Wednesday, 2 May 2018

New Firefox Quantum-compatible VirusTotal Browser Extension

In November 2017 Mozilla released a new and improved version of their browser. This version is called Firefox Quantum. Following that step forward, VirusTotal is releasing major revamp of its browser extension! You may install it at:

Historically VirusTotal had a very simple but popular firefox extension called VTZilla. It allowed users to send files to scan by adding an option in the Download window and to submit URLs via an input box. We had not updated it since 2012.



At the end of 2017 Firefox decided to discontinue support for old extensions and encourage everyone to update their extensions to the new WebExtensions APIs, a common set of APIs designed to be the new standard in browser extensions. As a result our existing VTZilla v1.0 extension no longer worked. At VirusTotal we decided to face this as an opportunity instead of an inconvenience and we started working on a new and improved version of VTZilla.

VTZilla 2.0 has been designed with various goals in mind. We wanted this new version to be easy to use, transparent to users and as customizable as possible. The first thing users will see when installing the extension is the VirusTotal icon. If you click on it you will see the different configuration options:


This will allow users to customize how files and URLs are sent to VirusTotal and what level of contribution to the security community they want.

Users can then navigate as usual. When the extension detects a download it will show a bubble where you can see the upload progress and the links to file or URL reports.


These reports will help users to determine if the file or URL in use is safe, allowing them to complement their risk assessment of the resource. This is a great improvement with respect to the former v1.0 version of VTZilla where we would only scan the pertinent URL tied to the file download. Then you would then have to jump to the file report via the URL report, and this would only be possible if VirusTotal servers had been able to download the pertinent file, leaving room for cloaking and other deception mechanisms.

VTZilla also has functionality to send any other URL or hash to VirusTotal. With a right button click users have access to other VirusTotal functionality:


This is the basis for all future functionality. Feel free to send us any feedback and suggestions. We will be working to improve and add functionality to the extension. Thanks to WebExtensions we will also be able to make this extension compatible with other browsers that support the WebExtensions standard.

Soon after this major revamp we will be announcing new VTZilla features whereby users may further help the security industry in its fight against malware. Even non-techies will be able to contribute, the same way that random individuals can contribute to search for extraterrestrial life with SETI@home or help cure diseases with BOINC, stay tuned and help give good the advantage.

Monday, 16 April 2018

Multisandbox project welcomes Cyber adAPT ApkRecon


Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Thursday, 5 April 2018

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.  

Sunday, 1 April 2018

Meet FORTUNE COOKIE

VirusTotal is always working to improve our users' experience and our partner ecosystem. We have a robust community of security professionals who research, study, and collaborate through VirusTotal's diverse tools and capabilities.

In our labs, our top engineers are working hard to develop new ways of understanding how samples relate to each other, to campaigns, and to the users who ultimately fall victim to them.

We're thrilled to share with you the brand new VirusTotal Free Object Randomized Tester Utilizing Nil Evaluative Code with Object Oriented K-means Inference Engine, or FORTUNE COOKIE for short.

FORTUNE COOKIE is a bleeding edge system that brings about a highly accurate randomized verdict for your entertainment and enjoyment. It knows very little about malware, reverse engineering, or file analysis, but could theoretically be capable of leveraging machine learning, blockchain, and/or random numbers to bring about an entirely new class of verdicts.

An example of its detection capabilities can be found below:


We think FORTUNE COOKIE will change the way you use VirusTotal, and due to the incredibly amazing power it offers, it will only be available for a short time.

Enjoy!

Tuesday, 6 March 2018

Additional Crispiness on the MacOS box of apples sandbox

In November 2015 we first released our MacOS sandbox. We now have an incremental feature improvements live on our site to help our users get further behavioral information from samples scanned with VirusTotal

Several improvements visible to users are:


  • Sandbox updated to OSX 10.11 El Capitan in sandbox.  We have a High sierra update planned for later this year. 
  • Detailed HTML analysis report is now available. 
  • Screenshots of the software under analysis to provide more contextual information:
    • Show screenshots of what a user would see
    • Help determine if the sample is waiting for user input
  • Network traffic reports updated
    • Country Detection
  • Timestamps on file operations,  to help show the sequence of events.
  • Process tree is shown if there is more than one level of processes


To view the detailed behavior report, click on the behavior tab, then select the Box of Apples sandbox, then click on the detailed report link

Click on the detailed behavior report. 




Some Samples that might be interesting, that contain the new features:
ec7241a6009f1fff38b481d8b4fd6efede4cc2f9d8ee20d9ca2b4ff66d656171
3b196c1c1a64aca81dec5a5143b3f2faaadcc4034b343f46f23348f34a2ef205
694c23b548249056bf90b2b2c252a8c9abfae4aeb611476cbdaa8dc112f79d8f


Screenshots and File operations

DNS, IP Traffic and Behavior tags


This is part of the Multi-Sandbox project.    We’ll continue to improve our own and 3rd party sandbox providers that wish to integrate sandboxes into VirusTotal.

If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing  contact@virustotal.com

Wednesday, 24 January 2018

VirusTotal and Chronicle

It's been more than five years since Google acquired VirusTotal. Today we have another update: VirusTotal will moving to become part of Chronicle, a new Alphabet company focused on cyber security. This update, like our move to Google a few years back, does not change the mission or focus of VirusTotal. We'll continue to operate independently, focused on our mission of helping keep you safe on the web.

For press inquiries, please contact press@chronicle.security

Monday, 8 January 2018

VirusTotal Graph

VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.

It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.

It is a visualization tool built on top of VirusTotal’s data set. It understands the relationship between files, URLs, domains and IP addresses and it provides an easy interface to pivot and navigate over them.


By exploring and expanding each of the nodes in your graph, you can build the network and see the connections across the samples you are studying. By clicking on the nodes, you can see at a glance the most relevant information for each item. You can also add labels and see an in-depth report by going to VirusTotal Public or VirusTotal Intelligence report.

The tool is available in https://www.virustotal.com/graph/ or through a public report in the tool section (VirusTotal login is required):


You can save the graphs, so that you can go back to your investigation any time and share your findings with other users. By clicking in the bottom right corner we generate a permalink which loads the graph as you see it in your screen. All saved graphs are public and linked in VirusTotal public report when the file, URL, IP address or domain appear in the graph. We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution -- expect to see some news around it soon.

The documentation is available at

These are two YouTube videos explaining the main features:
Files Tutorial 1 - https://youtu.be/QEqHXU04IkI
Domain Tutorial 2 - https://youtu.be/xe2busIlkP4

Last but not least, we are still in an early stage of the tool and we’d be delighted to receive your feedback/comments here.