Tuesday, 5 March 2019

Time for VT Enterprise to step up

Late last year we announced the release of VT Enterprise for existing VT Intelligence subscribers. Since the launch, we have iterated on and improved upon VT Enterprise and it is time to begin a full deprecation of the old VT Intelligence interface. Today, we are announcing a 1 month deprecation timeline. Note that this does not affect APIv2, Graph or any other VirusTotal functionality. Similarly, this comes at no extra cost and existing users of VT Intelligence will be able to continue to use the solution within the new VT Enterprise interface.

Let us shed some light on what is new, what you are getting for free with this change and why you want to be moving to the new platform right now!

Improved Intelligence modifier-based searching

When searching for files by hash you are searching across the entire history of VirusTotal going back to 2006. This was never the case when combining many advanced search modifiers, for example:

type:doc p:10+ tag:macros tag:run-file metadata:Cyrillic

As many of you have correctly observed over the years, this kind of faceted search was limited to 2 months worth of submissions. The technical cost of being able to mix together more than 40 modifiers when seeking through tens of millions of files forced this limitation upon us. Often this was even more confusing as certain file types (e.g. images without detections) were discarded from indexing.

With VT Enterprise we are increasing your look back period for free from 2 months to 3 months and we are making the index complete, in other words, no more discarding of certain non-interesting file types without detections and some other filtering logic to circumvent index size limitations.

At the same time we are making even more modifiers available. Many of you always wanted more granularity when searching over behavior reports: you felt that searches like behavior:"gate.php" were too broad and wanted to restrict them to just the network communications. This is now possible:
behavior_network:"gate.php"



Other new modifiers include:

behavior_files - changes related to the filesystem
behavior_processes - observations related to execution of processes
behavior_registry - modifications related to the Windows registry
behavior_services - observations related to services and daemons
main_icon_dhash - file icon similarity search, more on this later

No more experimental content searching, welcome VTGREP

File content searching has been in VT Intelligence since 2012, however, it was an experimental project based on suffix arrays, running on just two machines and spanning just 2 weeks worth of data.

With VT Enterprise we have completely rebuilt the content search service with a 5 Petabyte n-gram index, this is akin to Google planet scale in the field of malware; we are calling this new functionality, VTGREP. We are also seamlessly upgrading your subscription to cover 3 months worth of data instead of 2 weeks.

Moreover, unlike the former suffix array based content searching, this new service allows you to combine multiple content conditions in one single query. This is an example to locate VTFlooder samples:
content:"apikey" AND content:"Transfer-Encoding: binary" AND content:"%015d--"
OR conditions are also allowed:
content:/(virustotal|google)/
You can even search over content found in certain decodings/transformations of files, e.g. in macro VBA code streams:
content:"z5bP7"
This starts to look more and more like a lightning fast retrohunt, doesn’t it? More on this in future updates.
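To see why an n-gram index lets several content conditions be combined in one query, here is a toy sketch. It is an added example, not VirusTotal's implementation: the trigram width, the NgramIndex class and the three sample blobs are assumptions constructed for illustration.

```python
from collections import defaultdict

N = 3  # n-gram width chosen for this sketch; the page does not state VTGREP's width


def ngrams(data: bytes) -> set:
    """All distinct byte n-grams of width N in data."""
    return {data[i:i + N] for i in range(len(data) - N + 1)}


class NgramIndex:
    def __init__(self):
        self.postings = defaultdict(set)  # n-gram -> ids of files containing it
        self.files = {}                   # id -> raw bytes, kept for verification

    def add(self, file_id: str, data: bytes) -> None:
        self.files[file_id] = data
        for gram in ngrams(data):
            self.postings[gram].add(file_id)

    def candidates(self, literal: bytes) -> set:
        """Files holding every n-gram of the literal: a superset of true matches."""
        grams = ngrams(literal)
        if not grams:  # literal shorter than N, the index cannot narrow anything
            return set(self.files)
        lists = sorted((self.postings.get(g, set()) for g in grams), key=len)
        result = set(lists[0])
        for posting in lists[1:]:
            result &= posting
            if not result:
                break
        return result

    def search_all(self, *literals: bytes) -> list:
        """AND of several content conditions, then a byte-level verification pass."""
        cands = set(self.files)
        for literal in literals:
            cands &= self.candidates(literal)
        # n-grams can all be present without the literal itself being present,
        # so each surviving candidate is checked against the real bytes.
        return sorted(f for f in cands
                      if all(lit in self.files[f] for lit in literals))


def build_demo_index() -> NgramIndex:
    idx = NgramIndex()
    # Constructed sample blobs, not real files.
    idx.add("flooder_like",
            b"POST /upload apikey=%s\r\nContent-Transfer-Encoding: binary\r\n--%015d--\r\n")
    idx.add("api_client", b"GET /report?apikey=abc\r\nTransfer-Encoding: chunked\r\n")
    idx.add("scrambled", b"apik pike ikey")  # has every trigram of "apikey", not the string
    return idx


if __name__ == "__main__":
    index = build_demo_index()
    print(index.search_all(b"apikey", b"Transfer-Encoding: binary", b"%015d--"))
```

Each extra AND condition only intersects more posting lists, so the candidate set shrinks before any file bytes are read.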

Greater Retrospection

If you have ever used retrohunt, you have probably asked yourself why a given file that you know is in VirusTotal does not match against your rule. Retrohunt used to operate on a limited pool of machines, meaning that it was only hunting over approximately the last 45-60 days of submissions, depending on the amount of files submitted during that period. We have noticeably improved the setup and are increasing your retrohunt limit deterministically to 3 months; this makes it consistent with the other two timespan improvements.

Let’s recap, in addition to offering more modifiers and better condition combinations, we are seamlessly and freely increasing your retrospection powers across the 3 advanced searching and hunting capabilities. So can we do any better? Yes. We have poured many more resources into all of these features, and we are announcing a Threat Hunter PRO add-on that allows you to go back in time one year, many of you will have already become aware of this in your retrohunt listings:



For some use cases 3 months retrospection is more than enough, however, if you are tracking advanced actors and truly immersed in the threat intel space you will probably be interested in the extended retrospection add-on. Contact us to learn more about how to get access to it.


| | Before | Now (free upgrade) | With Threat Hunter PRO add-on |
|---|---|---|---|
| Advanced search | 60 days | 90 days | 1 year |
| Retrohunt | 45-60 days | 90 days | 1 year |
| Content search (VTGREP) | 14 days | 90 days | 1 year |

With all that, you may think we’re done with this announcement. Let’s explore some additional benefits of the new interface that further expand the malware hunters’ arsenal.

File icon/thumbnail similarity search

If you have launched a VT Enterprise search you will have probably noticed that we now extract and display file icons for Windows Executables, Android APKs and DMGs. We also create thumbnails for PDFs and MS Office files.



You can click on these icons and search for files with a visually similar icon or thumbnail. This is obviously very useful for locating malware that tries to impersonate certain brands (e.g. banks), for spotting evil at a glance (e.g. executables with a PDF icon) and to immediately see that a similarity search is indeed grouping things that truly have things in common. Moreover, it is a great way to cluster together malware variants belonging to similar campaigns:
https://www.virustotal.com/gui/search/main_icon_dhash:47474b4b4b4b4b4b/files

This is especially useful if you combine it with other modifiers in order to locate variants of a same campaign which still have low antivirus coverage:
main_icon_dhash:47474b4b4b4b4b4b positives:7-

Direct pivoting within reports

When looking at reports you may spot interesting static properties. Having to type a search to locate other files with the same characteristic was slow and tedious. Now you can simply click on the property value and immediately launch the search.



Multisandbox behavior reports and behavior searching

Are you stuck in the old VT Intelligence interface? Then you are probably seeing very little execution behavior information. The old templates do not include the data contributed by the multisandbox project, which already integrates nearly ten sandboxes. Example:
https://blog.virustotal.com/2018/04/meet-virustotal-droidy-our-new-android.html

Moreover, you want to be able to search across these reports, and that is something you can only do in the new VT Enterprise:
type:apk behavior:http behavior:"Sign in to your account"

One-click away commonalities

Have you launched a multihash search in the new VT Enterprise platform? Then you have probably spotted a weird and distortedly big electric blue icon:



It is time to spot metadata patterns that are common to all your files instantaneously, with just one click. Those of you generating IoCs during your investigations will probably find this nifty little feature very useful.



Click on any of the displayed commonalities and pivot to other files exhibiting the same property.

File, URL, domain and IP address lookups all in one place

Many of you have suffered the pain of having to have two open tabs when working with VirusTotal, one pointing to the public website and one pointing to VT Intelligence. The first one was used to perform network location lookups and the second one to perform your file related searches. It was a broken world; it is now time to unify everything in one place and leave the door open for a future inclusion of network location (URLs, domains, IPs) advanced faceted searching.

Richer relationships

If you are stuck in the old Intelligence interface you will not be enjoying some of the new relationships being generated for items in the dataset, for instance, embedded domains and IP addresses. These are domain and IP address patterns found within the binary content of files in the dataset, network location information that often does not surface in behavior reports because of different execution paths, delays, etc.



Not only can you see this data in the fully fledged file reports when navigating to your matches, but also as handy popovers within the search result matches.

Multiple VT Hunting goodies

You may notice far richer and more comprehensive VT Hunting notification listings, improved ruleset searching and retrohunt matches in-app visualizations instead of having to download a plain list of hashes.



As you can see, you no longer have to download the list of matching hashes and then launch a multihash search. Even better, you can now do all of the above via new API endpoints that not only allow you to automate retrohunts and livehunts, but also rule management:
https://developers.virustotal.com/v3.0/reference#livehunt
https://developers.virustotal.com/v3.0/reference#retrohunt

This said, the most attractive new feature of VT Hunting is the fact that you no longer have to wait for the next "train departure" when enqueuing a retrohunt, your jobs are kicked off immediately and results start to come in without delay. This also means that you can launch several retrohunt jobs without waiting for previous tasks to conclude.

Enter VT Graph Premium

If you have a zillion open tabs with multiple file reports and searches related to an investigation, it is time to get smarter. Your subscription now incorporates VT Graph and its premium features for free. You can share graphs with other users, granting them viewer or editor roles. You can also make graphs private so that they do not appear in VirusTotal Community and you don’t disclose your most sensitive investigations. Note that graphs generated by free users become publicly available and linked in reports for items contained in those graphs.

Last but not least, you can create custom nodes such as “attacker”, “victim”, “email”, etc. and draw the full picture of a campaign. This is enriched via the privileged relationship information that is newly available (e.g. embedded domains, embedded ips, etc.) and via the commonality generation that was discussed earlier.



If all of this were not enough, you will discover other little new nifty features along the way such as two factor authentication, improved group management for administrators and further quota consumption insights.

Have we managed to convince you to move over to the new platform? If not, please contact us, we will address your pain points in order to make the migration as seamless as possible.

Similarly, get in touch if you want access to the new Threat Hunter PRO add-on, for many advanced investigations greater retrospection is a must. Why? These are just three clear-cut reasons:
  • When investigating a malware family you want to be able to go back in time to its very first variant. Often in the very first campaigns attackers are careless and leave behind debug artifacts, network infrastructure trails and other hints that enable you to perform attribution and know more about your adversary. Think of a serial killer: the police always try to find other related crimes, as these often reveal other clues.
  • Advanced threats are not like commodity malware (adware, banking trojans, etc.): there are no massive campaigns with thousands of variants but rather just a handful of spearheaded attacks spread sparsely over a very long period of time. In order to understand the tactics, techniques and procedures used by attackers you need to see the full picture and you need enough sampling; only extended retrospection capabilities will allow that.
  • A 5 petabyte n-gram index is not something you can do in-house, only a handful of organizations can scale into these numbers. You should be focusing on your investigations and not on maintaining complex hunting infrastructure.

Monday, 25 February 2019

Multisandbox update to Dr.Web vxCube 1.2 brings Android analysis

The multi-sandbox project is under continual improvement. In June 2018, we announced our integration with Dr.Web vxCube. Today we are happy to announce an update to Dr.Web vxCube that adds support for Android. With more than 2 billion active Android devices, having visibility into Android is a very welcome feature. Note that this adds to other multi-sandbox Android setups such as Tencent HABO for Android and VirusTotal Droidy.

In their own words:
We are proud to introduce our newest malware analyzer that now supports Android platform - Dr.Web vxCube 1.2. It maintains the same fast and versatile functionality when working with the Android files. Dr.Web vxCube 1.2 conducts a thorough analysis of APK files and provides in-depth reports on their behavior in the sandbox environment, including information about SMS and calls they could try to make. Moreover, each report includes manifest information with a full list of app’s permissions, activities, broadcast receivers and services.
To view the details generated by Dr.Web vxCube make sure to click on the behavior tab:


To demonstrate some of the features, let's take a look at a few malware samples:

https://www.virustotal.com/gui/file/beb7eefb2008aaf28e75d6ec24eb055c57473c4fd91c4ed70c15e352c0c825f8/behavior/Dr.Web%20vxCube

https://www.virustotal.com/gui/file/a8bf520bcc7336ec447d58794be22715f65ccd0f1c020b5cb7fd6a3599d79e44/behavior/Dr.Web%20vxCube

Detection summary

At the top of the detailed report we can clearly see a detection summary for this APK file. Note that it displays a verdict based on execution behavior; this verdict may complement Doctor Web's antivirus engine running in VirusTotal.


 

Malicious functions

We can see the app is sending SMS spam with malicious URLs:





 

Network activity

The network activity map visually shows where the traffic goes, along with protocol and address information.


 

Connect the dots

With VT Graph you can see all the relationships above in a single nodes and arcs graph enriched with the historical knowledge of the VirusTotal dataset. Forget about having dozens of open tabs to investigate a single incident, one canvas is all you need.



Moreover, as you can see above, you can easily generate an embeddable graph object in order to display your investigation in sites other than VT Graph.

 

Digging deeper

VT Enterprise users can try some more advanced searches using search modifiers in order to identify interesting samples based on behavioral observations and other structural and in-the-wild metadata.

For example you can search for filenames within the behavior data:
behavior_files:"com.adobe.flash/files/BotPrefix"



Similarly, the behavior-scoped modifiers can be combined with any other facets in order to pinpoint not only malware families but also their command-and-control servers, drop-zones, additional infrastructure, etc.

type:apk androguard:"android.permission.READ_PHONE_STATE" behavior_network:http positives:10+


 

More insights and giving back to Doctor Web and the community

If you are as grateful as we are for these new insights into Android apps, you can give back to Doctor Web and the community by helping them receive more APKs so that they can continue to improve their defenses. The easiest way to do this is through a community-developed VirusTotal App that will make the task of uploading new APKs to VirusTotal a no-brainer:

https://play.google.com/store/apps/details?id=com.funnycat.virustotal

We look forward to continuing to work closely with Doctor Web; meanwhile we continue to encourage other sandbox setups to join the multisandbox project.

Thursday, 7 February 2019

Multisandbox project welcomes SecondWrite

We are excited to announce the integration of SecondWrite into the multi-sandbox project. The multi-sandbox project's goal is to aggregate many sandboxes in a similar fashion to the way we integrate Anti-Virus products. With this integration we are now up to 6 sandboxes including ReaQta-Hive, Tencent Habo, VirusTotal Droidy, Cyber adAPT ApkRecon and Dr. Web vxCube. SecondWrite offers some cool features which we will detail below.


In their own words:

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware. Its platform combines dynamic sandbox analysis with static analysis to leverage the best features of both. Its patented technology on forced code execution finds and executes hidden code paths that other sandboxes miss. It uses advanced neural networks that can auto-learn what suspicious code patterns to look for, without human-specified signatures. The neural networks are further enriched by its technology to detect evasive and anti-analysis features in malware.

To view the SecondWrite report make sure to check out the detailed report.


Within the detailed reports, for a quick summary, take a look at the detection scores and classifications.

Malware Score


Classification of different categories

Let's dig a little deeper and see some more features:

Forced Code Execution (FCE)

See for example the file  fcd6c16a61b286bb6951e49869fcadbc9bf83bccf31dc2e3b3c8f7ad23d6054f.

Within the detailed report you can see the IOCs generated by the FCE feature, extracted by SecondWrite's driver. In this example we see that the sample attempts to repeatedly call a single API to avoid analysis. The FCE feature can rewrite one or more conditional statements to get the code sample to execute. Furthermore, some of the discovered events were characterized as Ransomware IOCs, Stealth IOCs, and Anti-Analysis IOCs.

 

Program-Level Indicators (PLI)

 


Typical hook-based approaches gather information about program behavior by capturing application to library function calls and application to kernel system calls. This approach is very effective at capturing how an application interacts with the underlying system through supported Application Program Interfaces (APIs), but it completely misses classes of evasion techniques intended to modify a program running in memory. SecondWrite's Program-Level Indicators are patterns that can only be discovered by looking at the assembly instructions themselves. Frequently the instruction sequences chosen by malware have second-order effects that are beneficial only to malicious programs attempting to hide something. The following report contains two such examples: anti-binary translator code to defeat static analysis and an Import Address Table (IAT) bypass.



Machine learning can be very effective at finding subtle, multivariable associations that are impossible for a human to find. The most granular dataset to feed to a machine learner is sequences of assembly instructions. SecondWrite's Automatic Sequence Detection technology is able to discern instruction sequences that are only found in malicious applications and give a confidence level. It is precise enough to limit false positives, but also broad enough to not be susceptible to artificial changes injected to malware strains such as is the case with polymorphic malware. The following report shows a sample that was determined to be malicious by Automatic Sequence Detection with a 93% confidence:
https://www.virustotal.com/gui/file/520c376e726ca11d47566cbbd03f764646c4e498d76b8457e4cf28e940ca79f1/behavior/SecondWrite

Next we can click on the relations tab, where we can see how it's related to other IP addresses, domains, and URLs.


In this graph we can see related files based on network communication, with common URLs, Domains and IP addresses:



Tuesday, 15 January 2019

Distribution of malicious JAR appended to MSI files signed by third parties

Microsoft Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer (.MSI) files signed by any software developer. This behaviour can be exploited by attackers to bypass some security solutions that rely on Microsoft Windows code signing to decide if files are trusted. The scenario is especially dangerous when the appended code is a malicious JAR because the resulting file has a valid signature according to Microsoft Windows and the malware can be directly executed by Java.

Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author.[1] This way, for example, if you modify the content or append any data to a signed Windows PE (.EXE) file, the signature of the resulting file will not be valid for Microsoft Windows, as expected. This behaviour changes when you append any data to the end of a signed Windows Installer (.MSI) file: the resulting file will pass the verification process of Microsoft Windows and will show just the original signature as valid, without any other warning.

This behaviour could be used to hide and distribute malicious code in signed MSI files; in fact, several security solutions rely on the output of Microsoft Windows code signing validation to avoid an in-depth scan when the file has a valid signature by a well-known and trusted software developer. Such an attack vector is not very interesting if the resulting file is not designed to execute the attached payload, because the attacker would need an additional component already running in the target to extract and execute the appended malicious code. However, JAR files have a characteristic that allows them to run directly in this scenario, making them the perfect candidate to take advantage of this situation.

A JAR file allows Java runtimes to efficiently deploy an entire application, including its classes and their associated resources, in a single request.[2] The interesting part for exploiting the scenario described above is that the JAR file format is based on ZIP to store the different components and resources, and this kind of ZIP is identified by the presence of an end of central directory record, which is located at the end of the archive to allow the easy appending of new files.[3] When Java opens a JAR file it looks at the end instead of the beginning of the file, so a JAR file is executed independently of the data at the beginning of the file. In addition, on Microsoft Windows systems, the Java Runtime Environment's installation program will register a default association for JAR files so that double-clicking a JAR file on the desktop will automatically run it with "javaw -jar". Dependent extensions bundled with the application will also be loaded automatically. This feature makes the end-user runtime environment easier to use on Microsoft Windows systems.[4]

In short, an attacker can append a malicious JAR to an MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows. For example, via the command "copy /b signed.msi + malicious.jar signed_malicious.jar". The victim can be infected with just a double-click on such a file.
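The file layout described above can be checked for statically. The following is an added example, not code from the original post and not how Sigcheck implements its check: it flags a file that starts with the OLE compound file header used by MSI and ends with a ZIP end of central directory record, and reports how many bytes precede the archive. The function names and the sample bytes are assumptions constructed for illustration; ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header, the container of .MSI
EOCD_SIG = b"PK\x05\x06"                        # ZIP end of central directory record
EOCD_FIXED = 22                                 # record size without its trailing comment
MAX_COMMENT = 0xFFFF                            # largest comment the 16-bit length allows


def find_eocd(data: bytes) -> int:
    """Offset of an EOCD record whose comment runs exactly to end of file, or -1."""
    start = max(0, len(data) - EOCD_FIXED - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_FIXED <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_FIXED + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)  # try an earlier signature
    return -1


def inspect_file(data: bytes) -> dict:
    report = {"is_cfb": data[:8] == CFB_MAGIC, "zip_at_end": False,
              "prefix_len": 0, "is_jar": False, "suspicious": False}
    eocd = find_eocd(data)
    if eocd < 0:
        return report
    # The EOCD stores the central directory size and its offset from the start
    # of the archive; any difference from its real position is prepended data.
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix_len = eocd - cd_size - cd_offset
    if prefix_len < 0:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return report
    report["zip_at_end"] = True
    report["prefix_len"] = prefix_len
    report["is_jar"] = ("META-INF/MANIFEST.MF" in names
                        or any(n.endswith(".class") for n in names))
    # A compound file header followed by bytes that parse as an archive at the
    # end of the file is the shape the post describes.
    report["suspicious"] = report["is_cfb"] and prefix_len > 0
    return report


def build_constructed_samples():
    """Constructed, inert test inputs: a 512-byte stand-in for an MSI and a tiny JAR."""
    msi_stub = CFB_MAGIC + b"\x00" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    jar = buf.getvalue()
    return msi_stub, jar, msi_stub + jar


if __name__ == "__main__":
    for label, blob in zip(("msi", "jar", "msi+jar"), build_constructed_samples()):
        print(label, inspect_file(blob))
```

The check looks only at file structure and does not verify the Authenticode signature, so it is best used alongside signature validation on files that report as validly signed.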

This attack vector was detected in a sample sent to VirusTotal and flagged by VirusTotal Monitor (a service to detect and avoid false positives).[5] We have not found evidence of this technique being used massively to distribute malware.

We would like to thank Mark Russinovich and Mark Cook from Microsoft for working with us in the study of the issue and for their quick response with a Sysinternals Sigcheck update to detect this kind of malformed file.[6] VirusTotal also detects this attack vector via the updated version of Sigcheck with the warning "Signed but the filesize is invalid (the file is too large)" in the Signature info section.[7]

Thanks also to Microsoft Security Response Center for the study of the issue. This attack vector has been verified in the latest and updated versions of Windows 10 and Java available at the time of writing (Windows 10 Version 1809 and Java SE Runtime Environment 8 Update 191). Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly.

Last but not least, thanks to all our security partners at VirusTotal for making Internet safer. An early version of this blog post has been shared with all of them in order to provide an adequate response to detect and stop these types of attacks with their antivirus, antimalware and next-gen solutions.


[1] Code signing [Wikipedia] https://en.wikipedia.org/wiki/Code_signing

[2] JAR (file format) [Wikipedia] https://en.wikipedia.org/wiki/JAR_(file_format)

[3] Zip (file format) [Wikipedia] https://en.wikipedia.org/wiki/Zip_(file_format)#Structure

[4] JAR File Overview [Oracle] https://docs.oracle.com/javase/6/docs/technotes/guides/jar/jarGuide.html

[5] VirusTotal Monitor [VirusTotal] https://www.virustotal.com/#/monitor-overview

[6] Sigcheck 2.70 [Microsoft Sysinternals] https://blogs.technet.microsoft.com/sysinternals/2018/10/21/sigcheck-2-70-bginfo-v4-26-and-vmmap-v3-22/

[7] Signed .MSI with malicious JAR appended [VirusTotal] https://www.virustotal.com/gui/file/dd71284ac6be9758a5046740168164ae76f743579e24929e0a840afd6f2d0d8e/details


Francisco Santos & Bernardo Quintero

Tuesday, 8 January 2019

Multisandbox project welcomes ReaQta-Hive

We are pleased to announce the addition of ReaQta-Hive to the multisandbox project, after the integrations of Tencent Habo, VirusTotal Droidy, Cyber adAPT ApkRecon, and Dr. Web vxCube. The unique new feature that this integration brings is support for XSL documents, in addition to PE files, PDF, MS Office documents and scriptlets.

In their own words:

ReaQta-Hive is an Endpoint Threat Response and Hunting platform that uses A.I. to detect new types of attacks. A live hypervisor, called the NanoOS, collects detailed security information at the lowest possible level of an endpoint, which Hive uses to perform dynamic behavioral analysis. This analysis is automatic and constructs a comprehensive storyline of an attack. The end result is an intuitive report of all the actions carried out by an attacker, including a summary of the meta-behaviors that highlight key components of the attack. ReaQta-Hive is a vector-agnostic platform, so it can analyze the behavior of any type of attack, whether it is file-less, script-based, exploit driven, or a plain executable file. We are happy to use our software and expertise to contribute actively to the VirusTotal community, and to help analysts worldwide be more effective and efficient.


To view the ReaQta report when viewing a file analysis, click on the Behaviour tab, select ReaQta-Hive, then the detailed report.



In the detailed report, you can view copious amounts of information obtained by ReaQta-Hive:


Let's take a look at some example use cases where this data is interesting.

XSL document  / #squiblytwo

This example is an interesting malicious XSL document which only ReaQta processes:
https://www.virustotal.com/#/file/9d3746779bc2b2d1ecbd90da8626f81978db4be1eb346106a6334295fce568cd/behavior 
In the relationships tab you can see a link to VT Graph where you can see some relationships to other domains and URLs VirusTotal has seen before.


 

Malicious document using LOLBins

Malicious code that uses living-off-the-land binaries and scripts (LOLBins) has become popular, since these binaries and scripts are included with the operating system and hence trusted. Here is an MS Office trojan that does so:
https://www.virustotal.com/#/file/1f4f22f1814712880b2bbdc5c6418aeaf08c598be0990c5fad55136c9e769951/behavior 

 

Windows PE file, detecting behaviors like  key-logging/screenshots

https://www.virustotal.com/#/file/d72f74208c8960ae70469af3968324c6d5f90a305931763c0f5e23cd7922bcea/behavior
In the report we can see the detection and severity: