Monday, 1 December 2014

A closer look at Mac OS X executables and iOS apps

Virustotal has always been able to scan and provide verdicts for Mac OS X executables and iOS apps, these are just some examples:
Actually, scanning capabilities regarding certain file types is a common end-user misconception, virustotal will scan any binary content, with independence of its file type, as antivirus vendors will develop signatures for any file type and target OS with independence of the OS that hosts the engines running in virustotal.

This said, two weeks ago we silently introduced a new tool to further characterize Mac OS X executables and iOS apps, extracting interesting static properties from these types of files, similar to what the pefile python module does for Portable Executables.

The new tool will extract file header information (e.g. required architecture and sub-architecture, flags, magic string, etc.), the file segments and its inner sections, any shared libraries that the executable makes use of, load commands and signature information whenever the mach-o happens to be code signed.

In the event that the Mac OS X executable is a universal binary containing mach-o files for several target systems, a characterization of each one of the embedded files will be provided. You may refer to the file details tab of the above reports in order to see an example of this new set of information.

As to iOS apps, the new tool will not only characterize the executable providing the application's main functionality, it will also generate metadata regarding the package itself (property list configuration information and embedded mobile provision data) and iTunes details.

As you may notice, this tool follows the trend of what we recently implemented regarding ELF files, hopefully it will also help in spotting and studying threats targeting Mac OS X and iOS.

Thursday, 27 November 2014

VirusTotal += ALYac

We welcome ESTsoft ALYac engine to VirusTotal. This South Korean multi-engine antivirus includes its own engine called Tera plus the popular BitDefender engine. In the words of the company:

"""ALYac provides differentiated service with the award winning Triple-Engines.
The ESTsoft's Tera Engine, the BitDefender Engine and the Sophos Engine establish several protection layers.

With the lightweighted engine and the memory optimization, ALYac minimizes its resource usage.
Moreover, ALYac boasts excellent detection power against variant malicious files through 'Smart Scan Technology'."""

Tuesday, 18 November 2014

virustotal += Blueliv URL scanner

We are excited to announce that we have just integrated Blueliv's malicious URL tracker in virustotal, as yet one more URL scanner providing verdicts on URLs submitted by users. In their own words:
Blueliv is a leading provider of cyber threat information and analysis intelligence for large enterprises, service providers, and security vendors. The company’s deep expertise, data sources, and cloud-based platform address a comprehensive range of cyber threats to turn global threat data into real-time actionable intelligence specifically for each client in an easy-to-use dashboard. Blueliv’s clients include leading bank, insurance, telecom, utility, and retail enterprises.
At present, Blueliv's tracker is highly focused on sites used as C&C infrastructure for trojans, URLs distributing malware and sites with exploit kits, an example of their detections can be found in the following reports:

Hopefully this integration will lead to increased knowledge about threats and will help protect users world-wide.

Welcome Blueliv!

Tuesday, 11 November 2014

virustotal += Detailed ELF information

In computing, the Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps. It was chosen as the standard binary file format for Unix and Unix-like systems [Wikipedia].

Even though the popularity of the Windows OS among average end-user systems has meant that attackers have mostly focused on developing malware for Windows systems, ELF badness is a growing concern. The colleagues over at Malware Must Die are making a huge effort to put some focus on ELF malware, their article entitled China ELF botnet malware infection & distribution scheme unleashed is just an example.

Today we are rolling out a tool to generate detailed structural information regarding ELFs. This information includes: file header specifics (ABI version, required architecture, etc.), sections, segments, shared libraries used, imported symbols, exported symbols, packers used, etc. You may take a look at this new information in the File Details tab of the following report:

Hopefully all this new information will bring some attention to malware targeting linux systems and will lead to better world-wide defenses against these threats.

Friday, 17 October 2014

virustotal += Baidu-International URL scanner

And we are in our sixties with respect to the number of URL scanning engines integrated in VirusTotal, welcome Baidu-International! Not so long ago we introduced their file scanner and today we are excited to populate the malicious URL dataset with their verdicts.

