Monday, 1 December 2014

A closer look at Mac OS X executables and iOS apps

Virustotal has always been able to scan and provide verdicts for Mac OS X executables and iOS apps, these are just some examples:
https://www.virustotal.com/en/file/b9fb26c553e793ac4c598a67447f67c85eb9e561a9b7722667f7f45e34e2f71c/analysis/
https://www.virustotal.com/en/file/c5030830203c3bf67ef49af6908cbeb6aa234fe0346d8d9ebf85d4dd5d7482be/analysis/
https://www.virustotal.com/en/file/63149fe9e2efd94d666402d637d921a6ca4dd73dcda318a7fcc82c274175d19a/analysis/
Actually, scanning capabilities regarding certain file types is a common end-user misconception, virustotal will scan any binary content, with independence of its file type, as antivirus vendors will develop signatures for any file type and target OS with independence of the OS that hosts the engines running in virustotal.

This said, two weeks ago we silently introduced a new tool to further characterize Mac OS X executables and iOS apps, extracting interesting static properties from these types of files, similar to what the pefile python module does for Portable Executables.

The new tool will extract file header information (e.g. required architecture and sub-architecture, flags, magic string, etc.), the file segments and its inner sections, any shared libraries that the executable makes use of, load commands and signature information whenever the mach-o happens to be code signed.


In the event that the Mac OS X executable is a universal binary containing mach-o files for several target systems, a characterization of each one of the embedded files will be provided. You may refer to the file details tab of the above reports in order to see an example of this new set of information.

As to iOS apps, the new tool will not only characterize the executable providing the application's main functionality, it will also generate metadata regarding the package itself (property list configuration information and embedded mobile provision data) and iTunes details.


As you may notice, this tool follows the trend of what we recently implemented regarding ELF files, hopefully it will also help in spotting and studying threats targeting Mac OS X and iOS.

Thursday, 27 November 2014

VirusTotal += ALYac

We welcome ESTsoft ALYac engine to VirusTotal. This South Korean multi-engine antivirus includes its own engine called Tera plus the popular BitDefender engine. In the words of the company:

"""ALYac provides differentiated service with the award winning Triple-Engines.
The ESTsoft's Tera Engine, the BitDefender Engine and the Sophos Engine establish several protection layers.

With the lightweighted engine and the memory optimization, ALYac minimizes its resource usage.
Moreover, ALYac boasts excellent detection power against variant malicious files through 'Smart Scan Technology'."""

Tuesday, 18 November 2014

virustotal += Blueliv URL scanner

We are excited to announce that we have just integrated Blueliv's malicious URL tracker in virustotal, as yet one more URL scanner providing verdicts on URLs submitted by users. In their own words:
Blueliv is a leading provider of cyber threat information and analysis intelligence for large enterprises, service providers, and security vendors. The company’s deep expertise, data sources, and cloud-based platform address a comprehensive range of cyber threats to turn global threat data into real-time actionable intelligence specifically for each client in an easy-to-use dashboard. Blueliv’s clients include leading bank, insurance, telecom, utility, and retail enterprises.
At present, Blueliv's tracker is highly focused on sites used as C&C infrastructure for trojans, URLs distributing malware and sites with exploit kits, an example of their detections can be found in the following reports:
https://www.virustotal.com/en/url/78b30edc4de035348586cd408626009bbc42be366873e65a8bcc4f35f780f783/analysis/1415884660/
https://www.virustotal.com/en/url/885b6e1dc91e1f01413c0316117f294203d643a1ef3ec79c17556956ff08d086/analysis/1415890213/

Hopefully this integration will lead to increased knowledge about threats and will help protect users world-wide.

Welcome Blueliv!

Tuesday, 11 November 2014

virustotal += Detailed ELF information

In computing, the Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps. It was chosen as the standard binary file format for Unix and Unix-like systems [Wikipedia].

Even though the popularity of the Windows OS among average end-user systems has meant that attackers have mostly focused on developing malware for Windows systems, ELF badness is a growing concern. The colleagues over at Malware Must Die are making a huge effort to put some focus on ELF malware, their article entitled China ELF botnet malware infection & distribution scheme unleashed is just an example.

Today we are rolling out a tool to generate detailed structural information regarding ELFs. This information includes: file header specifics (ABI version, required architecture, etc.), sections, segments, shared libraries used, imported symbols, exported symbols, packers used, etc. You may take a look at this new information in the File Details tab of the following report:
https://www.virustotal.com/en/file/cc5833d039943bcf06cb185500b21a19d4e1f73a3362943d27697fc93f7b9602/analysis/



Hopefully all this new information will bring some attention to malware targeting linux systems and will lead to better world-wide defenses against these threats.

Friday, 17 October 2014

virustotal += Baidu-International URL scanner

And we are in our sixties with respect to the number of URL scanning engines integrated in VirusTotal, welcome Baidu-International! Not so long ago we introduced their file scanner and today we are excited to populate the malicious URL dataset with their verdicts.

In their own words:
Baidu Antivirus is a permanently free and easy-to-use antivirus software which offers proactive defense, file protection, USB protection, download protection, browser protection, and other professional security features. 
As part of the browser protection component they offer they come across and have to research many malicious URLs per day, these URLs will now trigger alerts on VirusTotal. An example of their engine in action can be found below:
https://www.virustotal.com/en/url/000feb4703a2f1b3a84ad435c46da9f523ea9daec84747b12bf8345ef2908de8/analysis/1413373146/

Welcome Baidu-International!

Wednesday, 24 September 2014

virustotal += PhishLabs URL scanner

Yet another malicious URL dataset is joining virustotal today. Welcome PhishLabs.

In their own words:
PhishLabs provides cybercrime protection and intelligence services that fight back against online threats and reduce the risk posed by phishing, malware, and other cyber-attacks. They fight back against online threats by detecting, analyzing, and proactively dismantling the systems and illicit services cybercriminals depend on to attack businesses and their customers.

As part of the investigations that they conduct and the Intelligence that they gather, PhishLabs comes across many malicious URLs every day, from now on virustotal checks will also run against their blacklist, enhancing users' ability to detect recent threats.

An example of a report containing an PhishLabs report can be found below:
https://www.virustotal.com/en/url/0ec471bc92bb025a95945ba57004d23cc5854bb8ce686a02f92375cdccffa341/analysis/

Welcome PhishLabs!

Tuesday, 29 July 2014

virustotal += OpenPhish URL scanner

We keep increasing the number of engines integrated in virustotal's URL scanning backbone. Today is the turn of OpenPhish. OpenPhish is a service developed by FraudSense, whose engine was integrated a couple of weeks ago, that serves as a free repository of phishing sites detected with FraudSense's Phishing Detection Technology.

In their own words:
OpenPhish is a free service that provides a continuously updated feed of global phishing URLs that were detected by FraudSense's Phishing Detection Technology. The feed includes phishing sites from the past 7 days and is updated in real time with newly detected ones.
The feed is publicly available at:
http://www.openphish.com/

It is also served as plain text at the following URL:
http://www.openphish.com/feed.txt

An example of a report containing an OpenPhish report can be found below:
https://www.virustotal.com/en/url/7f50f5c8baf4671d4f0d54bc6b7d765292bfa9f922b6f382d1723a8d5d3fcb38/analysis/1406625327/

Hopefully this new addition will beef up virustotal's detection capabilities when it comes to phishing sites, which even though is an old scam, it is still very extended and a common threat for the average Internet user.

Welcome OpenPhish!