Monday, April 22, 2013

, , , , , ,

VirusTotal += PCAP Analyzer

VirusTotal is a greedy creature, one of its gluttonous wishes is to be able to understand and characterize all the races it encounters, it already understood the insurgent collective of Portable Executables, the greenish creatures known as Android APKs, the talkative PDF civilization, etc. as of today it also figures out PCAPs, a rare group of individuals obsessed with recording everything they see.

PCAP files contain network packet data created during a live network capture, often used for packet sniffing and analyzing data network characteristics. In the malware research field PCAPs are often used to:

  • Record malware network communication when executed in sandboxed environments.
  • Record honeyclient browser exploitation traces.
  • Log network activity seen by network appliances and IDS.
  • etc.
We have seen that many users send their PCAPs to VirusTotal, these PCAPs often contain HTTP flows whereby a trojan is downloaded, recording worm scanning sweeps, logging exploits being delivered to a honeymonkey, etc. We want to help those users submitting PCAPs to VirusTotal and improve their research, that is why we have introduced PCAP analysis, its features are:
  • Processes the files with popular intrusion detection systems (Snort and Suricata for the moment) and logs the rules that they trigger.
  • Extracts file metadata with Wireshark.
  • Lists DNS resolutions performed.
  • Lists HTTP communication.
  • Extracts files seen in the different network flows and links to the pertinent VirusTotal reports if the given file is of an interesting file type (portable executables, PDFs, flash, compressed bundles, etc.). If you are registered in VirusTotal Community and have signed in, these interesting files extracted from the network flow will be available for you to download as long as you are the first submitter of the PCAP (which when dealing with this type of files is the most common situation). 
Without futher ado, let us paste a couple of examples of this new functionality (refer to the File details tab in order to see all of the aforementioned information):


  1. Hi Emiliano, great job!
    Is it possible to anonymize the network flow in order to maintain the anonymity of the network where the flow is captured?

  2. Kudos to Francisco Santos for this great feature (, @fsantos do you want to chime in with respect to the previous anonymization request?

  3. [2] Kudos to Francisco Santos // @fsantos

    in the past has ridden labs to perform exactly this type of analysis, see this at your fingertips to analyze is very tempting!

    Effectively, congratzzz!!

  4. Hi! you could use tcprewrite ( tool to modify IP address belonging to your origin net, for example:

    $ tcprewrite -C -S (YOURIPRANGE)/16: -D (YOURIPRANGE)/16: -i input.pcap -o output.pcap

    Keep in mind this will only modify IP address, any information traveling inside this packets will be unmodified and information about the original hosts could be eventually revealed depending on information from other protocols.

  5. Why Snort are running with the SourceFire rules and Suricata with the EmergintThreats plus the GPL rules? Why not just one IDS with both rulesets?

    To generate alerts from preprocessors of both IDS? For the file extraction feature that have Suricata?

    Also, it has uncommented all the rules from both rulesets? (some FPs will be generated but it's useful)

  6. Good and nice post.....

    Thanks & regards