[This post was submitted by Jesse La Grew]
VirusTotal has become an important tool for researchers and defenders alike. Unusual executables or files can be uploaded to get an idea of how different antivirus vendors will classify it. Keeping the discovery of customized malware secret is also important and, in those cases, file hashes can be used to find any preexisting results. It should always be assumed that any file submitted to VirusTotal is being looked at by someone. The malware seen by public honeypots, such as the DShield honeypot, generally are not considered sensitive. Malware seen by these devices is being broadly used around the world in an attempt to compromise IoT (Internet of Things) devices.
Vendors With No Results
A surprising item was just how many vendors never gave any results for files seen on this honeypot.
A possibility is that many of these vendors are not supplying data at this time or may not have been used in VirusTotal results in the past. These vendor lists do change over time:
Suggested Threat Results
VirusTotal will also give general threat classifications that can help to give a good high-level picture.
Out of over 10,000 different honeypot results, files associated with malicious SSH authorized_keys were the most prevalent. Another item high on the list is Mirai, which is a popular botnet . Many Mirai variants are seen on a regular basis by honeypots. Results Change Over Time We have already seen that results can be different between vendors; those vendors change and even VirusTotal threat classifications can sometimes seem inconsistent. Malware changes and new variants appear. Knowledge about this malware also changes, and this also changes the information received from a variety of tools. Looking at one example, it was seen that within a 6-hour period, the number of vendors seeing a particular hash as malware increased by 13, and the threat classification from VirusTotal also change from “trojan.mirai/linux” to “trojan.linux/mirai”.
Normalizing the stored hashes with the latest stored VirusTotal threat classification gives a different picture than seen before.
Mirai is still a significant contender for popularity but the use of creating an authorized_keys file is by far the most common. A little help came from Excel and the XLOOKUP function to gather the latest locally stored results for a particular hash .
Different Provider Comparisons
So far, this has only focused on suggested classifications from VirusTotal. The naming of these threats from the various vendors also differs quite a bit and we see a much different number of results.
This also highlights towards the end of this list vendors that did not have any results. Looking at some of the most popular providers, we also see a difference with naming of threats.
Avast and AVG have the same results and numbers, although this is likely due to Avast acquiring AVG in 2016 .
Summarized and detailed hash data can be downloaded from here .
When using tools like VirusTotal it is important to be aware of name changes over time and that vendors have their own naming schemes. Make sure that you’re using the latest available results and using the “Reanalyse File” option within VirusTotal to update analysis information.
I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Safari 2022
Sep 12th 2022
Sep 12th 2022
2 weeks ago
Sep 13th 2022
1 week ago