Wednesday, 27 June 2012

VirusTotal += Cyscon SIRT URL Scanner


We have just introduced the Cyscon SIRT (C-SIRT) malicious URL dataset into VirusTotal's URL scanning engine.

This is an example of the Cyscon (C-SIRT) output; do not forget to refer to the additional information section in order to see the threat information provided:

https://www.virustotal.com/url/252ee025a4a6b57f0b302a97f44ea305863a4cb9419e6f141161cd72b47addb0/analysis/1340792226/

The Cyscon team describe their service as follows:
cyscon & its partners/friends provide a “Security Incident Reporting Service” (SIRT) to any network owner who is interested in receiving automated alerts regarding malware, phishing & other security-related issues within his network.
You may read more about it on their web site.

We would like to give the Cyscon team a really warm welcome and thank them for allowing us to keep improving VirusTotal!

Friday, 15 June 2012

VirusTotal += Sophos URL scanner

Lately we have been introducing many domain characterization datasets/tools in our URL scanning engine; today we are excited to announce that Sophos' fully-fledged URL filtering solution has become part of VirusTotal and will characterize both full URLs and domains.

This is an example of the Sophos output with their malicious test domain; do not forget to refer to the additional information section to see the threat information provided:

https://www.virustotal.com/url/d77e1526bbb2941575cd25edfe23bac54caa38969c4d63c9a85f5e09d4d2d01b/analysis/1339745884/

The Sophos team describe their solution as follows:
You can connect your computers to our constantly updated list of millions of infected websites, so your users can’t get to them — even when they're outside your gateway protection. And we keep it updated, adding around 40,000 new sites every day. Sophos Live URL Filtering is included in all of our Endpoint products and suites.  
You may read more about it on their web site.

We would like to give Sophos URL scanner a really warm welcome and thank them for allowing us to keep improving VirusTotal!

Monday, 11 June 2012

VirusTotal for Android

Years ago there was much fuss about mobile malware, yet the devices themselves were so limited that the claims were dismissed as hype manufactured purely for marketing purposes, so as to sell more mobile phone antivirus solutions.

The rise of smartphones has turned what once were deceitful claims into a real threat. Attackers are well aware that users are moving to mobile devices and performing most of their online activity on them (ebanking, social networking, etc.), and have thus started to target these platforms. Examples of these threats are the Zeus Mitmo banking trojan, fake Angry Birds apps and Opfake.

VirusTotal is strongly committed to making the Internet a safer place by helping end-users in securing their systems, be it desktop PCs or mobile phones. This is why we have developed and released VirusTotal for Android, an Android application that lets you check all the applications on your phone/mobile device against VirusTotal.

You can download the application directly from the Google Play store:

https://play.google.com/store/apps/details?id=com.virustotal

The application will perform hash lookups for all the applications installed in your mobile device. If the application was scanned by VirusTotal in the past and detected by one or more antivirus vendors its results icon will be a red droid, green if it was not detected. A blue question mark will appear next to applications that are unknown to VirusTotal.

You can upload to VirusTotal any application that was not seen in the past. In order to do this you will have to provide your VirusTotal Community credentials; the application will then use your API key to perform the uploads. The file enters a low-priority scanning queue and the application triggers an Android notification whenever the scan ends.

The application has some other features such as rescanning, filtering and detailed results; read more about them at its documentation site. The application was initially coded as part of a university project supervised by Urko Zurutuza from the University of Mondragon; it was later polished and recoded by Anthony Desnos, the most recent member of our team and our resident Android expert. We hope you find it useful!

Please note that VirusTotal for Android does not provide real-time protection and so is no substitute for an antivirus product; it is just a second opinion regarding your apps.

VirusTotal += Palevo Tracker

It seems that lately it is all about domain scanners/datasets: today we have included Palevo Tracker. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks); Palevo Tracker records the C&C hosts being used by the worm variants.

Since it is a malicious domain dataset, it appears in the additional information section of URL reports, characterizing the hosts of the submitted URLs. You may refer to the additional information tab of this scan in order to see its output:

https://www.virustotal.com/url/7c22fa416c960e715d8b1e9ff6cdd160d676c081136f520d9dca2404706fb007/analysis/1339404171/

It is already the third dataset belonging to abuse.ch that we integrate (the previous ones were Zeus Tracker and SpyEye Tracker). We are really grateful to them and would like to congratulate them on the great work they are doing.

Thursday, 7 June 2012

VirusTotal += hpHosts

This morning we announced that we had integrated Malware Domain Blocklist in VirusTotal's URL scanning engine. Continuing the trend of including domain scanners and datasets, we have just added hpHosts and we would like to give them a really warm welcome.

hpHosts maintains an online list of domains involved in some sort of malicious activity. The good thing about hpHosts is that it provides a very rich set of classifications for domains:
  • Domains being used for advert or tracking purposes.
  • Domains engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).
  • Sites engaged in or alleged to be engaged in the exploitation of browser and OS vulnerabilities as well as the exploitation of gray-matter.
  • Sites engaged in the selling or distribution of bogus or fraudulent applications.
  • Sites engaged in astroturfing otherwise known as grass roots marketing.
  • Persons caught spamming the hpHosts forums.
  • Sites engaged in browser hijacking or other forms of hijacking (OS services, bandwidth, DNS, etc.).
  • Sites engaged in the use of misleading marketing tactics.
  • Sites engaged in Phishing.
  • Sites engaged in the selling, distribution or provision of warez (including but not limited to keygens, serials etc), where such provisions do not contain malware.
This enhances the information rendered in the additional information section of VirusTotal reports; it is precisely there that this tool appears, because it characterizes domains rather than URLs:

This is an example of a report with such information:

We started processing the hpHosts dataset today; hence, all new domains they classify from now onwards should be visible to VirusTotal.

As with the Malware Domain Blocklist information, the data returned by hpHosts can be used to build customized scoring systems for full URLs.

hpHosts, once again, thanks for your collaboration!

VirusTotal += Malware Domain Blocklist

We are happy to announce that Malware Domain Blocklist has been integrated in VirusTotal's URL scanning engine. Malware Domain Blocklist is a dataset of malicious domains rather than a full URL scanner. As such, its results appear in the additional information field of VirusTotal reports:

The network location of any URL you submit will be parsed and compared against this dataset and, in the event that the domain was seen to exhibit some sort of malicious behaviour at some point in time, it will be flagged accordingly. This is an example of a URL report with the new information:

https://www.virustotal.com/url/69c9e6afa0ad42f53df62d517c7afc4d14ef4640d8265b108a2aa7230aa9ded2/analysis/1339060844/

It is an interesting addition since it enriches our set of tools that characterize domains. The information might seem redundant or of little use for users intending to scan full URLs rather than domains; however, it is a very useful piece of information if you want to build scoring systems for URLs. Even if the main URL scanners in VirusTotal do not detect the specific full-path URL, you might want to build your own intelligent system that receives several inputs, among them the results of domain datasets, and decides on the maliciousness of the URL.
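As an added example (not VirusTotal's code), here is the kind of scoring system this paragraph and the hpHosts post above suggest: the network location of a URL is normalised and checked against domain datasets (including parent-domain matches), and those hits are combined with full-URL scanner verdicts into a single score. The dataset names are those on the page, but their entries, the scanner verdicts and the weights are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-ins for the domain datasets described on the page;
# the listed domains are made up and use the reserved .test TLD.
DOMAIN_DATASETS: Dict[str, set] = {
    "Malware Domain Blocklist": {"malware-example.test"},
    "hpHosts": {"tracker-example.test"},
    "Palevo Tracker": {"cnc.palevo-example.test"},
}


def network_location(url: str) -> Optional[str]:
    """Host part of a URL: lower-cased, without userinfo, port or trailing dot."""
    host = urlparse(url).hostname  # .hostname drops userinfo and port, lower-cases
    if not host:
        return None
    return host.rstrip(".") or None


def domain_hits(url: str) -> Dict[str, str]:
    """Map each dataset flagging the URL's host (or a parent domain) to the entry matched."""
    host = network_location(url)
    if not host:
        return {}
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # an IP address has no "parent domains" to walk
    except ValueError:
        labels = host.split(".")
        # Full host first, then each parent domain, stopping before the bare TLD,
        # so a listing of "evil.test" also covers "cdn.evil.test".
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    hits: Dict[str, str] = {}
    for name, domains in DOMAIN_DATASETS.items():
        for cand in candidates:
            if cand in domains:
                hits[name] = cand
                break
    return hits


def score_url(url: str, scanner_verdicts: Dict[str, bool]) -> Tuple[int, str]:
    """Weight full-URL detections (2 each) above domain-level flags (1 each); thresholds are arbitrary."""
    score = 2 * sum(1 for detected in scanner_verdicts.values() if detected)
    score += len(domain_hits(url))
    verdict = "malicious" if score >= 3 else "suspicious" if score >= 1 else "clean"
    return score, verdict
```

A real deployment would tune the weights per dataset (a C&C tracker hit is stronger evidence than an advert/tracking classification) and treat "unknown to every source" differently from "scanned and clean".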

We are really grateful to www.malwaredomains.com, keep up the good work!