Monday, 8 April 2013

Passive DNS API

Last week we announced the inclusion of passive DNS data in VirusTotal. Today we are excited to let you know that we have included two new API calls to automatically query this data and build tools and plugins with our dataset:

https://www.virustotal.com/documentation/public-api/#getting-ip-reports
https://www.virustotal.com/documentation/public-api/#getting-domain-reports

When we released the web interface passive DNS search feature many users already wanted to build tools around it:


Now that the API is in production it is absolutely safe to start implementing your ideas, not only do we allow you to do so but also strongly encourage you to take advantage of this API.

As you may have noticed, rather than a dedicated API to retrieve exclusively passive DNS data, they are calls to gather information regarding IP addresses and domains. It has been built this way because we intend to extend the fields present in the returned JSON. As of right now the detected_urls field might be present, this field records the latest URLs detected by at least one URL scanner as malicious and hosted at the queried host. In the near future we would like to include other notions such as:
  • What were the latest malware samples that communicated with the given host?
  • What were the latest malware samples downloaded from the given host?
  • What were the latest malware samples that contained the given host in their strings dump?
  • Have we seen a particular exploit kit hosted at the given host?
And many more exciting features that we will keep to ourselves in order to keep you reading our blog :P


1 comment:

  1. So, while I think this is great, and hats off to everyone for making this system available, given that VT is now owned by Google, can we trust that they won't get bored of this in six months time and bin the whole thing, rendering the time we spent building things around it wasted? There is clear precedent for that type of shenanigans.

    ReplyDelete