Friday, July 5, 2019

, , , ,

June 2019 - Retrohunt over goodware corpus, APIv3 file feed and more

What's new?

  • Retrohunt users can now run their rules against a goodware corpus for rule QA testing. VT Hunting allows users to run Yara rules back in time against VirusTotal submissions. When writing Yara rules it is often difficult to test the quality of the rules and make sure that they do not produce too many false positives and hence too much noise. VT Hunting's Retrohunt now allows you to run Yara rules against a corpus of goodware, in order to make sure that the rules that you craft do not trigger false positives. Users can now test their rules prior to running a fully fledged retrohunt and/or prior to deploying them in VT Hunting Livehunt.
  • File feed implementation in APIv3. APIv3 has not yet been officially announced, however, it has already been stable for nearly two years and many users have already started to adopt it. APIv3 was missing the file and URL feed, i.e. the stream of reports for every single file or URL processed by VirusTotal live. The file feed endpoint has now been implemented in APIv3 and is documented at: https://developers.virustotal.com/v3.0/reference#get-feed-batch.

What's improved?

  • One-click away pivoting within file details, file behavior and file-submission report tabs. Many users overlook the fact that VT Intelligence indexes most of the metadata that VirusTotal generates for the files that it processes, this includes all of the data produced by tools that run on the binaries, e.g. file signature details. When passing the mouse over items in the file details, file behavior and file submission tabs they will now turn blue (link style) in the event that the particular field you are looking at is searchable with VT Intelligence. Upon clicking those elements you will trigger the pertinent search for other files sharing the same property.
  • Preview of resolutions for subdomains in domain reports. One of the relationships highlighted in domain reports is the subdomains of the pertinent domain name. Up until now this was a plain list that would link to the pertinent report on the specific subdomain under consideration. This list now displays a preview of the resolutions for the particular subdomain, the full list is displayed upon following the link to the subdomain report.
  • Flatten and simplify VT Enterprise UI. Following feedback from multiple users we have started to flatten the new VT Enterprise UI, making sure there is not a mix of colors and styles that distracts researchers from their core goal when using the platform. This includes small tweaks such as forcing grayscale on file desktop icon images and recovering its original color only when hovering over the particular file result row.

What's fixed?

  • VT Intelligence multisearch regular expression. VT Enterprise users can paste any random text into the main search bar in VirusTotal, the text will get automatically parsed and relevant indicators of compromise will be extracted (hashes, domains, IP addresses and URLs), then a search for all those observables will be conducted. The pattern to match hashes was not matching hashes immediately preceeded by random text and a colon, without any other stop character. This has been fixed and now repeated strings of the form whatever:2340620f189d821181d42f03eff4cc30c19f576514c5eebad83ad011cabf989a should match. This specifically applies to the text downloadable output of retrohunt jobs.
  • APIv3 search and download endpoint quota consumption. When using APIv3 there was a bug whereby calls to the file search and file downloads endpoints would end up consuming VT Intelligence search and download quota even if you had licensed the premium API. As of now the logic always benefits the user, if you only have VT Intelligence access it will consume search and download quota, if you have both VT Intelligence and VT Premium API or just VT Premium API, it will consume API lookup quota.
  • Display ROM BIOS inner PE GUIDs. The new VT Enterprise UI was missing the GUIDs for PE files found within ROM BIOS images, this data point has been recovered and can be seen upon opening the details of the pertinent contained artefact.