As one of the oldest attack methods, malware is both well-known to security professionals and well-loved by malicious actors. According to the Independent IT-Security Institute, the total amount of malware has exponentially increased since 2008. However, new malware variants appear to be on the decline, identifying approximately:
- 150 million new malware in 2021
- 100 million new malware in 2022
- 30 million new malware in the first 8 months of 2023
Simultaneously, the 2023 Data Breach Investigations Report noted that the System Intrusion attack category, including malware and ransomware, accounted for:
- 3,966 incidents
- 1,944 incidents with confirmed data disclosure
As organizations seek to keep pace with malicious actors, they can use VirusTotal to detect malware and integrate it into their continuous monitoring activities.
What is VirusTotal?
Founded in 2004 then acquired by Google in 2012, VirusTotal aggregates malware signatures collect from various antivirus engines, website scanners, file and UL analysis tools. Additionally, users can contribute to the database by submitting files, URLs, and domains.
VirusTotal’s Application Programming Interface (API) enables organizations to integrate with various centralized log management and Security Information and Event Management (SIEM) tools. By integrating VirusTotal into their ongoing monitoring, organizations can enrich data with:
- Indicators of Compromise (IoC) relationship
- Sandbox dynamic analysts information
- Static information for files
- YARA Livehunt & Retrohunt management
- Crowdsourced detection details
VirusTotal offers both free, Public and paid, Premium APIs. When trying to decide between the two APIs, you should know that:
- The Public API limits the number and rate of requests per day while the Premium is unlimited.
- The Public API must not be used in commercial products or services or with business workflows that do not contribute new files.
- The Premium API returns more threat context and exposes advanced threat hunting and malware discovery.
VirusTotal’s community of researchers and volunteers actively contribute content to contextualize the signatures. As a crowd-sourced dataset, VirusTotal allows community members to rate and comment on files to help each other by sharing:
- Disinfection instructions
- In-the-wild locations
- Reverse engineering reports
- Reputation scores that gauge information’s usefulness and accuracy
What is VirusTotal used for?
Most organizations use VirusTotal to scan files and URLs.
With the unpaid version, users can access:
- API scripts and client libraries: automating activities like file uploads and scans, URL submission and scans, completed scan reports, URL and sample comments
- YARA rules: GitHub repository to help create descriptions of malware families based on textual or binary patterns
- Desktop Apps: downloadable uploader tools aligned to MacOS, Linux, and Windows, although VirusTotal no longer maintains the Windows uploader and suggests a third-party open-source alternative
- Browser extensions: plug-ins that enable users to right-click on suspicious links or downloadable files to scan them for malware
- Mobile apps: links to third-party apps that enable greater visibility into threats
Organizations that opt to pay for VT Enterprise, the paid suite of services, can also choose from the following:
- VT Intelligence: search engine for VirusTotal’s dataset
- VT Hunting: live and historical samples that enable organization to apply YARA rules
- VT Graph: visualizations that enable organizations to discover threat commonalities
Depending on whether you use the free or paid versions of VirusTotal, it can help you with:
- Monitoring for phishing, fraud, and brand impersonation
- Vulnerability management
- Advanced threat hunting
- Enriching security data
- Responding to incidents and forensic analysis
What reports does VirusTotal offer?
When security teams scan files and URLs, VirusTotal provides reports that offer additional details.
URL Reports
The Summary provides at-a-glance visibility into:
- Number of partners who think it’s harmful and number who reviewed it
- URL scanned
- Link to domain repository
- Review date and time
- Resource’s content type, like html, xml, or email
- URL favicon
The Details provide findings from Partners, like:
- Clean: no malware
- Unrated: no partners reviewed this
- Malware: known to distribute malware
- Phishing: known to steal credentials
- Malicious: known to contain exploits or malicious artifacts
- Suspicious: possibly dangerous
- Spam: known involvement in unsolicited email, popups, automatic commenting
Additionally, you can use the Details to get more information about:
- Scanned resource, like content category or HTTP response headers
- Relationships between the scanned URL and other activities identified in the database
- File submission details
- Community member comments
File Reports
The Summary report provides at-a-glance visibility into:
- Number of partners who think it’s harmful and number who reviewed it
- User-determined URL reputation
- SHA-256 that identifies the file and threat
- File name
- Tags
- Review’s date and time
- File type’s icon
- Button to reanalyze file
The Details report provides findings from Partners that include:
- Undetected: file not detected as malicious
- Suspicious: file flagged as suspicious
- Unable to process file type: file type submitted not recognized by engine
- Timeout: engine took too long processing the file so no verdicts recorded
Additionally, you can use the Details to get more information about:
- Item, like macros in an Office document file or metadata about submissions
- Relationships between the scanned file and other activities in the database
- High-level overviews about what the sample did in a sandboxed environment
- Community member comments
Domain and IP Address Reports
These reports contain different information because they don’t include partner reviews. However, they do provide details like:
- IP address country location
- IP-domain mappings
- Whois lookups
- Subdomains based on domain information stored in VirusTotal
- Sibling domains
- URLs seen under the identified domain or IP address
- Dowloaded files linked to the URLs sitting at the identified domain or IP address
- Communicating files that when executed in a sandboxed virtual environment communicate with the identified domain or IP address
- Files that reference the identified domain or IP address based on inspecting the strings contained in submitted files
Graylog Security: Integrating VirusTotal to Enrich Malware Monitoring
Graylog Security provides one-click search capabilities that enable you to compare IP addresses found during an investigation with VirusTotal’s domain and IP address database.
Additionally, you can integrate VirusTotal into your Graylog instance using the API, gaining the full value of the contextual data. With this additional data, you can reduce alert fatigue with improved detections and streamline investigations to contain threats more rapidly.
With Graylog Security and Graylog API Security, you get the key features and functionality that you would want from a SIEM without the complexity that increases your total cost of ownership. Graylog security enables you to create high-fidelity alerts and investigate detections at lightning-fast speed to empower your security and IT teams.
To learn more about Graylog Security, contact us today!