Monday, 29 April 2013

VirusTotal += Kaspersky URL scanner

We are excited to announce that Kaspersky has just joined the club of URL scanners! As many of you know, VirusTotal not only checks files with antivirus solutions, it can also scan Internet sites making use of different malicious URL datasets and URL scanning engines. This functionality is available at: https://www.virustotal.com/#url

Kaspersky's latest security suites contain a URL scanning module known as Kaspersky URL Advisor, which is described by the company as follows:

The URL scanning module, which is called Kaspersky URL Advisor, is managed by the Web Anti-Virus component from Kaspersky Internet Security 2012. This module checks if links located on the web page belong to the list of suspicious and phishing web addresses from the anti-virus databases that you get during anti-virus database updates.
Kaspersky URL Advisor also uses reputation services from Kaspersky Security Network. Using data from the reputation services, Kaspersky Internet Security 2012 marks links in the web browser, thereby informing you about the possible dangers of this or that website even before you follow the link in question.
Part of this functionality has been very generously made available to VirusTotal so that URLs submitted by our users can be checked against Kaspersky's dataset.

This is yet another URL scanner joining our family in the hope of making the Internet a safer place. If you have a malicious URL dataset, or some technology that, given a site, is capable of producing a maliciousness verdict, do not hesitate to join the battle.

Thank you, Kaspersky team, for making this possible!

Monday, 22 April 2013

VirusTotal += PCAP Analyzer

VirusTotal is a greedy creature; one of its gluttonous wishes is to be able to understand and characterize all the races it encounters. It already understood the insurgent collective of Portable Executables, the greenish creatures known as Android APKs, the talkative PDF civilization, etc. As of today it also figures out PCAPs, a rare group of individuals obsessed with recording everything they see.

PCAP files contain network packet data recorded during a live network capture; they are often used for packet sniffing and for analysing the characteristics of a data network. In the malware research field, PCAPs are often used to:

  • Record malware network communication when executed in sandboxed environments.
  • Record honeyclient browser exploitation traces.
  • Log network activity seen by network appliances and IDS.
  • etc.
We have seen that many users send their PCAPs to VirusTotal. These PCAPs often contain HTTP flows in which a trojan is downloaded, recordings of worm scanning sweeps, logs of exploits being delivered to a honeymonkey, etc. We want to help the users who submit PCAPs to VirusTotal and improve their research; that is why we have introduced PCAP analysis. Its features are:
  • Processes the files with popular intrusion detection systems (Snort and Suricata for the moment) and logs the rules that they trigger.
  • Extracts file metadata with Wireshark.
  • Lists DNS resolutions performed.
  • Lists HTTP communication.
  • Extracts files seen in the different network flows and links to the pertinent VirusTotal reports if the given file is of an interesting file type (portable executables, PDFs, flash, compressed bundles, etc.). If you are registered in VirusTotal Community and have signed in, these interesting files extracted from the network flow will be available for you to download as long as you are the first submitter of the PCAP (which, when dealing with this type of file, is the most common situation).
Without further ado, here are a couple of examples of this new functionality (refer to the File details tab in order to see all of the aforementioned information):

Tuesday, 16 April 2013

VirusTotal += K7GW

We welcome K7GW (K7 Antivirus Gateway) as a new engine working at VirusTotal. In the words of the antivirus company:

"K7GW is a lightweight, faster version of K7's scanner which focuses on more robust generics & heuristics, the core binaries remaining essentially unchanged".

Monday, 8 April 2013

Passive DNS API

Last week we announced the inclusion of passive DNS data in VirusTotal. Today we are excited to let you know that we have included two new API calls to automatically query this data and build tools and plugins with our dataset:

https://www.virustotal.com/documentation/public-api/#getting-ip-reports
https://www.virustotal.com/documentation/public-api/#getting-domain-reports

When we released the web interface passive DNS search feature, many users already wanted to build tools around it:


Now that the API is in production it is absolutely safe to start implementing your ideas, not only do we allow you to do so but also strongly encourage you to take advantage of this API.

As you may have noticed, rather than a dedicated API to retrieve exclusively passive DNS data, these are calls to gather information regarding IP addresses and domains. They have been built this way because we intend to extend the fields present in the returned JSON. As of right now the detected_urls field might be present; this field records the latest URLs hosted at the queried host that were detected as malicious by at least one URL scanner. In the near future we would like to include other notions such as:
  • What were the latest malware samples that communicated with the given host?
  • What were the latest malware samples downloaded from the given host?
  • What were the latest malware samples that contained the given host in their strings dump?
  • Have we seen a particular exploit kit hosted at the given host?
And many more exciting features that we will keep to ourselves in order to keep you reading our blog :P
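As an added illustration (not VirusTotal's own code), the following Python builds the two report URLs and reduces a response to its passive DNS resolutions and detected URLs. The endpoint paths and field names (response_code, resolutions, detected_urls) follow the v2 public API documented at the links above; the sample response is constructed and handles the case where detected_urls is absent.

```python
import urllib.parse

# Public API v2 base; the two report calls below are the ones linked in the post.
VT_API = "https://www.virustotal.com/vtapi/v2"


def build_report_url(kind, value, apikey):
    """Build the GET URL for an ip-address or domain report (no request is sent)."""
    if kind == "ip":
        path, param = "ip-address/report", "ip"
    elif kind == "domain":
        path, param = "domain/report", "domain"
    else:
        raise ValueError("kind must be 'ip' or 'domain'")
    return f"{VT_API}/{path}?" + urllib.parse.urlencode({"apikey": apikey, param: value})


def summarize_report(report, min_positives=1):
    """Reduce a report's JSON to its passive DNS resolutions and detected URLs.

    detected_urls may be absent (the post says it "might be present"), so a
    missing field is treated as an empty list rather than as an error.
    """
    if report.get("response_code") != 1:  # 0 means the host is not in the dataset
        return {"found": False, "resolutions": [], "detected_urls": []}
    resolutions = sorted(
        (r.get("last_resolved", ""), r.get("hostname") or r.get("ip_address"))
        for r in report.get("resolutions", []))
    detected = [
        (u["url"], u["positives"], u["total"])
        for u in report.get("detected_urls", [])
        if u.get("positives", 0) >= min_positives]
    detected.sort(key=lambda t: t[1], reverse=True)  # most-flagged URLs first
    return {"found": True, "resolutions": resolutions, "detected_urls": detected}


# Constructed sample in the v2 response shape; hostnames and dates are invented.
SAMPLE_IP_REPORT = {
    "response_code": 1,
    "verbose_msg": "IP address found in dataset",
    "resolutions": [
        {"last_resolved": "2013-03-02 00:00:00", "hostname": "cdn.example-bad.net"},
        {"last_resolved": "2013-02-11 00:00:00", "hostname": "update.example-bad.net"},
    ],
    "detected_urls": [
        {"url": "http://update.example-bad.net/dl/setup.exe", "positives": 7,
         "total": 38, "scan_date": "2013-03-02 10:15:00"},
        {"url": "http://cdn.example-bad.net/", "positives": 0,
         "total": 38, "scan_date": "2013-03-01 09:00:00"},
    ],
}
```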


Monday, 1 April 2013

VirusTotal += Passive DNS replication

Passive DNS replication is a technology which constructs zone replicas without cooperation from zone administrators, based on captured name server responses. As explained by Merike Kaeo from the Internet Systems Consortium in this presentation, the main idea behind passive DNS is as follows:
  • Inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.
  • After being processed, individual DNS records are stored in a database where they can be indexed and queried.
As such, passive DNS can help in answering the following questions:
  • Where did this domain name point to in the past? 
  • What domain names are hosted by a given nameserver? 
  • What domain names point into a given IP network? 
  • What subdomains exist below a certain domain name?
It is thus obvious that passive DNS may be very useful in malware investigations, as it may help researchers discover network infrastructure operated by the same group of criminals, other domains being used to distribute a given malware variant, algorithm-governed C&C communication points, etc.
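To make the workflow concrete, here is an added Python example (not part of the post or of VirusTotal's systems) that builds a tiny in-memory passive DNS index from captured A-record answers and answers three of the questions above, plus the co-hosting pivot used to find related infrastructure. The captured rows are constructed sample data using documentation address ranges.

```python
import ipaddress
class PassiveDNS:
    """In-memory passive DNS index over captured A-record answers."""
    def __init__(self):
        # (name, ip) -> (first_seen, last_seen) ISO dates; only A records, as in the post
        self.seen = {}

    def observe(self, qname, ip, when):
        """Record one captured answer 'qname A ip' observed on ISO date `when`."""
        key = (qname.rstrip(".").lower(), str(ipaddress.ip_address(ip)))
        first, last = self.seen.get(key, (when, when))
        self.seen[key] = (min(first, when), max(last, when))

    def history(self, qname):
        """Where did this domain name point to in the past? -> [(ip, first, last)]."""
        qname = qname.rstrip(".").lower()
        rows = [(ip, f, l) for (n, ip), (f, l) in self.seen.items() if n == qname]
        return sorted(rows, key=lambda r: (r[1], r[0]))

    def names_in_network(self, cidr):
        """What domain names point into a given IP network?"""
        net = ipaddress.ip_network(cidr, strict=False)
        return sorted({n for n, ip in self.seen if ipaddress.ip_address(ip) in net})

    def subdomains(self, parent):
        """What subdomains exist below a certain domain name?"""
        suffix = "." + parent.rstrip(".").lower()
        return sorted({n for n, _ in self.seen if n.endswith(suffix)})

    def cohosted(self, qname):
        """Other names that have shared an address with qname: the infrastructure pivot."""
        qname = qname.rstrip(".").lower()
        ips = {ip for n, ip in self.seen if n == qname}
        return sorted({n for n, ip in self.seen if ip in ips and n != qname})

# Constructed sample of captured answers as (date, name, address); not real data.
CAPTURE = [
    ("2013-02-10", "update.example-bad.net.", "198.51.100.7"),
    ("2013-02-11", "update.example-bad.net", "198.51.100.7"),
    ("2013-03-02", "update.example-bad.net", "203.0.113.40"),
    ("2013-03-02", "cdn.example-bad.net", "203.0.113.40"),
    ("2013-03-05", "stats.other-example.org", "203.0.113.41"),
]

def build_index(rows=CAPTURE):
    """Load captured (date, name, ip) rows into a PassiveDNS index."""
    pdns = PassiveDNS()
    for when, name, ip in rows:
        pdns.observe(name, ip, when)
    return pdns
```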

There are plenty of amazing passive DNS services out there, for example BFK passive DNS replication. We do not intend to compete with these services but rather to offer the security community the perspective VirusTotal has regarding network infrastructure involved in malicious incidents. VirusTotal visits many URLs related to malware and executes thousands of samples per day that communicate with certain domains; as such, we have a privileged position when it comes to passive DNS focused on malware research.

Not so long ago we started to record domain resolutions, exclusively address (A) records, and we are now offering this feature via our standard search form. If you search for an IP address you will be redirected to a page with passive DNS information for that address:


Similarly, if you use the domain:example.domain.com search modifier you will be redirected to a page with information regarding the given domain:


We are really excited about this new feature, not only because it is going to help the security community but because it opens the door to future improvements of the IP address and domain information panes. Wouldn't you love to be able to answer the following questions?
  • What were the last malicious files downloaded from a given host?
  • What were the latest executed malware samples that communicated with the given host?
  • Has this host been seen to use some exploit kit?
  • What were the latest malicious URLs identified at the particular host?
  • What were the latest submitted malware samples that contained the particular host in their strings?
  • And a very long etcetera.
With this new feature there is also a commitment from our side to work on answering these questions so that you can make your malware investigations more productive.