[...] your host for the next two sessions, and I see that you all made it through the night. Unbelievable. I think you're more awake than I am. Anyway, we have two brilliant presentations ahead of us, and one of them is a very interesting story about VirusTotal from Randy Abrams. Actually, I've known Randy Abrams for how many years? I don't know, something like that. Way too long, I think. Anyway: from Microsoft, from ESET and from some other parties. Anyway, I would go and give the room to him at this moment. Randy, go ahead.

Good morning, and thank you for all showing up first thing in the morning on Friday. So I'm going to talk to you a bit about VirusTotal, as you probably guessed, and I'm going to tell you everything you need to know about VirusTotal on one slide: "I know you think you understand what you thought I said, but I'm not sure you realize that what you heard is what I meant." And for most people using VirusTotal, that describes it perfectly.

So, just a little bit about VirusTotal. It was started by Hispasec, the Spanish company. It was acquired by Google in September 2012, which kind of caused a ruckus in the security world, wondering what's going to happen. It's a cloud-based security resource. A lot of people call VirusTotal a virus scanning service; it's a lot more than that. They provide third-party analysis of files, URLs, domains, hashes, but they also do some of their own research and augment it with that, and they have a threat intelligence feed.

So this is the interface most people are familiar with: VirusTotal, where you tell it a file, a URL, whatever, and you submit it. But there are other ways to do it. There's a desktop application; it gives you a context menu, drag-and-drop. You can use email: if you put "scan" in the subject line it's going to return results like you would expect; if you put "scan+xml" you get XML. Email is the absolute lowest-priority way to submit something. For example, in researching the presentation two weeks ago I submitted a file, and it's not back yet, so I don't recommend email.

VirusTotal has a public API. I encourage you to sign up for the VirusTotal community; you'll get a free API key, unless you don't know how to use an API, like me. But if you do, go look; you don't need me to talk about it. I don't show it, but there is a private API that a lot of researchers in the room use, and it returns a much richer data set. There's also an Android application, which I kind of find funny: the little Androids know it, but evidently they don't know Google yet; it's all "submit to Google" for them.

So, who doesn't love a bunny rabbit, a cute bunny rabbit? Really, if you don't love a cute bunny rabbit, you've never seen a good recipe for a cute bunny rabbit. Okay, are all of you familiar with the killer Rabbit of Caerbannog? Okay, wow. This is referring to a Monty Python sketch where that little cute harmless bunny rabbit jumps up in the air and grabs your throat and kills you. In fact, it took a Holy Hand Grenade to kill that little whatever.

So I got an email one day, and it says "this is a cute little bunny rabbit," and it's got the executable attachment rabbit.exe, and tells me this is really funny. So of course I'm going to open it. Double click, and that's what would happen when you double click on it. And it's like, huh, I wonder what else happened. So I submitted it to VirusTotal, and this is interesting. I have only found a couple of descriptions of Zusy; there are a lot of variants, but the couple I have found are things like bots and downloaders and keystroke loggers. And I mean, this is pretty common. In this result: ALYac, Win-Trojan/Joke. We've got two languages here, Trojan and joke. What Gen:Variant? There are all kinds of detections here; it's all over the place.

So what is it? You know, we've got an Artemis. Artemis is McAfee cloud, so you can't tell what it is. Eight generic versions of Zusy; you know, it's kind of bad stuff. One generic malware. Ten detections that call it a joke somewhere in the name. A riskware. Nine Trojans; actually the rabbit wasn't one, but it included a Trojan.Joke. Two PUPs. And twenty-eight products did not detect this at all, as anything.

So I've got a riddle here for you. If "he" is "she", then who is "he"? And is a dog a fish? Is a dog a fish? Yes? No? Nobody's answering. What language are you speaking? If you're speaking Hebrew, then "he" means "she"; it's the Hebrew word for what we say "she". And "who" is "he". And then, yes, a dog is a fish; actually, typically it's spelled D-A-G, but it's pronounced "dog". So remember that Trojan joke: we're using two different languages here. So if I say I was out walking my dog in the snow when I ran into a friend of mine, do I mean a dog, or was I out walking my fish in the snow? "He was wearing a bikini": am I talking about a guy? I hope not, this is bad. Or was I saying she is wearing a bikini? "I always knew he was strange": am I talking about a guy, or a woman that appears to be from a different species?

So, is the bunny funny? Artemis: I can't tell. I suspect that it's a false positive, but I really can't tell you if that Artemis is saying it's a joke or a PUP or whatever. Zusy: almost certainly a false positive, except maybe some of the variants are, I don't know. Generic malware: that's a false positive; this is not generic malware. Joke: yes, this is a joke. Email me if you'd like a copy of rabbit.exe; it's a lot of fun to send to people. Well, you can't really send it in email unless you get them to unzip it. Riskware: okay, in the corporate environment, imagine that you're sitting in a call centre and someone opens this up and ten cubes all around hear "hey everybody, I'm watching porno". And the real risk is still to the person that sent it; there's no job anymore. Trust me, I don't have a job. Trojan: it's a false positive. Yeah, you can say any program can be a Trojan; I'll tell you what, you detect format (actually I think it's format.com) on the Virus Bulletin test: false positive. This is not a Trojan. PUP, potentially unwanted: who in here does not want rabbit.exe? And finally, no detection, and no detection is completely valid. There's nothing malicious about this program. There are no bad programs; there's bad people.

