Virustotal update brings network traffic analysis support
It was not really clear in which direction Virustotal was heading after the acquisition of the service by Google was officially announced. Some feared that it would be integrated into core Google services and shut down, while others had hopes that the service would benefit from the parent company's vast resources.
The service improved afterwards, raising the maximum file size limit to 64 Megabytes in the process and eliminating nearly all of the wait time that users of the service experienced before the acquisition.
Virustotal announced the addition of a new feature two days ago on the official company blog. The service supports the analysis of so-called PCAP data now. PCAP - PAcket CApture - files contain captured network traffic. One use in this regard is the capturing of network traffic during software installations or while software is running that you want to analyze to find out if unauthorized connections are being made, and if this is the case, to which servers. Previously, you were able to scan the file on Virustotal, but that did not necessarily tell you anything about the connections that it made while it was running.
Here is one suggestion on how to make use of the new feature:
- Get a sandboxing application like Sandboxie to run software or files that you want to analyze in the sandbox.
- Use a network monitor like Wireshark to record the network traffic and save it as a PCAP file afterwards.
- Upload the PCAP file to Virustotal to have it analyzed.
Virustotal will scan the file with all scanners as usual, but use the intrusion detection systems Snort and Suricata afterwards to analyze the traffic. It performs a couple of operations that include:
- Extracts file metadata.
- Lists DNS resolutions.
- Lists HTTP communication.
- Extracts files that it recognizes in the network traffic and links to Virustotal reports.
The analysis of network traffic opens up additional possibilities in regards to Virustotal and the service that it makes available. It can be used for other purposes besides monitoring traffic of a sandboxed application. This may include logging the network traffic of a system on boot and shortly thereafter or recording browser exploitation traces.
The feature is a welcome addition to the Virustotal arsenal even though it may be used almost exclusively by security researchers. (via)Advertisement
Install via Sandboxiem, use Wireshark and have the PCAP file analyzed.
9.6 people out of 10 who know how to do this already know how to analyze the results. Welcome addition? Nope. I don’t even see security researchers getting any benefit —- ohhh … other than mining your data for their profit.
Get ready for it .. probably a year away from “Google Safe Haven” – to compete with the other free security suites :)
This new facility is OK, but doesn’t help too much. If you are able to capture a file using Wireshark, it is likely that you will be able to analyse it as well, and you won’t need to send it to Virustotal for that.
The interesting part is passing that capture through Snort/Suricata, a thing that normal (and even more advanced) users don’t think of doing for themselves.