In their own words:
Baidu Antivirus is a permanently free and easy-to-use antivirus software which offers proactive defense, file protection, USB protection, download protection, browser protection, and other professional security features. 
As part of the browser protection component they offer they come across and have to research many malicious URLs per day, these URLs will now trigger alerts on VirusTotal. An example of their engine in action can be found below:

Welcome Baidu-International!

Wednesday, 24 September 2014

virustotal += PhishLabs URL scanner

Yet another malicious URL dataset is joining virustotal today. Welcome PhishLabs.

In their own words:
PhishLabs provides cybercrime protection and intelligence services that fight back against online threats and reduce the risk posed by phishing, malware, and other cyber-attacks. They fight back against online threats by detecting, analyzing, and proactively dismantling the systems and illicit services cybercriminals depend on to attack businesses and their customers.

As part of the investigations that they conduct and the Intelligence that they gather, PhishLabs comes across many malicious URLs every day, from now on virustotal checks will also run against their blacklist, enhancing users' ability to detect recent threats.

An example of a report containing an PhishLabs report can be found below:

Welcome PhishLabs!

Tuesday, 29 July 2014

virustotal += OpenPhish URL scanner

We keep increasing the number of engines integrated in virustotal's URL scanning backbone. Today is the turn of OpenPhish. OpenPhish is a service developed by FraudSense, whose engine was integrated a couple of weeks ago, that serves as a free repository of phishing sites detected with FraudSense's Phishing Detection Technology.

In their own words:
OpenPhish is a free service that provides a continuously updated feed of global phishing URLs that were detected by FraudSense's Phishing Detection Technology. The feed includes phishing sites from the past 7 days and is updated in real time with newly detected ones.
The feed is publicly available at:

It is also served as plain text at the following URL:

An example of a report containing an OpenPhish report can be found below:

Hopefully this new addition will beef up virustotal's detection capabilities when it comes to phishing sites, which even though is an old scam, it is still very extended and a common threat for the average Internet user.

Welcome OpenPhish!

VirusTotal += AVware

We welcome BluePex AVware as a new antivirus product at VirusTotal. In the words of the company, it offers special focus on threats from that zone:

“The antivirus AVware is developed in Brazil with focus on regional threats.

Apart from the concern with global malicious artifacts, we have a great effort to capture the artifacts that are taking place in Latin America, for this we have partnerships with financial institutions and governments for sending these samples, our engine also uses signatures and heuristics to detect new threats.”

Friday, 11 July 2014

Mac OS X Uploader update to version 1.2

The VirusTotal Mac OS X uploader has been updated to version 1.2. This corresponds to the source code being open sourced for it yesterday. You can download the update on our OS X desktop application page. The changes in the version from the 1.1 version are:
  • Fixes and bug reports by users
  • Checks for updates and will notify you if we release other versions
  • You can drag and drop a file on the OS X menu bar on the application icon for scanning

Thursday, 10 July 2014

VirusTotal open sources uploader for Mac OSX and Linux

Recently we released the VirusTotal uploader for OS X. It now supports Linux, and we are releasing it as open-source under the Apache License 2.0 terms so 3rd parties can package it for different linux distributions. You can git the source at:

Systems administrators, engineers and security analysts often use GNU/Linux, Mac OS, or BSD. The VirusTotal uploader can be compiled and distributed on these systems. This will give users the 2nd opinion that that VirusTotal can offer and should make queueing scans on VirusTotal easier.

The requirements to compile on linux are:
  • C++ compiler (gcc tested)
  • QT Version 5 or newer development packages. Most linux distributions have this already.
  • C Interface to VirusTotal API which we recently open-sourced.
To compile on Mac OS X, you will need xcode development tools.

The Features of the program are the same:
  • Drag and drop a file to the VirusTotal Uploader in order to scan it with over 50 antivirus solutions.
  • Drag and drop a folder to the VirusTotal Uploader and schedule the analysis of its content
  • Allow you to "Open With" in a file browser to scan a file.
If anyone wishes to send patches, please do a pull request to us on github. Comments and suggestions are welcome. 

