Wednesday, 4 May 2016

Maintaining a healthy community

VirusTotal was born 12 years ago as a collaborative service to promote the exchange of information and strengthen security on the internet. The initial idea was very basic: anyone could send a suspicious file and in return receive a report with multiple antivirus scanner results. In exchange, antivirus companies received new malware samples to improve protections for their users. The gears worked thanks to the collaboration of antivirus companies and the support of an amazing community. This is an ecosystem where everyone contributes, everyone benefits, and we work together to improve internet security.

For this ecosystem to work, everyone who benefits from the community also needs to give back to the community, so we are introducing a few new policies to make sure that our community continues to work for years into the future. First, a revised default policy to prevent possible cases of abuse and increase the health of our ecosystem: all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services. Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).

Finally, all VirusTotal users are fully accountable for and need to follow our existing Terms of Services and mandatory Best Practices. Its frustrating to see abuses show up and its damaging for our community. Let's remember some basics:

  • VirusTotal should not be used in any way that could directly or indirectly hinder the antivirus/URL scanner industries.
  • VirusTotal should not be used as a substitute of an antivirus solution.
  • The data generated by VirusTotal should not be used automatically as the primary indicator to blacklist/produce signatures for files. i.e. Antivirus vendors should not copy the signatures generated by other vendors without any other scrutinizing on their side.
  • VirusTotal should not be used to generate comparative metrics between different antivirus products. Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment. Because of this, VirusTotal scan results aren’t intended to be used for the comparison of the effectiveness of antivirus products.
  • VirusTotal should not be used as deceptive means to discredit or to validate claims for or against a legitimate participant  in the anti-malware industry.
  • VirusTotal renders information generated by third party products (antivirus vendors, URL scanning engines, file characterization tools, etc.), those product names are exclusive property of their respective brands, hence, use of these names in third party products and services will be done at your sole discretion. You should ask the corresponding brands for their permission.
  • In no event shall you use VirusTotal's logo, name or trademark on any customer list, public statement, press release, or in any other manner without our prior written consent in each instance.
There is a new specific email address ( for users and partners to report potential abuse of this new policy or our long-standing Terms of Services and mandatory Best Practices. When potential abuse is reported, we will investigate and work to adopt specific measures to combat any irregularities, if any uses can’t come into compliance we will terminate their service.

We are looking forward to working with new partners, as it will bring more value to the ecosystem. All collaborative efforts are based on the principles of benefiting the security industry as a whole and enabling the protection of end users. We also want to thank our current partners, and the entire VT community, for working with us as we pursue our mutual goal of a safer and more secure Internet for everyone.

Wednesday, 27 January 2016

Putting the spotlight on firmware malware

Firmware malware has been a hot topic ever since Snowden's leaks revealed NSA's efforts to infect BIOS firmware. However, BIOS malware is no longer something exclusive to the NSA, Lenovo's Service Engine or Hacking Team's UEFI rootkit are examples of why the security industry should put some focus on this strain of badness.

To all effects BIOS is a firmware which loads into memory at the beginning of the boot process, its code is on a flash memory chip soldered onto the mainboard. Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar.

As of today VirusTotal is characterizing in detail firmware images, legit or malicious. These are a couple of examples of the kind of information that is now generated, please refer to the File Detail tab:  [1]  [2]
Pay attention to the Additional information tab in this other case,  you will see a new Source Details field which gives attribution information for the given file:
100% PE resource match is not required in order to provide some attribution context, e.g.

The new tool performs the following basic tasks:

  • Apple Mac BIOS detection and reporting.
  • Strings-based brand heuristic detection, to identify target systems.
  • Extraction of certificates both from the firmware image and from executable files contained in it.
  • PCI class code enumeration, allowing device class identification.
  • ACPI tables tags extraction.
  • NVAR variable names enumeration.
  • Option ROM extraction, entry point decompilation and PCI feature listing.
  • Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
  • SMBIOS characteristics reporting.

What's probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since it is precisely executable code that could potentially be a source of badness. These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image. Additionally, the tool will highlight which of these extracted PEs are Windows targeted, i.e. they will run on the Windows OS itself rather than on the UEFI pseudo-OS. Usually you would not see Windows executables in this layer, though there are some exceptions like the following case:

As you can see, the report distinguishes between any kind of PE and PEs that will run on the Windows OS itself, the first one of which happens to be detected by a noticeable amount of antivirus vendors. This executable is actually an antitheft product called Computrace, embedded in many BIOS in order to be able to track a system after theft, even if the system is wiped and reinstalled. Totally legit when used for this purpose.

This exemplifies one way in which the new characterization can help in hunting badness, for instance, if you take a closer look at the very first two examples:
You will notice that this is precisely the Lenovo rootkit case. They are two different BIOS updates for Lenovo S21e laptop systems, the second one removes what was identified as factory-installed malware, taking a closer look at both reports you will notice that the first image contains a NovoSecEngine2 Windows executable in charge of deploying further artifacts onto the target system.

