Monday, April 25, 2011

Quick Virus Total Batch Submission

Every now and then you end up with a boatload of potentially "interesting" executables you've recovered from various suspect systems. Where do you start your analysis? Rule out the known stuff first with this handy script to batch-submit hashes to Virus Total.

First a snip from VT's ToS:
"When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry (normally the companies that participate in VirusTotal receive the samples that their engines do not detect and are catalogued as malware by at least one other engine). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve antivirus engines."

This may be bad juju for some, so the script only submits the MD5 sum of each suspect file rather than the file itself.

Also of note, you will need an API Key from Virus Total. You can get this by creating an account with them. The script expects the key to be in a file. General API use from VT allows only 20 submissions per 5 minutes, which the script's logic accounts for.

Three variables in the script will need to be changed prior to use:
  1. searchPath - Set this to the top level directory where your suspect files live. The script will descend into all subdirectories hashing files with extensions listed in the extensions variable.
  2. VTApiKey - Set this to the path of the file that contains your VT API Key. This file should contain one line that is the printable hex representation of the key, such as "e6062291ac3191db3493738755d3afb3e19a760c290d657d0712b4899538295d" (NOT A VALID KEY).
  3. extensions - This sets the file extensions the script will target. Make changes as necessary. The default list should cover most common executable formats. A more correct way to perform this check is to use the MIME type of the file. Patches are welcome. NOTE: files are hashed as the script finds them - i.e. archives are not expanded.
Output will be written to a file called VTData in the directory where the suspect file resides, and will contain all known AV detections, if any. Change the logic if this is lame to you. Below is an example of what VTData could contain:
UPS.zip::2b2f7daa1db9c20bc06c24604caadad9::Mon, 25 Apr 2011 18:17:29 +0000::2011-04-19 10:56:07::TrojanDownloader.Deliver.v,Generic Packed,Trojan/CI.gen,Trojan,Trojan.DL.Deliver!GQjxYKDCRwo,probably a variant of Win32/TrojanDownloader.Zurgop.J,W32/Oficla.DS,Trojan.Sasfis,W32/Suspicious_Gen2.KFEYR,TROJ_AGENTT.AI,Win32:Malware-gen,Trojan.Spy.Zbot-464,Trojan-Downloader.Win32.Deliver.v,Trojan.Generic.KD.173334,Backdoor.Win32.Buterat!IK,Trojan-Spy:W32/Zbot.AHTR,Trojan.DownLoad2.22301,Trojan.Win32.Generic!BT,TR/Spy.ZBot.ZD,TROJ_AGENTT.AI,Generic Packed,Troj/FakeAV-DCB,Win32/Bredolab.ARL,Trojan/Win32.Deliver.gen,Trojan.Win32.Downloader.33280.APH,Medium Risk Malware,Trojan.Generic.KD.173334,W32/Oficla.DS,Win-Trojan/Chepvil.33280,Trojan.Deliver.4421,Trojan.Sasfis,Trojan.Win32.Generic.12848B1B,Backdoor.Win32.Buterat,W32/Chepvil.EF6A!tr,Cryptic.CNN,Trj/Sasfis.B,Win32:Malware-gen

As you can see, the format of the file for items with detections is:
[filename]::[hash]::[localsystemtime(gmt)]::[datefromvtdata]::[avalerts]
and without detections:
[filename]::[hash]::No Match Found: [localsystemtime(gmt)]
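Since the script itself is not reproduced in this post, the following Python is an added reconstruction of the workflow described above and is not the post's own script: it MD5s files with targeted extensions under searchPath, sends only the hash to VT, throttles to 20 lookups per 5 minutes, and appends records in the VTData formats shown. The VT v2 report endpoint and its JSON field names, the default extension list, and the demo's sample files and canned report are all assumptions.

```python
import hashlib, json, os, pathlib, tempfile, time, urllib.parse, urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"  # assumed v2 endpoint, not from the post
EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".zip"}  # assumed default target list

def hash_tree(search_path, extensions=EXTENSIONS):  # yield (path, md5); archives are not expanded
    for root, _dirs, files in os.walk(search_path):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in extensions:
                full, h = os.path.join(root, name), hashlib.md5()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
                yield full, h.hexdigest()

def vt_lookup(api_key, md5):  # only the hash leaves the box; VT v2 JSON shape assumed
    body = urllib.parse.urlencode({"apikey": api_key, "resource": md5}).encode()
    with urllib.request.urlopen(VT_REPORT_URL, body, timeout=30) as resp:
        return json.load(resp)

def format_record(name, md5, now, report):  # one VTData line in the post's two formats
    if not report or report.get("response_code") != 1:
        return f"{name}::{md5}::No Match Found: {now}"
    alerts = [s["result"] for s in report.get("scans", {}).values() if s.get("detected")]
    return f"{name}::{md5}::{now}::{report.get('scan_date', '')}::{','.join(alerts)}"

def process(search_path, lookup, extensions=EXTENSIONS, limit=20, window=300, now=None):
    sent, started, lines = 0, time.monotonic(), []
    for path, md5 in hash_tree(search_path, extensions):
        if sent >= limit:  # public API quota: at most `limit` lookups per `window` seconds
            time.sleep(max(0.0, window - (time.monotonic() - started)))
            sent, started = 0, time.monotonic()
        stamp = now or time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime())
        line = format_record(os.path.basename(path), md5, stamp, lookup(md5))
        sent += 1
        with open(os.path.join(os.path.dirname(path), "VTData"), "a") as out:  # beside the file
            out.write(line + "\n")
        lines.append(line)
    return lines

def demo():  # offline run over constructed sample files; a stub stands in for vt_lookup
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "sub").mkdir()
        pathlib.Path(d, "sub", "bad.exe").write_bytes(b"MZ constructed sample")
        pathlib.Path(d, "notes.txt").write_text("extension not targeted, so never hashed")
        hit = {"response_code": 1, "scan_date": "2011-04-19 10:56:07", "scans": {
            "A": {"detected": True, "result": "Trojan.Sasfis"}, "B": {"detected": False, "result": None}}}
        stub = lambda h: hit if h == hashlib.md5(b"MZ constructed sample").hexdigest() else {"response_code": 0}
        return process(d, stub, now="Mon, 25 Apr 2011 18:17:29 +0000")
```

demo() needs no network; for a real run, pass `lambda h: vt_lookup(key, h)` with `key` read from your VTApiKey file.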
