Thursday, October 31, 2019

VirusTotal += Bitdefender Theta

We welcome the Bitdefender Theta scanner to VirusTotal. This engine is 100% Machine Learning powered and reinforces the participation of Bitdefender, which already had a multi-platform scanner in our service. In the words of the company:

“When it comes to pushing things forward in the fight against cyber-crime, Bitdefender Theta checks all the boxes. This new technology stack makes use of deep neural networks to provide industry-leading detection rates in the fight against ever-changing cyber-attacks. Bitdefender Theta is 100% Machine Learning powered and, built on top of Bitdefender's state-of-the-art dynamic behavioral analysis and cloud services, is used to identify and block threats without the need for daily signature updates.”

Bitdefender has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.

Monday, October 28, 2019


Test your YARA rules against a collection of goodware before releasing them in production

The rising tide of malware threats has created an arms race in security tool accumulation, which has led to alarm fatigue in the form of noisy alerts and false positives. The last thing you need is more false alarms coming from buggy or suboptimal YARA rules, be they the ones you use in VT Hunting or the ones that you feed into your own security defenses.

As you may already know, VT Enterprise incorporates a component that allows you to match your own YARA rules against all newly uploaded files (Livehunt) as well as back in time against our historical malware collection (Retrohunt).

A common challenge for YARA users is that of potential false positives. False positives degrade a user's Livehunt feed by producing incorrect results. Similarly, a buggy rule is a waste of your Retrohunt quota, and given that Retrohunt jobs are lengthy, it is also a waste of time. Since many security tools incorporate YARA these days, some users will be launching their rules against a fleet of machines that they manage, meaning that a buggy rule can be a big waste of resources.

In order to address this common pain point we are releasing a new Retrohunt feature: fast hunting over a goodware corpus. When you launch your Retrohunt jobs you can now select the corpus on which it should act:

The goodware corpus is a set of 1M files chosen from the NIST National Software Reference Library, accounting for 147GB. Jobs launched against this collection usually finish in under a minute. As such, we imagine that users may be modifying the way they use VT Hunting. Before writing a Livehunt YARA rule or launching a Retrohunt job, they probably will want to test it against this corpus and tweak the rule in order to prevent false positives and avoid unnecessary and lengthy Retrohunt iterations.

Goodware Retrohunt jobs are correspondingly tagged.

In an effort to give back to the community behind VirusTotal and its premium services, we are making this feature entirely free. In other words, Retrohunt jobs against the goodware corpus do not consume Retrohunt quota.
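The pre-flight workflow described above (submit the rule against the goodware corpus, wait for the short job, refuse to ship the rule if it hits known-good software), as an added example that is not code from the post. The endpoint path, the "corpus" attribute and the job fields it reads are assumptions about VirusTotal's APIv3; check them against the current API reference before relying on the script.

```python
"""Pre-flight a YARA rule against VirusTotal's goodware corpus before a full Retrohunt.

Added example, not code from the post. Endpoint path, the "corpus" attribute and the
job fields used here are assumptions about VirusTotal APIv3.
"""
import json
import time
import urllib.request

API = "https://www.virustotal.com/api/v3/intelligence/retrohunt_jobs"  # assumed


def build_goodware_job(rules: str) -> dict:
    """Request body for a Retrohunt job restricted to the free goodware corpus."""
    return {"data": {"type": "retrohunt_job",
                     "attributes": {"rules": rules, "corpus": "goodware"}}}


def goodware_verdict(job: dict, max_hits: int = 0) -> tuple:
    """Decide whether a finished goodware job clears the rule for production.

    Returns (ok, reason). Any hit on known-good software is a false positive,
    so the default tolerance is zero; an unfinished or aborted job never passes.
    """
    attrs = job.get("data", {}).get("attributes", {})
    status = attrs.get("status")
    if status != "finished":
        return False, f"job not finished (status={status})"
    hits = attrs.get("num_matches", 0)
    if hits > max_hits:
        return False, f"{hits} goodware matches: rule is too broad"
    return True, "no goodware matches"


def _call(method: str, url: str, api_key: str, body: dict = None) -> dict:
    """Minimal JSON call against the API using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"x-apikey": api_key,
                                          "content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def preflight(rules: str, api_key: str, poll_seconds: int = 5) -> tuple:
    """Submit the rule against goodware, poll until done, return the verdict."""
    job = _call("POST", API, api_key, build_goodware_job(rules))
    job_id = job["data"]["id"]
    while job["data"]["attributes"].get("status") in (None, "starting", "running"):
        time.sleep(poll_seconds)  # goodware jobs usually finish in under a minute
        job = _call("GET", f"{API}/{job_id}", api_key)
    return goodware_verdict(job)
```

Wire `preflight()` into the release step of your rule repository so that a rule with goodware hits never reaches Livehunt or your fleet.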

This new feature builds upon some major improvements that have been recently released, such as the new API endpoints to programmatically interact with VT Hunting. Stay tuned: soon we will be announcing far bigger enhancements to Retrohunt; you can take a sneak peek in our 2019 roadmap (Lightning-fast retrohunt).

Thursday, October 24, 2019


Revamping in-house dynamic analysis with VirusTotal Jujubox Sandbox

VirusTotal Jujubox Sandbox in action:

This is a small datastudio set up to illustrate the kind of analytics that can be built with a massive dynamic analysis setup, generating IoCs. Note that there are several pages.

One of the main themes of VirusTotal’s 2019 roadmap is “Holistic Threat Profiling”. Some users never move beyond the basic use case for VT: checking hashes and looking at detections. However, that use case, while still core to VT, is by no means the most popular. VT also provides information on URLs, IPs and domains, and what’s more, it builds a graph that relates all of these observables. In an effort to allow users to identify the complete attack campaign, beyond the individual malware variants, we continue to introduce new tools and features. This new functionality allows users to characterize a threat from different points of view: static analysis, dynamic analysis, code analysis, relationship analysis, and more.

In our ongoing effort to improve our behaviour analysis infrastructure, we are happy to announce the rollout of a new Windows sandbox that radically improves on and complements our previous Windows XP SP1 analysis system, launched in 2012. The analyses generated by this new system are already showing up in new file reports, free for the community. We are also complementing our threat feed offerings with a dynamic analysis feed derived from this new system; more on this later. Let's first focus on the community impact.

The project has been baptised “Jujubox” (a reference to the bad-karma, or juju, objects it processes) and integrated into the multi-sandbox project. This new sandbox currently runs Windows 7 and records the actions of 32-bit and 64-bit Windows binaries under 80MB when executed. It extracts information such as:

  • File I/O operations.
  • Registry interactions.
  • Network traffic: HTTP calls, DNS resolutions, TCP connections, DGAs, etc.
  • JA3 digests.
  • Dropped files (and the interrelations between them).
  • Mutex operations (creation, opening).
  • Runtime modules.
  • Highlighted text in windows, dialogs, etc.
  • Highlighted Windows API calls/syscalls.

The information from the execution is indexed and searchable through VT Enterprise and fuels services such as VT Graph. Basically, any text found in these reports is indexed in an Elasticsearch database. Each analysis also contains a fully revamped detailed HTML report, with improved filtering capabilities, allowing analysts to grasp the details of sample execution: syscalls, process tree and screenshots.

In order to access the detailed HTML report containing all windows API calls you just need to refer to the multi-sandbox action menu bar:

The detailed HTML report logs API calls and return values, meaning that it can greatly expand the observations contained in the summarized report view. You may refer to the following report in order to see an example of the full HTML report:

Let’s take a look at some specific use cases that can be solved with this new setup.


Pivoting and mapping threat campaigns

After the analysis we can gather information from the sample and use it to either find relationships with other elements or to pivot to other campaign artifacts. This is an example illustrating the sandbox analysis:

This new setup contributes to the relationships created between samples and domains, allowing us to appreciate the DGA used by this particular malicious sample. The same goes for its dropped files. The sandbox analysis acts as a microscope, allowing us to better understand an individual threat. For instance, we can also take a look at where this malicious sample usually stores itself for persistence by checking the copied files and registry keys set:

Using inline hover pivots it is easy to find other reports showcasing this very same behaviour:

To pivot even further and find other similar files, we can use one of the advanced search operators to focus on file activity:
behaviour_files:"C:\Program Files\AVG\AVG9\dfncfg.dat" and sandbox_name:jujubox

Once you have discovered several variants pertaining to the same threat actor, it might be a good time to build a YARA rule and feed it into VT Hunting in order to track the evolution of the given malware family and understand better the attackers behind it.


Finding similar samples by mutexes

Mutexes are often reused by many samples. Although most mutex names are common and legitimate, malware often chooses very characteristic names for its mutexes, making it easy to identify families and threat campaigns. This sample is a perfect example; it has a very specific mutex name:

By clicking on the mutex name we can find samples sharing the same behavior when it comes to mutex creation. Within VT Enterprise we can execute the query behavior:sfdkjjhgkdsfhgjksd to find such samples.


Pivoting on JA3

JA3 hashing is a way to fingerprint TLS client connections. In this particular report we can see a JA3 hash:

To pivot on this JA3 we click on the hash and generate the pertinent search query. This will use the behavior search modifier:

Another JA3 example is to search for samples that use a Tor client:


Programmatically interacting via API

All of the data described above is freely surfacing in APIv3, giving users a complementary characterization of their files beyond file reputation. A common use case is VT Enterprise users setting up YARA rules in VT Hunting in order to track malware variants or threat actors and then automatically retrieving file behavior reports for their notifications. These file behaviour reports are then data mined for patterns in terms of mutexes, contacted domains, file naming conventions, etc. in order to generate indicators of compromise that can be used to power up security defenses.

The following datastudio showcases the kind of insights that can be derived from the aggregated study of behavioral observations. It clearly illustrates that by focusing on volume, and beyond that on malware families and clusters, it is sometimes straightforward to identify patterns and commonalities and generate alternative detection mechanisms for threats. Note that this datastudio has several pages.
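The data-mining step described above (pull the behaviour reports for a set of notified variants and keep only the artifacts they share, discarding per-sample noise such as DGA hostnames and mutexes that benign software also creates), as an added example that is not code from the post or from VirusTotal. The report attribute names are an assumption modelled on APIv3 behaviour objects, and the three reports are constructed; only the mutex name is taken from the post.

```python
"""Mine sandbox behaviour reports of one malware family for shared IoCs.

Added example, not code from the post. Attribute names follow VirusTotal APIv3
behaviour objects as an assumption; the reports below are constructed.
"""
import math
from collections import Counter

# Artifacts also seen in benign software; never emit these as indicators.
NOISY_MUTEXES = {"Local\\ZonesCounterMutex", "ShimCacheMutex"}
NOISY_HOSTS = {"www.msftncsi.com", "crl.microsoft.com"}
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"


def _report(dga_host: str, extra_mutex: str = None) -> dict:
    """Constructed report: per-sample DGA host, shared C2, mutex, Run key and JA3."""
    mutexes = ["sfdkjjhgkdsfhgjksd", "Local\\ZonesCounterMutex"]
    return {"attributes": {
        "mutexes_created": mutexes + ([extra_mutex] if extra_mutex else []),
        "dns_lookups": [{"hostname": dga_host}, {"hostname": "c2.example"},
                        {"hostname": "www.msftncsi.com"}],
        "registry_keys_set": [{"key": RUN_KEY}],
        "ja3_digests": ["0123456789abcdef0123456789abcdef"]}}  # placeholder digest


SAMPLE_REPORTS = [_report("qzkd7a.example"), _report("m3pxu1.example", "OnlyInOne"),
                  _report("ty8wqe.example")]


def extract_indicators(report: dict) -> dict:
    """Flatten one report into {kind: set(values)}, dropping known-noisy items."""
    a = report.get("attributes", {})
    return {
        "mutex": set(a.get("mutexes_created", [])) - NOISY_MUTEXES,
        "domain": {d["hostname"] for d in a.get("dns_lookups", [])} - NOISY_HOSTS,
        "regkey": {r["key"] for r in a.get("registry_keys_set", [])},
        "ja3": set(a.get("ja3_digests", [])),
    }


def common_iocs(reports: list, min_share: float = 0.6) -> dict:
    """Indicators present in at least min_share of the reports, counted once per
    report so one chatty sample cannot dominate; per-sample DGA hosts drop out."""
    counts = Counter()
    for r in reports:
        for kind, values in extract_indicators(r).items():
            counts.update((kind, v) for v in values)
    needed = max(1, math.ceil(len(reports) * min_share))
    out = {}
    for (kind, v), n in counts.items():
        if n >= needed:
            out.setdefault(kind, set()).add(v)
    return out
```

Feed real reports from the notification workflow into `common_iocs()` and grow the noisy-artifact sets from a goodware baseline so the resulting indicators stay precise.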


Sandbox feed

This important effort to improve our free community capabilities is also being leveraged to radically improve our premium services. As seen in the datastudio above, when operating at scale we can make use of clustering and data mining in order to generate patterns and commonalities that can be fed into security defenses as yet one more mechanism in our onion layered security model.

As such, we are creating a new offering that expands our portfolio of feeds (file and URL feed), allowing users to retrieve all the dynamic analysis reports generated for files uploaded to VirusTotal. The value proposition is simple:
  • Ingest every single sandbox dynamic analysis report generated for all files which are analyzed within VirusTotal sandbox. As of October 2019, we do our best to sandbox all PE EXE, MSI, Android, MacOS Mach-O/DMG/PKG files.
  • Datamine the feed and identify domains, IP addresses, URLs, mutexes, registry keys, etc. that may be used as indicators of compromise to power-up your security toolset.
  • Discover unknown malware flying under the radar of antivirus solutions by studying behavioral patterns.
  • Implement complex behavior detection rules.

If you are interested in getting an Early Access Preview of this service, feel free to reach out to us. In future blog posts we will dive deeper into how the sandbox feed can be leveraged to improve security defenses; stay tuned.

Wednesday, October 23, 2019


VirusTotal multisandbox += VenusEye

The VirusTotal multisandbox project welcomes VenusEye. The VenusEye sandbox is currently contributing reports on PE executables, documents and JavaScript.

In their own words:

VenusEye Sandbox, as a core component product of VenusEye Threat Intelligence Center, is a cloud-based sandbox service focused on analyzing malware and discovering potential vulnerabilities. The sandbox service takes multiple (~100) types of files as input, performs both static analysis and behavior analysis, and eventually generates a detailed human-readable report in several supported formats like PDF or HTML. Being weaponized with the MITRE ATT&CK knowledge base, VenusEye Sandbox combines the product and the service as a whole. With the help of our sandbox service, users can track threat actors or gather threat intelligence for their hunting in a much easier way.

You can find VenusEye reports under the “Behavior” tab:

Take a look at a few example reports within VirusTotal:

Document with macros

Taking a look at the embedded content preview for the sample 8143a2c2666575152896609c1d8d918717a358d4611a57a0cce2559e3c5cabbf we see that the malware is attempting to trick users to enable macros.

The VenusEye sandbox automatically enables macros and allows us to see the execution details, including the HTTP requests, DNS resolutions and process tree.

Javascript files

Wide use of online email services that automatically block executable attachments has led to attackers using alternative file formats for their spam campaigns. As depicted above, documents with macros are one example; JavaScript files have also become quite popular. VenusEye represents a very interesting addition to the multi-sandbox project in that, unlike some of the other integrated sandboxes, it also analyses JavaScript files.

In this particular example, the simple fact that a JavaScript file that can execute in Windows (as opposed to being a website resource) performs DNS resolutions should be enough to consider the file highly suspicious, more so if we take into account the registry keys with which it interacts:

Rich relationships

The two examples above illustrate VenusEye acting as a microscope to understand what an individual threat does. However, thanks to the network traffic recordings, VenusEye also contributes macroscopic patterns that can be easily understood using VT Graph.

For example, when looking at the javascript file above we can make use of the file action menu in order to open it in VT Graph:

By default a one level depth inspection is performed, but we can always dig deeper. By expanding the files communicating with we get to discover a Windows executable that seems to be using such domain as its command-and-control:

In other words, VenusEye also helps in tracking entire campaigns thanks to the contributed file/domain/IP/URL relationships.

Advanced pivoting

As usual, all of this information is indexed in the Elasticsearch database powering VT Enterprise, which makes it trivial to pivot to other variants of a given malware family or to other tools built by the same attacker.

Let us now return to the document with macros above. VT Enterprise users can click on any of the behavior report contents in order to launch a VT Intelligence search for files exhibiting the same pattern when executed. Let us click on the first HTTP request entry:

This launches the search behaviour_network:"", finding other samples that communicate with that very same URL. Now that we have identified other variants belonging to the same campaign or threat actor, it is trivial to automatically generate commonalities that we can use as IoCs to power up our security defenses:

Thank you VenusEye for joining the multi-sandbox family that aggregates more than 10 dynamic analysis partners and counting. If your organization has some kind of dynamic analysis setup, don’t hesitate to contact us to get it integrated in VirusTotal, we will be more than happy to grant you free VT Enterprise quota in exchange.