I'm glad us malware analysts can come together as a community and share valuable insights on suspicious IP-addresses
seen from China
seen from United States
seen from Russia
seen from Germany
seen from United States

seen from Malaysia
seen from Germany
seen from France
seen from Russia
seen from United Kingdom
seen from China
seen from China
seen from United States

seen from Norway
seen from China

seen from Norway

seen from Malaysia
seen from Italy

seen from Germany

seen from Türkiye
I'm glad us malware analysts can come together as a community and share valuable insights on suspicious IP-addresses
Analyze that: Malware analysis using the Virus Total API
amzn_assoc_ad_type = "banner"; amzn_assoc_marketplace = "amazon"; amzn_assoc_region = "US"; amzn_assoc_placement = "assoc_banner_placement_default"; amzn_assoc_campaigns = "amzn_vicc_cloudcam_1017"; amzn_assoc_banner_type = "category"; amzn_assoc_isresponsive = "true"; amzn_assoc_banner_id = "1J0CHGJT75D586M66602"; amzn_assoc_tracking_id = "kraljevicn1-20"; amzn_assoc_linkid = "c122cc4768b349b4aab7d3099b74ea1c";
2017 was really supposed to be the year of the Chatbot but chatbots never really took off trust me I wrote a few. What 2017 actually was, was the year of the API. I actually spent a fair portion of 2017 working with API's and with the general automation and IoT trends that are picking up more and more API's have become essential for almost every kind of digital product or service including security.
Setup
Setup is quite simple with the project from Erethon run the following commands
$ mkdir virustotal $ cd virustotal/ $ git clone https://github.com/Erethon/vta.py.git
Once you have cloned the repo you will need to update the contents inside the vta.py with your virus total api key and then you are ready to go:
#self.api = "ASWGFHAHJGASDAGHHKHEGWARJLQGEIQYEQWIUAGHDASD" self.api = "INSERT YOUR VIRUS TOTAL PUBLIC API HERE"
Checking websites with VirusTotal
With the vta.py simple api interface you can quickly scan a website with virus total wit the below command
$ python vtwrapper.py -u www.security-sleuth.com
Once complete you will catch the output that looks something like the below:
You should be able to view the output results in a browser like the below:
Checking files with VirusTotal
Aside from url scanning you can also perform file scans with the command below:
$ python vtwrapper.py -F eicar_test.txt
Results will look something like this:
Just like the url scan you can view the results online aswell:
The test file contains an eicar test pattern:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Conclusion
As always I hope you found this tutorial useful. Please let me know if you would like to see more api / VirusTotal focused tutorials in the near future.
As always thanks for your support! Until next time,
The Security Sleuth
Well which is it??
i'm sure most of you know better than to click mystery links in e-mails. but if you absolutely must be a curious cat, there is a helpful tool called VIRUSTOTAL, where you can upload files, links, and photos before you open them. It will run inputs through its database and tell you if the item in question is infected or not.
Obligatory link, but feel free to use a search engine to look it up instead.
VirusTotal
Be safe out there, friends, and don't go getting your computers infected.
iT4iNT SERVER OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills http://dlvr.it/TQqq41 VDS VPS Cloud
Yelled "RISKY!" 🚩
VirusTotal: Mostly whispered "Clean." ✅
Now, what in tarnation does THAT mean?! Why ain't they seein' the same thing? This got us thinkin'...
We're breakin' down this head-scratcher on the blog. Come on over and see what we found! 👇
https://lnkd.in/eYGFf_Rf
Virustotal: Phần mềm diệt virus dành cho Window
VirusTotal là một phần mềm quét mã độc và diệt virus trực tuyến tốc độ cao cho dành cho máy tính Window. VirusTotal được tích hợp từ nhiều chương trình Antivirus trên toàn cầu giúp người sử dụng quét và phân tích mã độc có trong các tệp, các đường link, đảo bảo an toàn cho máy tính.
Bởi VirusTotal là phần mềm đến từ Google nên có thể đảm bảo an toàn khi sử dụng. Ngoài ra thì tính năng của VirusTotal đơn giản dễ sử dụng. Cùng với đó là ngôn ngữ trên phần mềm AntiVirus này có tiếng Anh nên phù hợp với tất cả người dùng. Lưu ý là VirusTotal quét các tệp tin có dung lượng đến 550MB.
Xem chi tiết:
VirusTotal là web do công ty bảo mật Tây Ban Nha Hispasec Sistemas tạo ra vào tháng 6, 2004, được Google Inc. mua lại vào tháng 9, 2012
So VirusTotal. Last week they published a report titled "Deception at Scale," where they laid out the terrain of the malware samples that are uploaded to them more or less constantly to be analyzed. They sit in the perfect place to see what's going on. They've got great scope.
I've explained in the past that signing my own executables, I've discovered the hard way, because people were saying, hey, Windows is saying this is not safe, you've got a virus, it's like, no, I don't. Actually, it didn't say that. It just said this is, you know, you don't have any reputation here. So the point is that signing my executables was not sufficient proof of the integrity of my apps to bypass various of what are now hair-triggered malware cautions.
