
Tuesday, March 06, 2018


Additional Crispiness on the MacOS box of apples sandbox

In November 2015 we first released our MacOS sandbox. We now have incremental feature improvements live on our site to help our users get further behavioral information from samples scanned with VirusTotal.

Several improvements visible to users are:

  • Sandbox updated to OS X 10.11 El Capitan. We have a High Sierra update planned for later this year.
  • Detailed HTML analysis report is now available.
  • Screenshots of the software under analysis to provide more contextual information:
    • Show screenshots of what a user would see
    • Help determine if the sample is waiting for user input
  • Network traffic reports updated
    • Country detection
  • Timestamps on file operations, to help show the sequence of events.
  • Process tree is shown if there is more than one level of processes


To view the detailed behavior report, click on the Behavior tab, then select the Box of Apples sandbox, then click on the detailed report link.

Click on the detailed behavior report. 




Some samples that might be interesting and show the new features:
ec7241a6009f1fff38b481d8b4fd6efede4cc2f9d8ee20d9ca2b4ff66d656171
3b196c1c1a64aca81dec5a5143b3f2faaadcc4034b343f46f23348f34a2ef205
694c23b548249056bf90b2b2c252a8c9abfae4aeb611476cbdaa8dc112f79d8f


Screenshots and File operations

DNS, IP Traffic and Behavior tags


This is part of the Multi-Sandbox project. We’ll continue to improve our own sandbox and to work with 3rd party sandbox providers that wish to integrate their sandboxes into VirusTotal.

If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing contact@virustotal.com

Tuesday, November 17, 2015


VirusTotal += Mac OS X execution

We previously announced sandbox execution of Windows PE files in 2012, and Android in 2013. We are happy to announce equal treatment for Mac OS X apps. Files scanned that are Mach-O executables, DMG files, or ZIP files containing a Mac app, will be sent to the sandbox in order to produce behavioral reports.

Users may scan these file types directly on www.virustotal.com, with our OS X Uploader app, or via the API.

As before, users with private API or "allinfo" privileges will see this information in the API responses. For VirusTotal Intelligence customers the information is also indexed and searchable.

Here are a couple of example reports; have a look at the "Behavioural information" tab:

DMG files:
Mach-O files:

ZIP files with a Mac app inside:
If you find issues, or have suggestions to improve the Mac sandbox please send an email to contact [at] virustotal [dot] com.

Monday, December 01, 2014


A closer look at Mac OS X executables and iOS apps

VirusTotal has always been able to scan and provide verdicts for Mac OS X executables and iOS apps; these are just some examples:
https://www.virustotal.com/en/file/b9fb26c553e793ac4c598a67447f67c85eb9e561a9b7722667f7f45e34e2f71c/analysis/
https://www.virustotal.com/en/file/c5030830203c3bf67ef49af6908cbeb6aa234fe0346d8d9ebf85d4dd5d7482be/analysis/
https://www.virustotal.com/en/file/63149fe9e2efd94d666402d637d921a6ca4dd73dcda318a7fcc82c274175d19a/analysis/
Actually, the idea that scanning capabilities depend on certain file types is a common end-user misconception: VirusTotal will scan any binary content regardless of its file type, since antivirus vendors develop signatures for any file type and target OS independently of the OS that hosts the engines running in VirusTotal.

This said, two weeks ago we silently introduced a new tool to further characterize Mac OS X executables and iOS apps, extracting interesting static properties from these types of files, similar to what the pefile Python module does for Portable Executables.

The new tool will extract file header information (e.g. required architecture and sub-architecture, flags, magic string, etc.), the file segments and their inner sections, any shared libraries that the executable makes use of, load commands, and signature information whenever the Mach-O happens to be code signed.


In the event that the Mac OS X executable is a universal binary containing Mach-O files for several target systems, a characterization of each one of the embedded files will be provided. You may refer to the file details tab of the above reports to see an example of this new set of information.
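The header, segment/section, shared-library and code-signature extraction described above, together with the per-slice handling of universal binaries, as an added Python example that is not VirusTotal's tool: it parses 64-bit Mach-O images with the standard `struct` module, using the field layouts from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`, and builds its own constructed sample (a header plus load commands, not a runnable program) so it runs offline. The helper names (`parse_macho64`, `parse_macho`, `is_well_formed`, `build_sample`, `build_fat`) are the example's own assumptions.

```python
import struct

# Constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian on x86_64/arm64
FAT_MAGIC = 0xCAFEBABE            # universal (fat) container, big-endian header
LC_SEGMENT_64, LC_LOAD_DYLIB, LC_UUID, LC_CODE_SIGNATURE = 0x19, 0x0C, 0x1B, 0x1D
MH_PIE = 0x200000
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64", 7: "i386", 12: "arm"}
FILE_TYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def parse_macho64(data: bytes) -> dict:
    """Characterize one thin 64-bit Mach-O: header, segments/sections, dylibs, UUID, signature."""
    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    _, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, _ = struct.unpack_from("<IiiIIIII", data, 0)
    end = 32 + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    info = {"arch": CPU_TYPES.get(cputype, hex(cputype)), "cpusubtype": cpusubtype & 0x00FFFFFF,
            "filetype": FILE_TYPES.get(filetype, hex(filetype)), "pie": bool(flags & MH_PIE),
            "segments": [], "dylibs": [], "uuid": None, "code_signature": None}
    off = 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # Every command must fit inside sizeofcmds; an inconsistent cmdsize is the classic malformed-file case
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")
        if cmd == LC_SEGMENT_64:
            segname, vmaddr, vmsize, fileoff, filesize, _maxprot, initprot, nsects, _ = \
                struct.unpack_from("<16sQQQQiiII", data, off + 8)
            if 72 + 80 * nsects > cmdsize:
                raise ValueError("section table exceeds segment command")
            sections = []
            for i in range(nsects):  # section_64 entries follow the segment command, 80 bytes each
                sectname, _, addr, size = struct.unpack_from("<16s16sQQ", data, off + 72 + 80 * i)
                sections.append({"name": sectname.rstrip(b"\0").decode(), "addr": addr, "size": size})
            info["segments"].append({"name": segname.rstrip(b"\0").decode(), "vmaddr": vmaddr,
                                     "vmsize": vmsize, "fileoff": fileoff, "filesize": filesize,
                                     "initprot": initprot, "sections": sections})
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # string offset, relative to the command
            info["dylibs"].append(data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        elif cmd == LC_UUID:
            info["uuid"] = data[off + 8:off + 24].hex()
        elif cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            info["code_signature"] = {"dataoff": dataoff, "datasize": datasize}
        off += cmdsize
    return info


def parse_macho(data: bytes) -> list:
    """A universal binary yields one record per embedded slice; a thin file yields one record."""
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        out = []
        for i in range(nfat):
            cputype, _, offset, size, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError("fat_arch slice runs past end of file")
            rec = parse_macho64(data[offset:offset + size])
            rec["fat_arch_matches"] = CPU_TYPES.get(cputype) == rec["arch"]  # container vs. embedded header
            out.append(rec)
        return out
    return [parse_macho64(data)]


def is_well_formed(data: bytes) -> bool:
    """Triage helper: False when the load command table is inconsistent or truncated."""
    try:
        parse_macho(data)
        return True
    except ValueError:
        return False


# --- constructed sample: header + load commands only, not a runnable program ---
def build_sample(cputype: int) -> bytes:
    name = b"/usr/lib/libSystem.B.dylib\0"
    dylib_cmdsize = (24 + len(name) + 7) & ~7           # load commands are 8-byte aligned
    cmds = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                       0x100000000, 0x1000, 0, 0x1000, 7, 5, 1, 0)
    cmds += struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x100000F00, 0x40,
                        0xF00, 4, 0, 0, 0x80000400, 0, 0, 0)
    cmds += (struct.pack("<IIIIII", LC_LOAD_DYLIB, dylib_cmdsize, 24, 2, 0x10000, 0x10000)
             + name).ljust(dylib_cmdsize, b"\0")
    cmds += struct.pack("<II16s", LC_UUID, 24, bytes(range(16)))
    cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x2000, 0x180)
    # flags 0x200085 = MH_PIE | MH_TWOLEVEL | MH_DYLDLINK | MH_NOUNDEFS; filetype 2 = MH_EXECUTE
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, 4, len(cmds), 0x00200085, 0) + cmds


def build_fat(slices: list) -> bytes:
    """Wrap thin images in a fat container; each slice starts on a 4 KiB boundary."""
    archs, body, offset = b"", b"", 0x1000
    for cputype, img in slices:
        archs += struct.pack(">iiIII", cputype, 3, offset, len(img), 12)
        body += img.ljust(0x1000, b"\0")
        offset += 0x1000
    return (struct.pack(">II", FAT_MAGIC, len(slices)) + archs).ljust(0x1000, b"\0") + body


UNIVERSAL_SAMPLE = build_fat([(0x01000007, build_sample(0x01000007)),
                              (0x0100000C, build_sample(0x0100000C))])

if __name__ == "__main__":
    for rec in parse_macho(UNIVERSAL_SAMPLE):
        print(rec["arch"], rec["filetype"], rec["dylibs"], rec["code_signature"])
```

Running it prints one line per embedded slice (architecture, file type, imported dylibs, signature blob location). The `cmdsize`, section-table and `fat_arch` bounds checks are the parts worth keeping in any such tool: an inconsistent load-command table is the usual way a malformed sample makes a static parser read out of bounds or loop, so a characterizer should flag the file as malformed rather than trust the header values.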

As for iOS apps, the new tool will not only characterize the executable providing the application's main functionality; it will also generate metadata regarding the package itself (property list configuration information and embedded mobile provision data) and iTunes details.


As you may notice, this tool follows the trend of what we recently implemented regarding ELF files; hopefully it will also help in spotting and studying threats targeting Mac OS X and iOS.

Thursday, July 10, 2014


VirusTotal open sources uploader for Mac OSX and Linux

Recently we released the VirusTotal Uploader for OS X. It now supports Linux, and we are releasing it as open source under the Apache License 2.0 terms so 3rd parties can package it for different Linux distributions. You can git the source at: http://github.com/VirusTotal/qt-virustotal-uploader

Systems administrators, engineers and security analysts often use GNU/Linux, Mac OS, or BSD. The VirusTotal Uploader can be compiled and distributed on these systems. This will give users the 2nd opinion that VirusTotal can offer and should make queueing scans on VirusTotal easier.

The requirements to compile on Linux are:
  • C++ compiler (gcc tested)
  • Qt version 5 or newer development packages. Most Linux distributions have this already.
  • C interface to the VirusTotal API, which we recently open-sourced.
To compile on Mac OS X, you will need the Xcode development tools.

The features of the program are the same:
  • Drag and drop a file to the VirusTotal Uploader in order to scan it with over 50 antivirus solutions.
  • Drag and drop a folder to the VirusTotal Uploader and schedule the analysis of its content.
  • Allows you to use "Open With" in a file browser to scan a file.
If anyone wishes to send patches, please open a pull request on GitHub. Comments and suggestions are welcome.