Researchers Explore Hacking VirusTotal to Find Stolen Credentials
Security researchers have found a method to collect vast amounts of stolen user credentials by executing searches on VirusTotal, the online service used to analyze suspicious files and URLs.

With a €600 (around $679) VirusTotal license and a few tools, the SafeBreach research team collected more than a million credentials using this technique. The goal was to determine how much data a criminal could gather with nothing more than a VirusTotal license. VirusTotal, which is owned by Google, provides a free service for uploading suspicious files and links and checking them against several antivirus engines.

A licensed user on VirusTotal can query the service’s dataset with a combination of search terms such as file type, file name, submitted data, country, and file content. The SafeBreach team coined the term “VirusTotal hacking” by analogy with “Google hacking,” the practice criminals use to look for vulnerable websites, Internet of Things devices, Web shells, and sensitive data leaks.

Many information stealers collect credentials from different forums, mail accounts, browsers, and other sources, write them to a fixed, hard-coded file name — for example, “all_credentials.txt” — and then exfiltrate this file from the victim’s device to the attackers’ command-and-control server. Building on this behavior, the researchers used VirusTotal tools and APIs such as search, VirusTotal Graph, and Retrohunt to find files containing stolen data.

“It is quite a straightforward technique, which doesn’t require strong understanding in malware,” says Tomer Bar, director of security research at SafeBreach. “All you need is to choose one of the most common info stealers and read about it online.”

The researchers conducted their study on known malware including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, as well as known forums such as DrDark and Snatch_Cloud that are used for stealing sensitive data. They found that their method works at scale.

RedLine Stealer is a form of malware sold on underground forums via a stand-alone purchase or subscription. It uses browsers to collect data such as saved credentials, autocomplete data, and credit card details. When it runs on a target machine, the malware takes a…

VirusTotal Adds Collections Feature for Better Collaboration and Context
VirusTotal, a key repository of malware samples and suspicious files for security researchers and defenders, is introducing a new service that enables users to collaborate and share data and indicators of compromise in real time.

The Collections feature allows any user to create a new collection for a file or malware sample that groups a variety of IOCs, such as file hashes, domains, or URLs, along with other information. The collection can also include a description, and VirusTotal enriches it with additional information such as tags and metadata.

Researchers and security teams often use informal channels such as Twitter, Pastebin, or Dropbox for sharing IOCs, threat intelligence, hashes of malware samples, and lists of suspicious domains. There are also a number of private forums in which that information is shared, but those tend to be small, so the data is not disseminated widely. Those methods work for specific use cases, but getting threat information out to the widest possible audience of defenders and researchers can make a significant difference in heading off attacks.

The VirusTotal Collections feature is designed to enable researchers and defenders to update their contributions as needed and allow others to consume them.

“Collection owners can update these by adding or removing IoCs. They are public via our UI and API, and they can be shared using their permalink. This makes it a very convenient way of linking to listings of IoCs in blog posts, research reports and the like,” Juan Infantes of VirusTotal said in a post.

VirusTotal has been the default platform for checking potentially malicious files and URLs for many years, and has evolved into a resource for community sharing and discussion, as well.

“Time evolves and now most investigations go beyond one observable, quickly adding up several indicators of compromise (IOCs) for one single incident. With many security researchers sharing their findings in blog posts and tweets, it’s getting hard to keep track of all these data inputs. Moreover, these investigations change over time bringing more difficulty into reporting the new findings,” Infantes said.

Google’s VirusTotal now picks out suspicious firmware

Google’s VirusTotal service has added a new tool that analyzes firmware, the low-level code that bridges a computer’s hardware and operating system at startup.

Advanced attackers, including the U.S. National Security Agency, have targeted firmware as a place to embed malware because it is a layer where code can easily stay hidden.

Since antivirus programs “are not scanning this layer, the compromise can fly under the radar,” wrote Francisco Santos, an IT security engineer with VirusTotal, in a blog post on Wednesday.

Malware hidden in firmware also often cannot be easily erased and can survive reboots and fresh installs of an OS, Santos wrote.

VirusTotal now Scans Mac OS X Apps for Malware

Google has added support for Mac OS X malware detection to its VirusTotal web-based service. VirusTotal — launched in 2004 and acquired by Google in 2012 — is a free and popular online service for security researchers and hackers that lets you …