But VirusTotal reported among other things, get this, that fully 87% of the more than one million malicious samples which were signed at the time they were uploaded to VirusTotal since the start of last year, January 2021, contained a valid signature. 87% had a valid signature, those that were signed. So what that tells us is that signing code no longer means much. It's necessary, but not sufficient. The bad guys are arranging to obtain code-signing credentials, just like any other legitimate code publisher would. Just like I do.
So moving forward, the only thing that can be used, that is, can be relied upon, is the reputation of the hash of a given executable that is earned over time. Any new hash will need to start over from scratch earning the reputation that that specific exact code that it's the hash of is trustworthy.
And there was another little interesting tidbit. If you care to protect yourself somewhat by inspecting the Certificate Authority who issued the Authenticode certificate that was used to sign a program which you're considering running, it's worth noting that more than half, actually more than 58% of the most-often-abused code-signing certificates were all issued by just one company, a Certificate Authority known as Sectigo.
And if the name Sectigo isn't ringing any bells, it's probably because they renamed themselves after their repeated conduct spoiled and soiled their previous name, which was Comodo. We've talked about Comodo quite a bit in the past, all the different mistakes they made like allowing people to create their own certificates through problems in their web interface and giving certificate minting authentication to people who didn't warrant it and so forth.
Anyway, I imagine that they're the favorite of malware authors mostly because their certs are less expensive than the competition. And really it's not their fault that VirusTotal sees most malware signed by their certs, since anyone can purchase a code-signing certificate from any certificate authority, so going to go with the cheapest.
I don't, but I don't want to be signed by Comodo, now named Sectigo. And the whole thing is roughly analogous to what Let's Encrypt did to TLS connections; right? Once upon a time having a web server certificate meant something. Not anymore. Today, everyone needs to have one, and they mean nothing because they're just being minted by automation based on the domain of the server that they're sitting behind. So okay.
Anyway, VirusTotal also revealed that the top three most-often-spoofed programs were Skype, Adobe Reader, and VLC Player. Malware is masquerading as those three utilities - one of those three, Skype, Adobe Reader, and VLC as the top three - as basically, obviously, as a means to abuse the well-earned trust that they've earned, that those apps have earned with users everywhere.
And while those are the top three, the top 10 are rounded out by 7-Zip, TeamViewer, CCleaner, Edge, Steam, Zoom, and WhatsApp. So, yeah, the top of the popular apps that people are needing now to grab wherever they are.
So VirusTotal said in their report last week: "One of the simplest social engineering tricks we've seen involves making malware look like a legitimate program. The icon of these programs is a critical feature used to convince victims that these programs are legitimate." Just the icon. Of course, no one is surprised that threat actors employ a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly trusted executables.
The other way this is achieved is by taking advantage of genuine domains, at least the top-level or second-level domains, to get around IP-based firewall defenses. Some of the most abused domains which VirusTotal has seen are discordapp.com, squarespace.com, amazonaws.com, mediafire.com, and qq.com. In total, more than 2.5 million suspicious files were downloaded from 101 domains belonging to Alexa's top 1,000 websites. In other words, 10% of the top 100 website domains have been used as sources for malware. And the misuse of Discord has been well-documented, with that platform's content delivery network becoming a fertile ground for hosting malware alongside Telegram, while also offering a perfect communications hub for attackers.
So ultimately, checking anything that's downloaded which might be suspicious against VirusTotal, I think, is the best thing anyone can do. As I mentioned a while ago, back when I was needing to bring old DOS machines onto my network in order to debug SpinRite on them, I was sometimes needing to go to well-off-the-beaten-path driver repositories to locate old drivers for old network adapters. Driver repositories are classic sources of malware.
So in every case, I ran anything that I downloaded past VirusTotal to make sure that it didn't raise any alarms. And normally you get like one or two, some weird obscure, you know, VirusTotal I think scans across or against as many as 75 different virus, you know, antivirus engines. And you'll typically get a couple reds, misfires, false positives from some scanners you've probably never heard of. And so that's not a problem. It's when you see like 20 or 30 of them lighting up red that it's like, okay, do not click this thing so that it's able to run. And stepping back from all this a little bit, it's so annoying that so much energy is being spent holding back the forces of darkness. Look at how much we put in now to doing that. But on balance it's worth it because what can be done with computers today is truly amazing.