Monday, May 23, 2022


May 23rd, 2022 - Forcing SSO/SAML sign in

What's new?  

Forcing SSO/SAML authentication for corporate VT Enterprise groups. Continuing with our work on the SSO front, and after rolling out SAML to support federated login from a wider range of identity providers, VT ENTERPRISE group administrators can now require their users to sign in through their identity provider, be it the default SSO set or a custom SAML configuration. Group administrators can find the pertinent settings under the "Settings" tab in their group profile view.



Monday, May 16, 2022


May 16th, 2022 - VT Collections actionability, domain and IP address JARM pivoting, new Linux sandbox partner, VT MISP modules revamp

What's new?  

  • Action menu for VirusTotal collections. VirusTotal Collections allows users to share collections of IoCs (hashes, domains, IP addresses and URLs) among themselves in a more actionable and contextualized manner. You can read more about this in the Introducing VirusTotal Collections blog post; you can also easily create collections from the command line. We have added advanced sorting, filtering, exporting and analysis controls to collections. For example, users can now apply minimal curation logic (detections > 5) before exporting a given collection and deploying the resulting artifacts for IoC blocking/flagging in their SIEM, firewalls, protective DNS, etc.

  • JARM pivoting in IP and Domain HTTPS certificates. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. We are adding support for JARM as a pivot property. JARM is an active Transport Layer Security (TLS) server fingerprinting tool. Among other things, it can be used to identify malware command and control infrastructure and other malicious servers on the Internet. VirusTotal sandbox detonation reports already contained JA3 digests, a passive TLS fingerprint, allowing users to find other files communicating with TLS using the same code stack, and thus often grouping together malware family variants. We are now extending such functionality to actively build a fingerprint (JARM) of Domains and IPs scanned by VirusTotal. This extends and complements our existing SSL certificate, whois lookup, DNS record, etc. pivots. The pivot can be found in Domain/IP address reports, under the "Last HTTPS Certificate" section of the "Details" tab. You can also action it by clicking on the similar icon in the top menu bar.

  • New Linux partner sandbox, ELF Digest. VirusTotal not only analyzes files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists, we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts, including dynamic analysis sandboxes. Every executable (and other file formats) uploaded to VirusTotal gets detonated in both VirusTotal-developed and 3rd-party partner dynamic analysis environments to produce behavioral information such as domains contacted, payload download URLs, files created, registry keys set, etc. We have onboarded a new Linux sandbox, ELF Digest, as part of the multisandbox.

What's improved?  

  • VirusTotal MISP modules. MISP, an open source threat intelligence platform, integrates with VirusTotal via three modules, two of which provide the essential enrichment functionality: virustotal and virustotal public. We have greatly revamped them in order to take advantage of the new context and threat graph exposed via our APIv3:
    • Threat reputation (Detections) for domains and IPs, not only files/hashes and URLs.
    • Clustering fingerprints such as imphash, TLSH, vhash, ssdeep, etc. allowing you to tie together similar IoCs.
    • Extended static analysis including whois lookups, geoip location, autonomous system information, etc.
    • Related artifacts via our threat graph: URLs from which a file is downloaded, files that communicate with a given domain when detonated in a sandbox, domains historically resolving to a given IP address (pDNS), etc.

Tuesday, April 12, 2022


April 11th, 2022 - SAML authentication, major VT GRAPH revamp, ubiquitous IoC contextualization and more

What's new?  

  • SAML Authentication. Following our recent work on the SSO front, we have now widely rolled out SAML to support federated login from a wider range of identity providers. Among others, this allows organizations to use popular services such as Okta to sign in to VirusTotal. If you are a VT ENTERPRISE group administrator and you want to upgrade your team's account security, please refer to the "Settings" tab of your VirusTotal group profile page.

  • VT GRAPH revamp. VirusTotal is all about threat context. One of the pillars of context generation is IoC interlinking. We do not stop at providing threat reputation for individual IoCs; we try to build parent-child relationships between all the items in the dataset, e.g. a given file contacts a CnC domain, a URL downloads a given malicious file, etc. All these rich relationships can be explored visually in a single canvas with VT GRAPH, one of the main components of VT ENTERPRISE. We have rolled out a new VT GRAPH version (learn more) incorporating:
      • Filtering engine. Graphs are sometimes noisy; the new filtering wizard allows you to easily and instantly (client-side) focus on nodes matching certain criteria, e.g. display only detected domains. AND/OR conditions are allowed.
      • Expansion through VT Collections. Domains/IPs/URLs/files are now related to VT Collections, meaning that you can now pivot from a single IoC to a threat campaign/malware toolkit grouping to unearth additional IoCs that may not be directly tied to your starting point.
      • Export a graph as a VT Collection. While graphs are fancy, it is difficult to action them in a corporate security stack. To ease this task we now allow you to export a graph into a VT Collection that can then be consumed via STIX and other standard formats in your SIEM/EDR/NDR/etc.
  • Ubiquitous IoC contextualization. One of VirusTotal's major use cases is automated security telemetry enrichment (false positive discarding, true positive confirmation, alert/incident prioritization and alert/incident contextualization). VirusTotal has become the backbone of many SecOps flows; as a result, most security products have bring-your-own-API-key integrations to power enrichment use cases with our crowdsourced threat intelligence. This said, some of these integrations might be suboptimal in terms of overlaid context. Similarly, you might be using a niche product without an off-the-shelf integration, or you might not have administration permissions to activate certain enrichment plugins. We have revamped our VT4Browsers extension to solve this and provide superior threat context in a single-pane-of-glass fashion across all your security products. The new functionality automatically identifies IoCs contained within websites of your choice and incorporates VirusTotal's context to power faster and more accurate response.
  • New "androguard_package" VT INTELLIGENCE search modifier. VT INTELLIGENCE is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. For example, users can search for documents that launch powershell when opened, for files containing certain binary/text patterns, for domains registered by a same registrant, for URLs containing a given CnC panel path pattern, etc. IoCs are also tagged with certain informative labels such as CVE numbers for vulnerabilities that they exploit, file types, etc. We have added a new search modifier for Android applications (APKs) that acts on the Android Package Name. Why is this useful?
      • Tracking malware families. Attackers often leverage malware builders or simply recompile/repackage their malicious code to launch new attack instances. This leads to malware family variants exhibiting common properties, these commonalities can be used for detection and campaign monitoring purposes. See example.
      • Brand impersonation monitoring. Attackers will often create fake apps impersonating renowned brands and financial services. For instance, mobile banking trojans will pose as the legit banking app in order to deceive users into installing them and eventually intercept their banking credentials to perform fraudulent transactions. The new search modifier allows you to identify apps that are impersonating your brand. See example.
  • Malicious IP address resolution call out in Domain reports. VirusTotal is not only about file reputation and file context, these days we have equally rich context on domains, IP addresses and URLs. Moreover, network IoCs tend to be more actionable than hashes as malware infrastructure tends to get reused across attacks and binary-distinct malware variants. Domain reports now highlight whether the domain last resolved to a detected IP address, without having to pivot to the IP address itself. This data point complements the domain reputation itself and can shed additional light whenever the domain itself is still undetected.


What's improved?

  • Re-sending activation emails. Customers access VT ENTERPRISE with individual user accounts tied to a given corporate group. You can create a VirusTotal user account here. Upon signing up, an activation email is sent. Users that have not followed the activation link are not able to use the service. From time to time users miss this activation email or it ends up in some spam filter. If you now try to sign in with an inactive user account, you will be informed about the account state and the system will allow you to re-send the activation email.

What's changed?

  • Dynamic analysis Sysmon logs exported in XML format instead of binary. VT INTELLIGENCE is sometimes described as both a telescope for the threat landscape and a microscope for individual IoCs. Dynamic analysis of files submitted to VirusTotal (sandbox detonation) is one of the microscope-like capabilities. Moreover, VirusTotal aggregates multiple 3rd-party and home-grown sandboxes in order to improve visibility into threats, making cloaking more complex (different OS, different language packages, different software, distinct execution tracing techniques, etc.). VirusTotal's own home-grown sandboxes produce Sysmon execution logs that can be downloaded from VT INTELLIGENCE, alongside the network trace (PCAP), memory dump, detailed execution trace, etc. Sysmon traces used to be exported in their raw binary format; we have changed this to XML, which brings two major improvements:
      • Event data is streamed out of the sandbox machines in real time, which prevents missing data due to unfinished analyses or crashes.
      • Better noise filtering as events can be automatically discarded in the sandbox itself.
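As an added illustration (not VirusTotal's code), the following parses Sysmon events in the standard Windows event XML layout and applies the kind of noise filter the note refers to, dropping untracked event IDs and events raised by known-noisy images. The exact layout of the VT export is assumed, and the sample events are constructed.

```python
# Added example (not VirusTotal's code): parse Sysmon events exported in the
# standard Windows event XML layout and drop known-noisy events, the kind of
# filtering the note says can now happen in the sandbox itself. The VT export
# layout is assumed and the sample events below are constructed.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon event IDs kept for triage (deliberately a small subset).
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect",
               11: "FileCreate", 13: "RegistryValueSet"}

# Images that flood a sandbox run with low-value events (constructed list).
NOISY_IMAGES = {r"C:\Windows\System32\svchost.exe",
                r"C:\Windows\System32\wbem\WmiPrvSE.exe"}

# Constructed sample export: five events under one root element.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><TimeCreated SystemTime="2022-04-01T10:00:00Z"/></System>
 <EventData><Data Name="Image">C:\Users\user\sample.exe</Data>
  <Data Name="CommandLine">"C:\Users\user\sample.exe" /s</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>11</EventID><TimeCreated SystemTime="2022-04-01T10:00:01Z"/></System>
 <EventData><Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetFilename">C:\Windows\Temp\tmp1.dat</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2022-04-01T10:00:02Z"/></System>
 <EventData><Data Name="Image">C:\Users\user\sample.exe</Data>
  <Data Name="DestinationIp">203.0.113.5</Data><Data Name="DestinationPort">443</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID><TimeCreated SystemTime="2022-04-01T10:00:03Z"/></System>
 <EventData><Data Name="Image">C:\Users\user\sample.exe</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\ws2_32.dll</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID><TimeCreated SystemTime="2022-04-01T10:00:04Z"/></System>
 <EventData><Data Name="Image">C:\Users\user\sample.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd</Data></EventData>
</Event>
</Events>"""


def parse_sysmon_xml(xml_text):
    """Return one flat dict per <Event>: event_id, time and every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        record = {"event_id": int(system.findtext("e:EventID", "0", NS)),
                  "time": system.find("e:TimeCreated", NS).get("SystemTime", "")}
        for data in ev.findall("e:EventData/e:Data", NS):
            record[data.get("Name", "")] = data.text or ""
        events.append(record)
    return events


def filter_noise(events, noisy_images=NOISY_IMAGES):
    """Keep only tracked event IDs, and drop events raised by noisy images."""
    return [ev for ev in events
            if ev["event_id"] in EVENT_NAMES and ev.get("Image") not in noisy_images]


def summarize(events):
    """One human-readable line per event, picking the most telling field per type."""
    lines = []
    for ev in events:
        detail = (ev.get("CommandLine") or ev.get("DestinationIp")
                  or ev.get("TargetFilename") or ev.get("TargetObject") or "")
        lines.append(f"{ev['time']} {EVENT_NAMES[ev['event_id']]} {detail}")
    return lines
```

On the constructed sample, the ImageLoad (ID 7) and svchost.exe events are discarded and three events remain for triage.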

Tuesday, March 8, 2022


March 7th, 2022 - YARA dotnet module in VT Hunting, new VT Intelligence search tags and SAML preview

What's new? 

  • YARA dotnet module available for Livehunt and Retrohunt. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. Similarly, VT Hunting allows you to run these rules back in time against the historical corpus through a component called Retrohunt. Retrohunt allows you to map out threat campaigns, to find the first instance of an attack or to unearth unknown malware. VT Hunting Livehunt already supports the pe, elf, math, magic, hash, and cuckoo YARA modules. We are rolling out support for the dotnet module, both in Livehunt and Retrohunt. The dotnet module allows you to create more fine-grained rules for .NET files by using attributes and features of the .NET file format. 

  • New "spreader" tag for files in VT INTELLIGENCE. VT Intelligence is often described as the Google for malware. It allows users to search for IoCs and access superior context to understand threats. It also allows users to perform reverse searches, i.e. to find files, URLs, domains and IPs matching certain criteria. For example, users can search for documents that launch powershell when opened, for files containing certain binary/text patterns, for domains registered by a same registrant, for URLs containing a given CnC panel path pattern, etc. IoCs are also tagged with certain informative labels such as CVE numbers for vulnerabilities that they exploit, file types, etc. We have added a new tag (spreader) that describes malware families which are polymorphic in nature and once executed may produce new instances of the same variant. You can test it with the following search: tag:spreader.
  • New "first_submitter" VT INTELLIGENCE search modifier. As described above, VT Intelligence allows you to perform reverse searches over VirusTotal's IoC corpus. Those reverse searches can match {behavioural/execution, static, binary, metadata, relationship, etc.} properties. The criteria can even act on upload/submission information. For example, users were already able to leverage the submitter modifier to search for files uploaded from a given country or through a given interface (api, web, email). In the event of multiple submissions, this modifier acted on any of the submission countries/interfaces. We have added a new modifier to narrow down searches based on the first submitter country/interface, example: first_submitter:ES AND first_submitter:web.

What's in preview?

  • SAML Authentication. Following our recent work on the SSO front, we are starting to test SAML to support federated login from a wider range of identity providers. Among others, this allows organizations to use popular services such as Okta to sign in to VirusTotal. If you are a VT ENTERPRISE customer and you want to upgrade your team's account security by testing our preview SAML functionality, please don't hesitate to contact us.

Monday, February 14, 2022


February 14th, 2022 - MISP + VirusTotal, Livehunt improvements and notifications on missing hashes

What's new? 

  • MISP and VT Collections integration. VT Collections allows users to easily share with each other listings of threat campaign, threat actor or malware toolkit IoCs. MISP users can now create a VT Collection based on a MISP event with a single click. Similarly, VirusTotal users can now export VT Collections as STIX to import them into their security stack, including their own MISP instance. Read more.
  • Ruleset owner in Livehunt. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. In VT Hunting, YARA rules can be shared with other users, which effectively allows them to share feeds of IoC matches. Livehunt ruleset listing summaries now display the owner of the ruleset whenever that owner is not you, so you can identify at a glance rulesets shared with you.


  • Notifications on missing hashes. VirusTotal allows you to search for file analysis reports using the file's MD5, SHA1 or SHA256 hash. When searching for a file that is not yet in the corpus you can now easily create a YARA rule to get automatically notified if VirusTotal ever receives it. A single click of a button is all that is needed.


Monday, February 7, 2022


February 7th, 2022 - SSO support for Microsoft

What's new? 

  • SSO authentication support for Microsoft. Last November we announced SSO support in VirusTotal. We have now extended the original set of supported identity providers (Google, Twitter and GitHub) with Microsoft. Microsoft customers can now sign in or sign up to VirusTotal with a single click. As a reminder, the SSO feature works with pre-existing VirusTotal Community accounts, in other words, if you already had an account tied to your Microsoft powered identity you may still use SSO as a more convenient and secure way to log in to VirusTotal.

What's fixed?

  • Creation date pivots. VT INTELLIGENCE allows users to pivot on any file, domain, IP address or URL analysis attribute, meaning that they can search over VirusTotal's historical corpus for other IoCs that share the same property. One of the analysis attributes available for pivoting is the file "creation date". This property means different things for different file types. For a Portable Executable file it is the PE compilation timestamp; for a PDF it is the generation date metadata field, and the same goes for Office documents. It is a field that can be tampered with, but very often certain malware builder kits will not change it, thus, it may be used for clustering purposes. Similarly, it can be used to try to understand attack timelines. There was a bug whereby the single-click pivot for this field in file reports appended a trailing "UTC" to the search string, which is neither supported nor needed; this has now been fixed. You can click on the "Creation Time" property of this file in order to test it.

Tuesday, February 1, 2022


January 31st, 2022 - Enterprise controls, URL tags and new detection and contextualization sources

What's new? 

  • Extended editor controls for Livehunt rules. VT Hunting Livehunt allows VT Enterprise users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal. It has become a de-facto standard to monitor threat campaigns and malware toolkits, as well as to track threat actors going forward. In VT Hunting, YARA rules can be shared with other users, which effectively allows them to share feeds of IoC matches. We have improved the editor controls for rule sets; editors now share powers similar to those of rule set owners:
    • Add/remove other editors.
    • Enable/change the rule set notification email.
    • Modify the rule set daily notification limit. 
    • Modify the rule set name.
  • Pending VT Enterprise group invitations. VT Enterprise access is group-based. Organizations license the service and access it through a VT Enterprise group which can hold as many corporate users as they want. Group administrators can invite users from their organization in their VT Enterprise group profile page. Users being invited do not need to have a pre-existing VirusTotal account; when they do not hold an account they receive an email to join VirusTotal, and once joined they get automatically added to the pertinent corporate group. This process used to lack feedback. Pending invitations are now listed in the group profile users tab and can be revoked if they become stale.
  • New URL scanning partners. VirusTotal not only analyzes and contextualizes files, but also domains, IP addresses and URLs. We have added 3 new partners providing verdicts on whether a given URL is malicious or not: ViriBack C2, Chong Lua Dao and Acronis.
  • New URL corpus search tags. VT INTELLIGENCE allows users to search through VirusTotal's historical corpus of files, URLs, domains and IPs. Users can perform reverse searches, i.e. identify IoCs that exhibit certain properties, network communications, contents, submission metadata, etc. For convenience, some of those properties are condensed into tags. The tags ontology for URLs has been extended and now supports two new tags:
    • multiple-redirects: when visiting the pertinent URL there is a redirect chain with multiple hops.
    • ns-port: non-standard port. The web server for this URL is listening on a non-standard port (i.e. not 80/443).

What's improved?

  • New crowdsourced YARA rule sources for detection and contextualization. At VirusTotal we build towards something that we call "multi-angular detection". One of our goals is to aggregate as many orthogonal detection engines/mechanisms as possible so as to implement a multi-layered defense-in-depth approach at the IoC detection level. If a piece of malware is undetected by the antivirus industry, it might still be flagged by our crowdsourced intrusion detection system rules, SIGMA rules, etc. VirusTotal file reports also get enriched with detections coming from YARA rules crowdsourced from the security community. We have added 4 new sources, which not only provide extended detection capabilities but also very handy context whenever antivirus generic detections, heuristics or machine learning kick in.

What has changed?

  • FireEye file scanning engine renamed to Trellix. Following the merger of security firms McAfee Enterprise and FireEye, the FireEye engine has been renamed to Trellix, which is the name given to the new company. You might want to update any VT INTELLIGENCE queries that leveraged the "fireeye" search modifier or VT API scripts that accessed the corresponding detection structure key.

Tuesday, January 25, 2022


January 24th, 2022 - More intelligible API quotas, onboarding handholding and VTDIFF fix

What's new? 

  • More intelligible API limits view. VirusTotal API keys are governed by a set of privileges and consumption quotas. Consumption quotas dictate how many lookups a given user can perform in a given time frame. There are three different types of quotas that can apply to API keys: per minute, per day and per month. If you consume your per-minute allowance, you will be unable to retrieve any further information from the API until the next minute. The same goes for the daily and monthly limits. In other words, the most limiting quota is enforced. This often led to misunderstandings. We have revamped the user API key and premium group API key views to make things clearer, and we have also introduced shortcuts to common tools and documentation for the API.

  • Onboarding handholding. At VirusTotal we are committed to making our users successful. We want you to become power users and we want to make sure our platform aligns to your goals. New users added to VT ENTERPRISE groups are now receiving some onboarding tips and materials. For now these mostly point to our golden use cases outlined in our Getting Started guide.

What's fixed?

  • Session not found bug in VTDIFF. VTDIFF is a VT HUNTING component that allows users to automatically identify optimal binary patterns to detect a group of files and build YARA rules with these. Recent improvements had introduced a transient bug whereby a "Not found" view was being displayed upon launching a new VTDIFF job. This has now been fixed and you should no longer see this random behaviour.

Tuesday, January 18, 2022


January 17th, 2022 - Palo Alto Cortex XSOAR marketplace and new VirusTotal Collections sources

What's new? 

  • Premium VT API packs in the Palo Alto Cortex XSOAR marketplace. We have published 4 new premium VT API packs in the Palo Alto Cortex XSOAR marketplace. XSOAR (formerly Demisto), is a Security Orchestration Automation and Response platform that allows companies to collect threat-related data from a range of sources (SIEM, Firewall, IDS, etc.) and automate the responses to the threat. Palo Alto Networks customers can now spend their credits towards the VirusTotal integration to contextualize incidents with superior crowdsourced visibility and perform more effective triage through multi-angular detection (sandboxing, YARA analysis, SIGMA behavioural flags, antivirus scanning, etc.).

  • Vir.IT file scanner. Since our last release notes update we have added a new malware scanning engine to VirusTotal: Vir.IT eXplorer PRO. You can read more about this inclusion in the welcome post. Similarly, you can see it in action detecting a file in this VirusTotal report.
  • VirusTotal Collections. Since our last release notes we have also launched some major functionality to allow users to share collections of IoCs (hashes, domains, IP addresses and URLs) among themselves in a more actionable and contextualized manner. You can read more about this in the Introducing VirusTotal Collections blog post; you can also easily create collections from the command line.

What's improved?

  • New VirusTotal collections sources for additional contextualization. The aforementioned VirusTotal Collections functionality is not only driven by user contributions; VirusTotal is also crowdsourcing relevant threat information sources such as AlienVault OTX, Malpedia or Abuse.ch. In this development iteration we have added two new sources:
    • Sicehice - Sicehice fingerprints common attacker infrastructure and aggregates data from a number of sources in a way that is more easily searchable.
    • Zeusmuseum - The Zeus banking malware has been a fixture within the cybercrime landscape since 2006. With the release of its source code in 2011, Zeus has splintered into many different malware families. The goal of the zeusmuseum is to find, categorize, and lightly document every version of these Zeus-derived families.

Monday, November 29, 2021

November 29th, 2021 - SSO, Extended crowdsourced YARA detection and new relations

What's new? 

  • SSO Authentication. Users can now sign in or sign up to VirusTotal via single sign-on. 3 identity providers have been added: Google, Twitter and GitHub. Microsoft will soon follow, SAML soon thereafter. The new SSO feature works with pre-existing VirusTotal Community accounts, in other words, if you already had an account tied to your Gmail account, for example, you may still use SSO as a more convenient way to log in to VirusTotal.

What has changed?

  • Numeric identifiers for crowdsourced YARA rulesets. Numeric identifiers for existing Crowdsourced YARA rulesets have changed. This means that searches like crowdsourced_yara_rule:002735f19d|PyInstaller may return 0 results if 002735f19d is an old identifier. All links in our UI already have the new identifiers, so this should affect only those users that stored the identifiers on their side and may be using them to run periodic searches.