099c1eaf1e9f03ffa748c615be75a94103e/analysis/


Similarly, when it comes to .class files the tool will produce new notions such as the original class name, the target platform, whether it extends some class or implements some interface, its methods, what functions does it provide and require, etc. An example can be viewed in the file details tab of the following report:
https://www.virustotal.com/en/file/d5ff153c7ff2f16906c4cd80a78a3ef2ed9f938c353d678b895a952dccca49df/analysis/


Many of today's threats are distributed through exploit kits, a wide variety of which make use of malicious JARs in order to exploit Java and end up serving the final malicious payload to the victim, hence, we hope this new information helps researchers in better discriminating these threats.

Monday, 1 December 2014

A closer look at Mac OS X executables and iOS apps

Virustotal has always been able to scan and provide verdicts for Mac OS X executables and iOS apps, these are just some examples:
https://www.virustotal.com/en/file/b9fb26c553e793ac4c598a67447f67c85eb9e561a9b7722667f7f45e34e2f71c/analysis/
https://www.virustotal.com/en/file/c5030830203c3bf67ef49af6908cbeb6aa234fe0346d8d9ebf85d4dd5d7482be/analysis/
https://www.virustotal.com/en/file/63149fe9e2efd94d666402d637d921a6ca4dd73dcda318a7fcc82c274175d19a/analysis/
Actually, scanning capabilities regarding certain file types is a common end-user misconception, virustotal will scan any binary content, with independence of its file type, as antivirus vendors will develop signatures for any file type and target OS with independence of the OS that hosts the engines running in virustotal.

This said, two weeks ago we silently introduced a new tool to further characterize Mac OS X executables and iOS apps, extracting interesting static properties from these types of files, similar to what the pefile python module does for Portable Executables.

The new tool will extract file header information (e.g. required architecture and sub-architecture, flags, magic string, etc.), the file segments and its inner sections, any shared libraries that the executable makes use of, load commands and signature information whenever the mach-o happens to be code signed.


In the event that the Mac OS X executable is a universal binary containing mach-o files for several target systems, a characterization of each one of the embedded files will be provided. You may refer to the file details tab of the above reports in order to see an example of this new set of information.

As to iOS apps, the new tool will not only characterize the executable providing the application's main functionality, it will also generate metadata regarding the package itself (property list configuration information and embedded mobile provision data) and iTunes details.


As you may notice, this tool follows the trend of what we recently implemented regarding ELF files, hopefully it will also help in spotting and studying threats targeting Mac OS X and iOS.

Thursday, 27 November 2014

VirusTotal += ALYac

We welcome ESTsoft ALYac engine to VirusTotal. This South Korean multi-engine antivirus includes its own engine called Tera plus the popular BitDefender engine. In the words of the company:

"""ALYac provides differentiated service with the award winning Triple-Engines.
The ESTsoft's Tera Engine, the BitDefender Engine and the Sophos Engine establish several protection layers.

With the lightweighted engine and the memory optimization, ALYac minimizes its resource usage.
Moreover, ALYac boasts excellent detection power against variant malicious files through 'Smart Scan Technology'."""

Tuesday, 18 November 2014

virustotal += Blueliv URL scanner

We are excited to announce that we have just integrated Blueliv's malicious URL tracker in virustotal, as yet one more URL scanner providing verdicts on URLs submitted by users. In their own words:
Blueliv is a leading provider of cyber threat information and analysis intelligence for large enterprises, service providers, and security vendors. The company’s deep expertise, data sources, and cloud-based platform address a comprehensive range of cyber threats to turn global threat data into real-time actionable intelligence specifically for each client in an easy-to-use dashboard. Blueliv’s clients include leading bank, insurance, telecom, utility, and retail enterprises.
At present, Blueliv's tracker is highly focused on sites used as C&C infrastructure for trojans, URLs distributing malware and sites with exploit kits, an example of their detections can be found in the following reports:
https://www.virustotal.com/en/url/78b30edc4de035348586cd408626009bbc42be366873e65a8bcc4f35f780f783/analysis/1415884660/
https://www.virustotal.com/en/url/885b6e1dc91e1f01413c0316117f294203d643a1ef3ec79c17556956ff08d086/analysis/1415890213/

Hopefully this integration will lead to increased knowledge about threats and will help protect users world-wide.

Welcome Blueliv!

Tuesday, 11 November 2014

virustotal += Detailed ELF information

In computing, the Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps. It was chosen as the standard binary file format for Unix and Unix-like systems [Wikipedia].

Even though the popularity of the Windows OS among average end-user systems has meant that attackers have mostly focused on developing malware for Windows systems, ELF badness is a growing concern. The colleagues over at Malware Must Die are making a huge effort to put some focus on ELF malware, their article entitled China ELF botnet malware infection & distribution scheme unleashed is just an example.

Today we are rolling out a tool to generate detailed structural information regarding ELFs. This information includes: file header specifics (ABI version, required architecture, etc.), sections, segments, shared libraries used, imported symbols, exported symbols, packers used, etc. You may take a look at this new information in the File Details tab of the following report:
https://www.virustotal.com/en/file/cc5833d039943bcf06cb185500b21a19d4e1f73a3362943d27697fc93f7b9602/analysis/



Hopefully all this new information will bring some attention to malware targeting linux systems and will lead to better world-wide defenses against these threats.