Leveraging VirusTotal for Security Context

Ever since we added file fingerprinting in version 2.2 of the DataGravity Discovery Series I’ve been thinking of ways to help our customers gain immediate security value from the generated file hashes. The first thought that came to mind was providing an interface into VirusTotal’s massive database of uploaded malware hashes.

To gain a sense of why checking a file hash against VirusTotal’s free service is valuable, let’s walk through an example. Here we have a file that was added to the array.

Previewing the file shows that the document is in a foreign language (in this case written in Cyrillic): the first sheet of the document, normally labeled ‘Sheet1’, carries a Russian name that roughly translates to ‘Select1’.

If we scroll to the end of the document we see only a few cells with random combinations of the letters ‘e’ and ‘f’.

If we upload the document to Google Drive and open it as a Google Sheet, we receive a message that the document is corrupt.

Unless you have dealings with vendors, partners, or customers that provide Cyrillic documents, the lack of credible information in this document, along with the message that it is corrupt, should raise some red flags. So how do we gain more context into what this file might be without opening it in Excel and potentially compromising our system?

When researching malware, one of the first sources of information I typically use is VirusTotal. Luckily, VirusTotal has provided the VTchromizer plugin for Mozilla Firefox, Google Chrome, and Internet Explorer. The plugin allows you to right-click on an on-screen hash, send the hash (and only the hash) to VirusTotal, and check to see if it has ever been uploaded and analyzed in the past.

Installing the plugin is simple; if Google Chrome is your default browser it installs as a Chrome extension. To get the plugin, open a browser and go to https://www.virustotal.com/en/documentation/browser-extensions/google-chrome. Select Google Chrome at the top. Midway down the page you should see a button labeled Install VTchromizer.

Click the Install VTchromizer button and then click the ADD TO CHROME button.

Finally, click the Add extension button and you’re ready to start analyzing hashes.

Going back to the file and associated hash within your DataGravity dashboard, highlight the suspicious hash in question. Right-click on the hash and select Check with VirusTotal.

The odds that someone has previously uploaded a file to VirusTotal, especially a suspicious one, are quite high based on my malware research experience. The VirusTotal screen reveals that this file has been uploaded before AND 26 of 54 malware analysis engines have flagged it as malicious.

If we look at the Analysis tab, we can see how each anti-malware vendor’s signature engine classified the file. Two keywords immediately stand out in the result column: Downloader and Locky.

You might remember Locky from my previous post, Detecting Microsoft Word Documents Built for “Locky” Delivery.

A Downloader is an application that will download and install other pieces of malware onto your computer. Think of it as a nondescript envelope surrounding a letter from a creditor, lawyer, or relative that always asks for money. Though sometimes a legitimate piece of a larger application installation process, a downloader flagged as malicious should be avoided.

Looking at the File detail tab gives us additional context that we would not have discovered prior to opening the file. I often find the Commonly abused properties section of great value for a quick overview of a file’s capabilities.

In the case of our suspicious file, VirusTotal notes that the file makes use of macros. Though often harmless, macros may be abused to perform malicious tasks when working with a document. We also see that the document may open a file, create Object Linking and Embedding (OLE) objects, and contains deobfuscation code. Code deobfuscation is often used to hide additional commands or instructions until the file is opened or an action is triggered, such as a macro.

Finally, if we look at the Additional information tab, we can see information such as the determined file type (in this case an MS Excel spreadsheet, but we already knew that), the associated MD5/SHA1/SHA256 hashes, and the ssdeep signature, which can be used for computing and matching Context Triggered Piecewise Hashing (a.k.a. fuzzy hashing) values of files.

Like DataGravity, VirusTotal provides contextual tags to help identify this sample based on the automated and static analysis of the file.

Further down the page we see one final piece of interesting information: the VirusTotal metadata. Looking at the First submission date may give you a sense of when this file was first distributed in the wild – as many researchers and tools upload files for analysis the moment they are detected.

You can also view the last submission time – when it was last uploaded – to give you a window of time for investigation purposes. Finally, you will see the file names of the samples uploaded by the VirusTotal community. A common string, “Rechnung,” is prevalent in many of the sample file names. This is the German word for bill or invoice.

So what additional insight have we gained from the use of a file fingerprint and VirusTotal? Well, we know with a reasonable amount of certainty that:

  1. A suspicious file, claiming to be an MS Excel spreadsheet, was found on our array,
  2. The file contains Cyrillic text (indicating that this was most likely created on a Cyrillic-language operating system or that Excel was configured for a Cyrillic language) and random combinations of the letters ‘e’ and ‘f’ in several cells at the end of the document (which are Latin letters, not Cyrillic),
  3. The file fingerprint (a.k.a. hash) of our file matches 20 or more files uploaded to VirusTotal for analysis,
  4. VirusTotal reports that 26 of 54 (48%) of its malware scanning engines associate the file with one or more known malware signatures,
  5. Several engines indicate an association with a downloader or Locky-related file,
  6. The file makes use of macros and may open a file and create OLE objects,
  7. The file contains deobfuscation code which could be used to hide additional malicious commands from the user until they are called by a macro,
  8. Several tags, generated as a result of automated and static analysis of the uploaded file, further corroborate suspicious activity,
  9. The VirusTotal metadata notes the first and most recent uploads of this file – helping to establish an investigation timeline, and
  10. Based on the naming of the files the attacker is likely targeting German or German speaking users.

For those of you counting at home, that’s 8 additional points of context to help corroborate that this file is malicious and should be investigated further (if not immediately removed). View the VirusTotal analysis yourself here.
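As an added example (not code from this post or from DataGravity), here is the hash-only lookup above scripted in Python: it fingerprints a file, queries the VirusTotal v2 `file/report` endpoint with the hash alone, and reduces the report to the context points listed above. The sample report is constructed to mirror the 26 of 54 result; `first_seen`, `last_seen` and `submission_names` are assumed field names for the metadata shown in the screenshots.

```python
import hashlib
import json
import re
from collections import Counter
from urllib.parse import urlencode
from urllib.request import urlopen

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
SUSPICIOUS_KEYWORDS = ("downloader", "locky")  # classifications the post calls out

# Constructed stand-in for a VT v2 report (scans abbreviated), not real VirusTotal data;
# first_seen, last_seen and submission_names are assumed names for the metadata in the post.
SAMPLE_REPORT = {
    "response_code": 1, "positives": 26, "total": 54,
    "first_seen": "2016-02-17 08:02:11", "last_seen": "2016-02-22 14:10:45",
    "submission_names": ["Rechnung_2016.xls", "rechnung.xls", "invoice.xls"],
    "scans": {"EngineA": {"detected": True, "result": "W97M/Downloader"},
              "EngineB": {"detected": True, "result": "Trojan.Locky"},
              "EngineC": {"detected": False, "result": None}},
}

def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 of file content; only these digests ever leave the host."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def fingerprint(path):
    """Fingerprint a file on disk without handing it to Excel or any other handler."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())

def fetch_report(sha256, api_key):
    """Query the v2 file/report endpoint with the hash alone, never the file itself."""
    query = urlencode({"apikey": api_key, "resource": sha256})
    with urlopen(VT_REPORT_URL + "?" + query) as resp:
        return json.load(resp)

def summarize(report):
    """Reduce a report to the context points the post walks through."""
    if report.get("response_code") != 1:
        return {"known": False}  # never submitted: no context, which is not a clean verdict
    hits = [s["result"] for s in report["scans"].values() if s["detected"]]
    # Recurring words in community file names (e.g. "Rechnung") reveal the lure theme
    words = Counter(w.lower() for name in report.get("submission_names", [])
                    for w in re.findall(r"[A-Za-z]{4,}", name))
    return {"known": True, "positives": report["positives"], "total": report["total"],
            "ratio_pct": round(100 * report["positives"] / report["total"]),
            "keywords": sorted({k for r in hits for k in SUSPICIOUS_KEYWORDS if k in r.lower()}),
            "first_seen": report.get("first_seen"), "last_seen": report.get("last_seen"),
            "common_name_words": [w for w, n in words.most_common() if n > 1]}
```

Run `summarize(fetch_report(fingerprint(path)["sha256"], api_key))` against a real key to reproduce the walkthrough for a file on the array; `summarize(SAMPLE_REPORT)` shows the same output shape offline.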

I hope this walkthrough has shed some light on the combined power of being data-aware with DataGravity file fingerprinting capabilities and VirusTotal. Stay tuned for a future blog where I introduce ways to automate some of this detection using PowerShell, Ruby, and Python.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.