Monday, 23 June 2014

VirusTotal += FraudSense

We are excited to announce the inclusion of FraudSense as a new URL scanning engine in VirusTotal. FraudSense offers services to automate and enable real-time detection of phishing sites and their targeted brands. They have developed their own in-house phishing detection technology, which they describe as:
Based on cognitive concepts, artificial intelligence and active learning, our innovative technology automates what has traditionally been a labor-intensive process and enables real-time detection of phishing sites and their targeted brands.
Key features include:
  • 0-Day Phishing Detection: Early discovery of new, unreported phishing sites.
  • Brand Recognition: Accurate identification of the targeted brand.
  • Language-Independent: Detection of both English and non-English phishing sites.
  • Self-Sufficient: Independent of community-sponsored blacklists.
FraudSense is exposing its phishing feed to VirusTotal, so that users can check whether a given URL is already on its blacklist and get one more second opinion to help keep their environments safe.

An example of a URL detected by FraudSense:
https://www.virustotal.com/en/url/59c8caddf3295bfb72361d76ccb77f7405c6b4478ed4391eee7a9e80929734a8/analysis/

Welcome FraudSense!

Wednesday, 11 June 2014

VirusTotal API implementation in C programming language

Many users interact programmatically with VirusTotal via its public API, a straightforward HTTP+JSON interface that lets you submit and check files in order to help improve security world-wide. Moreover, many VirusTotal Community volunteers have very kindly implemented the API in a wide variety of programming languages; some of these implementations are documented here, many others exist, and we will progressively add all those that we are made aware of.

That said, as far as we were aware there was no full implementation of the API in C that any C or C++ program users might be building could easily use to interact with VirusTotal. We have released a C interface to our API on GitHub at https://github.com/VirusTotal/c-vtapi; any C or C++ program should be able to use it. Its goal is to implement all of the public API and private API features in C. The public API features will work for anyone with a free public API key; the private API features will only work for those who have licensed our services and use a private API key.

The recently announced VirusTotal Uploader for OS X internally uses the c-vtapi project. Being written in C, it is a common building block that other programs or languages can interface with.

Suggestions, comments, patches and GitHub pull requests for improvements are welcome. Some ideas for improvements:
  • Better Windows support and testing. We have tested extensively on OS X and Linux; the Windows scaffolding is there, but it is not well tested.
  • More example programs or command-line utilities that use this C API interface. For example, we know Sebastian Poeplau, being a busy guy, was looking for collaborators to implement VirusTotal submissions in his awesome Ghost USB project; perhaps this C implementation makes the integration easier and some volunteers step up.

VirusTotal += Zoner

We welcome Zoner antivirus as a new file scanning engine at VirusTotal. In the words of the company:

"Zoner AntiVirus is a relative newcomer to the anti-virus community, having previously created an Android protection app.
It is currently focusing on current threats and leaving some old ones for later (like old win95, bootsector viruses, etc.).
The whole engine and x86 emulator are being created in-house."

Monday, 9 June 2014

Finding evil in Flash files

Adobe Flash is present on nearly every PC; thus malware authors have increasingly targeted it over recent years, following the principle of return on investment, i.e. they focus on exploiting popular technologies because that eventually means a larger base of compromised machines. The rich ActionScript features available in Flash have also led to these files being commonly abused in multi-stage web-based attacks, as a vehicle for heap spraying, JIT spraying and other badness.

Just recently FireEye discovered a new zero-day targeting Internet Explorer that used a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows' ASLR and DEP protections. In trying to find SWF samples from this attack across our entire collection we realized that, while we produce very rich information for most commonly abused file types (behavioural reports, Androguard static information for Android, RTF maliciousness signals, etc.), we did not have any file characterization tool specifically focused on SWF files. Remember that VirusTotal is not only a multi-antivirus; it also runs many other tools on files.

We have built a very simple tool, which we call swfknife, to extract certain interesting properties from Flash files. In addition, the tool produces a feature hash that can be used in VirusTotal Intelligence to search for similar SWF files and cluster them together, just as you can do right now with PEs, MS Office files, RTFs and PDFs.

The new data gives you a quick overview of the Flash file, pinpointing interesting features such as:
  • The use of ActionScript 2 / ActionScript 3.
  • Whether the file fingerprints the OS executing it.
  • The use of the loadBytes function in order to load other SWF files or custom code at runtime.
  • Whether the file has been encrypted/obfuscated with common SWF packing tools.
  • Whether the file contains long strings of hex characters, very often revealing encoded malicious code that gets decoded with hexToBin and loaded at runtime.
  • Indicators revealing that the file is performing heap spraying.
  • Whether it contains code identifying the environment executing it, e.g. the Flash Player and its version.
  • Whether it uses the ExternalInterface class to communicate with the host of the Flash plugin, such as the web browser; this is commonly used in multi-stage attacks where the browser gets redirected, injected with an iframe, or subjected to some other badness.
  • Whether the file contains JavaScript code.
  • The presence of iframe injecting code, or iframe tag references.
  • The use of the fscommand function to save or execute other files.
  • Whether the file embeds other file types such as Portable Executables, RARs or ZIPs.

It will also print out any iframe patterns and suspicious URLs the file might contain. Additionally, the tool extracts other Flash properties such as the number of Flash tags it contains, the frame size, the compression used, etc. Hopefully all of the extracted characteristics can be used by researchers as signals to improve their file scoring mechanisms, will enhance Intelligence's search capabilities for Flash files and will help track campaigns pertaining to the same groups of attackers.
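As an added illustration (not swfknife's code, which is not published in this post), the following Python parses the SWF header, walks the tag list to spot DoAction/DoABC (AS2/AS3) bytecode and count tags, and looks for the indicator strings, embedded-file magic and long hex runs the list above describes. The indicator table and the sample file it analyzes are constructed for this example.

```python
import re
import struct
import zlib

# Indicators drawn from the post's feature list (constructed here; not swfknife's own rules)
INDICATORS = {"loadBytes": b"loadBytes", "hexToBin": b"hexToBin", "fscommand": b"fscommand",
              "ExternalInterface": b"ExternalInterface", "iframe": b"iframe",
              "javascript": b"javascript:", "Capabilities": b"Capabilities"}  # player/OS fingerprinting
EMBEDDED_MAGIC = {"PE": b"MZ\x90\x00", "ZIP": b"PK\x03\x04", "RAR": b"Rar!\x1a\x07"}
LONG_HEX = re.compile(rb"[0-9A-Fa-f]{200,}")   # long hex strings often feed hexToBin at runtime
DO_ACTION, DO_ABC = 12, 82                      # tag codes carrying AS2 and AS3 bytecode

def walk_tags(body):
    """Yield (code, payload) for every tag after the RECT, frame rate and frame count."""
    if not body: return
    nbits = body[0] >> 3                        # RECT opens with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8 + 4          # RECT bytes, then 2-byte rate + 2-byte count
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                      # long form: 32-bit length follows the header
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                           # End tag
            break

def analyze_swf(data):
    """Return header fields plus coarse feature flags for one SWF blob."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):   # ZWS (LZMA) is not handled here
        raise ValueError("not an FWS/CWS file")
    version, declared = data[3], struct.unpack("<I", data[4:8])[0]
    body = data[8:] if data[:3] == b"FWS" else zlib.decompress(data[8:])
    tags = list(walk_tags(body))
    codes = {code for code, _ in tags}
    return {"version": version, "declared_length": declared,
            "compression": "zlib" if data[:3] == b"CWS" else "none",
            "tag_count": len(tags), "as2": DO_ACTION in codes, "as3": DO_ABC in codes,
            "indicators": sorted(n for n, pat in INDICATORS.items() if pat in body),
            "embedded": sorted(n for n, magic in EMBEDDED_MAGIC.items() if magic in body),
            "long_hex_strings": len(LONG_HEX.findall(body))}

def sample_swf(compressed=False):
    """Constructed test input: one long-form DoABC tag holding suspicious strings, then End."""
    abc = b"\x00" * 4 + b"loadBytes\x00hexToBin\x00" + b"41" * 150 + b"\x00" + b"MZ\x90\x00"
    body = (b"\x00" + b"\x00\x18\x01\x00"       # empty RECT, 24 fps, 1 frame
            + struct.pack("<HI", (DO_ABC << 6) | 0x3F, len(abc)) + abc + b"\x00\x00")
    payload = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + b"\x0a" + struct.pack("<I", 8 + len(body)) + payload
```

Run it on a real file with analyze_swf(open(path, "rb").read()); LZMA-compressed (ZWS) files are rejected rather than decoded, and the string checks are deliberately coarse signals, not verdicts.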

In coming up with this new information we found Timon Van Overveldt, Christopher Kruegel and Giovanni Vigna's paper, FlashDetect: ActionScript 3 malware detection, very useful and inspiring.