Tuesday, May 24, 2022

Introducing Autocomplete for VirusTotal Intelligence queries

TL;DR: We implemented an Autocomplete feature for VirusTotal Intelligence queries.

VirusTotal Intelligence is one of the most powerful, flexible and intuitive tools for security researchers around the world. It was designed with the idea of providing (almost) unlimited possibilities to VirusTotal users when searching across the VirusTotal dataset at Google speed. Most of the time our users simply search for some observable (hash, domain, IP address or URL) to get everything we know about it; however, there are more than 50 modifiers that can be used (and combined) in any query to narrow the results down to exactly what we are looking for.

This is a very real need. Let’s say we search for a given string we know is related to some malware family, and get back a few thousand results. How do we further specify where that string should be found inside the sample? Should it be in the content of the malware, in its metadata, maybe in a signature? You get the idea, and this is not limited to string searches. You can look for malware with a certain number of positive verdicts, seen during a particular time window, signed with a given key, triggering a specific crowdsourced YARA rule, etc. Our 2019 VirusTotal for investigators workshop (you can find the video here) dives into some interesting search modifier use cases. Here you can find the full list of Intelligence modifiers you can use in your queries; understanding and using them gives analysts an incredibly powerful resource.

However, learning them by heart is not easy. At VirusTotal we spend most of our time dealing with them and we still hesitate from time to time. That’s why we implemented an Autocomplete feature that offers you the possible modifiers depending on what you are typing:

Even if you are already an expert, this will save you some time by tabbing your way through the query. For the modifiers that take a value, we also suggest all the possible values:

The Autocomplete Intelligence suggestions are based on a static list where we include all (syntactically correct) modifiers you can use in any query. We also added some interesting popular queries you might consider using, hopefully providing some inspiration for your searches.

The new Autocomplete is part of our pack of features designed to help security researchers working with VirusTotal Intelligence. As always, we are glad to hear your suggestions and feedback to keep improving.

Happy hunting!


Wednesday, April 20, 2022

VirusTotal's MISP modules get a fresh upgrade

TL;DR: We upgraded the VirusTotal MISP modules and added new relationships.

Historically, VirusTotal has integrated with MISP through two expansion modules (one for the public API and one for VT Enterprise subscriptions) created and maintained by the community. They are used to enrich and provide additional context to indicators in the MISP platform. Additionally, we contributed a module to export MISP events to VTGraph and, more recently, a module exporting events to VT Collections.


The freshly upgraded modules (VirusTotal and VirusTotal Public) were migrated from the old API v2 to v3, which allowed us to improve the data returned per indicator, adding the detection ratio for IP addresses and domains. Moreover, we have added more relationships and attributes.

The following table summarizes the attributes provided by the freshly upgraded modules to enrich MISP events per type of indicator:

Per MISP module and indicator type (File, URL, Domain, IP), the attributes and relationships returned:

VirusTotal
  • File: Detection ratio; md5, sha1, sha256; tlsh*; vhash*; ssdeep*; imphash*; ITW URLs*; Communicating files*; Downloaded files*; Referrer files*
  • URL: Detection ratio; Communicating files*; Downloaded files*; Referrer files*; Resolutions*; URLs*
  • Domain: Detection ratio*; Whois; Communicating files; Downloaded files; Referrer files; Subdomains; Siblings; Resolutions; URLs*
  • IP: Detection ratio*; ASN; Network; Country; Resolutions; URLs

VirusTotal Public
  • File: Detection ratio; tlsh*; vhash*; ssdeep*; imphash*; Communicating files*; Downloaded files*; Referrer files*
  • URL: Detection ratio
  • Domain: Detection ratio*; Whois; Communicating files; Referrer files; Subdomains; Siblings; Resolutions
  • IP: Detection ratio*; ASN; Network; Country; Resolutions

* new attributes and relationships available.

Keep in mind that all these VirusTotal modules are not activated in MISP by default, so please ask your friendly MISP administrator to check them out! Stay tuned for more VirusTotal contributions into the Threat Intel ecosystem and as usual, please let us know how we can further help.

Happy Hunting!

Monday, April 18, 2022


VirusTotal Multisandbox+= ELF DIGEST

VirusTotal welcomes ELF DIGEST, the first sandbox integrated into our multisandbox that is fully dedicated to processing Linux files. This addition helps put the spotlight on Linux malware.


In the words of the founder Tolijan Trajanovski:

ELF DIGEST is a cloud-based Linux malware analysis service provided to security researchers, analysts, and academics. The service performs static, behavioral, and network analysis to extract IoCs and IoAs. The static analysis searches for IoCs in the strings and may also identify obfuscation in the form of string encoding and executable packing. The behavioral analysis can recognize various malicious actions, including VM detection, anti-debugging, persistence, process injection, loading of kernel modules, firewall configuration changes, and others. The network analysis can identify C2 endpoints, resolved domains, HTTP requests, and port scanning. In addition, ELF DIGEST utilizes the open-source malware labeling tool AvClass to determine the most probable malware family the analyzed sample belongs to. The currently supported CPU architectures include ARMv5, ARMv7, MIPS, x86 and x86_64. The detailed findings of the analysis are presented in an aggregated view and can also be downloaded as a JSON report.

Let's take a deeper dive on some samples:


Botnet on ARM with iptables kernel modules

This sample is part of the Mirai botnet. At the top of the report we can see the network communication, possibly with the command and control server.

In the shell commands we can observe the iptables firewall being stopped and its tables flushed. This lets the malware communicate without the host firewall obstructing it.

Linux kernel modules are also loaded; these are most likely pulled in by the iptables invocations themselves, since iptables loads the netfilter modules it needs on demand.

We can explore other pivots either on the relationships tab or within VirusTotal Graph. Here we can see more details about the command and control infrastructure as well as relations to other files, URLs and IPs.



Mozi botnet with bittorrent

Within this sample we see DNS resolutions to common BitTorrent trackers and traffic on 6881, the default BitTorrent port.

In the HTTP requests section we can see the sample scanning for other vulnerable devices on the internet.

Using a file search modifier we can find similar samples that perform the same request:

behaviour_network:"boaform/admin"




ELF DIGEST also uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with Snort and Suricata, using rules from community contributors.
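To make the PCAP step concrete, here is an added example (not ELF DIGEST's or VirusTotal's code, and not a real Snort/Suricata rule) that builds a small Ethernet/IPv4 capture in memory and runs two toy signatures over it: traffic on the default BitTorrent port 6881 and an HTTP request whose request line contains boaform/admin, the same fragment used in the behaviour_network query above. The packets, addresses and the full request path are constructed sample input; the IPv4/TCP checksums are left at zero because the parser does not verify them.

```python
import struct
from typing import Iterator

# Constants taken from the post: Mozi's scan path fragment and BitTorrent's default port.
MOZI_PATH = b"boaform/admin"
BITTORRENT_PORT = 6881
PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL 5, no options). Checksum left 0: the parser does not verify it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, _ip(src), _ip(dst))
    return header + payload


def tcp(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal TCP header: data offset 5 words, PSH|ACK, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ethernet(ip_packet: bytes) -> bytes:
    """Ethernet II frame with placeholder MACs and EtherType 0x0800 (IPv4)."""
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip_packet


def build_pcap(frames: list) -> bytes:
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", 1_650_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap: bytes) -> Iterator[dict]:
    """Yield decoded TCP/UDP packets (addresses, ports, payload) from an Ethernet/IPv4 pcap."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian, usec timestamps)")
    offset = 24
    while offset + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        l4 = ip[ihl:]
        if proto == 6:                           # TCP: data offset is the upper nibble of byte 12
            sport, dport = struct.unpack_from("!HH", l4, 0)
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17:                        # UDP: fixed 8-byte header
            sport, dport = struct.unpack_from("!HH", l4, 0)
            payload = l4[8:]
        else:
            continue
        yield {"ts": ts_sec, "proto": proto,
               "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
               "sport": sport, "dport": dport, "payload": payload}


# Two toy rules in the spirit of the network signatures run over uploaded PCAPs.
SIGNATURES = {
    "bittorrent-default-port": lambda p: BITTORRENT_PORT in (p["sport"], p["dport"]),
    "mozi-boaform-admin-scan": lambda p: p["proto"] == 6
        and p["payload"][:5] in (b"GET /", b"POST ")
        and MOZI_PATH in p["payload"].split(b"\r\n", 1)[0],   # request line only
}


def scan_pcap(pcap: bytes) -> list:
    hits = []
    for pkt in iter_packets(pcap):
        for name, matches in SIGNATURES.items():
            if matches(pkt):
                hits.append((name, pkt["src"], pkt["dst"], pkt["dport"]))
    return hits


# Constructed traffic: a DHT-style UDP datagram, a Mozi-style scan request and a benign request.
SAMPLE_PCAP = build_pcap([
    ethernet(ipv4("10.0.0.5", "203.0.113.10", 17,
                  udp(6881, 6881, b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"))),
    ethernet(ipv4("10.0.0.5", "198.51.100.7", 6, tcp(41000, 80,
        b"POST /boaform/admin/formLogin HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\nusername=admin"))),
    ethernet(ipv4("10.0.0.5", "198.51.100.8", 6, tcp(41001, 80,
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"))),
])
```

scan_pcap(SAMPLE_PCAP) reports the 6881 datagram and the boaform/admin request and stays silent on the benign GET. A real IDS rule would also anchor on the HTTP method and URI buffers rather than a raw substring, but the substring is enough to show why a request path makes a good pivot for the behaviour_network modifier.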


Other Interesting samples to have a look at:

ELF DIGEST is a great addition to VirusTotal and will help further shine the spotlight on Linux malware. Happy Hunting!

Tuesday, March 15, 2022


VT4Browsers++ Any indicator, every detail, anywhere

TL;DR: VirusTotal’s browser extension can now automatically identify IoCs in any website and enrich them with superior context from our crowdsourced threat intelligence corpus, in a single pane of glass fashion. Install in Chrome | Install in Firefox | Read the docs. Please provide feedback.

Don’t feel like reading? Check out a demo video showcasing how VirusTotal’s browser extension is now able to contextualize alerts from your SIEM.


12 years ago I wrote the very first version of the VirusTotal browser extension, now called VT4Browsers. A lot has changed since then, among other things, much smarter colleagues (Ana Tinoco and Camilo Benito) took on the development and kept improving it, including this major release.

Up until now, the extension mostly focused on easing the task of analyzing files and URLs with VirusTotal. For instance, upon downloading a file it asks whether you would like to scan it with over 70 antivirus/nextgen/EDR solutions. Similarly, retrieving the reputation for a link that you are about to follow is as easy as right-clicking on it.

VT4Browsers is getting a major revamp (v4.0) mostly intended for security analysts, incident responders and threat researchers. It can now leverage your API key to automatically identify IoCs (hashes, domains, IPs and URLs) in websites of your choice and enrich them with threat reputation and context from VirusTotal, through a single pane of glass experience.



VirusTotal’s detection score is injected next to the corresponding IoC, as a visual triage data point. Upon clicking on the detection ratio, a side panel kicks in with the full context for the IoC, served with our VT AUGMENT widget. All this happens within the original website, as if it were native functionality in the corresponding platform.



SOC analysts and other cybersecurity responders can now easily access threat reputation and context inside their SIEM, case management system and other tools of their choice, even when they do not have a built-in integration for VirusTotal. This results in faster, more accurate and more confident incident response.

Indeed, alert triage and incident response are two major VirusTotal use cases. These days security teams are increasingly concerned about missed threats due to lack of context. This is further exacerbated by two issues:
  • Machine learning, artificial intelligence, heuristics, user entity behaviour analytics, generic signatures, anomaly detection and other fancy detection buzzwords - even when they work, they often generate more questions than answers. When they don’t work, they lead to noise and false positives.
  • Even the most advanced security programs and defensive stacks are constrained by internal-only (corporate network) visibility. Meanwhile, threat actors operate globally, targeting other organizations. Much could be learned from their footprints.

Thanks to community crowdsourcing, VirusTotal is in a unique position to address this lack of context. Let's look into it. SOCs are often confronted with cryptic alerts such as:


Beyond some internal sighting information (date, machine, user logged in) and a related IoC (an IP address), nothing is known about the potential malware family/toolkit behind it, delivery vector, subsequent attack stages, additional threat campaign IoCs, attacker TTPs, threat actor, motivations, etc.

VirusTotal’s sandbox detonation information, passive DNS dataset, whois lookup history, threat graph, campaign collections, geo+time submission metadata, crowdsourced YARA rule detections, etc. transform the aforementioned cryptic alert into something more like:


The good news is that connecting the dots has never been easier. The new VT4Browsers version bridges the contextualization gap in your existing security solutions and it is fully stack agnostic. It can work simultaneously with your SIEM, case management system and pretty much any other security solution web interface. The extension allows you to add certain platform domains and URLs to lists for persistent enrichment, which is very handy for tools that get used regularly. One-off contextualization via the right-click menu is also possible. Moreover, if you don’t feel like clicking, you can set up keyboard shortcuts. Two contextualization modes are available:

  • Enrichment: Fully automatic - identifies IoCs within websites and automatically looks all of them up against VirusTotal, injecting context where appropriate. It consumes one API lookup per identified IoC.
  • Highlighting: Manual - identifies IoCs within websites and adds a VirusTotal lookup trigger icon next to each of them. Contextualization will only happen when you click on the trigger icon. It consumes one API lookup each time you click on a trigger icon next to an IoC.



As described, the enrichment mode automatically performs an API lookup for each IoC, as a result, it is only recommended for premium API keys. Important: upon making any changes to the lists of domains/URLs to highlight or enrich, make sure that you reload the pertinent website so that the setting kicks in.
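The two modes differ only in when the lookup happens, so the part worth getting right is the IoC identification itself: every duplicate or false match in enrichment mode is a wasted API call. The following is an added example (not VT4Browsers' code) of that first step in Python: it pulls hashes, IPv4 addresses, domains and URLs out of page text, deduplicates them, and counts the lookups each mode would cost. Accepting defanged forms ("[.]", "hxxp") is an assumption of this example; the post does not say whether the extension does so. The alert text and all indicators are constructed.

```python
import re

# Regexes for the IoC types the post lists, applied from most to least specific.
# Defanged notation ("[.]", "hxxp") is accepted here as an assumption of this example.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"'()]+", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\[\.\]|\.)){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\[\.\]|\.))+[a-z]{2,24}\b", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.I)


def extract_iocs(text: str) -> list:
    """Return unique (type, value) pairs. URLs are taken first and their spans blanked,
    so the host inside a URL is not reported again as a bare domain or IP."""
    found, seen = [], set()

    def take(kind_of, regex):
        nonlocal text
        for match in regex.findall(text):
            value = refang(match)
            kind = kind_of(value)
            if (kind, value.lower()) not in seen:
                seen.add((kind, value.lower()))
                found.append((kind, value))
        text = regex.sub(" ", text)          # blank matched spans before the next, looser regex

    take(lambda v: "url", URL_RE)
    take(lambda v: HASH_TYPES[len(v)], HASH_RE)
    take(lambda v: "ip", IPV4_RE)
    take(lambda v: "domain", DOMAIN_RE)
    return found


def api_lookups(iocs: list, mode: str, clicked: int = 0) -> int:
    """Enrichment looks up every identified IoC; highlighting only those the analyst clicks."""
    if mode == "enrichment":
        return len(iocs)
    if mode == "highlighting":
        return min(clicked, len(iocs))
    raise ValueError(f"unknown mode {mode!r}")


# Constructed SIEM-style alert; the addresses, hashes and domain are documentation/test values.
SAMPLE_ALERT = """\
Alert 4711: suspicious outbound connection from WKS-0042 (user jdoe)
Destination 198.51.100.23:443, SNI evil-cdn[.]example
Dropped file sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Download URL hxxp://evil-cdn[.]example/update.bin (also seen as http://evil-cdn.example/update.bin)
Parent process md5 d41d8cd98f00b204e9800998ecf8427e, second sighting from 198.51.100.23
"""
```

On SAMPLE_ALERT this yields one URL (the defanged and plain spellings collapse to one), one SHA-256, one MD5, one IP (seen twice) and one domain, so enrichment mode would spend five lookups rather than the eight raw matches.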

One more thing. This new version also adds additional right-click functionality allowing you to automatically parse out IoCs found in websites to look them up in bulk in VT INTELLIGENCE and VT GRAPH.



Make sure you check the documentation to get your environment set up and please pay close attention to the privacy settings for the pre-existing scanning functionality.

Shortcuts:
Install VT4Browsers in Chrome
Install VT4Browsers in Firefox
VT4Browsers 4.0 documentation

Need a website to test the contextualization? VXVault is a no-brainer.

As usual, we want to make sure that future functionality meets user needs, share your feedback and get to see your suggestions in the next release!

 
Happy hunting threat contextualizing!

Monday, March 14, 2022

YARA "dotnet" module now available for Livehunt and Retrohunt

Good news for all threat hunters! As announced in our latest release notes, the “dotnet” YARA module is now available for both Livehunt and Retrohunt rules. The module exposes features and characteristics of .NET executables, such as the GUIDs used, assembly metadata, resources and so on.

As an example, the following YARA rule published by AlienVault uses different features provided by the “dotnet” module for detecting Shrug ransomware:

import "dotnet"

rule ShrugRansomware {
    meta:
        author = "AlienVault Labs"

    strings:
        $bitcoin_address = "1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx"
        $s1 = "upoldhash.php"
        $s2 = "HarmedFiles"
        $s3 = "ShrugDecryptor"
        $s4 = "SHRUG2"
        $pdb1 = "\\Debug\\ShrugTwo.pdb"
        $pdb2 = "\\Debug\\Shrug.pdb"

    condition:
        // MZ header plus at least one GUID in the .NET metadata: only .NET PE files get past here
        uint16(0) == 0x5A4D and
        dotnet.number_of_guids > 0 and
        (
            // the project's TypeLib GUID, or Shrug-specific strings / PDB paths
            dotnet.typelib == "a6ab6b1f-b144-4920-be42-bb90ec6fc22e"
            or $bitcoin_address
            or 2 of ($s*)
            or any of ($pdb*)
        )
}

The “dotnet” module is not exactly new: it has been growing its own fan club since YARA 3.6.0. However, it was not included in the default YARA build nor enabled in VirusTotal services… until now! You can find more information about this module in the official YARA documentation.

We want to use the opportunity to thank Wesley Shields, the module’s original author, for this great contribution to YARA. 

We hope these changes will make life easier for the malware research community and, as usual, we would love to hear your feedback.

Happy hunting!

Wednesday, March 09, 2022

Meet our new improved VirusTotal Graph

TL;DR: We are publishing a new version of VirusTotal Graph that, among other things, supports VirusTotal Collections and provides a new filter engine to speed up your investigations.

Today we are proud to announce a new release of VirusTotal Graph, the tool to visually navigate the VirusTotal dataset and to create collaborative visual investigations. We listened to the feedback from the community to make VT Graph even better.

Support for VT Collections

During the last months we have been actively introducing new mechanisms for the community to share their collective knowledge in a more contextualized way through VirusTotal Collections.

Today we are making collections easily actionable in VirusTotal Graph, allowing you to expand their IoCs and to find further VirusTotal collections by pivoting from observables.

As an example, we can create a new graph starting from the domain jolotras[.]ru (mentioned in a recent article) resulting in the following graph:

The resulting graph helps to quickly identify that the domain is already contained in some collections. By hovering over a collection node, a snippet with the most relevant information about that collection is displayed.

Moreover, selecting the node shows the main collection attributes and the option to pivot to the IoCs it contains. This adds both context and new elements to the current investigation without leaving the graph. The same behavior applies to referenced entities.

Additionally, we added the option to export your graph into a new collection in VirusTotal via the File menu. The collection will contain the files, URLs, domains and IP addresses present in your current graph.


Filter engine

One of the most requested features we received from the community’s feedback (send yours here) is the ability to filter out elements in VirusTotal graphs.

It is common to find yourself investigating large noisy graphs after multiple pivots and expansions. The VirusTotal dataset is very large and we want to help you find the needle in the haystack.

With that goal in mind, we are happy to introduce you to the new filters engine. You will find the filters icon at the right of the Search Bar.

When clicking it, a new card appears at the right of the graph with the filter types currently supported by the engine (more to come!).

For timestamps, you can find a timeline divided into buckets showing how many nodes fall in each of them. Use it to adjust your time window and filter the nodes in the graph accordingly.

Additional filters are based on an aggregation of the elements existing in your graph, such as the type of node. Along with each filter value you can find the total number of entities in your graph that have that value (e.g. 32 URL nodes) as well as the number of those nodes detected as malicious by at least one AV engine (in the image below, 22 of the URLs in the graph).

Each filter provides three options:

  • OR: When one or multiple OR conditions are selected, a node must match at least one of them to be visible.

  • AND: When one or multiple AND conditions are selected, a node must match all of them to be visible.

  • NOT: When one or multiple NOT conditions are selected, a node must not match any of them to be visible.

After a filter is applied the graph is updated automatically. Clicking on “Remove filtered nodes” removes the hidden nodes from the graph and resets the filters, so you can start over and re-play the filtering flow from there.

You can apply filters to all the nodes in the graph, a selection or nodes in a given relationship. To apply filters on specific nodes just select them. If the filter drawer is already open, it will be automatically refreshed.

Back to our initial investigation, we could filter the IP address resolutions seen during 2022 with at least one detection.
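The OR/AND/NOT semantics above are easy to misread when several groups are set at once, so here is an added example (not VirusTotal Graph's code) that applies them to a small in-memory graph and reproduces the two per-value counts shown beside each filter. The node model (id, type, number of positives, first-seen timestamp) and the sample graph are constructed for the example; the closing query is the one from the paragraph above: IP address resolutions seen during 2022 with at least one detection.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    id: str
    type: str            # e.g. "domain", "ip_address", "url", "file", "collection"
    positives: int       # engines flagging the node as malicious (0 = no detection)
    first_seen: datetime


Condition = Callable[[Node], bool]


@dataclass
class Filter:
    any_of: List[Condition] = field(default_factory=list)   # OR: match at least one (if any set)
    all_of: List[Condition] = field(default_factory=list)   # AND: match every one
    none_of: List[Condition] = field(default_factory=list)  # NOT: match none

    def matches(self, node: Node) -> bool:
        if self.any_of and not any(c(node) for c in self.any_of):
            return False
        if not all(c(node) for c in self.all_of):
            return False
        return not any(c(node) for c in self.none_of)


def node_type(t: str) -> Condition:
    return lambda n: n.type == t


def detected(min_positives: int = 1) -> Condition:
    return lambda n: n.positives >= min_positives


def seen_between(start: datetime, end: datetime) -> Condition:
    """Half-open time window [start, end), the shape a timeline bucket selection produces."""
    return lambda n: start <= n.first_seen < end


def apply_filter(nodes: List[Node], flt: Filter) -> List[Node]:
    return [n for n in nodes if flt.matches(n)]


def type_aggregation(nodes: List[Node]) -> Dict[str, Tuple[int, int]]:
    """Per node type: (total nodes, nodes with at least one detection), the two numbers
    displayed next to each filter value."""
    agg: Dict[str, Tuple[int, int]] = {}
    for n in nodes:
        total, bad = agg.get(n.type, (0, 0))
        agg[n.type] = (total + 1, bad + (1 if n.positives > 0 else 0))
    return agg


def _ts(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed graph: a seed domain with its resolutions, URLs and a collection after two expansions.
SAMPLE_GRAPH = [
    Node("domain-1", "domain", 12, _ts("2021-11-02")),
    Node("ip-1", "ip_address", 0, _ts("2021-06-14")),
    Node("ip-2", "ip_address", 3, _ts("2022-01-09")),
    Node("ip-3", "ip_address", 0, _ts("2022-02-20")),
    Node("ip-4", "ip_address", 7, _ts("2022-03-01")),
    Node("url-1", "url", 5, _ts("2022-01-10")),
    Node("url-2", "url", 0, _ts("2022-02-11")),
    Node("coll-1", "collection", 0, _ts("2022-02-01")),
]

# The post's closing query: IP resolutions first seen during 2022 with at least one detection.
RESOLUTIONS_2022_DETECTED = Filter(
    all_of=[node_type("ip_address"), seen_between(_ts("2022-01-01"), _ts("2023-01-01")), detected()],
)
```

With no OR condition set, the OR group is ignored rather than failing everything; that is what lets a filter with only AND conditions, like the one above, work.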

You can find full Filters engine documentation here.

We are really excited about this new version of VT Graph. We find it easier to use, and the new functionality really helps to make investigations more agile and clean. VT Collections add useful extra context, and exporting investigations into Collections makes results more actionable and collaborative. We welcome everyone to give it a try and to keep sharing your feedback with us.

Happy hunting!


Thursday, February 10, 2022

MISP and VT Collections

At VirusTotal we are actively working on expanding integrations with the most popular tools used by the infosec community. 

Today we are thrilled to announce tighter integration with MISP through our most recent feature to track threat campaigns and malware toolkits, VT Collections. We have created two new workflows: 

  • The ability to export VT Collections to STIX 2, a well-known threat intel exchange format.  
  • Functionality to create a collection from IoCs contained in a MISP Event. 

This will allow the exchange of IoCs bidirectionally between MISP and VirusTotal.

VT Collection to MISP

You can export all IoCs contained in a collection using the export icon in the top-right corner: click on it and select Download all IoCs as STIX:


This will generate a JSON file that can be imported into MISP using the left menu option Import from…

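If you would rather script the MISP side (for instance to feed PyMISP instead of the Import from… dialog), the interesting part of the exported file is the indicator objects and their STIX patterns. The following added example (not VirusTotal's or MISP's code; MISP's built-in STIX import does this mapping itself, possibly differently) parses the comparison expressions out of a STIX 2.1 bundle and turns them into MISP attribute dictionaries. The bundle, IDs and values are constructed for the example, and the STIX-to-MISP type mapping is an assumption of this code.

```python
import json
import re

# One STIX comparison expression: object-type:property = 'value' (string literals only).
COMPARISON_RE = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

# (STIX object type, property) -> MISP attribute type. Assumed mapping for this example;
# MISP's own STIX importer may choose different attribute types.
STIX_TO_MISP = {
    ("file", "hashes.'MD5'"): "md5",
    ("file", "hashes.'SHA-1'"): "sha1",
    ("file", "hashes.'SHA-256'"): "sha256",
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ip-dst",
    ("url", "value"): "url",
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def load_bundle(raw_json: str) -> dict:
    bundle = json.loads(raw_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle


def bundle_to_misp_attributes(bundle: dict) -> list:
    """Turn the indicator objects of a STIX 2.1 bundle into MISP attribute dicts."""
    attributes = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue                               # YARA/Snort patterns are not atomic IoCs
        for obj_type, prop, raw in COMPARISON_RE.findall(obj["pattern"]):
            misp_type = STIX_TO_MISP.get((obj_type, prop))
            if misp_type is None:
                continue                           # unmapped object/property, e.g. file:name
            value = raw.replace("\\'", "'").replace("\\\\", "\\")   # undo STIX string escapes
            expected = HEX_LEN.get(misp_type)
            if expected and not re.fullmatch(rf"[0-9a-fA-F]{{{expected}}}", value):
                continue                           # malformed hash: don't create a broken attribute
            attributes.append({
                "type": misp_type, "value": value, "to_ids": True,
                "comment": obj.get("name", ""), "first_seen": obj.get("valid_from"),
            })
    return attributes


# Constructed bundle in the STIX 2.1 shape; IDs, names and values are examples, not VT data.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--0c4e7f6a-0a1b-4f1e-9a2b-1d3c5e7f9a0b",
    "objects": [
        {"type": "malware", "spec_version": "2.1", "id": "malware--3f1c2b7e-5d4a-4c8b-9e0f-2a6b7c8d9e01",
         "name": "ExampleLoader", "is_family": True},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--7a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
         "name": "ExampleLoader dropper", "pattern_type": "stix", "valid_from": "2022-02-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'"
                    " OR file:hashes.'MD5' = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--8b2c3d4e-5f6a-4b7c-9d8e-0f1a2b3c4d5e",
         "name": "C2 domain", "pattern_type": "stix", "valid_from": "2022-02-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.evil.example']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--9c3d4e5f-6a7b-4c8d-8e9f-1a2b3c4d5e6f",
         "name": "C2 gate", "pattern_type": "stix", "valid_from": "2022-02-01T00:00:00Z",
         "pattern": "[url:value = 'http://c2.evil.example/gate.php']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--ad4e5f6a-7b8c-4d9e-9f0a-2b3c4d5e6f7a",
         "name": "C2 IP", "pattern_type": "stix", "valid_from": "2022-02-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--be5f6a7b-8c9d-4e0f-8a1b-3c4d5e6f7a8b",
         "name": "retired sinkhole", "pattern_type": "stix", "revoked": True,
         "valid_from": "2021-01-01T00:00:00Z", "pattern": "[ipv4-addr:value = '203.0.113.9']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--cf6a7b8c-9d0e-4f1a-9b2c-4d5e6f7a8b9c",
         "name": "typo", "pattern_type": "stix", "valid_from": "2022-02-01T00:00:00Z",
         "pattern": "[file:hashes.'MD5' = 'notahash']"},
    ],
})
```

The two skipped objects are the ones that bite in practice: a revoked indicator should not become a to_ids attribute that starts generating sightings, and a malformed hash value is rejected by MISP's attribute validation anyway, so it is better to drop it (or log it) at parse time than to fail the whole import.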

MISP Event to VT Collection

To tackle this part of the workflow we have developed a new MISP Module called VirusTotal Collections. This module uses the event exporting option to send IoCs to VirusTotal and create the collection.

To create a collection from a MISP event, use the Download as… button while inspecting the event and choose VirusTotal Collections as the export format.


After a few seconds you will get a text file confirming the export process has finished. In the text file you can find the URL of the new collection.

And that’s it. If you are a MISP user, ping your MISP instance admin to activate the export module and tell us what you think about this integration in this form (2 minutes).

Stay tuned for more MISP contributions.

Happy Hunting!