Tuesday, 8 July 2014

virustotal += Spam404 URL scanner

Spam404 is a blacklist of abusive domains that engage in shady activities such as scamming, spamming, phishing, etc. As described by its developers:
We are mainly blacklisting websites that are tricking users into completing offers by advertising content that is very desirable but the website doesn't actually have the content and it is just to make the end user complete an offer. From our intense research, these kind of websites are not getting enough attention in terms of blacklisting and we are the only website to offer such a blacklist for these kind of websites but we believe it is in the best interests of all internet users to have these kind of websites blacklisted.
We are also blacklisting other abusive websites including phishing and other kinds of scams.
As of today, Spam404 is producing verdicts for URLs submitted to virustotal, giving yet another notion of maliciousness to users enjoying the service. An example of a Spam404 detection can be found here:

Welcome Spam404 team!

Monday, 7 July 2014

virustotal += Rising URL scanner

Rising is a Chinese software company that produces the anti-virus software Rising Antivirus, a firewall, UTM and spam-blocking products. Rising antivirus has been running in virustotal for quite some time, today we are excited to announce the integration of their URL scanner, which will be enhancing virustotal's web checking backbone.

Hopefully this integration will lead to a greater coverage of threats targeting Chinese end-users. This is an example of a Rising detection:

Thank you Rising team!

Monday, 23 June 2014

VirusTotal += FraudSense

We are excited to announce the inclusion of FraudSense as a new URL scanning engine in VirusTotal. FraudSense offers services to automate and enable real-time detection of phishing sites and their targeted brands. They have developed their own in-house phishing detection technology, which they describe as:
Based on cognitive concepts, artificial intelligence and active learning, our innovative technology automates what has traditionally been a labor-intensive process and enables real-time detection of phishing sites and their targeted brands.
Key features include:
0-Day Phishing Detection: Early discovery of new, unreported phishing sites.Brand Recognition: Accurate identification of the targeted brand.Language-Independent: Detection of both English and non-English phishing sites.Self-Sufficient: Independent of community-sponsored blacklists.
FraudSense is exposing its phishing feed to VirusTotal, so that users can check whether a given URL is already in their blacklist and hopefully get yet one more second opinion that will help them in keeping their environments safe.

An example of a URL detected by FraudSense:

Welcome FraudSense!

Wednesday, 11 June 2014

VirusTotal API implementation in C programming language

Many users interact programmatically with VirusTotal via its public API, it is an easy HTTP+JSON interface that allows you to easily submit and check files in order to help improve security world-wide. Moreover, many VirusTotal Community volunteers have very kindly implemented the API in a wide variety of programming languages, some of these implementations are documented here, many others exist and we will progressively adding all those that we are made aware of.

This said, there was not any full implementation of the API in the C language, so that any C or C++ program that users might be building could easily interact with VirusTotal, at least we were not aware of any. We have released a VirusTotal interface written in C to our API  on github at, any C or C++ program should be able to use it. Its goal is to implement all of the public API and private API features in C. The public API features will work for anyone with a free public API key, the private API features will only work for those who have licensed our services and use a private API key.

The recently announced VirusTotal Uploader for OS X internally uses the c-vtapi project. Using C it is a common building block that other programs or languages can interface to.

Suggestions, comments, patches and github pull request for improvements are welcome. Some ideas of improvements:
  • Better windows support and testing. We have tested a lot with OS X and linux, the windows scaffolding is there, but is not well tested.
  • More example programs or command line utilities that use this C API interface. For example, we know Sebastian Poeplau, being a busy guy, was looking for collaborators that would implement VirusTotal submissions in his awesome Ghost USB project, perhaps this C implementation makes it easier to perform the integration and some volunteers stand up.

VirusTotal += Zoner

We welcome Zoner antivirus as a new file scanning engine at VirusTotal. In the words of the company:

"Zoner AntiVirus is a relative newcomer to the anti-virus community, having previously created an Android protection app.
It is currently focusing on current threats and leaving some old ones for later (like old win95, bootsector viruses, etc.).
The whole engine and x86 emulator are being created in-house."

Monday, 9 June 2014

Finding evil in Flash files

Adobe Flash is present on nearly every PC, thus, malware authors have been increasingly targeting it over the last years, following the principle of return on investment, i.e. they will focus on popular technologies to exploit as that will eventually mean a larger base of compromised machines. The rich ActionScript features that are available in Flash also led to these files being commonly abused in multi-stage web-based attacks, using them as a vehicle to perform heap-spraying, JIT spraying and other badness.

