Hidden Artifacts On VirusTotal

Introduction

VirusTotal can be an extremely useful tool for any person inquiring about the behaviour or reputation of a file, URL, hash or IP they may wish to check against VirusTotals vast community driven database.

However, because anyone can submit artifacts to VirusTotal, this makes it a source for intelligence gathering. This article will showcase VirusTotals OSINT capabilities.

So, What is VirusTotal?

        VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user’s own antivirus may have missed, or to verify against any false positives… Users can also scan suspect URLs and search through the VirusTotal dataset. (Wiki)

vt

Here are the basic things you can do;

  • Upload a file to share it with the VirusTotal community & check it against scan engines
  • Search or scan a URL against threat intelligence engines
  • Search for hash values against anti-virus databases

You can also use VirusTotal to get information about artifacts from the community of users such as reputation voting, descriptions and VirusTotal graphs that are crafted by threat hunters online.

It is highly recommended to sign up for an account if you are working in a security role.

What we are able to find

You can easily look anything domain on VirusTotal and see an array of samples that have bene uploaded. Some of these happen to be email-verify link tokens, promotional links, payment referrals and claim codes as seen in the following examples;

nvidia email verify

Figure: Nvidia email verify link code

steam validate email

Figure: Steam email validation link token 

google pay refereal code promo code

Figure: Google pay promos and claim codes

Additionally, files that have been submitted to VirusTotal ususally contain lots of information and meta-data that gets disclosed on VirusTotal.

For example, every sample submitted openly displays its meta-data such as email addresses, hyperlinks, authors, last modified by file directories that contain lots of information like the following examples;

emails

Figure: File meta-data contains lots of information

What does the community think about this?

There are many in the information security field that already know and use VirusTotal as a reconnaissance repository, as you can read in this Medium article , which inspired me to use it to check my own clients if they have data on it (they did), and write this blog post.

Moreover, there are many influential information security people that openly mock this on Twitter, for example;

swift on security

Figure: @SwiftonSecurity

nvidia download files

Figure: Various Nvidia download links

There have also been case studies that have won bug bounties using VirusTotal. In this Hacker One Report, Mohammed Fayez was able to find Hacker One invitation tokens which disclosed exposed confidential information.

Conclusion

VirusTotal is a great place to begin any reconnaissance for penetration testers or find information disclosures to understand the potential security impact for the network and organization. However, VirusTotal can be used for malicious practices against networks by leveraging publicly disclosed information to discern attack vectors.

Unfortunately, there is not much these organizations can do to stop people from uploading links to their community database. The main take away here is that security teams should be aware of what is publicly known about the organization they are protecting and try and mitigate their impact.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s