Monday, 1 April 2013

VirusTotal += Passive DNS replication

Passive DNS replication is a technology which constructs zone replicas without cooperation from zone administrators, based on captured name server responses. As explained by Merike Kaeo from the Internet Systems Consortium in this presentation, the main idea behind passive DNS is as follows:
  • Inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.
  • After being processed, individual DNS records are stored in a database where they can be indexed and queried.
As such, passive DNS can help in answering the following questions:
  • Where did this domain name point to in the past? 
  • What domain names are hosted by a given nameserver? 
  • What domain names point into a given IP network? 
  • What subdomains exist below a certain domain name?
It is, thus, obvious that passive DNS may be very useful in malware investigations as it may help researchers in discovering network infrastructure operated by the same group of criminals, other domains being to used to distribute a given malware variant, algorithm-governed C&C communication points, etc.

There are plenty of amazing passive DNS services out there, for example, BFK passive DNS replication, we do not intend to compete with these services but rather offer the security community the perspective VirusTotal has regarding network infrastructure involved in malicious incidents. VirusTotal visits many URLs related to malware and executes thousands of samples per day that communicate with certain domains, as such, we have a privileged position when it comes to passive DNS focused on malware research. 

Not so long ago we started to record domain resolutions, exclusively address (A) records, and we are now offering this feature via our standard search form. If you search for an IP address you will be redirected to a site with passive DNS information for that address:

Similarly, if you use the search modifier you will be redirected to a site with information regarding the given domain.:

We are really excited about this new feature, not only because it is going to help the security community but because it opens the door to future improvements of the IP address and domain information panes. Wouldn't you love to be able to answer the following questions?
  • What were the last malicious files downloaded from a given host?
  • What were the latest executed malware samples that communicated with the given host?
  • Has this host been seen to use some exploit kit?
  • What were the latest malicious URLs identified at the particular host?
  • What were the latest submitted malware samples that contained the particular host in its strings?
  • And a very long etcetera.
With this new feature there is also a commitment from our side to work on answering these questions so that you can make your malware investigations more productive.


  1. Are there any plans to make this information available via the Public and/or Private API?

    1. Hello Matt, yes, we will be releasing the passive DNS API next week, available both in the public and private APIs, however, the public API will still be limited to 4 requests of any nature per minute.

      Suggestions and feature requests are more than welcome.

    2. Just saw the new blog post, thanks and keep up the great work!