Tuesday, December 18, 2018

VirusTotal += Acronis

We welcome Acronis scanner to VirusTotal. In the words of the company:

“Acronis PE analyzer is Machine Learning based engine to be a part of upcoming cyber protection suite that company will release in 2019. It is a further evolution of Acronis AI capabilities that were introduced in 2018 to combat ransomware. PE analyzer is able to detect any kind of windows PE malware due to optimized innovative machine learning models. Acronis has plans to continuously improve the engine before and after the release of above mentioned cyber protection suite to bring value to all VirusTotal users.”

Acronis has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-TEST, an AMTSO-member tester.

Thursday, November 22, 2018

VirusTotal += Trapmine

We welcome Trapmine scanner to VirusTotal. In the words of the company:

“Trapmine ThreatScore is a machine learning-powered malware detection engine developed to identify known and never-before-seen malware. This engine is a part of TRAPMINE Endpoint Detection & Protection Platform. Trapmine combines machine learning, behavior monitoring and endpoint deception techniques to provide fool-proof defense against malware, exploit attempts, file-less malware, ransomware and other forms of targeted attacks. Windows PE files submitted to VirusTotal will be analyzed by Trapmine ML engine and the verdicts will be displayed to VirusTotal users.”

Trapmine has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.

Tuesday, June 05, 2018

, , , , , ,

Multisandbox project welcomes Dr.Web vxCube


The multisandbox project keeps growing, short after the integration of Tencent Habo, VirusTotal Droidy and Cyber adAPT ApkRecon we are now welcoming Dr.Web vxCube. What is most exciting about this integration is that not only does it run executables, but also opens documents with potentially vulnerable software in order to spot exploits and characterize dropped malicious payloads.


In their own words:
Dr.Web vxCube was born inside Doctor Web Anti-Virus Laboratory. It is a hypervisor-based sandbox that uses agentless technology to analyze malware inside the operating system. It works incredibly fast and invisibly to the analyzed sample. Dr.Web vxCube offers comprehensive but intuitive reports containing information about sample's behavior, created files and dumps, process graph, API log and network activity map. We are happy to bring our expertise to the VirusTotal community.


The following report examples highlight how useful this new integration is:


The following ones are particularly interesting as they exemplify how Dr.Web vxCube is able to spot exploitations triggered when opening a document, most specifically exploitation of CVE-2017-11882:


Make sure you also open the detailed report:

This will open up a far more insightful HTML capturing fine grained execution details that are presented in an aggregate fashion in the summarized behavior tab or perhaps not even included at all:


Behavior information is essential when diving into investigations because it allows analysts to pivot over certain indicators of compromise and discover other malicious files and network infrastructure that is related to the same campaign or attacker group. For instance, if we focus on the first CVE-2017-11882 file and open it up in VirusTotal Graph:



We can immediately get a sense of the file indeed being malicious (due to its connection to malicious items) but we may also easily discover the network infrastructure used by it, and most importantly, we get to see other malware served by that very same network infrastructure, without having to follow a huge amount of report links:



And this is precisely how we discover some of the deception techniques being used by the attackers behind this particular threat. The exploiting document communicates with a-dce.com, so do 3 other samples. By investigating these in VirusTotal Intelligence we get to see that some of those files were spotted as attachments in spam email files uploaded to VirusTotal, we can see the body of these messages and discover how they trick users into downloading and opening the exploiting document:





Fake purchase orders and invoices remain a common simple bait inducing users to execute malware. Having reached this point it would be a good moment to build a Yara rule to detect variants of this malware family and set them up in Malware Hunting in order to discover new threats created by the very same group and keep expanding the investigation graph.

We hope you find this new sandbox as exciting as we do. We already have more integrations in the pipeline and we are certain this will heavily contribute to identifying new threats and strengthening anti-malware defenses worldwide.


If you have a sandbox setup or develop dynamic malware analysis systems please contact us to join this effort.

Wednesday, May 02, 2018

, , , ,

New Firefox Quantum-compatible VirusTotal Browser Extension

In November 2017 Mozilla released a new and improved version of their browser. This version is called Firefox Quantum. Following that step forward, VirusTotal is releasing major revamp of its browser extension! You may install it at:

Historically VirusTotal had a very simple but popular firefox extension called VTZilla. It allowed users to send files to scan by adding an option in the Download window and to submit URLs via an input box. We had not updated it since 2012.



At the end of 2017 Firefox decided to discontinue support for old extensions and encourage everyone to update their extensions to the new WebExtensions APIs, a common set of APIs designed to be the new standard in browser extensions. As a result our existing VTZilla v1.0 extension no longer worked. At VirusTotal we decided to face this as an opportunity instead of an inconvenience and we started working on a new and improved version of VTZilla.