Just recently FireEye discovered a new Zero-Day targeting Internet Explorer that used a well-known flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections. In trying to find SWF samples from this attack across our entire collection we realized that, while we produce very rich information for most commonly abused file types (behavioural reports, Androguard Android static information, RTF maliciousness signals, etc.), we did not have any file characterization tool specifically focusing on SWF files. Remember that VirusTotal is not only a multi-antivirus, it also runs many other tools on files.

We have built a very simple tool which we call swfknife in order to extract certain interesting properties from flash files. In addition to this, the tool also produces a feature hash that can be used in VirusTotal Intelligence in order to search for similar SWF files and cluster these together, just as you can do right now with PEs, MS Office files, RTFs and PDFs.

The new data will give you a quick overview of the flash file, pinpointing interesting features such as:
  • The use of ActionScript2/ActionScript3.
  • Whether the file fingerprints the OS executing it.
  • The use of the loadBytes function in order to load other SWF files or custom code at runtime.
  • Whether the file has been encrypted/obfuscated with common SWF packing tools.
  • Whether the file contains long strings of hex characters, very often revealing encoded malicious code that gets decoded with hexToBin and loaded at runtime.
  • Indicators revealing that the file is performing heap spraying.
  • Whether it contains code identifying the environment executing it, e.g. the flash player and version.
  • Whether it uses the ExternalInterface class to communicate with the external host of the Flash plugin, such as the web browser, commonly used in multi-stage attacks where the browser gets redirected, injected with an iframe or some other badness.
  • Whether the file contains javascript code.
  • The presence of iframe injecting code, or iframe tag references.
  • The use of the fscommand function to save or execute other files.
  • Whether the file embeds other file types such as Portable Executables, RARs or ZIPs.

It will also print out any iframe patterns and suspicious URLs the file might contain. Additionally the tool will extract other flash properties such as the number of flash tags it contains, the frame size, the compression used, etc. Hopefully all of the extracted characteristics can be used by researchers as signals in order to improve their file scoring mechanisms, will enhance Intelligence's searching capabilities for flash files and will help track campaigns pertaining to the same groups of attackers.

In coming up with this new information we found Timon Van Overveldt, Christopher Kruegel, and Giovanni Vigna's paper entitled FlashDetect: ActionScript 3 malware detection very useful and inspiring.

Monday, 26 May 2014

VirusTotal Uploader for OS X

VirusTotal Uploader is a popular utility in the tool-set of many malware fighters, it eases the task of submitting files to VirusTotal using Windows operating systems by just performing a right click on any file and selecting the pertinent option from the context menu.

Over the years the Windows Uploader evolved, being able to also quickly scan the image files of running processes, trigger scans of remote URL content before saving it to disk, etc. Even some community members produced similar utilities, many of which outperform our very own software, an example of this is Phrozensoft's VirusTotal uploader. That is the magic of building a community of passionate researchers, they will use your APIs in order to produce better tools that will benefit end-users world-wide.

Today we are proud to announce a new VirusTotal Uploader for OS X. It is available for download on our Desktop Applications page. Internally it uses our  public API to schedule uploads of files, with the exact same limitations that any public API user would experience.

Some of it's feature are:
  • Drag and drop a file to the VirusTotal Uploader in order to scan it with over 50 antivirus solutions.
  • Drag and drop a folder to the VirusTotal Uploader and schedule the analysis of its content.
  • Drag and drop a Mac application  to the VirusTotal Uploader.
  • Allow you to "Open With" in finder the VirusTotal Uploader to scan a file.

Hopefully this will lead to VirusTotal receiving more Mac applications, diving deeper into an increasingly targeted OS by attackers and allowing antivirus companies and researchers making use of VirusTotal's back-end to build stronger defenses against these threats.

It has been tested on OS X 10.8 and 10.9.  Any bug reports, feedback or feature requests are welcome

Wednesday, 21 May 2014

VirusTotal += Tencent URL scanner

Just recently my colleague Julio announced the introduction of Tencent as a new antivirus solution in VirusTotal's file scanner. Today we are excited to announce that Tencent has broadened its collaboration and is also sharing its malicious URL dataset in order to enhance our URL scanner.

