Thursday, 13 December 2012

Public API request rate limits and tool development

Our goal is simple: to help keep you safe on the web. For this to happen, among many other technical fireworks, we need to receive as many (hopefully malicious) files as possible that we can eventually share with the antivirus and security industry in order to allow them to improve their products and technologies.

One of the ways we envisioned increased submissions to VirusTotal was through the release of our public API. Many tools and security deployments (honeypots, honeyclients, sandboxes, etc.) are making use of it and we are delighted that they do so. However, very often I see that integration with VirusTotal's API could be simpler.

Many users overlook the fact that public API request rate limits are enforced on (IP address, API key) tuples. What does this mean? Users sharing the same API key from different IP addresses are subject to independent request rate counters. Put more simply, if you are a tool developer, you might want to create a public API key for your tool and embed it in your application. That way, by default, you would not have to ask the user to create an API key and the whole integration with VirusTotal would be transparent.

Having said this, it is always wise to have a settings file or tab that allows users to change this default key:
  • Some users might be behind some sort of proxy, corporate network aggregator, NATting device, or similar setup that makes them share the same IP address with other users of your tool. These users should be given the option to create their own API key and modify the setting in your tool.
  • Some users might just want to use an independent key in order to track their own submissions in their VirusTotal Community profile.
  • Some users might simply find the public API request rate limit too low and want to speak with VirusTotal about the possibility of getting a private API key. They should be able to embed that independent private API key in your setup.

So, imagine this hypothetical situation: I want to build a tool that, whenever a USB storage device is plugged into a given PC, inspects its files, looks for any autorun.inf file and submits to VirusTotal any executables referenced in it. I would create a VirusTotal Community account for my tool and retrieve the corresponding API key, then hardcode that key into my application and make the tool use it by default. That said, I would also have a settings tab in my application that would allow users to replace this key with any other key they might register. Of course, I would plan to render messages informing users that they can modify the default key whenever request rate limits are hit because of IP sharing.
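The parsing and key-selection logic of the hypothetical USB tool above, as an added example (not VirusTotal code). `DEFAULT_API_KEY`, the `api_key` setting name, the function names and the sample autorun.inf are constructed placeholders; no network request is made, and references that point off the plugged device are skipped by design.

```python
import ntpath  # Windows path rules, independent of the OS running the tool

# Placeholder for the public API key registered for the tool itself (not a real key).
# Anything embedded in a shipped binary is readable by its users.
DEFAULT_API_KEY = "EMBEDDED-TOOL-KEY-PLACEHOLDER"

# Constructed sample autorun.inf, for illustration only.
SAMPLE_AUTORUN = r"""
; constructed sample
[autorun]
open=setup.exe /auto
icon=setup.exe,0
shellexecute="My Apps\installer.exe" /silent
shell\scan\command=tools/run.exe
shell\open\command=C:\Windows\explorer.exe
label=USB DISK

[other]
open=ignored.exe
"""


def effective_api_key(settings):
    """Return (key, is_default): the user's own key if configured, else the embedded one."""
    user_key = (settings.get("api_key") or "").strip()
    return (user_key, False) if user_key else (DEFAULT_API_KEY, True)


def rate_limit_notice(is_default):
    """Message to render when a request is refused for exceeding the rate limit."""
    if is_default:
        return ("Request rate limit reached. Limits apply per (IP address, API key), "
                "so other users of this tool behind your IP address share your quota. "
                "Set your own API key in Settings to get an independent counter.")
    return "Request rate limit reached for your API key. Retry later."


def _program_from_command(value):
    """Program part of a command line: quoted path, or first whitespace-separated token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""


def _resolve_on_device(program, device_root):
    """Join program onto device_root; None if it names another drive or escapes the root."""
    if not program:
        return None
    drive, rest = ntpath.splitdrive(program)
    root = ntpath.normpath(device_root)
    if drive and drive.lower() != ntpath.splitdrive(root)[0].lower():
        return None  # e.g. C:\... or a UNC share: not a file on the plugged device
    full = ntpath.normpath(ntpath.join(root, rest.lstrip("\\/")))
    prefix = root if root.endswith("\\") else root + "\\"
    return full if full.lower().startswith(prefix.lower()) else None


def referenced_executables(autorun_text, device_root):
    """Paths on the device named by open=, shellexecute= and shell\\<verb>\\command=."""
    found, section = [], None
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # tolerate malformed lines instead of raising
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if not (key in ("open", "shellexecute")
                or (key.startswith("shell\\") and key.endswith("\\command"))):
            continue  # icon=, label= and similar keys do not launch anything
        path = _resolve_on_device(_program_from_command(value), device_root)
        if path and path not in found:
            found.append(path)
    return found


if __name__ == "__main__":
    key, is_default = effective_api_key({"api_key": ""})
    print("using default key:", is_default)
    for path in referenced_executables(SAMPLE_AUTORUN, "E:\\"):
        print("would submit:", path)
```

A real tool would still check that each returned path exists on the device before hashing or uploading it.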

Hope this is useful. I would love to see more VirusTotal plugins out there with a more transparent integration such as the one described above. As usual, before doing any kind of integration please look at our Terms of Service and Best practices: tools competing with the antivirus industry or jeopardizing that industry will be immediately banned from the service. VirusTotal is a tool to help antivirus vendors improve their products, not a means to discredit them, harm them in any way or steal their intellectual property. We take this matter very seriously.

Friday, 30 November 2012

VirusTotal += ADMINUSLabs

Continuing the trend of engine inclusions, we have just added ADMINUSLabs as a new URL scanner. In the words of ADMINUSLabs itself:
ADMINUSLABS has built an incredibly robust and comprehensive binaries and malware collection and analysis set of tools, enabling organizations of all sizes to leverage the data analyzed and threats monitored to build better defense system. With clients and partners in every continent, ADMINUSLABS solutions offer industry leading technology, flexibility, cost effectiveness, and service levels.
ADMINUSLabs has shared its malicious URL dataset with VirusTotal. From now on, whenever a user submits a URL to VirusTotal for scanning, it will also be checked against ADMINUSLabs' dataset and flagged as malicious if present in it. This is an example of a report with one such detection:

https://www.virustotal.com/url/0048c271f6c90bc6959c0eb91ed139692a1ec0f0f4b3328a9ad09baad010c7c2/analysis/1354276484/

ADMINUSLabs' dataset is very large and gets updated several times per day with thousands of new URLs. This is an excellent addition. Many thanks and welcome on board!

VirusTotal += Malwarebytes

We welcome Malwarebytes (aka MBAM) as a new engine working at VirusTotal. Malwarebytes was first released in 2008.

VirusTotal += NANO

We welcome NANO as a new engine working at VirusTotal. NANO is a Russian antivirus company that has been in the market since 2009.

Wednesday, 28 November 2012

VirusTotal += Malekal

We are back with new inclusions in VirusTotal's URL scanning engine. This time we are excited to add Malekal's malicious URL dataset to our aggregate scanner.

Malekal is a site maintained by one of our most active VirusTotal Community users, @Malekal_morte. The site mostly deals with malware and antivirus but has support forums that help users in many other ICT fields. As a result of the support he gives and the research he conducts, Malekal comes across many malware samples and malicious URLs, as we can see in his public listing (21211 documented files since March 2010 at the time of this article).

Malekal's malicious URL dataset is now being used to check whether any URL submitted by a user to VirusTotal is present in it and if so it is flagged accordingly. You should now be able to see these detections in the URL reports, just as an example:

https://www.virustotal.com/url/04d67bdebd8a74eaaac37212e35848203f55823c157aab958ad4415d1b7ba344/analysis/1354089612/

We are extremely grateful to Malekal, welcome on board!

Thursday, 11 October 2012

Pimping up VTchromizer

Among the goodies offered by VirusTotal to the community we can find VTchromizer. VTchromizer is a Google Chrome browser extension that simplifies the process of scanning Internet resources with VirusTotal. It allows you to scan links (including links to files) directly with VirusTotal's web application. It will scan the submitted URLs with URL scanners and the content downloaded from the scanned site with VirusTotal's antivirus solutions.

Some days ago Kyle Creyts from Lastline sent us an email asking us for permission to publish a small Chrome extension that made use of VirusTotal:

This extension makes a new "Get VT analysis" context menu entry when you select text and right click on it.
It's quite simple to use. You select the text of a hash in your browser, right click on it, and select "Get VT analysis for %s" from the context menu (where %s is the hash). I have it set up to use the selection length to validate that the input is a valid {md5,sha1,sha256} hash. I could easily add the ability to validate the character range (hex).

We love it when the community builds tools with VirusTotal, and we are absolutely in favour of promoting third-party altruistic efforts that will improve overall end-user security. Hence, we strongly encourage Kyle to publish his extension. It is a really good idea.

It is such a good idea that we did not hesitate to include that functionality in our own official extension:

https://chrome.google.com/webstore/detail/vtchromizer/efbjojhplkelaegfbieplglfidafgoka

As of version 1.2, whenever you select a text and right-click on it a context menu will appear that allows you to check the selected text with VirusTotal:

  • If the selection is an md5, sha1 or sha256 hash the extension will display the VirusTotal report for the file with that hash.
  • If the selection is any other text the extension will look for any comments in VirusTotal Community tagged with the given term.

This is in addition to the traditional feature that allows you to right-click on any link and submit it for scanning.


Thanks for the idea Kyle! As usual, if you have any suggestions or feature requests please do not hesitate to contact us, we will be more than happy to consider and implement them.

Wednesday, 10 October 2012

VirusTotal += Netcraft

Netcraft Toolbar is one of the best-known antiphishing/antimalware browser toolbars out there. The Netcraft team describes its software as follows:
The Toolbar community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of emails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
The Netcraft Toolbar also:

  • Traps suspicious URLs containing characters which have no common purpose other than to deceive.
  • Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls.
  • Clearly displays sites' hosting location, including country, helping you to evaluate fraudulent urls (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).
Taking all of this into account, we are really excited to announce that Netcraft has been integrated in VirusTotal. You will now see it as another URL scanner in VirusTotal's URL scanning service.

With this addition we already have over 30 URL scanners and are looking forward to being in the forties as soon as possible, so if you have an interesting malicious URL dataset or URL scanner please do not hesitate to contact us. We will be more than happy to include you!

Thank you Netcraft team!

Monday, 24 September 2012

VirusTotal += Webutation

It has been a while since we last included a domain characterization dataset. We have just added Webutation and we would like to give them a really warm welcome.


The Webutation team describes its service as follows:

Webutation is an open community about Website Reputation and
  • collects user feedback and customer experience about websites.
  • tests websites against spyware, spam and scams with smart scanning technology in realtime.
  • queries
    • Google Safebrowsing against badware and phishing fraud (which is used in Firefox as well and updates every half hour).
    • Website Antivirus which scans sites against adware (popups), spyware (outgoing links) and viruses.
    • WOT which collects some reviews about websites.
    • Norton Safe Web
    • as well as many other website feedback resources.
This will surely enhance the information rendered in the additional information section of VirusTotal reports. The tool appears precisely there because it characterizes domains rather than URLs. For example:

https://www.virustotal.com/url/5ab7fdaa6cc0cbc8e17965044afe3c47266819335a9fa5533004113664bbb4ef/analysis/1348486392/

As it happened with the other domain characterization engines, the data returned by Webutation can be used for building customized scoring systems for full URLs.

Webutation, once again, thanks for your collaboration!

Wednesday, 19 September 2012

VirusTotal += Kingsoft

We welcome Kingsoft as a new engine working at VirusTotal. Kingsoft Security is a Chinese antivirus company that has been in the market since 2000 and is now the fifth largest Internet software company in that country.

This specific engine we've integrated is heavily based on cloud technology.

Friday, 7 September 2012

An update from VirusTotal

Our goal is simple: to help keep you safe on the web. And we’ve worked hard to ensure that the services we offer continually improve. But as a small, resource-constrained company, that can sometimes be challenging. So we’re delighted that Google, a long-time partner, has acquired VirusTotal. This is great news for you, and bad news for malware generators, because:

  • The quality and power of our malware research tools will keep improving, most likely faster; and
  • Google’s infrastructure will ensure that our tools are always ready, right when you need them.  

VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them.   

VirusTotal Team

For press inquiries, please contact press@google.com.

Thursday, 30 August 2012

VirusTotal += Sucuri SiteCheck


It has been a while since we last added a new analyzer to our URL scanning engine. Today we are excited to announce that Sucuri SiteCheck has become part of our small family. This is how the Sucuri team describes their service:
Sucuri SiteCheck is highly sophisticated and designed to identify a number of different malware types: Obfuscated JavaScript injections, Cross Site Scripting (XSS), Website Defacements, Hidden & Malicious iFrames, PHP Mailers, Phishing Attempts, Malicious Redirects, Backdoors (e.g., C99, R57, Webshells), Anomalies, Drive-by-Downloads, IP Cloaking, Social Engineering Attacks. There are a number of blacklisting authorities that monitor for malware, SPAM, and phishing attempts. Sucuri SiteCheck leverages the APIs for the following authorities to alert you when you’ve been flagged: Sucuri, Google Safe Browsing, Norton, AVG, Phish Tank (Phishing Specifically), McAfee SiteAdvisor.
We are extremely grateful to Sucuri. You should now see them on our URL reports, just as an example:

https://www.virustotal.com/url/78f6ade26461d84b32b857529613abbd8c9e1306fa3a4e6b9e9c8ff11dd1d82d/analysis/

You may read more about their technology at their services site.

Welcome on board Sucuri!

Wednesday, 29 August 2012

AV Comparative Analyses, Marketing, and VirusTotal: A Bad Combination


[originally written in 2007 (deprecated & offline blog), I have recovered it because it remains a topical issue]

Today I read this piece of news:
"An experiment conducted at the end of March by independent security-industry benchmark website VirusTotal.com attempted to simulate a malicious attack using a long-known source of malicious code on computers. Competing with 32 rivals, only Finjan's Vital Security Web Appliance detected and blocked the malicious code in VirusTotal's tests. The computers running other products were all comprised [sic] - resulting in potential data loss and theft."
This paragraph may lead to confusion, whether that was the result intended or not, and that is why we feel compelled to declare the following at VirusTotal:

  • VirusTotal has not conducted any experiment or test related to AV comparative analyses.
  • VirusTotal has no notice whatsoever of the malicious code they refer to in this piece of news.
  • VirusTotal has never tested nor tried Finjan's security solutions.

Generally speaking, even though it may seem obvious, we must state that all anti-malware products have detection problems due to the tremendous proliferation and diversification of malware nowadays. Likewise, any product may detect a new sample on its own, either because of its heuristics or because they are the first ones to generate a specific signature. This is why it seems totally inadequate and opportunistic to claim the superiority of a product based on the result of a sole malware sample.

We are rather tired of repeating that VirusTotal was not designed as a tool to perform AV comparative analyses, but as a tool that checks suspicious samples with several AV programs and helps AV labs by forwarding them the malware they failed to detect. Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology, the most obvious being:

  • VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.

In general, it is not an easy task to perform a responsible and reliable AV comparative analysis; it requires having a malware collection that is both representative (nowadays it should be larger than the In-The-Wild collection) and authentic (ZOO collections are riddled with false viruses and corrupt executables). Besides, given the implementation of new AV technologies, in the case of desktop AV products, it would be necessary to execute those samples one by one in real environments with each of the resident products to see their detection capabilities and their prevention. As of today, there is no AV comparative analysis in the world that meets these basic requirements.

Monday, 23 July 2012

VirusTotal += Behavioural Information

There has already been some Twitter buzz around this even though we have not announced it publicly yet, indeed, some of you have already noticed it:


We have introduced behavioural information in our reports. The idea behind this is that the samples submitted to VirusTotal get executed automatically in a controlled (sandboxed) environment and the actions performed are recorded in order to give the analyst a high level overview of what the sample is doing.

Please note that there are already fantastic sandboxes out there, most noticeably:
We do not intend to compete against any of them, our aim is just to produce complementary reports to the ones generated by these awesome online sandboxes that will further help the security community.

Currently we are just processing new samples (never seen before by VirusTotal) that are Portable Executables (PEs) and are below 8MB in size. The execution is still a best effort operation and it is completely asynchronous, hence, do not expect the VirusTotal reports to have any fancy Ajax informing about the progress of the behavioural data extraction. Once you submit a file, the information will appear at a later moment in time and there are no guarantees about it being generated.

These are just a couple of examples of the reports generated (make sure you scroll down to the tabs below the antivirus verdicts table):
https://www.virustotal.com/file/2f2a645b873a5dfe7985a2c9cbfeff3424e68d9181791c908081c023c2a817b0/analysis/
https://www.virustotal.com/file/bf7ab9dcc69d8e0a1777fcb72e568708450fe32fae4d9cd67a68c27d2a2209cd/analysis/
https://www.virustotal.com/file/e5fbeab009326a5ae129942bd824868ddbdec3efc4cb48404581c290aac1b4c9/analysis/

Malekal has done a far better job than us at explaining the different fields present in the report; you may want to refer to his "VirusTotal: Behavioural information" post to learn more. Please note that the reports show only the fields that are applicable to the binary under consideration. For example, you won't see the Windows Services section if the executable is not interacting with any Windows Services.

We also saw on Twitter that Claudio Guarnieri was wondering what technology we were using to produce these reports. Yes, it is your brilliant Cuckoo indeed (or nearly, some tweaks were made), so thank you very much for it. You have done an amazing job, congratulations.

Over the coming weeks we would like to work on the VirusTotal UI in order to make the behavioural information and the rest of the data on the reports (additional information and antivirus reports) more eye-catching, thus easing navigation. We are a team of hardcore engineers and, as you may have noticed, our taste for design is not all that great. Hence, we would really appreciate some suggestions from the community regarding how we could structure our layout in order to make the reports more useful to all of you.

Once this is done we may start thinking about giving feedback to the user regarding the behavioural report generation process so that analysts can take full advantage of this new feature.

Monday, 2 July 2012

VirusTotal += SecureBrain URL scanner

Some weeks ago I came across gred. The truth is I had never heard of gred before; however, I did know SecureBrain, the company behind gred. I contacted them to see whether they would be interested in introducing their malicious URL dataset in VirusTotal and they made it possible with utmost diligence.

We are extremely grateful to SecureBrain and very excited to announce that they now appear in our URL reports, just as an example:

https://www.virustotal.com/url/e8750c0b772976de6563aa81162fd319256064c76a00e0d46ab5cc5d7ebe1933/analysis/1341229461/

The SecureBrain team describe their service as follows:

Gred Security Service - Web Check
Web Check is an award winning SaaS service to help ensure your web site content is free from malware often injected by Hackers. By keeping your web content free from un-authorized malicious changes, it will help protect your customer when visiting your web site.

You may read more about their technology at their product description site.

Welcome on board SecureBrain!

Wednesday, 27 June 2012

VirusTotal += Cyscon SIRT URL Scanner


We have just introduced Cyscon SIRT (C-SIRT) malicious URL dataset in VirusTotal's URL scanning engine.

This is an example of the Cyscon (C-SIRT) output, do not forget to refer to the additional information section in order to see the threat information provided:

https://www.virustotal.com/url/252ee025a4a6b57f0b302a97f44ea305863a4cb9419e6f141161cd72b47addb0/analysis/1340792226/

The Cyscon team describe their service as follows:
cyscon & its partners/friends provide a “Security Incident Reporting Service” (SIRT) to any network owner, who is interested in receiving automated alerts regarding malware, phishing & other security related issues within his network.
You may read more about it on their web site.

We would like to give the Cyscon team a really warm welcome and thank them for allowing us to keep improving VirusTotal!

Friday, 15 June 2012

VirusTotal += Sophos URL scanner

Lately we had been introducing many domain characterization datasets/tools in our URL scanning engine, today we are excited to announce that Sophos' fully-fledged URL filtering solution has become part of VirusTotal and will be characterizing both full URLs and domains.

This is an example of the Sophos output with their malicious test domain, do not forget to refer to the additional information section to see the threat information provided:

https://www.virustotal.com/url/d77e1526bbb2941575cd25edfe23bac54caa38969c4d63c9a85f5e09d4d2d01b/analysis/1339745884/

The Sophos team describe their solution as follows:
You can connect your computers to our constantly updated list of millions of infected websites, so your users can’t get to them — even when they're outside your gateway protection. And we keep it updated, adding around 40,000 new sites every day. Sophos Live URL Filtering is included in all of our Endpoint products and suites.  
You may read more about it on their web site.

We would like to give Sophos URL scanner a really warm welcome and thank them for allowing us to keep improving VirusTotal!

Monday, 11 June 2012

VirusTotal for Android

Years ago there was much fuss about mobile malware, yet the devices themselves were so limited that the claims made were considered no more than hype developed exclusively for marketing purposes so as to sell more mobile phone antivirus solutions.

The rise of smartphones has made what once were deceitful claims a real threat. Attackers are well aware that users are moving to mobile devices and performing most of their online activity on them (ebanking, social networking, etc.), and thus have started to target these platforms. Examples of these threats are the Zeus Mitmo banking trojan, fake Angry Birds or Opfake.

VirusTotal is strongly committed to making the Internet a safer place by helping end-users in securing their systems, be it desktop PCs or mobile phones. This is why we have developed and released VirusTotal for Android, an Android application that lets you check all the applications on your phone/mobile device against VirusTotal.



You can download the application directly from the Google Play store:

https://play.google.com/store/apps/details?id=com.virustotal

The application will perform hash lookups for all the applications installed in your mobile device. If the application was scanned by VirusTotal in the past and detected by one or more antivirus vendors its results icon will be a red droid, green if it was not detected. A blue question mark will appear next to applications that are unknown to VirusTotal.

You can upload to VirusTotal any application that was not seen in the past. To do this you will have to provide your VirusTotal Community credentials; the application will then use your API key to perform the uploads. The file will enter a low priority scanning queue and the application will trigger an Android notification whenever the scan ends.

The application has some other features such as rescanning, filtering or detailed results; read more about them at its documentation site. The application was initially coded as part of a University project supervised by Urko Zurutuza from the University of Mondragon. It was later polished and recoded by Anthony Desnos, the most recent member of our team and our resident Android expert. We hope you find it useful!

Please note that VirusTotal for Android does not provide real-time protection and so is no substitute for any antivirus product, just a second opinion regarding your apps.

VirusTotal += Palevo Tracker

It seems that lately it is all about domain scanners/datasets. Today we have included Palevo Tracker. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks); Palevo Tracker records the C&C hosts being used by the worm variants.

Since it is a malicious domain dataset it appears in the additional information section of URL reports, characterizing the hosts of the submitted URLs, you may refer to the additional information tab of this scan in order to see its output:

https://www.virustotal.com/url/7c22fa416c960e715d8b1e9ff6cdd160d676c081136f520d9dca2404706fb007/analysis/1339404171/

It is already the 3rd dataset belonging to abuse.ch that we integrate (the previous ones were Zeus Tracker and SpyEye Tracker). We are really grateful to them and would like to congratulate them for the great work they are doing.

Thursday, 7 June 2012

VirusTotal += hpHosts

This morning we announced that we had integrated Malware Domain Blocklist in VirusTotal's URL scanning engine. Continuing the trend of including domain scanners and datasets, we have just added hpHosts and we would like to give them a really warm welcome.

hpHosts maintains an online list of domains involved in some sort of malicious activity. The good thing about hpHosts is that it provides a very rich set of classifications for domains:
  • Domains being used for advert or tracking purposes.
  • Domains engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).
  • Sites engaged in or alleged to be engaged in the exploitation of browser and OS vulnerabilities as well as the exploitation of gray-matter.
  • Sites engaged in the selling or distribution of bogus or fraudulent applications.
  • Sites engaged in astroturfing otherwise known as grass roots marketing.
  • Persons caught spamming the hpHosts forums.
  • Sites engaged in browser hijacking or other forms of hijacking (OS services, bandwidth, DNS, etc.).
  • Sites engaged in the use of misleading marketing tactics.
  • Sites engaged in Phishing.
  • Sites engaged in the selling, distribution or provision of warez (including but not limited to keygens, serials etc), where such provisions do not contain malware.
This enhances the information rendered in the additional information section of VirusTotal reports, it is precisely there where this tool appears because it characterizes domains rather than URLs:


This is an example of a report with such information:


We started processing the hpHosts dataset today, hence, all new domains they classify from now onwards should be visible to VirusTotal.

As it happened with the Malware Domain Blocklist information, the data returned by hpHosts can be used for building customized scoring systems for full URLs.

hpHosts, once again, thanks for your collaboration!

VirusTotal += Malware Domain Blocklist

We are happy to announce that Malware Domain Blocklist has been integrated in VirusTotal's URL scanning engine. Malware Domain Blocklist is a dataset of malicious domains rather than a full URL scanner. As such, its results appear in the additional information field of VirusTotal reports:


The network location of any URL you submit will be parsed and compared against this dataset and, in the event that the domain was seen to exhibit some sort of malicious behaviour at some point in time, it will be flagged accordingly. This is an example of a URL report with the new information:

https://www.virustotal.com/url/69c9e6afa0ad42f53df62d517c7afc4d14ef4640d8265b108a2aa7230aa9ded2/analysis/1339060844/

It is an interesting addition since it enriches our set of tools that characterize domains. The information might seem redundant or of little use for users intending to scan full URLs rather than domains, however, it is a very useful piece of information if you want to build scoring systems for URLs. Even if the main URL scanners in VirusTotal do not detect the specific full path URL, you might want to produce your own intelligent system that receives several inputs, among them the results of domain datasets, and decides on the maliciousness of the URL.

We are really grateful to www.malwaredomains.com, keep up the good work!

Tuesday, 29 May 2012

VirusTotal URL scanner += AlienVault

Yesterday we added Comodo Site Inspector to VirusTotal's URL scanning engine. Today we are really happy to announce that AlienVault has also become part of our small family. The list of URL scanners has now grown to 27, plus a couple of other domain/URL characterization tools/datasets.

AlienVault develops and maintains several security solutions, one of the most famous ones is its OSSIM. In building these tools, the AlienVault team comes across many threats, just as they describe it in their website:
Our people constantly monitor, analyse, reverse engineer and report on sophisticated zero-day threats including malware, botnets, phishing campaigns and more. Through this team of dedicated and renowned security experts, AlienVault contributes code, documentation, analysis and research results in various forms to the security community, to educate it and to make the world a more secure place for all of us.
The AlienVault team has very kindly put one of their malicious URL datasets at our disposal so that VirusTotal's URL scanner can query it. They also publish some statistics about what they are seeing in the wild in their Open Source IP Reputation Portal.

Once again, we would like to thank AlienVault for helping us improve VirusTotal and we look forward to other malicious URL/domain datasets/characterization tools contacting us to be included in VirusTotal.

Monday, 28 May 2012

VirusTotal URL scanner += Comodo Site Inspector

Today we are integrating Comodo Site Inspector in VirusTotal's URL scanning engine. We have reached 26 URL scanners/datasets and a bunch of domain classifiers/datasets. We intend to keep increasing this figure, thus, if you are the owner of a URL blacklisting service or dataset please do not hesitate to contact us.

As to Comodo Site Inspector, you can find more about it on its home page, including the online scanning service itself and a list of recent detections:

http://siteinspector.comodo.com/

The Comodo team describes the service as follows:
SiteInspector uses browser instance in sandboxed environment (a virtual machine) and browses the page at the URL that you submitted. If the browser performs a malicious activity, crashes, downloads a suspicious file, changes registry entries or exhibits behavior consistent with malware activity then it's flagged as malicious. This allows regular Internet users to test the safety of a particular website and allows website operators to test the safety of their website from their customers' point of view.
SiteInspector acts as a vulnerable customer by visiting the page and testing whether it launches an attack. If it does, then the scan results will warn you that the website contains malicious content. Each scan takes only a few seconds.
This description and other details can also be found in their FAQ.

We would like to give Comodo Site Inspector a really warm welcome and thank them for allowing us to keep improving VirusTotal!

Wednesday, 11 April 2012

Increasing the family

Today we have released a new VirusTotal version. As usual, we would like to share with you the modifications and enhancements:

  • New URL scanning engines and malicious URL/domain datasets have been integrated in our URL scanner: Antiy-AVL, K7AntiVirus, Malware Patrol, Minotaur, WoT and zvelo. We want to give a warm welcome to all of them!
  • Whenever a scanned URL is a redirector, the redirected URL is also queued for scanning. The additional information section of the redirector URL will link to the report of the redirected URL. For example, that's exactly what happens when you scan http://www.virustotal.com: since it redirects to https://www.virustotal.com (SSL), you will see the redirected URL report link in the additional information section.
  • The National Software Reference Library information is back on VirusTotal and appears in the additional information section of the file scan reports whenever the analysed file is found in the NSRL database.
  • Many users missed the old interface's VirusTotal Community summary in file and URL reports. The summary box used to detail the number of users that voted a resource as malicious/benign and the aggregated reputation points of these users. In line with the requests received, we have added a Votes tab at the end of reports that shows who voted on a given resource and the number of file/URL reputation credits that the vote added to the file/URL's karma. Please note that the file/URL karma is computed via a formula that takes into account user votes, user reputation credits and other heuristics based on the different tools integrated in VirusTotal.
  • Certain tools were acting on the files but were not being displayed in the new interface (yet the old interface did show them); they are now displayed as usual in the additional information section: Clam AV potentially unwanted application file tagging, Symantec suspicious-insight file tagging, F-Secure Deepguard file tagging, Androguard android file analyser, Antiy-AVL unpacker, F-Prot unpacker, PE compilation timestamp, PE entry point, PE target architecture (machine type), PEiD packer identifier.
  • VirusTotal Community members can now modify their password through their user settings.
  • You may also notice minor styling changes, such as the fact that malicious/benign voting icons have changed to angel/devil emoticons. The idea behind these modifications is to make the interface more intuitive.
In the meantime we are cooking very exciting enhancements that we really hope will please the Community, so stay tuned. As always, we would love to hear from you.

Tuesday, 3 April 2012

100 million files

VirusTotal has reached a remarkable milestone today: 100 million files in its database. That's more than most countries' population. Really amazing. But even more amazing is that more than 60 million of those files have been submitted during the last year, so we have grown in one year more than ever since VirusTotal's launch in 2004.

As our site grows the challenge is bigger, but we keep our commitment to give a useful service to all of you. And this is just the beginning, a lot more is coming!

Wednesday, 28 March 2012

VirusTotal -= PrevX

The PrevX engine used at VirusTotal has been removed, as that specific product has been EOLd.

Tuesday, 14 February 2012

VTchromizer version 1.1

VTchromizer is a Google Chrome browser extension for interacting with VirusTotal. We describe its full functionality in its official documentation and you can install it directly from the Chrome Web Store. The extension embeds a new context menu dialog option whenever you right-click on links; this option allows you to scan the target URL with VirusTotal prior to visiting the given site.

The main purpose of VTchromizer is to help the community in securing their systems. Having said this, if we can also collect interesting data to analyse and study, even better. We are interested in malware, obviously, so if you come across any malicious file download link do not hesitate to scan it with VTchromizer. Additionally, we have been encouraging users to send us phishing and any other fraud/ecrime related sites. Why? Hopefully these sites will end up being processed by the URL analysis tools integrated in VirusTotal and will improve their efficiency, and thus end-user protection.

A while ago one of VTchromizer's users made a comment on our Chrome Web Store site:
Nice extension! VirusTotal is an extremely useful tool to keep you safe on the Internet. One small bug though. When I right-click on the link, I see a simple line in the menu: "Scan with VirusTotal", which works fine. However, after I click on the toolbar VirusTotal icon, the right-click menu changes. I see now the reference to VTchromizer, which points to 2, 3, 4 or more repetitions of the line "Scan with VirusTotal". The number of repetitions of this same line corresponds with the number of times I click on the toolbar icon - it can be 10, 15 and higher. It should be fixed. I use the latest Chrome 12.0.742.112.
It was a really stupid bug whereby the toolbar popup kept loading a JavaScript file that added the "Scan with VirusTotal" option to the context menu each time it was loaded. We have corrected this bug and made available a new version of the extension, VTchromizer v1.1. Those of you already using the extension should have transparently received the update.

As usual, we really appreciate your feedback and are really keen to keep improving the functionality of our tools, thus, all your comments regarding VTchromizer are welcome at our contact site.
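The duplicate-menu bug described above, reproduced as an added example (this is not VTchromizer's source). It uses a small in-memory stand-in for `chrome.contextMenus` so it runs under Node; the function names and the `vt-scan-link` id are hypothetical, and the fix shown is one possible approach, not necessarily the one shipped in v1.1.

```javascript
// In-memory stand-in for chrome.contextMenus (assumption: models only the
// behaviour relevant here, i.e. every create() call adds one more entry).
function makeFakeContextMenus() {
  const items = [];
  return {
    items,
    create(props) { items.push({ ...props }); },
    removeAll() { items.length = 0; },
  };
}

// Buggy pattern: one shared script registers the menu entry, and the toolbar
// popup includes that script too, so each popup open registers it again.
function sharedScriptBuggy(menus) {
  menus.create({ title: 'Scan with VirusTotal', contexts: ['link'] });
}

// Fixed pattern (hypothetical): registration lives only in the script that
// runs at extension start, and it is idempotent so a reload cannot duplicate.
function registerMenuOnce(menus) {
  menus.removeAll();
  menus.create({ id: 'vt-scan-link', title: 'Scan with VirusTotal', contexts: ['link'] });
}

// Returns the menu titles a user would see after `popupOpens` toolbar clicks.
function simulate(popupOpens, fixed) {
  const menus = makeFakeContextMenus();
  // Extension start: the background page sets up the menu.
  if (fixed) registerMenuOnce(menus);
  else sharedScriptBuggy(menus);
  for (let i = 0; i < popupOpens; i++) {
    // Buggy popup re-loads the shared script; fixed popup makes no menu calls.
    if (!fixed) sharedScriptBuggy(menus);
  }
  return menus.items.map((m) => m.title);
}
```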