VTZilla 2.0 has been designed with various goals in mind. We wanted this new version to be easy to use, transparent to users and as customizable as possible. The first thing users will see when installing the extension is the VirusTotal icon. If you click on it you will see the different configuration options:


This will allow users to customize how files and URLs are sent to VirusTotal and what level of contribution to the security community they want.

Users can then navigate as usual. When the extension detects a download it will show a bubble where you can see the upload progress and the links to file or URL reports.


These reports will help users to determine if the file or URL in use is safe, allowing them to complement their risk assessment of the resource. This is a great improvement with respect to the former v1.0 version of VTZilla where we would only scan the pertinent URL tied to the file download. Then you would then have to jump to the file report via the URL report, and this would only be possible if VirusTotal servers had been able to download the pertinent file, leaving room for cloaking and other deception mechanisms.

VTZilla also has functionality to send any other URL or hash to VirusTotal. With a right button click users have access to other VirusTotal functionality:


This is the basis for all future functionality. Feel free to send us any feedback and suggestions. We will be working to improve and add functionality to the extension. Thanks to WebExtensions we will also be able to make this extension compatible with other browsers that support the WebExtensions standard.

Soon after this major revamp we will be announcing new VTZilla features whereby users may further help the security industry in its fight against malware. Even non-techies will be able to contribute, the same way that random individuals can contribute to search for extraterrestrial life with SETI@home or help cure diseases with BOINC, stay tuned and help give good the advantage.

Monday, April 16, 2018

, , , , , , ,

Multisandbox project welcomes Cyber adAPT ApkRecon


Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Thursday, April 05, 2018

, , , , , , ,

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.  

Sunday, April 01, 2018

, ,

Meet FORTUNE COOKIE

VirusTotal is always working to improve our users' experience and our partner ecosystem. We have a robust community of security professionals who research, study, and collaborate through VirusTotal's diverse tools and capabilities.

In our labs, our top engineers are working hard to develop new ways of understanding how samples relate to each other, to campaigns, and to the users who ultimately fall victim to them.

We're thrilled to share with you the brand new VirusTotal Free Object Randomized Tester Utilizing Nil Evaluative Code with Object Oriented K-means Inference Engine, or FORTUNE COOKIE for short.

FORTUNE COOKIE is a bleeding edge system that brings about a highly accurate randomized verdict for your entertainment and enjoyment. It knows very little about malware, reverse engineering, or file analysis, but could theoretically be capable of leveraging machine learning, blockchain, and/or random numbers to bring about an entirely new class of verdicts.

An example of its detection capabilities can be found below:


We think FORTUNE COOKIE will change the way you use VirusTotal, and due to the incredibly amazing power it offers, it will only be available for a short time.

Enjoy!

Tuesday, March 06, 2018

, , , , , ,

Additional Crispiness on the MacOS box of apples sandbox

In November 2015 we first released our MacOS sandbox. We now have an incremental feature improvements live on our site to help our users get further behavioral information from samples scanned with VirusTotal

Several improvements visible to users are:


  • Sandbox updated to OSX 10.11 El Capitan in sandbox.  We have a High sierra update planned for later this year. 
  • Detailed HTML analysis report is now available. 
  • Screenshots of the software under analysis to provide more contextual information:
    • Show screenshots of what a user would see
    • Help determine if the sample is waiting for user input
  • Network traffic reports updated
    • Country Detection
  • Timestamps on file operations,  to help show the sequence of events.
  • Process tree is shown if there is more than one level of processes


To view the detailed behavior report, click on the behavior tab, then select the Box of Apples sandbox, then click on the detailed report link

Click on the detailed behavior report. 




Some Samples that might be interesting, that contain the new features:
ec7241a6009f1fff38b481d8b4fd6efede4cc2f9d8ee20d9ca2b4ff66d656171
3b196c1c1a64aca81dec5a5143b3f2faaadcc4034b343f46f23348f34a2ef205
694c23b548249056bf90b2b2c252a8c9abfae4aeb611476cbdaa8dc112f79d8f


Screenshots and File operations

DNS, IP Traffic and Behavior tags


This is part of the Multi-Sandbox project.    We’ll continue to improve our own and 3rd party sandbox providers that wish to integrate sandboxes into VirusTotal.

If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing  contact@virustotal.com

Wednesday, January 24, 2018

VirusTotal and Chronicle

It's been more than five years since Google acquired VirusTotal. Today we have another update: VirusTotal will moving to become part of Chronicle, a new Alphabet company focused on cyber security. This update, like our move to Google a few years back, does not change the mission or focus of VirusTotal. We'll continue to operate independently, focused on our mission of helping keep you safe on the web.

For press inquiries, please contact press@chronicle.security