This is a great addition as it will surely give us a better visibility into the threats targeting the eastern side of the globe. This is an example of showing Tencent's verdicts:

Welcome on board!

Tuesday, 13 May 2014

VirusTotal += Tencent

We welcome Tencent as a new file scanning engine at VirusTotal. In the words of the company:

"Tencent anti-virus engine is an independent R&D anti-virus engine, which contains three technology-leading methods to  detect malware.
1. TAV uses clustering to extract the micro-signature efficiently and make sure the detection of malware efficiency. TAV also has the powerful ability of processing infective virus.
2. QQsm is a new anti-virus engine which using machine learning methods to detect malware. There are massive confirmed malwares and safe file in out database and we use those to make the Mathematical model which has a great detection rate for new form malware. 
3. TCloud is a cloud-based anti-engine, which has efficient response capability."

VirusTotal += Zillya

We welcome Zillya as a new file scanning engine at VirusTotal.

Friday, 7 February 2014

VirusTotal += CRDF France URL scanner

Many of you may already know CRDF because of their contributions in VirusTotal Community, in their own words:
We observe malicious behavior to develop, understand, inform and fight against scourges. The laboratory actively fights against malware, spam and security risks.
Among other projects, CRDF has built its own threat center and they are very active VirusTotal uploaders. Today we are excited to announce that they have taken this collaboration one step further and started sharing their malicious domains dataset with VirusTotal in order to make it work as a URL scanner.

Here is an example of a URL being detected by CRDF:

Welcome on board CRDF!

Tuesday, 4 February 2014

VirusTotal += AegisLab

We start february welcoming AegisLab as a new file scanning engine working at VirusTotal. AegisLab was already collaborating with us with WebGuard in the URL scanning system. A description from the company about the engine:

"AegisLab’s intelligent virus DNA algorithm extracts the special one-to-many mapping virus signatures. It achieved the much higher detection rate for latest Windows PE and Android APK variant virus. Their scan engine also uses the DNA fast match algorithm and is very suitable for limited resources environment. In native streaming mode, the engine is able to catch the most virus very efficiently from network packets."

Monday, 3 February 2014

VirusTotal += imphash

Recently Mandiant blogged about a feature they call imphash, in Mandiant's own words:
One unique way that Mandiant tracks specific threat groups' backdoors is to track portable executable (PE) imports. Imports are the functions that a piece of software (in this case, the backdoor) calls from other files (typically various DLLs that provide functionality to the Windows operating system). To track these imports, Mandiant creates a hash based on library/API names and their specific order within the executable. We refer to this convention as an "imphash" (for "import hash"). Because of the way a PE's import table is generated (and therefore how its imphash is calculated), we can use the imphash value to identify related malware samples. We can also use it to search for new, similar samples that the same threat group may have created and used.
We are excited to announce that VirusTotal reports for Portable Executables now show this hash in the additional information tab:

When considering an individual report, this property might not be very useful on its own, however, if you happen to have an API key with additional information privileges you will also find the hash embedded in the JSON response. This means you can massively feed your own local database setup with the imphash and implement your own similarity search feature for your malware collection.

VirusTotal Intelligence users can already perform searches through our dataset according to this new property.

Tuesday, 21 January 2014

VirusTotal += Qihoo-360

We welcome Qihoo-360 as a new engine working at VirusTotal. In the words of the company:

"QVM is Qihoo 360’s proprietary technology that detects malware through an artificial-intelligence algorithm capable of machine learning to recognize new forms of malware. QVM technology offers a robust model for recognizing malware characteristics using the massive amount of data that we have compiled on confirmed malware in our blacklist and verified safe programs files in our whitelist. This model is used as a basis for a detection algorithm which is automatically enhanced and updated with new malware samples submitted by our users to our servers.

Program files that do not appear in our blacklist and whitelist are scanned using QVM, and any ''hits'' returned by this technology are presumed to be malicious and removed or quarantined. As malware is constantly being created or morphing, QVM has the advantage of being able to detect threats that have not been previously identified. According to PC Security Labs, an independent security product test organization, QVM has a detection rate of 74.9% for unknown new malware, which surpasses most heuristic detection technologies."