VirusTotal is a free online service that analyzes files and URLs to detect viruses, worms, trojans and other kinds of malware, using many anti-virus engines and website scanners.
Currently, when you upload a file to check whether it could be malicious, VirusTotal scans it with the anti-virus engines of the following security vendors:
Agnitum, AhnLab-V3, AntiVir, Antiy-AVL, Avast, AVG, Baidu-International, BitDefender, Bkav, ByteHero, CAT-QuickHeal, ClamAV, Commtouch, Comodo, DrWeb, Emsisoft, ESET-NOD32, F-Prot, F-Secure, Fortinet, GData, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kaspersky, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, MicroWorld-eScan, NANO-Antivirus, Norman, nProtect, Panda, PCTools, Rising, Sophos, SUPERAntiSpyware, Symantec, TheHacker, TotalDefense, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot.
In my opinion, the only bad thing about this service is that VirusTotal doesn't give you the option of not sharing the sample with the anti-virus vendors. If you are developing your own malware (I hope you don't do that) or you are researching a new sample and you upload it to VirusTotal, you are sharing your files with the anti-virus companies and you will lose exclusivity.
I know most of you have worked with VirusTotal, but do you know all its features?
Here, I'm going to show you most of VirusTotal's features and some tricks.
How to work with VirusTotal:
- Submitting a file at https://www.virustotal.com/ (maximum file size: 64 MB).
- Searching for the SHA256, SHA1 or MD5 hash at https://www.virustotal.com/en/#search. First you need to compute the hash, then type it into the search box at the link above.
- Checking whether a domain is hosting or has hosted malware at https://www.virustotal.com/en/#search.
- VirusTotal Uploader: by installing this Windows desktop application you can send files to VirusTotal with just two clicks. You can download it from https://www.virustotal.com/en/documentation/desktop-applications/virustotal-uploader
- Also, if you open VirusTotal Uploader from Start -> All Programs -> VirusTotal Uploader 2.0, you can select a process running on your computer and upload it to VirusTotal to check whether it is malicious or not.
- VTzilla: a Mozilla Firefox browser extension. With this plugin you can send a file to VirusTotal just before downloading it.
- Also, VTzilla installs a toolbar in your Firefox browser, where you can search for viruses or hashes, or scan the site you are currently visiting.
- VirusTotal app for mobile. With this tool you can check whether the applications installed on your mobile device are detected by any anti-virus engine. You only need to install it and open it.
- Email: send an email to email@example.com with the suspicious file attached. Write "SCAN" in the subject field to receive the results in plain text, or "SCAN+XML" to receive them in XML format (maximum file size: 32 MB).
- Public API: you can submit files to VirusTotal without using the web browser, which lets you build your own scripts to work with VirusTotal automatically. Nmap has a script that looks up a hash in the VirusTotal database from the command line, but first you need to obtain an API key. To get one, register at the VirusTotal website; the key is shown in your user profile. Remember that this service must not be used for commercial products or services.
nmap --script http-virustotal --script-args='apikey="key",checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'
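As an added example (not code from the original post or from VirusTotal), the same hash-first workflow in Python: hash the sample locally, build a lookup against the public API v2 file/report endpoint, and reduce the JSON report to the fields an analyst acts on. The endpoint URL is an assumption (the post only names the Nmap script that wraps the API), and the report below is a constructed sample, not a real result; looking up the hash before uploading is how you avoid sharing a sample the service does not already know.

```python
import hashlib
import json
from urllib.parse import urlencode

# VirusTotal public API v2 file/report endpoint. Assumed here: the post does
# not name the URL, only the Nmap script that wraps it.
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def sha256_hex(data: bytes) -> str:
    """Hash the sample locally; a hash lookup shares nothing with the vendors."""
    return hashlib.sha256(data).hexdigest()


def build_report_query(apikey: str, sha256: str) -> str:
    """GET URL for a report lookup by hash (no upload of the sample)."""
    return VT_REPORT_URL + "?" + urlencode({"apikey": apikey, "resource": sha256})


def summarize_report(report: dict) -> dict:
    """Reduce a v2 file/report JSON object to what an analyst acts on."""
    if report.get("response_code") != 1:
        # 0: hash unknown to VirusTotal (uploading would share the sample); -2: queued
        return {"known": False, "positives": 0, "total": 0, "detections": {}}
    detections = {
        engine: entry["result"]
        for engine, entry in report.get("scans", {}).items()
        if entry.get("detected")
    }
    return {"known": True, "positives": report["positives"],
            "total": report["total"], "detections": detections}


# Constructed sample in the shape of a v2 report; not a real VirusTotal result.
# The hash is the one the post's Nmap example looks up.
SAMPLE_REPORT = json.loads("""{
  "response_code": 1,
  "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
  "positives": 2, "total": 3,
  "scans": {
    "EngineA": {"detected": true, "result": "Example.TestFile"},
    "EngineB": {"detected": true, "result": "Example.TestFile.Gen"},
    "EngineC": {"detected": false, "result": null}
  }
}""")

if __name__ == "__main__":
    print(build_report_query("<your-api-key>", sha256_hex(b"constructed sample")))
    print(summarize_report(SAMPLE_REPORT))
```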
VirusTotal also offers other valuable information. In the "File Detail" section you can see the following details of the file:
- PE signature block.
- PE header basic information.
- PE sections.
- PE imports.
- Number of PE resources by type.
- Number of PE resources by language.
- ExifTool file metadata.
I don't want to dig into this information in this post, because in future posts I'm going to cover the basic steps for analyzing malware behaviour.