Knowing that this new tool is available, the next interesting step would be to be able to dump your own BIOS in order to further study it by submitting it to VirusTotal, the following tools might come in handy:

Obviously, this has its limitations, the system could be compromised in such a manner that the dumpers are deceived, you should understand that the ultimate ground truth is physically attaching to the chip and electronically dumping the flash memory.

When performing BIOS dumps and uploading to VirusTotal make sure you remove private information, certain vendors may store secrets such as WiFi passwords in BIOS variables in order to remember certain settings across system reinstalls. If you are on a Mac, DarwinDumper will allow you to easily strip sensitive information by checking the "Make dumps private" option.

Premium users of VirusTotal Intelligence and VirusTotal Private Mass API will soon be able to read a follow-up article in Intelligence's blog in order to understand how all of this information is now indexed and searchable, allowing you to track down advanced actors making use of BIOS badness in order to persist in their targets' systems.

We would like to specially thank Teddy Reed, developer of the UEFI firmware python parser, he has been instrumental in helping us overcome our ignorance about BIOS, UEFI, and its ecosystem.

Tuesday, 17 November 2015

VirusTotal += Mac OS X execution

We previously announced sandbox execution of Windows PE files in 2012, and Android in 2013.  We are happy to announce equal treatment for Mac OS X  apps. Files scanned that are Mach-O executables, DMG files, or ZIP files containing a Mac app, will be sent to the sandbox in order to produce behavioral reports.

Users may scan these file types directly on, with our OS X Uploader app, or via the API.

As before, users with private API or "allinfo" privileges will see this information in the API responses. For VirusTotal Intelligence customers the information is also indexed and searchable.

Here are a couple of example reports, have a look at the "Behavioural information" tab...

DMG files:
Mach-O files:

ZIP files with an Mac app inside:
If you find issues, or have suggestions to improve the Mac sandbox please send an email to contact [at] virustotal [dot] com.

Friday, 9 October 2015

VirusTotal += CloudStat URL scanner

Today we are introducing a new URL scanner that will be characterizing URLs submitted by users to VirusTotal: CloudStat. In their own words:
CloudStat is a new platform set to revolutionize the way companies collect and analyze their data. It identifies compliance gaps, detects configuration problems and warns customers of cyber security threats by applying our proprietary analysis engine to millions of data points. It delivers concise actionable reports directly to mobile devices. The team behind CloudStat is dedicated to helping companies mitigate risks, increase productivity and reduce costs.
Let us look at how their verdicts show up:

Judging by the reports, it seems that this new engine nicely complements other datasets, such that aggregate threat coverage has been improved, this is good news. Hopefully this addition results in more secure users world-wide.

Welcome CloudStat!

Tuesday, 9 June 2015

VirusTotal += Arcabit

We welcome Arcabit scanner to VirusTotal. This is a multi-engine product from Poland. In the words of the company:

"Arcabit is a Polish vendor of the antivirus and protection software. Arcabit antivirus engine is the hybrid of two solutions - Bitdefender and its own, constantly developed 
engine with rapid response to the new threats. Arcabit uses advanced cloud solutions to identify trends in malware development and to ensure an early response to new threats.
The heuristic mechanisms implemented by Arcabit (identified as HEUR.*) offer the efficacy at the level of 99.9% in detecting threats spreading through popular Web channels - www, email etc."

Friday, 5 June 2015

VirusTotal -= Norman

Blue Coat has decided to retire Norman Scanner Engine as an active OEMable AV scanner engine so it will not be shown in VirusTotal reports.

Tuesday, 28 April 2015

KnockKnock += VirusTotal

In October 2013 we announced that Windows Sysinternals Sigcheck was adding integration with VirusTotal in order to help its users with malware triage. Thereafter, Mark Russinovich has continued to plug VirusTotal into other tools commonly used by malware and forensics analysts, namely Sysinternals Autoruns and Sysinternals Process Explorer.

Today we are excited to announce that Patrick Wardle has included VirusTotal information in the Mac OS X equivalent of Autoruns: KnockKnock. In his own words:
"KnockKnock... Who's There?" See what's persistently installed on your Mac!
Malware installs itself persistently, to ensure it is automatically executed each time a computer is restarted. KnockKnock (UI) uncovers persistently installed software in order to generically reveal such malware.

This tool is extremely useful when performing a quick malware hunt down in Mac OS X systems, and the integration with VirusTotal gives further momentum to all the efforts we have been conducting in helping secure Mac OS X users: tools to further characterize Mac OS X executables, VirusTotal Uploader for OS X, etc.

If you want to learn more about KnockKnock and download it, do not hesitate to visit the project's site: