
Monday, October 07, 2013

Virustotal is a free online service that analyzes files and URLs in order to detect viruses, worms, trojans and other kinds of malware using a large number of anti-virus engines and website scanners.

Currently, when you upload a file to check whether it could be malicious, Virustotal compares it against the anti-virus signatures of the security vendors below:

Agnitum, AhnLab-V3, AntiVir, Antiy-AVL, Avast, AVG, Baidu-International, BitDefender, Bkav, ByteHero, CAT-QuickHeal, ClamAV, Commtouch, Comodo, DrWeb, Emsisoft, ESET-NOD32, F-Prot, F-Secure, Fortinet, GData, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kaspersky, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, MicroWorld-eScan, NANO-Antivirus, Norman, nProtect, Panda, PCTools, Rising, Sophos, SUPERAntiSpyware, Symantec, TheHacker, TotalDefense, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot.

In my opinion, the only bad thing about this service is that Virustotal doesn't give us the option of not sharing the sample with the anti-virus vendors. If you are developing your own malware (I hope you don't do that) or you are researching a new sample and you upload it to Virustotal, you are sharing your files with the anti-virus companies and you lose exclusivity.

I know most of you have worked with Virustotal but... do you know all its features?

Here, I'm going to show you most of Virustotal's features and some tricks.

How to work with Virustotal:

  • Also, if you open VirusTotal Uploader from Start -> All programs -> VirusTotal Uploader 2.0 you will be able to select a process running on your computer and upload it to Virustotal in order to check whether it is a malicious process or not.

  • Also, with VTzilla, Virustotal installs a toolbar in your Firefox browser. From it you can search for viruses or hashes, or scan the site you are currently visiting.

  • Virustotal app for mobile. With this tool, you can find out whether the applications installed on your mobile are detected by any anti-virus. You only need to install it and open it.

  • Email: send an email to scan@virustotal.com with the suspicious file attached. Write "SCAN" in the subject field if you want to receive the results in plain text. If you want to receive the result in XML format, write SCAN+XML in the subject field. (Maximum file size: 32M)

  • Public API: you can submit files and hashes to Virustotal without using the web browser, which lets you build your own scripts to work with Virustotal automatically. Nmap has a script that looks up a hash in the Virustotal database from the command line, but first of all you need to obtain your API key. To get it, register at the Virustotal website; the key is shown in your user profile. Remember that this public service mustn't be used for commercial products or services.

nmap --script http-virustotal --script-args='apikey="key",checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'
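
The same hash-only lookup can be scripted directly against the public API (v2, the API documented at the time of this post). This is an added example, not code from the original post: the file is hashed locally and only the digest is submitted, so the sample itself is never shared with the vendors, which addresses the exclusivity concern above. The API key, the file path and the JSON reply embedded below are constructed placeholders.

```python
# Added example: hash-only lookup against VirusTotal public API v2 (2013-era API).
# Only the locally computed SHA-256 is sent; the sample is never uploaded.
# API key, file path and the sample reply are constructed placeholders.
import hashlib
import json
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"

def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large samples fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_report_request(api_key, resource):
    """POST request asking for the existing report of a hash (no file upload)."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": resource})
    return urllib.request.Request(VT_REPORT_URL, data=body.encode("ascii"))

def summarise_report(report):
    """Reduce a v2 file-report object to the fields a triage analyst wants."""
    # response_code 1 = hash known, 0 = never seen, -2 = analysis still queued.
    if report.get("response_code") != 1:
        return {"known": False, "positives": 0, "total": 0, "detected_by": []}
    hits = sorted("%s: %s" % (engine, info.get("result"))
                  for engine, info in report.get("scans", {}).items()
                  if info.get("detected"))
    return {"known": True, "positives": report.get("positives", 0),
            "total": report.get("total", 0), "detected_by": hits}

def lookup_hash(api_key, resource, opener=urllib.request.urlopen):
    """Query VirusTotal for an existing report; `opener` is injectable for offline tests."""
    with opener(build_report_request(api_key, resource)) as response:
        return summarise_report(json.loads(response.read().decode("utf-8")))

# Constructed v2-style reply for the offline demonstration, not a real VirusTotal result.
SAMPLE_REPLY = {
    "response_code": 1, "positives": 2, "total": 4,
    "scans": {"ClamAV": {"detected": True, "result": "Test.Sample.A"},
              "Sophos": {"detected": False, "result": None},
              "Microsoft": {"detected": True, "result": "Test.Sample.B"},
              "AVG": {"detected": False, "result": None}},
}
```

Call `lookup_hash(api_key, sha256_of_file(path))` with a real key to query the live service; a hash that was never submitted comes back with `"known": False`, which is itself useful triage information.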
Virustotal offers us other valuable information. In the "File Detail" section you can see the following details of the file:

  • PE signature block.
  • PE header basic information.
  • PE sections.
  • PE imports.
  • Number of PE resources by type.
  • Number of PE resources by language.
  • ExifTool file metadata.

I don't want to dig into this information in this post, because in future posts I'm going to talk about the basic steps for getting started with analyzing malware behaviour.


Posted on Monday, October 07, 2013 by Javier Nieto


Thursday, April 18, 2013

Modern malware is one of the new underground businesses. Every day thousands of users' machines are infected via so-called drive-by downloads or social engineering techniques. The simple act of visiting a website with a vulnerable browser may be enough for an attacker to gain control over the vulnerable computer, allowing her to install arbitrary code.

CAMP was presented in February 2013 at the Network and Distributed System Security Symposium and is explained in a research paper:

"CAMP consists of a client component built into Google Chrome and a server component responsible for maintaining a reputation system that predicts the likelihood that a downloaded binary is malicious"

After a six-month deployment with more than 200 million Google Chrome users and approximately five million intentional malware downloads per month detected, Google researchers say that they have developed an antivirus able to detect 99% of all malicious downloads in less than 130 ms on average, using reputation-based detection.


The weakness of current security systems

The document says the major antivirus engines detect only 35% to 70% of modern malware. Antivirus engines use signature-based detection to identify variants of known malware. Because of this, they cannot protect against sophisticated techniques like packing and polymorphism, or against unknown malware. Additionally, some antivirus vendors have created CloudAV, which uploads the binary files to a third-party cloud and implies a loss of privacy for the users.

Blacklists from Google's Safe Browsing API, McAfee's Site Advisor or Symantec's Safe Web are useful when the compromised or malware distribution websites tend to be long-lived, but they are useless when the malware distribution frequently changes domain.

Whitelists can be effective in an enterprise environment, but they are very restrictive.


CAMP, a different approach

CAMP protects users from malware binaries without requiring a-priori knowledge of the binary, augmenting whitelists and blacklists with a content-agnostic reputation system.

CAMP is composed of two parts: the client (the Google Chrome web browser) and Google's servers, from which the client downloads the blacklist and whitelist and to which it sends requests for CAMP's reputation service.

How the client works
  1. The browser tries to determine whether a download came from a malicious site by checking the download URL against a list of URLs known for "malware distribution", using Google's SafeBrowsing API.
  2. The browser checks locally against a dynamically updated list of trusted domains and trusted binary signers to determine whether the download is benign.
  3. For downloads that don't match any of the local lists, the browser extracts content-agnostic features from the download and sends a request to CAMP's reputation service.
  4. If a requested download is detected as malicious, Google Chrome warns the user, giving her two options: Block or Pass the download.
The features sent to Google's CAMP server are:
  • The URL and IP of the server hosting the download.
  • Any referrer URL and IP encountered when starting the download.
  • The size of the download and its hash.
  • The signature attached to the download, including the signer and any certificate chain leading to it.
  • The browser never sends the binary itself, which reduces the privacy impact.

Posted on Thursday, April 18, 2013 by Javier Nieto
