Wednesday, 27 November 2013

VirusTotal += Ad-Aware

We welcome Ad-Aware as a new engine working at VirusTotal. In the words of Lavasoft:

"Ad-Aware 11 is Lavasoft’s next generation anti-malware product that includes behavior based heuristics, generic detection routines and virtual machine analysis for executable files that is capable of detecting zero-day and new/unknown malware. It has support for more than 100 packers and runs full multithreading and concurrent scans."

Wednesday, 13 November 2013

VirusTotal += malwares.com URL checker

Many security industry actors build solutions that sit at the network perimeter, inspecting traffic and discriminating potentially malicious content. One of these solutions is SIMBA from Saint Security (others include FireEye, Fidelis XPS, Damballa, etc.).

By inspecting traffic, these solutions are in a privileged position to perform correlations that discover and characterize malicious patterns; this is what allows these companies to discover thousands of malicious URLs and files every day. Saint Security has made part of its discriminatory logic available at malwares.com:

"As a cloud-based malicious codes database system, malwares.com is a one-stop service to collect, analyze and detect various malicious codes or malwares such as Trojans, Viruses, Worms so that customers or end-users can make proper security policies to take countermeasures against security threats."

Today we are excited to announce that malwares.com has been integrated into VirusTotal as a URL checker, and as of today URL scans will be enriched with its dataset of malicious verdicts. This inclusion is very interesting as it covers much of the threat landscape seen in South Korea; a clear example is the following report:
https://www.virustotal.com/en/url/3625ed7252e98152ad781b3deea92038bc1d416c343f8b7bfe2a3ec8ca5b3727/analysis/

Welcome on board and thanks for joining us!

Thursday, 31 October 2013

VirusTotal += AegisLab WebGuard

Our effort to pump up our URL scanner backbone continues; today we are excited to announce the integration of AegisLab WebGuard, a concise malicious URL database for blocking malicious URLs, whose characteristics are described by its developers as:

"Fast update and leave less open window for attack. Less false positive than other web filter DBs. Website hijacking prevention. Concise malicious URL database. Including: Drive-by-Downloads, BlackHat SEO, Fake Anti-Virus, Installer and Updates, Scarewares, etc."

You can read more about the kind of threats that AegisLab WebGuard intercepts in this blog post: http://blog.aegislab.com/?p=78

Welcome on board guys, thanks for joining VirusTotal!

VirusTotal += RiskAnalytics AutoShun

"What is AutoShun? AutoShun is a small appliance that protects your network from attacks. Automatically updates itself within minutes to bidirectionally block new threats. One AutoShun device is able to protect an entire site. Configurable whitelist to ensure business partner communications. Ability to block traffic by geographic regions. Reporting on all blocked threats and traffic."

This is the way the RiskAnalytics team describes its AutoShun solution. As you may infer, in order to be able to bidirectionally block threats, AutoShun works (among other technologies and logistics) with a dataset of online threats. From now on VirusTotal users will also be able to check their submitted URLs against this dataset, which appears in VirusTotal under the name AutoShun.

Thank you RiskAnalytics!

Monday, 28 October 2013

VirusTotal += Emsisoft URL scanner

Emsisoft has been a long-time friend of VirusTotal, enhancing our file scan reports with its antivirus signatures. Its anti-malware product incorporates different protection layers, one of which they describe as follows:

"SURF PROTECTION: If you unintentionally try to access a website that spreads trojans or spyware, Emsisoft Anti-Malware will prevent you from doing so. The built-in list of known dangerous and fraudulent websites is automatically updated every hour."

The guys over at Emsisoft are committed to continuing to make the Internet a safer place: as of today, in addition to their file scanner, VirusTotal URL scan reports will also integrate their threat intelligence regarding malicious URLs.

This is an example of a URL scan report where they produce a malicious verdict:
https://www.virustotal.com/en/url/eddc45e5147f369d37f2146388f3d96a02408ab30cbf9dc3e8f9cd0c896837e5/analysis/1382951589/

We are really grateful for the quick turnaround that the Emsisoft team has had in integrating their solution, thank you!

Thursday, 24 October 2013

Sigcheck += VirusTotal

Windows Sysinternals is a part of the Microsoft TechNet website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

The Sysinternals collection includes awesome tools such as Process Explorer, AutoRuns or Sigcheck, among many others. I can still remember the times when I had to investigate remote e-banking user PCs in order to identify the culprit of a fraudulent transaction (Zbot, Sinowal, Ambler, etc.); at the time, I do not know what I would have done without AutoRuns and Process Explorer.

What I am trying to say is that at VirusTotal we are great fans of the Sysinternals utilities. It has been a while since we integrated Sigcheck in VirusTotal, providing extremely useful information about PE signatures: data that can be used in goodware vs. malicious scoring systems, to identify the author of a legitimate piece of software, or to spot compromised certificates used to sign malware, to name just a couple of practical use cases.

Today we are delighted to announce that the relationship has become reciprocal and Mark Russinovich has integrated VirusTotal in Sigcheck. With a simple command-line option you are now able to query VirusTotal for the results of a given file; read more about it at the official site: http://technet.microsoft.com/en-us/sysinternals/bb897441

Thank you Mark! It has been a pleasure working together!

Wednesday, 23 October 2013

Tuesday, 22 October 2013

VirusTotal += StopBadware

"StopBadware is a nonprofit anti-malware organization based in Cambridge, Massachusetts. Our work makes the Web safer through the prevention, mitigation, and remediation of badware websites. We protect people and organizations from becoming victims of viruses, spyware, scareware, and other badware."

This is the way the StopBadware team describes itself, a pretty awesome initiative that has managed to bring together many partners. From now onward VirusTotal users will also be able to take advantage of their URL verdicts.

StopBadware numbers are very impressive, since their launch they have managed to:
  • inform over 700,000 website owners about how to remediate their compromised sites and prevent future attack
  • serve more than 10 million Google and Firefox users with content about how to mitigate their risk of badware infection
  • help de-blacklist over 100,000 websites flagged by our data providers for badware
  • enlist more than 50 web hosting providers from 22 countries (and counting) in the We Stop Badware™ Web Host program, which helps those providers respond more quickly and effectively to reports of badware on their networks
Without doubt, this integration will bring great value to VirusTotal, thank you StopBadware!

Monday, 21 October 2013

VirusTotal += ThreatHive

"ThreatHive is a domain and IP reputation tracking system comprised of data collected from various sources including sandboxing, collecting data from various spampot systems and independent research."

This is how The Malwarelab describes its ThreatHive initiative, which has just been integrated into VirusTotal. With this inclusion we are well over 40 URL scanners; over the weekend we integrated some new engines that we will be announcing in the coming days.

Thank you The Malwarelab!

Wednesday, 18 September 2013

VirusTotal += CMC

We welcome CMC as a new engine working at VirusTotal. In the words of the antivirus company:

"CMC features an in-house developed engine called Odin, with static and dynamic unpackers, an x86 virtual machine to provide advanced de-obfuscation, and an in-memory engine to detect malware called Sonar. There is also a reputation-based system named CMCRadar to accelerate response time, early warnings and global white listing."

Tuesday, 17 September 2013

VirusTotal += Bkav

We welcome Bkav as a new engine working at VirusTotal. This scanner includes both signature-based and cloud technologies. This Vietnamese company, established in 1995, is also a smartphone manufacturer.

Wednesday, 4 September 2013

VirusTotal += Zemana AntiLogger metadata

Zemana is a security solutions provider that produces, among other software, a popular antilogger, in their own words:
"In a nutshell, the AntiLogger is a lightweight app that keeps track of who is doing what on your computer. Instead of identifying malware based on its signature fingerprint, like all malware products with scan functionality, the AntiLogger catches malware at the moment it attacks your computer. It will then prompt you if an illegal program is trying to record your keystrokes, capture your screen, gain access to your clipboard, microphone and webcam, or inject itself into your computer's sensitive areas. The AntiLogger features our unique SSL Intrusion Protection technology that guards you against advanced forms of Financial Malware. The AntiLogger is one of the very few products on the market today able to detect these dangerous and complex threats. Zemana AntiLogger is not designed to replace your installed antivirus software -- it's made to detect serious threats that are outside of their scope. It adds an extra layer of essential protection to whatever anti-malware or anti-virus software you're currently using."

As part of the work that Zemana carries out with respect to these forms of malware, they come across many malicious files and are able to characterize their behaviour according to the information theft activities they carry out. Zemana has been kind enough to share some of its behavioural notions with VirusTotal and now for many of the files in our dataset you will see Zemana behavioural tags such as:
  • keylogger
  • screen-capture
  • webcam-capture
  • microphone-access
  • clipboard-monitor
  • dll-injection
  • driver-installation
  • startup-registration
  • bho-installation
  • ssl-hook-installation
Please refer to the additional information tab of the following report in order to see how this data is rendered publicly:
https://www.virustotal.com/en/file/7a8a5298f0a5e8222f3746b429a18dbdaeb8bbc7a4070ef4490824ffda0b2c66/analysis/

This information is particularly interesting as it characterizes behaviour on end-user physical machines, i.e. real-world scenarios, so it can overcome common problems with behavioural sandboxes such as virtual machine detection. But the shared metadata is not limited to this: they are also providing interesting data such as the in-the-wild file names of certain malware, which can sometimes be a hint regarding the dissemination and propagation strategies used by attackers.

Additionally, since Zemana is not designed to replace installed antivirus software but rather to act as a complementary security layer, they are very often able to detect zero-day malware with low detection rates, samples that they are actively sharing with VirusTotal in order to improve detection rates world-wide and help make the Internet a safer place.

Thank you Zemana team! Keep up the good work!

Tuesday, 3 September 2013

VirusTotal += Baidu-International

We welcome Baidu International as a new engine working at VirusTotal. In the words of the antivirus company:

“Baidu international antivirus engine innovated original ultrafast cloud security technology. We established a huge Black-White sample list system. By aligning the client software on the user's computer with servers in Baidu cloud security data center, Baidu Antivirus utilizes cloud computing technology and its massive file database to quickly and accurately eradicate the latest trojans, unknown trojans, and other malicious programs. This solves the problems faced by traditional antivirus software such as the lag behind the latest trojans and viruses and the huge consumption of computer resources.”

Monday, 3 June 2013

Social engineering attacks using DRM protected ASF files

Some of you may have already noticed that we have started to show new information for ASF files in the File details tab, example:

https://www.virustotal.com/en/file/b44378bc5f32700edd97d3f66479d9665194cfef95a2252c70a4237263bdfafd/analysis/

This information includes the content encryption object, the extended content encryption object and script command objects, if any at all.

The Advanced Systems Format (ASF) is Microsoft's proprietary audio/video container format. Its specification defines the structure of the audio/video stream and provides a framework for digital rights management (DRM) of the contained streams. Files using this format are commonly seen with wmv, wma or mp3 extensions.

The Windows Media Rights Manager allows protection of the media content in such a way that once the user tries to play a file for which there is no valid license, Windows Media Player will display a URL defined by the content provider.

This scheme allows attackers to craft malicious media files that force a visit to a malicious URL when the file is opened. In the following screenshot we can observe how a wmv file (https://www.virustotal.com/en/file/9c3d364fb2f6e43a8c1d149bfb929bc5fc1ec2a9ae6ca424d87295e65b61e3c4/analysis/) forces the user to visit xvidprox.com; this site deceives the visitor into thinking that a "required" plugin must be downloaded and installed in order to watch the video, a common social engineering trick.



Parsing the file content encryption headers we find:

Content Encryption Header:
Secret Data: '\xcf\xb8\xba\xf2F2\xd3\xf7Sb\xd9D\xbd5\x936\x8c\xd2Tk\x97\xdb\tT'
Protection Type: DRM
Key ID: gAtyRGxTp0uyKC9AAbf3Gg==
License URL: http://www.microsoft.com/isapi/redir.dll?prd=wmdrm&pver=2&os=win&sbp=newclient

Extended Content Encryption Header:
<WRMHEADER version="2.0.0.0">
<DATA>
 <RID>1</RID>
 <CID>500</CID>
 <LAINFO>http://xvidprox.com/index.html?id=&amp;dlgx=1000&amp;dlgy=600&amp;adv=0</LAINFO>
 <KID>gAtyRGxTp0uyKC9AAbf3Gg==</KID>
 <CHECKSUM>ErLnEFXO!A==</CHECKSUM>
</DATA>
<SIGNATURE>
 <HASHALGORITHM type="SHA"></HASHALGORITHM>
 <SIGNALGORITHM type="MSDRM"></SIGNALGORITHM>
 <VALUE>Trh0AiQYQRBmw3qKi1i4Ox1Lv2FTC!4VFKZoCAJdGwnkPNC8z*bfDA==</VALUE>
</SIGNATURE>
</WRMHEADER>
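The following added example (not VirusTotal's own parser) walks the sub-objects of the ASF Header Object and pulls out the same two objects shown above, the Content Encryption Object and the Extended Content Encryption Object, returning the license URL and the LAINFO URL that the player would open when no license is present. Object GUIDs and field layouts are those of the public ASF specification; the sample file, key IDs and example.invalid URLs are constructed for the demo.

```python
"""Extract the DRM redirect URLs from an ASF (WMV/WMA) header.

Added example; this is not VirusTotal's own parser. Object GUIDs and field
layouts follow the public ASF specification. The sample file at the bottom is
constructed for the demo and is not a real sample.
"""
import struct
import uuid
import xml.etree.ElementTree as ET

# Object identifiers from the ASF specification (stored little-endian in files).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def _read_lv(buf, off):
    """Read a 32-bit little-endian length followed by that many bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length-prefixed field runs past the object")
    return buf[off:off + n], off + n


def _cstr(b):
    """Decode a NUL-terminated ASCII field."""
    return b.rstrip(b"\0").decode("ascii", "replace")


def parse_content_encryption(body):
    """Content Encryption Object: secret data, protection type, key ID, license URL."""
    secret, off = _read_lv(body, 0)
    ptype, off = _read_lv(body, off)
    key_id, off = _read_lv(body, off)
    url, _ = _read_lv(body, off)
    return {"secret_data": secret, "protection_type": _cstr(ptype),
            "key_id": _cstr(key_id), "license_url": _cstr(url)}


def parse_extended_content_encryption(body):
    """Extended Content Encryption Object: a length-prefixed WRMHEADER XML document
    (UTF-16LE with a BOM in real files). LAINFO is the license acquisition URL."""
    raw, _ = _read_lv(body, 0)
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", "replace")
    root = ET.fromstring(text.rstrip("\0"))
    return {"key_id": root.findtext("DATA/KID"),
            "la_info": root.findtext("DATA/LAINFO"), "xml": text}


def parse_asf_drm(blob):
    """Walk the sub-objects of the ASF Header Object and return the DRM ones."""
    if blob[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF file")
    (header_size,) = struct.unpack_from("<Q", blob, 16)
    end = min(header_size, len(blob))
    off = 30  # GUID (16) + size (8) + object count (4) + two reserved bytes
    found = {}
    while off + 24 <= end:
        guid = uuid.UUID(bytes_le=blob[off:off + 16])
        (size,) = struct.unpack_from("<Q", blob, off + 16)
        if size < 24 or off + size > end:
            raise ValueError("malformed object size")
        body = blob[off + 24:off + size]
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            found["content_encryption"] = parse_content_encryption(body)
        elif guid == ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT:
            found["extended_content_encryption"] = parse_extended_content_encryption(body)
        off += size
    return found


def drm_redirect_urls(blob):
    """URLs the player may open when no license exists: License URL and LAINFO."""
    found = parse_asf_drm(blob)
    urls = set()
    ce = found.get("content_encryption")
    if ce and ce["license_url"]:
        urls.add(ce["license_url"])
    ece = found.get("extended_content_encryption")
    if ece and ece["la_info"]:
        urls.add(ece["la_info"])
    return sorted(urls)


# --- constructed sample: a header carrying both DRM objects and no media data ---
def _lv(b):
    return struct.pack("<I", len(b)) + b


def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


_CE = (_lv(b"\x01\x02\x03\x04") + _lv(b"DRM\0") + _lv(b"constructedKID00\0")
       + _lv(b"http://license.example.invalid/acquire\0"))
_WRM = ('<WRMHEADER version="2.0.0.0"><DATA><KID>constructedKID00</KID>'
        '<LAINFO>http://lure.example.invalid/play.cgi?DlgX=800&amp;DlgY=600</LAINFO>'
        '</DATA></WRMHEADER>')
_SUB = (_obj(ASF_CONTENT_ENCRYPTION_OBJECT, _CE)
        + _obj(ASF_EXTENDED_CONTENT_ENCRYPTION_OBJECT, _lv(_WRM.encode("utf-16"))))
SAMPLE_ASF = ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(_SUB), 2, 1, 2) + _SUB

if __name__ == "__main__":
    for u in drm_redirect_urls(SAMPLE_ASF):
        print(u)
```

Run it against a real wmv by passing `open(path, "rb").read()` to `drm_redirect_urls`; a video whose LAINFO points at something other than a real license server is the pattern described in this post.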



Needless to say, you will not be able to play the video file (commonly these are small encrypted videos no bigger than 300k, padded with useless data to look like the latest 800MB movie release).

Downloaded file analysis:
https://www.virustotal.com/en/file/5e0b93dfa2aca2463aa022141f079b9bb455d5823f0ab2c9fca8254834bcd47b/analysis/

Let us look at another example of a malicious video sample:
https://www.virustotal.com/en/file/2b75d7be851514dbaf1fa1649f5eee29efc9669ca774bae98944b72356fef4d3/analysis/


Again the ASF headers contain:

Content Encryption Header:
Secret Data: '\xfe\xf0\xfc\x0f\x8c\xf6^\xb9\x8eav\x9f\xfb\x92)\x9d'
Protection Type: DRM
Key ID: ldkokwerodkkkkkk
License URL: http://free-media-player.info/play.cgi?DlgX=800&DlgY=600

Extended Content Encryption Header:
<WRMHEADER version="2.0.0.0">
<DATA>
 <CHECKSUM>KeBODgJtVQ==</CHECKSUM>
 <KID>ldkokwerodkkkkkk</KID>
 <LAINFO>http://free-media-player.info/play.cgi?DlgX=800&DlgY=600</LAINFO>
</DATA>
<SIGNATURE>
 <HASHALGORITHM type="SHA"></HASHALGORITHM>
 <SIGNALGORITHM type="MSDRM"></SIGNALGORITHM>
 <VALUE>2tV2YzlYaZH1LFpq3CEUF+XrNT6+gh++dF3hNEWPONoVWUClPHXGKg==</VALUE>
</SIGNATURE>
</WRMHEADER>

The downloaded file is, once again, clearly malicious:
https://www.virustotal.com/en/file/38eb4c07d967862bbee40010671d111ca76d5e14c3ad23962bc0755ffeaf6fec/analysis/

We successfully tried these videos on Windows Media Player 11 and 12; no user interaction was needed to show the malicious websites, which opens the door to even more interesting automated exploitation through browser vulnerabilities.

A deeper analysis of this matter can be found in a 2010 post at http://habrahabr.ru/post/89676/ (Russian).

We believe displaying these new file details will further help malware researchers in their fight against the bad guys. Additionally, this attack trend leaves room for new interesting features to be implemented in VirusTotal with regards to the relationships between files. Was this file downloaded from a given site? And if so, was this site used in a media content DRM social engineering attack? Which video file was the initial trigger for the whole infection process? Interesting questions that we will soon be addressing.

Friday, 3 May 2013

VirusTotal += CyberCrime botnet panels tracker

Xylitol has been extremely kind in letting us enrich VirusTotal's URL scanner with his CyberCrime tracker. CyberCrime is a C&C panel tracker, in other words, it lists the administration interfaces of certain in-the-wild botnets. As such, its URL database is inherently smaller than other datasets integrated in VirusTotal.

Nonetheless, one should not neglect the usefulness of this tracker: very often other malware-related infrastructure is located on the same host as the botnet administration panel, so it can prove very useful in finding evil.

https://www.virustotal.com/en/url/ba1cee3c6a157232ac8a61b17ff07694acc970e1bae9ced5c9ef2bfc56ae6ea1/analysis/1367596300/

Thank you Xylitol! Keep up the good work!

VirusTotal += Virus Tracker

Just after Kaspersky joined VirusTotal's aggregate URL scanner, we are excited to announce that Virus Tracker is also becoming part of our family:

https://www.virustotal.com/en/url/82ddbb7eea25e7ce2ca13aed44cac009d9ff6c463e763d22b8b2043f20bd8a52/analysis/1367576071/

Virus Tracker is a service whose mission:

"is to provide detailed infection statistics, C&C information and an automatically updated domain blocklist of various botnets to the security community."

The site is non-profit and focuses on banking trojans and financial malware; some of the botnets it tracks are multibanker, sinowal, tinybanker, urlzone, zeus, ramnit, etc. This is fantastic news for the average end-user, who will have a better view of the most perilous threats directly targeting their money.

Yet another URL scanner, one more and we will be in the forties, thank you Virus Tracker team!

Monday, 29 April 2013

VirusTotal += Kaspersky URL scanner

We are excited to announce that Kaspersky has just joined the club of URL scanners! As many of you know, VirusTotal does not only check files with antivirus solutions, it can also scan Internet sites making use of different malicious URL datasets and URL scanning engines. This functionality is available at: https://www.virustotal.com/#url

Kaspersky's latest security suites contain a URL scanning module known as Kaspersky URL Advisor, which is described by the company as:

"The URL scanning module, which is called Kaspersky URL Advisor, is managed by the Web Anti-Virus component from Kaspersky Internet Security 2012. This module checks if links located on the web page belong to the list of suspicious and phishing web addresses from anti-virus databases which you get during anti-virus databases update.
Also Kaspersky URL Advisor uses reputation services from Kaspersky Security Network. Using data from the reputation services, Kaspersky Internet Security 2012 marks links in the web browser, thereby informing you about the possible dangers of this or that website even before you follow the link in question."

Part of this functionality has been very generously made available to VirusTotal in order to check URLs submitted by our users against their dataset.

This is yet another URL scanner that joins our family in the hope of making the Internet a safer place; if you have a malicious URL dataset, or some technology that, given a site, is capable of producing a maliciousness verdict, do not hesitate to join the battle.

Thank you, Kaspersky team, for making this possible!

Monday, 22 April 2013

VirusTotal += PCAP Analyzer

VirusTotal is a greedy creature, one of its gluttonous wishes is to be able to understand and characterize all the races it encounters, it already understood the insurgent collective of Portable Executables, the greenish creatures known as Android APKs, the talkative PDF civilization, etc. as of today it also figures out PCAPs, a rare group of individuals obsessed with recording everything they see.

PCAP files contain network packet data created during a live network capture, often used for packet sniffing and analyzing data network characteristics. In the malware research field PCAPs are often used to:

  • Record malware network communication when executed in sandboxed environments.
  • Record honeyclient browser exploitation traces.
  • Log network activity seen by network appliances and IDS.
  • etc.
We have seen that many users send their PCAPs to VirusTotal; these PCAPs often contain HTTP flows whereby a trojan is downloaded, recordings of worm scanning sweeps, logs of exploits being delivered to a honeymonkey, etc. We want to help those users submitting PCAPs to VirusTotal and improve their research, which is why we have introduced PCAP analysis. Its features are:
  • Processes the files with popular intrusion detection systems (Snort and Suricata for the moment) and logs the rules that they trigger.
  • Extracts file metadata with Wireshark.
  • Lists DNS resolutions performed.
  • Lists HTTP communication.
  • Extracts files seen in the different network flows and links to the pertinent VirusTotal reports if the given file is of an interesting file type (portable executables, PDFs, flash, compressed bundles, etc.). If you are registered in VirusTotal Community and have signed in, these interesting files extracted from the network flow will be available for you to download as long as you are the first submitter of the PCAP (which when dealing with this type of files is the most common situation). 
Without further ado, let us paste a couple of examples of this new functionality (refer to the File details tab in order to see all of the aforementioned information):




Tuesday, 16 April 2013

VirusTotal += K7GW

We welcome K7GW (K7 Antivirus Gateway) as a new engine working at VirusTotal. In the words of the antivirus company:

"K7GW is a lightweight, faster version of K7's scanner which focuses on more robust generics & heuristics, the core binaries remaining essentially unchanged".

Monday, 8 April 2013

Passive DNS API

Last week we announced the inclusion of passive DNS data in VirusTotal. Today we are excited to let you know that we have included two new API calls to automatically query this data and build tools and plugins with our dataset:

https://www.virustotal.com/documentation/public-api/#getting-ip-reports
https://www.virustotal.com/documentation/public-api/#getting-domain-reports

When we released the web interface passive DNS search feature many users already wanted to build tools around it:


Now that the API is in production it is absolutely safe to start implementing your ideas, not only do we allow you to do so but also strongly encourage you to take advantage of this API.

As you may have noticed, rather than a dedicated API to retrieve exclusively passive DNS data, these are calls to gather information regarding IP addresses and domains. It has been built this way because we intend to extend the fields present in the returned JSON. As of right now the detected_urls field might be present; this field records the latest URLs detected by at least one URL scanner as malicious and hosted at the queried host. In the near future we would like to include other notions such as:
  • What were the latest malware samples that communicated with the given host?
  • What were the latest malware samples downloaded from the given host?
  • What were the latest malware samples that contained the given host in their strings dump?
  • Have we seen a particular exploit kit hosted at the given host?
And many more exciting features that we will keep to ourselves in order to keep you reading our blog :P
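As an added example (not VirusTotal's own client code), the script below builds the two report requests announced above and reduces a response to its passive DNS resolutions plus the detected_urls entries that meet a detection threshold. The endpoint paths and the layout of the resolutions field are assumed from the v2 public API (the post itself only names detected_urls), and the JSON report is a constructed sample with placeholder hosts.

```python
"""Query VirusTotal's v2 IP address / domain report calls and summarise the
passive DNS and detected_urls data they return.

Added example, not VirusTotal's own client. The endpoint paths and the
`resolutions` field layout are assumed from the v2 public API; the sample
report below is constructed with placeholder hosts, not real data.
"""
import json
import urllib.parse
import urllib.request

API_BASE = "https://www.virustotal.com/vtapi/v2/"
# kind -> (path, query parameter name)
ENDPOINTS = {"ip": ("ip-address/report", "ip"), "domain": ("domain/report", "domain")}


def report_url(kind, value, apikey):
    """Build the GET URL for an IP address ('ip') or a domain ('domain') report."""
    if kind not in ENDPOINTS:
        raise ValueError("kind must be 'ip' or 'domain'")
    path, param = ENDPOINTS[kind]
    return API_BASE + path + "?" + urllib.parse.urlencode({param: value, "apikey": apikey})


def fetch_report(kind, value, apikey, timeout=30):
    """Perform the request. Needs network access and a valid key; the demo does not call it."""
    with urllib.request.urlopen(report_url(kind, value, apikey), timeout=timeout) as resp:
        return json.load(resp)


def summarise(report, min_positives=1):
    """Reduce a report to its passive DNS pairs and the URLs flagged by at least
    min_positives URL scanners. response_code 1 means the host is in the dataset."""
    if report.get("response_code") != 1:
        return {"known": False, "resolutions": [], "detected_urls": []}
    resolutions = []
    for r in report.get("resolutions", []):
        # IP reports carry the hostnames that resolved to the IP; domain reports
        # carry the ip_address values the domain resolved to.
        name = r.get("hostname") or r.get("ip_address")
        resolutions.append((name, r.get("last_resolved")))
    urls = [(u["url"], u["positives"], u["total"], u.get("scan_date"))
            for u in report.get("detected_urls", [])
            if u.get("positives", 0) >= min_positives]
    urls.sort(key=lambda t: t[1], reverse=True)  # most-detected first
    return {"known": True, "resolutions": sorted(resolutions), "detected_urls": urls}


# Constructed sample of an IP report (placeholder hosts, not a real response).
SAMPLE_IP_REPORT = json.loads("""
{
  "response_code": 1,
  "verbose_msg": "IP address found in dataset",
  "resolutions": [
    {"hostname": "update.example.invalid", "last_resolved": "2013-04-07 18:40:00"},
    {"hostname": "cdn.example.invalid", "last_resolved": "2013-04-05 10:12:00"}
  ],
  "detected_urls": [
    {"url": "http://cdn.example.invalid/index.html", "positives": 1, "total": 39,
     "scan_date": "2013-04-05 10:13:00"},
    {"url": "http://update.example.invalid/setup.exe", "positives": 12, "total": 39,
     "scan_date": "2013-04-07 18:41:05"}
  ]
}
""")

if __name__ == "__main__":
    print(report_url("ip", "192.0.2.10", "YOUR_API_KEY"))  # placeholder key
    print(json.dumps(summarise(SAMPLE_IP_REPORT, min_positives=2), indent=2))
```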


Monday, 1 April 2013

VirusTotal += Passive DNS replication

Passive DNS replication is a technology which constructs zone replicas without cooperation from zone administrators, based on captured name server responses. As explained by Merike Kaeo from the Internet Systems Consortium in this presentation, the main idea behind passive DNS is as follows:
  • Inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.
  • After being processed, individual DNS records are stored in a database where they can be indexed and queried.
As such, passive DNS can help in answering the following questions:
  • Where did this domain name point to in the past?
  • What domain names are hosted by a given nameserver?
  • What domain names point into a given IP network?
  • What subdomains exist below a certain domain name?
It is, thus, obvious that passive DNS may be very useful in malware investigations, as it may help researchers discover network infrastructure operated by the same group of criminals, other domains being used to distribute a given malware variant, algorithm-governed C&C communication points, etc.

There are plenty of amazing passive DNS services out there, for example BFK passive DNS replication. We do not intend to compete with these services but rather to offer the security community the perspective VirusTotal has regarding network infrastructure involved in malicious incidents. VirusTotal visits many URLs related to malware and executes thousands of samples per day that communicate with certain domains; as such, we have a privileged position when it comes to passive DNS focused on malware research.

Not so long ago we started to record domain resolutions, exclusively address (A) records, and we are now offering this feature via our standard search form. If you search for an IP address you will be redirected to a site with passive DNS information for that address:


Similarly, if you use the domain:example.domain.com search modifier you will be redirected to a site with information regarding the given domain:


We are really excited about this new feature, not only because it is going to help the security community but because it opens the door to future improvements of the IP address and domain information panes. Wouldn't you love to be able to answer the following questions?
  • What were the last malicious files downloaded from a given host?
  • What were the latest executed malware samples that communicated with the given host?
  • Has this host been seen to use some exploit kit?
  • What were the latest malicious URLs identified at the particular host?
  • What were the latest submitted malware samples that contained the particular host in their strings?
  • And a very long etcetera.
With this new feature there is also a commitment from our side to work on answering these questions so that you can make your malware investigations more productive.

Wednesday, 6 March 2013

VirusTotal += Android execution reports

Last year we included sandbox execution reports for Portable Executable files thanks to the amazing tool developed by Claudio “nex” Guarnieri and his team, Cuckoo. We are excited to announce that as of today we are also displaying behavioural reports for Android applications (APKs).

Indeed, when informing you about Anthony's return from the Android jungle we promised there would be some further new and exciting features to come. While traversing a cascade of APK, ODEX, DEX, AXML and ARSC species he discovered that sometimes Androguard was not enough to distinguish the good from the evil, he needed something more, he needed to record how these species behaved in order to have a clearer picture in mind of their malicious or harmless intentions.

Attending to these needs he developed an in-house Android Sandbox where these fancy creatures could play around, spit their SMS, excrete their files, sing melodic HTTP conversations and perform animal matters.

These are some examples of the reports produced (Behaviour information tab):

https://www.virustotal.com/en/file/b707d23bfc22908ae8ee2f6e2d0bc9c74135af18c5eea2b3bcca7471d08985c2/analysis/

https://www.virustotal.com/en/file/6775a8711283ce4f6f1f000f3bd6d65bb1666c37175efd6b3edc2091842eeeb7/analysis/

https://www.virustotal.com/en/file/1230d64ccba3f7f5b32972308295ce90ffa7a95cb8f713c7c39ead88e4faff6d/analysis/

Please note that these reports will appear in an asynchronous fashion, they may not be generated until a couple of minutes after your file scan ends.

Those users with private API or allinfo privileges will see this information in the API responses. As to VirusTotal Intelligence, we will soon be indexing this data and the new Androguard outputs in order to enhance our search functionality, stay tuned, pay attention to the pertinent documentation.

VirusTotal += Fortinet URL Scanner

"FortiGuard Labs analyzes events in real time throughout cyberspace, including both the domain (URL) and IP level. If a website or server hosts malware, attack code, or has been used in spam emails these events will be analyzed by the lab. A history of these events, along with additional intelligence data is available through our URL and IP Lookup tool."

This is how Fortinet describes its web filtering solution, which has just been integrated into VirusTotal. With this inclusion we reach 38 URL scanners; we want to surpass 40, so if you have any interesting malicious URL dataset or URL scanner please do not hesitate to contact us, we will be more than happy to include you!

This is a permalink to a report showing Fortinet's detection of a phishing site:
https://www.virustotal.com/en/url/3b7819d0ced38ed3d754fcf34378a07c6fc6559116353534ac028d6395020197/analysis/1362562630/

Thank you Fortinet team!

Wednesday, 27 February 2013

Pimping up the characterization of Android files

Our resident Android expert, Anthony Desnos, is back from the Android jungle once again. In this new trip he has encountered and documented many new wild specimens, fought a couple of battles against nasty creatures such as Smsilence and worked hard to polish his main weapon when confronting and recognizing the evil: Androguard.

VirusTotal's private Androguard version has been noticeably improved and the information it dumps is far more extensive than it used to be, including a risk summary, permissions, permission-related api calls, activities, services, receivers, application certificate information and a very long etcetera. This new information appears under a new tab named file details, just as you can observe in the following screenshot.


This is just the very beginning of a series of new features that will hopefully improve your understanding of Android-related files, not only APKs but also DEX, ODEX and AXML formats, stay tuned! Meanwhile, you can take a look at a couple of reports with the new details:

https://www.virustotal.com/en/file/18c0da675416bd9ba06f30ad9f5a608e1ab011e71d79ee60b22d55f98f189356/analysis/

https://www.virustotal.com/en/file/d6f789450613fc8073c67d6c4374963fbf1ca675d8b3fc6221213af4a93de94c/analysis/

https://www.virustotal.com/en/file/b867e8afc9d1a25014496371bdfba2ab4ab133ff83cc1fbfcec83c11817f4d73/analysis/

As usual, suggestions and feature requests are more than welcome!

Tuesday, 12 February 2013

Join us!

VirusTotal is under heavy attack by a myriad of worms that have been given the following names by the AV industry: Win32/Bureaucracy.Worm.B, Worm:Win32/Paperwork.A, Worm.Win32.Processdriven.Gen, W32/SalesOps.Gen!B... In order to harden our infrastructure and repel this severely epidemic intrusion we are seeking a highly motivated administrative-oriented malware buster, with experience in dealing with the aforementioned malicious code but also with enthusiasm to try out new weapons and hunt down other evil categories... join the battle...

We are looking for:
  • BA or BS degree (in a technical field preferred).
  • At least 1 year of full-time relevant work experience.
  • Ability to quickly learn new tools, technologies and concepts; Interests in the Internet/ICT security field, more specifically malware and antivirus.
  • Ability to effectively communicate and collaborate with a diverse range of people and job functions.
  • Excellent communication and presentation skills, both written and verbal in English (Spanish and other languages will be a plus).
  • Preferable: technical background in order to code (python language) new product features with the engineering team when idle on support and sales operations.
  • Preferable: ICT security, Reverse engineering and malware research knowledge or passion to learn about these fields.
  • Preferable: cooking skills (big kitchen here), D&D, video-games and sports.
  • Essential: friendly, passion for sun, beach and fried fish (you will be in Malaga!)

Your work will be:
  • First level support to VirusTotal users. Troubleshoot and solve user issues (mainly via email, very occasionally on the phone).
  • Relationship management (VT Community, users, researchers, discussion lists, security groups, forums, conferences).
  • Understand complex user requirements.
  • Collect customer and user feedback, classify it, prioritize it and make it available to the engineering team. Define user needs to improve services.
  • Develop and provide custom presentations about VirusTotal services.
  • Demonstrate service usage and basic technical use cases (API integration, Intelligence investigations, etc.).
  • Manage a varied portfolio of customers at scale.
  • Manage the entire sales cycle (finance and legal tools) and customer billing working closely with the Finance, Legal and VirusTotal team.
  • Formulate legal language and agreements for new services being developed by the engineering team.
  • Come up with design ideas and improvements for existing services.

If you are interested, please send us an email to contact at virustotal.com (subject: "tech-vendor-support job offer") and don't forget to attach your CV.

Wednesday, 23 January 2013

VirusTotal.url_scanners.extend(Quttera, ESET)

We are pleased to announce that we are including two new URL scanners in VirusTotal: Quttera and ESET. At the same time, we are also updating Trend Micro's and Antiy-AVL's web checkers, the changes should improve their detection rates, enhancing the overall aggregate detection capability of VirusTotal's URL scanning engine.

Quttera describes its technology as follows:
"WIS is a BETA version of a cloud based application that utilizes Quttera exploit detection technology. This online URL scanner investigates URLs in order to detect suspicious scripts, malicious media and any other web security threats hidden into legitimate content and located on web sites."

As to ESET, its URL scanner is usually embedded in their antivirus software, providing a holistic solution:
"At ESET, we are dedicated to developing high-performing security solutions for home users and corporate customers, detecting and disabling all known and emerging forms of malware."

We are really excited to announce these changes since we have just reached 37 URL scanners, even though not all of them always show up due to timeout issues. We will soon catch up with the number of file scanners. If your company/team develops a link checker or maintains a malicious URL dataset do not hesitate to contact us, we will be more than happy to integrate your solution/dataset.