3.2 Querying Hash Values Using VirusTotal Public API

VirusTotal also provides scripting capabilities via its public API (https://www.virustotal.com/en/documentation/public-api/); it allows you to automate file submission, retrieve file/URL scan reports, and retrieve domain/IP reports.

The following is a Python script that demonstrates the use of VirusTotal's public API. It takes a hash value (MD5/SHA1/SHA256) as input and queries the VirusTotal database for an existing report on that hash, without uploading anything. To use the script you need Python 2.7.x, an internet connection, and a VirusTotal public API key (obtained by signing up for a VirusTotal account). Note that the public API key is rate limited to a handful of requests per minute, so do not loop it over a large hash list without throttling. Once you have the API key, update the api_key variable with it:

The following script, and most of the scripts in this book, are written to demonstrate the concept; they do not perform input validation or error handling. If you wish to use them in production, consider modifying them to follow the best practices described here: https://www.python.org/dev/peps/pep-0008/.

import urllib
import urllib2
import json
import sys

# The hash (MD5/SHA1/SHA256) to look up is taken from the first command-line argument
hash_value = sys.argv[1]
vt_url = "https://www.virustotal.com/vtapi/v2/file/report"
api_key = "<update your api key here>"
parameters = {'apikey': api_key, 'resource': hash_value}
encoded_parameters = urllib.urlencode(parameters)
# Passing a body makes urllib2 send an HTTP POST, which is what the v2 report endpoint expects
request = urllib2.Request(vt_url, encoded_parameters)
response = urllib2.urlopen(request)
json_response = json.loads(response.read())
# response_code is 1 when VirusTotal has a report for this hash and 0 when the hash is unknown to it
if json_response['response_code'] == 1:
    detections = json_response['positives']
    total = json_response['total']
    scan_results = json_response['scans']
    print "Detections: %s/%s" % (detections, total)
    print "VirusTotal Results:"
    for av_name, av_data in scan_results.items():
        print "  %s ==> %s" % (av_name, av_data['result'])
else:
    # An unknown hash is not the same as a clean file: it simply has not been scanned by VirusTotal
    print "No VirusTotal report found for: %s" % hash_value

Running the preceding script with the MD5 hash of a binary shows the number of antivirus detections and the signature name assigned by each engine:

$ md5sum 5340.exe
5340fcfb3d2fa263c280e9659d13ba93 5340.exe
$ python vt_hash_query.py 5340fcfb3d2fa263c280e9659d13ba93
Detections: 44/56
VirusTotal Results:
Bkav ==> None
MicroWorld-eScan ==> Trojan.Generic.11318045
nProtect ==> Trojan/W32.Agent.105472.SJ
CMC ==> None
CAT-QuickHeal ==> Trojan.Agen.r4
ALYac ==> Trojan.Generic.11318045
Malwarebytes ==> None
Zillya ==> None
SUPERAntiSpyware ==> None
TheHacker ==> None
K7GW ==> Trojan ( 001d37dc1 )
K7AntiVirus ==> Trojan ( 001d37dc1 )
NANO-Antivirus ==> Trojan.Win32.Agent.cxbxiy
F-Prot ==> W32/Etumbot.K
Symantec ==> Trojan.Zbot
[.........Removed..............]

The other alternative is to use PE analysis tools such as pestudio (https://www.winitor.com/) or PPEE (https://www.mzrst.com/). Upon loading the binary, the hash value of the binary is automatically queried from the VirusTotal database and the results are displayed, as shown in the following screenshot:

Online scanners such as VirSCAN (http://www.virscan.org/), Jotti Malware Scan (https://virusscan.jotti.org/), and OPSWAT's Metadefender (https://www.metadefender.com/#!/scan-file) allow you to scan a suspect file with multiple anti-virus scanning engines, and some of them also allow you to do hash lookups.

There are a few factors and risks to consider when scanning a binary with anti-virus scanners or when submitting a binary to online anti-virus scanning services:

  • If a suspect binary is not detected by the anti-virus scanning engines, that does not necessarily mean it is safe. These engines rely on signatures and heuristics to detect malicious files, and malware authors can easily modify their code and use obfuscation techniques to bypass detection, so some engines may fail to flag a genuinely malicious binary.
  • When you upload a binary to a public site, the binary you submit may be shared with third parties and vendors. The suspect binary may contain sensitive, personal, or proprietary information specific to your organization, so it is not advisable to submit a binary that is part of a confidential investigation to public anti-virus scanning services. Most web-based scanning services allow you to search their existing database of scanned files using cryptographic hash values (MD5, SHA1, or SHA256), so an alternative to submitting the binary is to search based on its hash; a hash reveals nothing about the file's contents.
  • When you submit a binary to an online anti-virus scanning service, the scan results are stored in its database, and most of that scan data is publicly available and can be queried later. Attackers can use the search feature to query the hash of their own sample to check whether it has been detected, and detection may prompt them to change their tactics to avoid it.
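The hash-lookup-instead-of-upload approach from the second point above, in working form. This is an added example and not the book's script: it hashes the file locally, queries the same v2 file/report endpoint with the SHA256 only, and interprets response_code the way the v2 API documents it (1 = report found, 0 = hash unknown to VirusTotal, -2 = scan still queued), treating HTTP 204 as the public-API quota signal. It assumes Python 3; the embedded JSON reports are constructed samples so that the parsing can be exercised offline without a key or network access.

```python
"""Hash-based VirusTotal lookup that never uploads the file.

Added example, not the book's code. Hashes the file locally, queries the v2
file/report endpoint with the SHA256, and interprets response_code as the v2
API documents it (1 = report found, 0 = unknown hash, -2 = still queued).
"""
import hashlib
import json
import sys
import urllib.parse
import urllib.request

VT_FILE_REPORT = "https://www.virustotal.com/vtapi/v2/file/report"


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA1 and SHA256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def summarize_report(report: dict) -> dict:
    """Interpret a v2 file/report JSON object.

    Returns a dict whose 'status' is 'found', 'unknown' or 'queued'; for a
    found report it also carries positives, total and only the engines that
    actually fired (engines with detected == False are dropped).
    """
    code = report.get("response_code")
    if code == 1:
        hits = {name: d["result"] for name, d in report["scans"].items() if d.get("detected")}
        return {"status": "found", "positives": report["positives"],
                "total": report["total"], "detections": hits}
    if code == 0:
        # Unknown to VirusTotal: not evidence that the file is clean
        return {"status": "unknown"}
    if code == -2:
        return {"status": "queued"}
    raise ValueError("unexpected response_code %r: %s" % (code, report.get("verbose_msg")))


def query_hash(api_key: str, hash_value: str, timeout: int = 30) -> dict:
    """POST the hash to the v2 report endpoint and return the parsed summary.

    Network call. An HTTP 204 with an empty body is how the v2 public API
    signals that the per-minute request quota has been exceeded.
    """
    body = urllib.parse.urlencode({"apikey": api_key, "resource": hash_value}).encode()
    with urllib.request.urlopen(VT_FILE_REPORT, body, timeout=timeout) as resp:
        if resp.status == 204:
            raise RuntimeError("VirusTotal public API rate limit exceeded; retry later")
        return summarize_report(json.loads(resp.read().decode()))


# Constructed (trimmed) sample of a v2 report, so the parsing can run offline.
SAMPLE_REPORT = {
    "response_code": 1,
    "verbose_msg": "Scan finished, information embedded",
    "positives": 2,
    "total": 4,
    "scans": {
        "Symantec": {"detected": True, "result": "Trojan.Zbot"},
        "F-Prot": {"detected": True, "result": "W32/Etumbot.K"},
        "Bkav": {"detected": False, "result": None},
        "CMC": {"detected": False, "result": None},
    },
}

# Constructed sample for a hash VirusTotal has never seen.
UNKNOWN_REPORT = {"response_code": 0, "verbose_msg": "resource not found"}


if __name__ == "__main__":
    # Usage: python vt_hash_lookup.py <api_key> <file>
    api_key, path = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        digests = file_hashes(f.read())
    print("sha256:", digests["sha256"])
    print(json.dumps(query_hash(api_key, digests["sha256"]), indent=2))
```

The distinction summarize_report draws matters operationally: a "found" report with zero positives and an "unknown" hash look identical if you only print a detection count, but the first is a file the engines have actually examined while the second has never been scanned at all. Keep the two apart in any triage workflow built on hash lookups.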