Friday, 7 February 2014

VirusTotal += CRDF France URL scanner

Many of you may already know CRDF because of their contributions in VirusTotal Community, in their own words:
We observe malicious behavior to develop, understand, inform and fight against scourges. The laboratory actively fights against malware, spam and security risks.
Among other projects, CRDF has built its own threat center and they are very active VirusTotal uploaders. Today we are excited to announce that they have taken this collaboration one step further and started sharing their malicious domains dataset with VirusTotal in order to make it work as a URL scanner.

Here is an example of a URL being detected by CRDF:
https://www.virustotal.com/en/url/57f956398112e14e1c4bf90310d0ad5417535de1ac8d3b7ce9c504d7d65f4153/analysis/1391729258/

Welcome on board CRDF!

Tuesday, 4 February 2014

VirusTotal += AegisLab

We start february welcoming AegisLab as a new file scanning engine working at VirusTotal. AegisLab was already collaborating with us with WebGuard in the URL scanning system. A description from the company about the engine:

"AegisLab’s intelligent virus DNA algorithm extracts the special one-to-many mapping virus signatures. It achieved the much higher detection rate for latest Windows PE and Android APK variant virus. Their scan engine also uses the DNA fast match algorithm and is very suitable for limited resources environment. In native streaming mode, the engine is able to catch the most virus very efficiently from network packets."

Monday, 3 February 2014

VirusTotal += imphash

Recently Mandiant blogged about a feature they call imphash, in Mandiant's own words:
One unique way that Mandiant tracks specific threat groups' backdoors is to track portable executable (PE) imports. Imports are the functions that a piece of software (in this case, the backdoor) calls from other files (typically various DLLs that provide functionality to the Windows operating system). To track these imports, Mandiant creates a hash based on library/API names and their specific order within the executable. We refer to this convention as an "imphash" (for "import hash"). Because of the way a PE's import table is generated (and therefore how its imphash is calculated), we can use the imphash value to identify related malware samples. We can also use it to search for new, similar samples that the same threat group may have created and used.
We are excited to announce that VirusTotal reports for Portable Executables now show this hash in the additional information tab:


When considering an individual report, this property might not be very useful on its own, however, if you happen to have an API key with additional information privileges you will also find the hash embedded in the JSON response. This means you can massively feed your own local database setup with the imphash and implement your own similarity search feature for your malware collection.

VirusTotal Intelligence users can already perform searches through our dataset according to this new property.