VirusTotal is an extremely useful tool for anyone who wants to check the behaviour or reputation of a file, URL, hash or IP address against VirusTotal's vast, community-driven database.
However, because anyone can submit artifacts to VirusTotal, it is also a source for intelligence gathering. This article showcases VirusTotal's OSINT capabilities.
So, What is VirusTotal?
VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user’s own antivirus may have missed, or to verify against any false positives… Users can also scan suspect URLs and search through the VirusTotal dataset. (Wikipedia)
Here are the basic things you can do:
- Upload a file to share it with the VirusTotal community & check it against scan engines
- Search or scan a URL against threat intelligence engines
- Search for hash values against anti-virus databases
You can also use VirusTotal to get community-contributed information about artifacts, such as reputation votes, descriptions and VirusTotal graphs crafted by threat hunters.
It is highly recommended to sign up for an account if you are working in a security role.
What we are able to find
You can easily look up any domain on VirusTotal and see an array of samples that have been uploaded. Some of these happen to be email-verification link tokens, promotional links, payment referrals and claim codes, as seen in the following examples:
Figure: An Nvidia email-verification link code. Although useless in itself, it is an example of the wide range of samples people upload to VirusTotal
Figure: Steam email validation link token
Figure: Google pay promos and claim codes
Additionally, files that have been submitted to VirusTotal usually contain lots of information and metadata, all of which is disclosed on VirusTotal.
For example, every submitted sample openly displays its metadata, such as email addresses, hyperlinks, authors, last-modified-by fields and file directories, which reveal a great deal, as in the following examples:
Figure: File metadata contains lots of information
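The metadata fields mentioned above are not hidden anywhere exotic: in a .docx they sit in docProps/core.xml (author, last-modified-by, title, keywords) and external hyperlink targets sit in word/_rels/document.xml.rels. The following is an added example, not code from the original post, that uses only the Python standard library to show exactly what a document would disclose if it were uploaded, and to blank the identifying core-property fields before a sample is shared. The .docx it inspects is a constructed, minimal package built inline; the names, mailbox and intranet URL in it are invented sample values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used in docProps/core.xml and the document relationships part.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Core-property fields that routinely name people, mailboxes or internal projects.
IDENTIFYING_FIELDS = ["dc:title", "dc:creator", "dc:description", "cp:keywords", "cp:lastModifiedBy"]


def extract_docx_metadata(docx_bytes):
    """Return the identifying core properties and external hyperlink targets of a .docx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        for field in IDENTIFYING_FIELDS:
            el = core.find(field, NS)
            if el is not None and el.text:
                found[field] = el.text
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in z.namelist():
            rels = ET.fromstring(z.read(rels_name))
            found["hyperlinks"] = [
                rel.get("Target")
                for rel in rels.iter(f"{{{REL_NS}}}Relationship")
                if rel.get("TargetMode") == "External"
            ]
    return found


def scrub_docx_metadata(docx_bytes):
    """Return a copy of the package with the identifying core-property fields blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = ET.fromstring(data)
                for field in IDENTIFYING_FIELDS:
                    el = core.find(field, NS)
                    if el is not None:
                        el.text = None
                data = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


def build_sample_docx():
    """Constructed sample: a minimal .docx carrying the metadata a desktop editor writes."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Q3 supplier contract (draft)</dc:title>"
        "<dc:creator>Jane Doe</dc:creator>"
        "<cp:lastModifiedBy>jane.doe@example.com</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2020-07-01T10:00:00Z</dcterms:created>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://intranet.example.com/contracts/Q3?draft=1"/>'
        "</Relationships>"
    ) % REL_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_docx_metadata(sample))
    print("after: ", extract_docx_metadata(scrub_docx_metadata(sample)))
```

Note that the scrub only touches core properties. Hyperlink targets are document content, not metadata, so they survive the scrub on purpose and are reported so a reviewer can decide whether an internal URL should leave the organization at all; docProps/app.xml (company, template path) is worth the same treatment on real files.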
Why does this matter?
The information that can be pulled out of the metadata of file samples and URLs uploaded to VirusTotal can be used in a type of inference attack.
Inference attacks combine several pieces of individually non-sensitive information to deduce facts about a collection of data, reaching a higher level of classification than any single piece carries.
In this case, attackers can use VirusTotal as a tool against an organization to observe what has been legitimately or illegitimately posted. For example, a rogue employee could upload files containing sensitive information to VirusTotal, and attackers can then query them.
What does the community think about this?
There are many in the information security field that already know and use VirusTotal as a reconnaissance repository, as you can read in this Medium article, which inspired me to use it to check whether my own clients have data on it (they did) and to write this blog post.
Moreover, many influential information security people openly mock this on Twitter, for example:
Figure: Various Nvidia download links
There have also been cases where bug bounties were won using VirusTotal. In this HackerOne report, Mohammed Fayez was able to find HackerOne invitation tokens that disclosed confidential information.
VirusTotal is a great place for penetration testers to begin reconnaissance, or to find information disclosures and understand their potential security impact on the network and organization. However, VirusTotal can also be used maliciously against networks, by leveraging publicly disclosed information to discern attack vectors.
Unfortunately, there is not much organizations can do to stop people from uploading links to VirusTotal's community database. The main takeaway is that security teams should be aware of what is publicly known about the organization they are protecting and try to mitigate its impact.
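One practical way for a security team to "be aware of what is publicly known" is to pull the URLs VirusTotal has already seen under the organization's own domains and review the ones that look like the verification tokens, claim codes and referral links shown earlier. The following is an added example, not code from the original post or from VirusTotal: it parses a listing shaped like the VirusTotal API v3 domain-to-URLs relationship response and flags URLs whose query parameters or path segments look like secrets. The response it runs on is a constructed sample with invented example.com URLs; the live lookup function is only used when a VT_API_KEY environment variable (an assumed name) is present, and the parameter-name and opaque-value heuristics are this example's own, so tune them to your own URL conventions.

```python
import json
import os
import re
import urllib.request
from urllib.parse import parse_qsl, urlparse

# Query-parameter names that commonly carry one-time or bearer secrets.
SECRET_PARAM_RE = re.compile(r"token|code|key|verify|confirm|invite|reset|session|auth|sig", re.I)
# A long run of URL-safe characters with no separators reads like an opaque secret.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def classify_url(url):
    """Return a short reason if the URL looks like it embeds a secret, otherwise None."""
    parts = urlparse(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SECRET_PARAM_RE.search(name):
            return f"query parameter '{name}' is named like a secret"
        if OPAQUE_VALUE_RE.match(value):
            return f"query parameter '{name}' carries an opaque {len(value)}-character value"
    for seg in parts.path.split("/"):
        # Requiring both letters and digits rules out plain words such as /documentation/.
        if OPAQUE_VALUE_RE.match(seg) and re.search(r"\d", seg) and re.search(r"[A-Za-z]", seg):
            return f"path segment '{seg[:6]}...' looks like an opaque token"
    return None


def flag_sensitive_urls(vt_response):
    """Walk a VirusTotal API v3 URL listing and return (url, reason) pairs worth reviewing."""
    flagged = []
    for obj in vt_response.get("data", []):
        url = obj.get("attributes", {}).get("url")
        if not url:
            continue
        reason = classify_url(url)
        if reason:
            flagged.append((url, reason))
    return flagged


def fetch_domain_urls(domain, api_key, limit=40):
    """Live lookup: URLs VirusTotal has seen under a domain (v3 'urls' relationship)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/domains/{domain}/urls?limit={limit}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like a v3 response; these are not real VirusTotal records.
SAMPLE_RESPONSE = {
    "data": [
        {"type": "url", "id": "sample-1", "attributes": {
            "url": "https://account.example.com/verify?email=jane%40example.com&token=Zk9qX3Bzb1R0cmFuc2l0X2hv"}},
        {"type": "url", "id": "sample-2", "attributes": {
            "url": "https://www.example.com/products/list?page=2"}},
        {"type": "url", "id": "sample-3", "attributes": {
            "url": "https://pay.example.com/claim/7Hk2pQ9vLm3nXs8wRt4yUi6o"}},
        {"type": "url", "id": "sample-4", "attributes": {
            "url": "https://www.example.com/downloads/driver-installer-v451.48.exe"}},
    ]
}

if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")
    response = fetch_domain_urls("example.com", api_key) if api_key else SAMPLE_RESPONSE
    for url, reason in flag_sensitive_urls(response):
        print(f"{reason}: {url}")
```

Run on the constructed sample, the verification link and the claim code are flagged while the product listing and the driver download are not. Anything flagged is a candidate for the mitigations the organization actually controls: expiring or single-use tokens, invalidating tokens that have already surfaced, and keeping secrets out of URLs in the first place, since the upload itself cannot be prevented.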
Last updated for accuracy: July 27, 2020.