Thursday, February 18, 2021


When you go fighting malware, don't forget your VT plugins

It's been a year since we launched our VirusTotal plugin for IDA Pro, followed by SentinelOne’s amazing contribution to the community with their VirusTotal plugin for GHIDRA (thanks again for the great job), inspired by the original IDA plugin but adding some cool extra features.

Now, what are IDA Pro and Ghidra? They are the most popular disassemblers used by the security community for malware analysis. Basically, they help researchers understand the functionality of the code used to build the malware.

Most of VirusTotal's users simply use the web interface or the API in order to do their investigations or enrich their threat intelligence systems, so how and when do these plugins come in handy?

Before we go on, make sure to join us for our next webinar with SentinelOne next February 24th where we will demonstrate how to use both plugins with real life examples. Join us and register here!

Looking inside the malware

VirusTotal usually provides all we need to know about a malware sample and more, especially when it comes to context and the relationships with other samples or malicious infrastructure. However, sometimes as analysts we need to take a deeper look, and this is when IDA Pro and Ghidra come to the rescue.

What do VirusTotal's plugins for these disassemblers have to offer? Basically, they make analysts' lives easier by providing several handy functionalities that leverage VirusTotal's knowledge base. For instance, in one click we can search for samples that use a specific relevant piece of code that we found in the sample we are analyzing. Indeed, the plugins' code similarity search functionality offers new ways to find related samples that aren't easily reachable without going down into the reversing process.

We will usually want to find samples with a set of instructions similar to the one we are analyzing. Let's see an example. If we take a look at the WinMain functions of two different samples (as shown below), it is clear that they are practically identical, differing only in the value of some operands.



If we omit these differences, we can see that they have the same structure and share the same set of instructions.




You never know what kind of valuable information you will find when analyzing a sample. It could be a very peculiar implementation, or a distinctive function that attackers implement in all their samples. It could also be that we are looking at earlier versions of recently deployed malware, giving us the opportunity to understand its evolution before attackers implement anti-reversing techniques.

Analyzing corrupted files

Code similarity provides additional advantages. Let's consider the case where we have some corrupted samples of a recent malware strain. They can be memory-dumped files, or PE files that were modified during execution; in any case, we cannot execute them. These kinds of files are not the best for creating YARA rules, because there is a chance that the content was modified before the memory image was dumped to disk. These are the scenarios where the VirusTotal plugins shine, as we can search for any code we find interesting enough in order to find related samples. We previously described this technique to hunt Ryuk samples starting from a corrupted one.

There are many other ways in which these plugins can assist you with code analysis. For instance, we can look for code similarity during a debugging session, the advantage being that we can search for decrypted or uncompressed samples uploaded to VirusTotal just by searching for some instructions obtained at runtime. We'll further explore this technique in our webinar with SentinelOne.

What’s next?

So what is the future of VirusTotal's plugin for IDA Pro? We are working hard on implementing an exciting new set of features focused on assisting you during the reversing process. For instance, we plan to collect contextual information from our database about the sample you are working on and show it in the IDA interface. We will also enrich the disassembled code to highlight the most significant information collected from VirusTotal.

We will show you more about what will be in the new version in our joint webinar next February 24th!

See you there and Happy hunting!

This post was co-authored by Vicente Diaz.

Monday, January 25, 2021

Building towards the richest and most interconnected malware ecosystem

Investigations into malicious activity usually start with small pieces of a puzzle whose size and complexity we don't yet know. Analysts will never have a full picture of the attack under investigation, only attackers know that, but probably that's not necessary either. What is needed is to retrieve the context necessary to achieve the goal of the investigation.


How do we get this context? Every piece of the puzzle can be used to obtain new pieces. We then repeat the process until we don't find any more clues, or we are satisfied with the results. In this case, the pieces of the puzzle are Indicators of Compromise (IOCs), usually hashes, domains and IPs.


So, when starting the investigation with only a few pieces... how do we find the rest in VirusTotal? It is a pretty massive database, so we have been working hard to find every single clue we could to relate different items, so that you can complete your puzzle. For instance, if we start with a few malware samples, we want to find the infrastructure used in the attack as well as other related files used by the same attacker in the same campaign. Maybe we can even use similarity to find potentially related samples from the same actor.


We have good news for everyone! Over the last few months we have included additional meaningful relationships to create a rich ecosystem that interconnects samples, URLs, domains and IP addresses. Below we will review what kinds of relationships you can find in VirusTotal. You can visualize all the relationship-related information under the "Relations" tab in VirusTotal for any sample or networking item.


Below you can find all the fresh new relationships specific to files:

  • Dropped files: Interesting files written to disk during sandbox execution. Extremely useful to find what dropper was used for any specific malware.

        For example: baad6807d751aa8b44bd464b3302a6ad4c200dc27b22b3845b0397cf366e3f4c


  • Overlay children: Files that are contained as an overlay in another sample. Once again, finding information about the parent of a malware sample helps in understanding the whole execution chain and properly reproducing the attack.

        For example: 12304478f1c50f9d10497bc8afea771bd1e3bd5bd3beaa0370090f727f3713a1


  • PCAP children: Files seen inside the communication traffic of an uploaded PCAP file. Another valuable source of information, as the communication between samples and Command and Control servers can shed light on the artifacts used by attackers once they have a foothold in the victim.

        For example: 2804184381e9c1c51a213bdcd703ae0a9a16c6abc39b43cd44619365d5914934


  • PE Resource children: PE files contained in another file as a resource. Similar to the cases above, where we want to find the parent of the malware, this time hiding in a different place.

        For example: 12305f7314b7b3c13657d7da48b73a2d10a2303cc23e76d6954ea909ac74e997

  • In the wild (ITW) IP addresses: We have seen this file being downloaded from these IP addresses. This is how we know how the malware was distributed. It can help to find the malicious infrastructure used by attackers, but also hacked sites used as watering holes, for example.

        For example: a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b

  • Email attachments: Files that were distributed through email as attachments. Spear phishing is still the most popular method employed by attackers to distribute malware. This relationship helps confirm which artefacts were spread this way.

        For example: 1230725a4b8cbfa70c19c9eaa925b945511374da1cce787ea2854c2a2303f1b6

You can use the have: modifier with the newly added relationships in your searches, in the format have:name_of_relationship. For instance, you can find Emotet samples distributed through email as an attachment using the following query:

        emotet have:email_attachments


You can find the full list of modifiers for your searches here.


For URLs we also have the following new relationships:

  • Communicating files: Given a URL, we can find all files presenting any sort of traffic to it. This helps us understand which files were distributed from some malicious infrastructure or compromised website. Additionally, understanding which legitimate files communicate with a given URL can also provide valuable insight, for instance for detecting suspicious supply chain activity.

        For example: https://www.virustotal.com/gui/url/a118c67740832dae1943f023be375260d4385a6a214b3ddd77b23cbbc0c841d6/relations

  • Referrer files: Any file that contains the given URL in its strings. Maybe we didn't see these files directly communicating with a given URL, but it could be that they are only the component containing the configuration.

        For example: https://www.virustotal.com/gui/url/70cd6030d50e8b4717c5a62dfcee6d5a7e5c856b6de68015d8830b00a6bc8c86/relations


In addition to all these relationships, we are also stepping up our passive DNS capabilities. As a result, you can now find the following records for domain resolutions in VirusTotal:

  • CAA records

  • CNAME records

  • MX records

  • NS records

  • SOA records


The example below shows in VirusTotal Graph all these DNS records for a given suspicious domain.



A final reminder: you can automate dealing with all this data to make your hunting experience even smoother using API v3. For instance, you can use the following request to retrieve the MX records for the domain above:


curl --request GET --url 'https://www.virustotal.com/api/v3/domains/bvjbygkhq.com/mx_records' --header 'x-apikey: your_api_key_here'
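As an added example (not VirusTotal's own code, and not part of the original post), the following Python client generalizes the curl request above to the file, URL and domain relationships listed in this post: it builds the v3 relationship URL, sends the key in the x-apikey header rather than in the URL, and walks the paginated response by following links.next. The relationship identifiers other than email_attachments and mx_records (which the post shows) are assumed from the display names, the {"data": [...], "links": {"next": ...}} envelope is the v3 response shape, and the object types, ids and attribute keys in the embedded sample pages are constructed for the example.

```python
"""Small VirusTotal API v3 relationship walker (added example, not VirusTotal's own code).

Assumptions: relationship identifiers other than email_attachments/mx_records are taken
from the post's display names; the object types and attribute keys in the constructed
sample pages are illustrative only; {"data": [...], "links": {"next": ...}} is the v3 shape.
"""
import json
import os
import urllib.request
from urllib.parse import quote

VT_BASE = "https://www.virustotal.com/api/v3"

# Relationships introduced in the post, keyed by the v3 collection they belong to.
# Identifier names other than email_attachments/mx_records are assumed from display names.
RELATIONSHIPS = {
    "files": ["dropped_files", "overlay_children", "pcap_children",
              "pe_resource_children", "itw_ips", "email_attachments"],
    "urls": ["communicating_files", "referrer_files"],
    "domains": ["caa_records", "cname_records", "mx_records", "ns_records", "soa_records"],
}


def relationship_url(collection, object_id, relationship, limit=10, cursor=None):
    """Build /api/v3/{collection}/{id}/{relationship}, rejecting unknown combinations early."""
    if relationship not in RELATIONSHIPS.get(collection, []):
        raise ValueError(f"{relationship!r} is not a known {collection!r} relationship")
    url = f"{VT_BASE}/{collection}/{quote(object_id, safe='')}/{relationship}?limit={limit}"
    if cursor:
        url += f"&cursor={quote(cursor, safe='')}"
    return url


def parse_page(payload):
    """Return ([(type, id, attributes), ...], next_url) from one relationship page."""
    objects = [(obj["type"], obj["id"], obj.get("attributes", {}))
               for obj in payload.get("data", [])]
    return objects, payload.get("links", {}).get("next")


def http_get_json(url, api_key):
    """Real transport: the key travels in the x-apikey header, never in the URL or logs."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_relationship(api_key, collection, object_id, relationship,
                       opener=http_get_json, max_pages=20):
    """Walk every page of a relationship by following links.next, capped at max_pages."""
    url = relationship_url(collection, object_id, relationship)
    results = []
    for _ in range(max_pages):
        objects, url = parse_page(opener(url, api_key))
        results.extend(objects)
        if not url:
            break
    return results


# Constructed two-page response for the mx_records relationship of the domain in the post.
# Object types, ids and attributes are made up for the example; real records differ.
_PAGE1 = relationship_url("domains", "bvjbygkhq.com", "mx_records")
_PAGE2 = relationship_url("domains", "bvjbygkhq.com", "mx_records", cursor="page-2")
CONSTRUCTED_PAGES = {
    _PAGE1: {"data": [{"type": "mx_record", "id": "mx1.example.invalid", "attributes": {"priority": 10}},
                      {"type": "mx_record", "id": "mx2.example.invalid", "attributes": {"priority": 20}}],
             "links": {"next": _PAGE2}},
    _PAGE2: {"data": [{"type": "mx_record", "id": "mx3.example.invalid", "attributes": {"priority": 30}}],
             "links": {}},
}


def offline_opener(url, api_key):
    """Stand-in transport that serves the constructed pages so the walker runs offline."""
    return CONSTRUCTED_PAGES[url]


if __name__ == "__main__":
    # Against the live API, drop opener=offline_opener (http_get_json is the default)
    # and read the key from the environment instead of hard-coding it.
    key = os.environ.get("VT_API_KEY", "offline")
    for obj_type, obj_id, attrs in fetch_relationship(key, "domains", "bvjbygkhq.com",
                                                      "mx_records", opener=offline_opener):
        print(obj_type, obj_id, attrs)
```

The same fetch_relationship call works for the file relationships above (for instance "files", a SHA-256, "dropped_files") and for URL relationships with a URL identifier such as the ones shown in the relations links. The max_pages cap is deliberate: a relationship like communicating_files on a busy URL can be very long, and an unbounded walk would burn through API quota.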


Happy hunting!