Virus or malware scanning with Virustotal and how to use the IOC


In this post I’m pleased to present one of my favourite tools for malware scanning, Virustotal. It is a great community-based tool, free to use (although there is a paid licence plan), that every cybersecurity professional should know about.

How can I use Virustotal?

Usage is pretty simple and entirely web based. First, go to https://www.virustotal.com/ and you will see the landing page:

Picture of landing page from Virustotal

On the landing page there are three options, in different tabs, to start using the virus/malware analyser:

  • File: With this option you can upload a file from your device to scan it for malware. Make sure you do not upload anything containing sensitive information, such as private data, medical records or your employer’s confidential information: uploading it means leaking that information to a third party.
Picture of the virustotal file scan option
  • URL: This option is useful to check threat intelligence and reputation information about a URL. Just copy and paste the URL you want to scan and obtain more information about:
Picture of the virustotal URL scan option
  • Search: This option accepts a wider range of input to look up: a URL, an IP address, a domain or a file hash.
Picture of the virustotal Search option

Scan a file from your device with Virustotal

Let’s say you have already downloaded a file and you are unsure whether it is malicious or not. Then the “File” option of Virustotal is what you are looking for.

Make sure you do not upload anything containing sensitive information, such as private data, medical records or your employer’s confidential information. Uploading such files could lead to information leakage, since the file is shared with a third party that is not authorised to access that information.

In this example I’m going to show you the scan results after uploading a small bash script called “bash_test.sh”. Its content is:

$ cat bash_test.sh 
#!/bin/bash
echo "test"
cat /etc/hosts
last | head

Next, upload it with the “File” option of Virustotal and click “Confirm upload”:

Picture of virustotal file option with bash_test.sh custom script file about to be uploaded for scanning.

After a few seconds, once Virustotal has scanned the file, the report obtained is the following:

Picture of the scan results from virustotal, detection section, after analysing the bash_script.sh custom script uploaded previously.

Let’s drill down into the report to see what kind of information it provides and how it can be used for malware analysis:

1 – The green circle shows how many antivirus engines flagged this file as malicious. In this case 0 of 58 engines detected any threat in the file, so it seems to be legitimate.

2 – The community score is useful to know the reputation of the scanned file. Since it is a custom bash script that was only just uploaded, the score is currently unknown.

3 – The SHA-256 of the scanned file and the file name. This is useful to look up more information from other sources, or to use the hash as an IOC to blacklist on antivirus, EDR or firewall.

4 – Some details of the file, such as the file size and the last scan date.

5 – Under “Security Vendors’ Analysis” you will find the result of each antivirus engine that scanned the file. A green tick means that no threat was detected.

Picture of the scan results from virustotal, details section, after analysing the bash_script.sh custom script uploaded previously.

On the “Details” tab of the report you can check:

6 – Different hashes of the file: MD5, SHA-1 and SHA-256.

7 – The fuzzy hashes TLSH (Trend Micro Locality Sensitive Hash) and SSDEEP, which are used to identify similarity between files. They can help to identify the same IOC across different files whose content differs slightly (for example in order) and which therefore have different MD5, SHA-1 or SHA-256 values.

Picture of the scan results from virustotal, behaviour section, after analysing the bash_script.sh custom script uploaded previously.

In the “Behaviour” tab you get the details of what the file does when run: the commands executed, the libraries and processes loaded, the files created and so on. The “Behaviour” tab can therefore be very helpful to complement and support a verdict, since it shows what the file can do if it is executed. However, bear in mind that there is sophisticated malware that hides its true behaviour if it detects that it is running in a sandboxed environment.

Virustotal runs the file in different sandboxing tools to obtain this behavioural data, and sometimes uses more than one tool. Therefore, you can click on the highlighted blue text (in this case Zenbox inbox is shown in the picture above) to check whether there is additional data from other sandbox tools that analysed the file.

Picture of the scan results from virustotal, comments section, after analysing the bash_script.sh custom script uploaded previously.

On the “Community” tab there may also be useful information, such as scanning data external to Virustotal or other analyses from the community. Depending on what has been posted, it can help to understand the analysed file and reach a more accurate verdict. In this particular case, since it is a custom file, there are no comments yet.

There is another tab called “Relations”, but it does not appear in this case because no such information was gathered. It covers the IPs contacted by the file when running, other processes that were seen running this file in previous scans, any files created by the analysed file during execution and so on.

In the following picture you can see the “Relations” tab from the scan report of another file, called “Eicar”:

Picture of the scan results from virustotal, relations section.

Testing Virustotal with Eicar

Eicar stands for “European Institute for Computer Antivirus Research”, and the Eicar test file is a well-known, standard way of testing an antivirus, accepted by a wide range of antivirus vendors, without the need to put the system under test at risk.

Basically, Eicar is a specific string of text, which you can find at https://en.wikipedia.org/wiki/EICAR_test_file, that is recognised by many antivirus products without actually being a virus. Since it is text only and contains no code, it is harmless to your system, so you can use it to test whether the antivirus on your system is working without the fear of getting infected.

Before starting the test: do not reproduce these steps on production environments or any work-related devices, even though Eicar is a harmless file. The issue is not the file itself but the effect it can trigger on the antivirus (detections, alarms or even automated actions). Do it in a controlled testing environment or device, preferably a sandbox or VM.

Let’s do some hands-on work with Eicar and Virustotal. First, download the Eicar file from the official site:

$ curl -s https://secure.eicar.org/eicar.com.txt -o eicar.com.txt
$ cat eicar.com.txt 
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Next, go to the Virustotal page, which shows the “File” tab by default, and click “Choose File” to upload the Eicar file you just downloaded. The scan results will be similar to:

Scan results from virustotal after analysing the test file Eicar

You may notice that some of the antivirus detection tags (red text) explicitly state “Not a Virus” or “Test File”, which confirms the harmless nature of the file.

In addition, Eicar can be submitted in a less intrusive way, by giving Virustotal the Eicar URL in the “URL” scan option:

Virustotal URL section with the Eicar file URL to scan.

The output will look like the following:

Virustotal Eicar URL file uploaded for scan

Results may differ between the two scan options (URL or File), even though the URL points to the Eicar file, since the URL scan deals with additional information such as HTTP headers. If you go to the “Details” tab of this report, there is a “Body SHA-256” value under “HTTP Response” which corresponds to the SHA-256 of the Eicar file.

Searching with hash, sample or IOC in Virustotal

Another typical way to get information about files previously scanned by Virustotal is through the file hash, in other words the IOC or sample. The hash algorithm can be MD5, SHA-1 or SHA-256, the last one being preferred.

Normally, if the antivirus detects a threat or suspicious activity by any process on any device, it automatically reports the information related to the hash. So instead of obtaining the file to upload it to Virustotal, the first step should be to search by hash.

Nevertheless, if you don’t have the hash, you can run the following command to calculate the different hashes to check in Virustotal:

$ file=test.crt; sha256sum $file; sha1sum $file; md5sum $file
17747b5146e0e7a6c929998f61f7c6f9fce943cdeae5d0dd81982e9981e4fd14  test.crt
dc3c28171d6ba568e90b45fbd917b2ee9fa353ac  test.crt
aaca213adc5b2bcc9c2d3000e12e4ac6  test.crt
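As an added example (not code from the original post), here is a small Python script that does the same job as the three *sum commands above in a single read of the file, and builds the search-by-hash request so you can look the hash up before ever uploading the file. The v3 endpoint and the x-apikey header are assumptions about the Virustotal API, and the API key is a placeholder.

```python
import hashlib      # MD5/SHA-1/SHA-256 digests
import os
import tempfile

# Official 68-byte EICAR test string, embedded here as the sample input so the
# example runs offline (its digests can be compared with your own scan report).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALGOS = ("md5", "sha1", "sha256")

def hash_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}

def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file from disk in ONE pass, feeding all three digests per chunk
    (same result as md5sum/sha1sum/sha256sum, but the file is read once)."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def hash_sample_file() -> dict:
    """Write the EICAR sample to a temporary file and hash it from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "eicar.com.txt")
        with open(path, "wb") as fh:
            fh.write(EICAR)
        return hash_file(path)

def vt_lookup_request(sha256: str, api_key: str) -> tuple:
    """(url, headers) for a search-by-hash against the VirusTotal API v3.
    Assumed endpoint: GET /api/v3/files/{hash} with an x-apikey header; an
    HTTP 404 'NotFoundError' is the API form of the GUI's 'no matches found'."""
    sha256 = sha256.strip().lower()
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a 64-hex-character SHA-256")
    url = f"https://www.virustotal.com/api/v3/files/{sha256}"
    return url, {"x-apikey": api_key, "accept": "application/json"}

if __name__ == "__main__":
    digests = hash_sample_file()
    assert digests == hash_bytes(EICAR)       # disk and in-memory paths agree
    for name, value in digests.items():       # mirrors the *sum output above
        print(f"{name:6}  {value}  eicar.com.txt")
    url, _ = vt_lookup_request(digests["sha256"], "YOUR_API_KEY")  # placeholder
    print("search by hash first:", url)
```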

Then take the SHA-256 and check it on Virustotal:

Virustotal shows “no matches found” when no previous scan information exists.

For this particular test file “test.crt” there is no analysis information yet, as you can see in the picture above (this is normal, because it is a custom file).

In a real-world scenario this may not be enough to reach a verdict, since there is not enough information to conclude whether the file is malicious or not. What you can do in this situation is analyse other contents of the file, such as strings, URLs, IPs, domains or emails. Another way to continue your analysis is to use Yara rules, or to run the file in a sandboxed environment such as Cuckoo Sandbox or https://app.any.run/ to obtain dynamic or behavioural analysis.

Any Run is another great free, community-driven malware analysis service that can be combined with Virustotal to complement your analysis. I will explain this service in another post.

At the following Any Run URL you can see files previously uploaded by other users, to study their behaviour: https://app.any.run/submissions. For each uploaded item you can see the calculated hashes of the file, so, picking one at random that Any Run deemed malicious:

Any Run verdict of a likely malicious file

And checking it on Virustotal with its SHA-256:

bd468c47fb6d1bba163e75f05b0533558a25d5cd4541115f1eb2bbaa190e3f67

We got the following results:

Virustotal scan report of the malicious file analysed by Any Run.

In this case it is quite probable that this file is not legitimate at all, because both Virustotal and Any Run marked it as malicious.

Bear in mind not to download anything from Any Run, since it could well be malicious. Just copy the hashes to get more information from previous scans on Virustotal.

Gather indicators of compromise or IOC information from Virustotal

Indicators of compromise, or IOCs, are the traces or evidence that a threat was, or currently is, active on your device or even in the corporate network. With the help of the different tools and sensors deployed across the network, such as SIEM, EDR, network monitoring, next-generation firewalls and IDS/IPS, you can detect those traces, block them and prevent them from happening again in your network.

In these terms, Virustotal can provide some of the indicators of compromise of a scanned file that is finally deemed to be malware, such as:

  1. The hashes of the file
  2. The IPs contacted by the analysed file
  3. Domains contacted by the analysed file
  4. Additional files created and their hashes
  5. Files bundled in the analysed file
Indicators of compromise that can be gathered from the Virustotal scan report

The IOCs above are good candidates for blacklisting in the different detection and prevention tools, especially the hashes. With these hashes you can perform additional threat hunting in your SIEM, EDR and next-generation firewall to find out where the threat has spread in your network.

Domains and IPs are more sensitive, so before blocking anything double-check in your network monitoring and firewalls that there is no other traffic to them besides what the malicious file generated. It is also very helpful to check with the network team to confirm that the traffic to those domains or IPs is only malicious and does not carry any actual business for your organisation. This is really important, because blocking them wrongly could disrupt the organisation’s network or services.

Can I rely solely on Virustotal to elaborate a verdict or conclude that a file is malware?

Like everything in this world, Virustotal is not perfect, even though it holds the largest malware and threat database. There are situations where it flags false positives, and these need to be double-checked or confirmed with additional evidence or sources that support the suspicion of compromise.

Therefore, before blacklisting anything in the production environment on a minimal sign of detection, keep calm and confirm the IOC with other sources, unless the detection is obvious (many detections).
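As an added example (not from the original post), the following Python turns the advice of the last two sections into a repeatable triage step: a verdict that only says “malicious” when many engines agree, and IOCs split into hashes that are safe to block and network indicators that go to review when they overlap with assets the business also uses. The report structure is constructed to resemble the Virustotal v3 file object; the threshold, the allowlist and every hash, IP and domain in it are assumptions.

```python
# Constructed sample report mirroring the shape of a VirusTotal API v3 file
# object (data.attributes.last_analysis_stats, total_votes) with the IOCs the
# post lists flattened alongside it. Hashes, IPs and domains are placeholders
# (reserved documentation ranges / .example), not real indicators.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "sha256": "0" * 64, "sha1": "0" * 40, "md5": "0" * 32,
        "last_analysis_stats": {"malicious": 41, "suspicious": 2,
                                "undetected": 25, "harmless": 0},
        "total_votes": {"harmless": 0, "malicious": 7},
    }},
    "contacted_ips": ["203.0.113.10", "198.51.100.7"],
    "contacted_domains": ["c2.evil.example", "cdn.example.com"],
    "dropped_files": ["f" * 64],       # hashes of files created at runtime
}

# Illustrative threshold: one or two hits need corroboration from other
# sources; this many engines agreeing counts as "obvious".
OBVIOUS_THRESHOLD = 10

def verdict(report: dict) -> str:
    """'clean', 'needs_corroboration' or 'malicious' from engine counts."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if hits == 0:
        return "clean"
    return "malicious" if hits >= OBVIOUS_THRESHOLD else "needs_corroboration"

def classify_iocs(report: dict, business_assets: set) -> dict:
    """Hashes go straight to the block list; each IP/domain is tagged
    'candidate' or, when it matches a known business asset (exact IP or a
    domain/suffix you also use legitimately), 'review' so that the network
    team confirms it carries no real business traffic before it is blocked."""
    attrs = report["data"]["attributes"]
    hashes = [attrs[k] for k in ("sha256", "sha1", "md5")]
    hashes += report.get("dropped_files", []) + report.get("bundled_files", [])
    network = []
    for ip in report.get("contacted_ips", []):
        network.append((ip, "review" if ip in business_assets else "candidate"))
    for dom in report.get("contacted_domains", []):
        shared = any(dom == a or dom.endswith("." + a) for a in business_assets)
        network.append((dom, "review" if shared else "candidate"))
    return {"block_hashes": hashes, "network": network}

if __name__ == "__main__":
    print("verdict:", verdict(SAMPLE_REPORT))
    for item, action in classify_iocs(SAMPLE_REPORT, {"example.com"})["network"]:
        print(f"{action:9} {item}")
```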

A helpful source of information in each Virustotal scan report is the community information. This tab holds the information the community has shared about the scanned file, so if it is a very recent true positive you will find additional information there once it is posted by a member of the community. Again, try to get additional information from other sources besides Virustotal (like Any Run, mentioned in this post). With this additional information you can make a better decision about whether the file in question is truly a threat or not.