So I'm going to go into some myths about VirusTotal. One of them is that VirusTotal can be used for comparative testing, and I'm not going to address all of that; VirusTotal addresses it, they're tired of repeating that it's not used for comparative testing, and they're really, really nice. They say that if you're doing that you've got implicit errors in your methodology, which is a very polite way of saying you kind of don't know what you're doing at all.

Another myth: that VirusTotal detection of malware means that the antivirus scanner can detect the malware. Well, as VirusTotal explains, the versions they use are command line, and I can tell you from testing that a command-line version does not necessarily behave as the version with a GUI, and they can have different techniques. Having a command line does not use the full suite and all the capabilities to provide protection or detection. You can have desktop and gateway solutions on the same scan, and you cannot compare those for comparative testing; that's apples and oranges, or apples and fish and dogs. And then the developers, the researchers, can add their own command lines, which can dramatically increase or decrease your heuristic capabilities.

More geek mythology: lack of detection means the file is safe. You don't believe that, do you? Do I have to explain that to anyone in the audience? Please say no. Thank you. Well, there's some people who don't realize that because they can have custom detections, they can choose not to detect a file. They detect it, but they choose not to, because they don't want to tip their hands to the malware authors that are using VirusTotal. But you start getting into context. Let's assume that this file is completely and totally clean; in fact, the one I submitted is probably completely and totally clean, but that doesn't mean it's safe. If you look at this in the additional file detail, the certificate was explicitly revoked by the publisher. Now, I was curious: "Snooper" is a weird copyright, usually it's "Incorporated" or something. The research I did led me to believe that they're a valid publisher. They might have revoked the certificate because it got stolen; that's probable, I don't know. You could revoke a certificate because it's got such a bad security risk you don't want people installing it. But a clean detection: it may be harmless, but you probably don't want to run it. Another one: they saw a certificate out of validity. Someone could have forgotten to timestamp it, maybe the company went out of business, but this is important contextual information.

File not found. A lot of people think: this file came in under suspicious circumstances, it's not found, and extrapolate, okay, nobody detects this brand new unknown piece of malware. No, it just means VirusTotal hasn't seen it. In one case that happened, so I went to OPSWAT, to their MetaDefender, and it turns out if VirusTotal had that sample you would have seen at least three different products detecting it. So it's always good to get a second opinion, or third, or fourth; there's a lot of stuff out there.

False positive means false positive. That isn't exactly true. Like I said, vendors can withhold, they can add high heuristics, but this was really interesting: several scanners false-positived on Hello World. It was a debug version, and Steve Ragan (it was awesome) asked the vendors why it happened, and the responses were interesting. Iram said that the layers work in conjunction, and since they've only got the command line, that false positive could have been mitigated by additional components. Dr. Sven Krasser from CrowdStrike (read the article, he has some humorous stuff in there too): it works with several other layers of defense. ROG: no one, you know, just uses their dynamic machine learning engine or a static one; they've got dynamic, you can use multiple layers, so that false positive... Garneau from F-Secure: it wouldn't have triggered on the customer machine because they have mitigation, and F-Secure, like many vendors in this room, also has machine learning. Vincent Weafer for McAfee: it was on the gateway; it probably was a true false positive, if you want to call it that, on the gateway, heuristically. I think it's acceptable, but again, that would have been seen on the endpoint.

I loved how Ryan described this, because it's a valid approach: just because it doesn't do something bad, it doesn't mean you don't detect it; it doesn't appear to do anything good at all. And what he's talking about is application reputation. You get that in SmartScreen, you get that in Google Safe Search. It's a very valid way of blocking unknown malware; you're going to get some unknown clean files, and developers can get off of the bad application reputation list.

Here's one: false positive means false positive. Well, what about this, four out of, I mean, you know, 57? Is it a false positive at four? I don't care, it's adware, PUP, whatever, and in testing that's not a valid sample. Now, as a consumer I might care; I might not want it, and I might even say consistently some products detect more PUPs than others; their methodology, their decision-making is different, and I want the one that gets the PUPs too. But that's frequently also a configuration thing in the GUI.

Detection by more scanners is better coverage. Oh man, that one drives me nuts. The number of scanners that detect a file is not relevant as much as how many people in corporations are actually protected. So VirusTotal here, 32 out of 64: is that good coverage, bad coverage, mediocre coverage? Well, let's look at who's got it. AhnLab: this speaks to geography; geography makes a difference. AhnLab is in Korea, so we've got some Korean coverage here. Avast has a large market share. China. ESET has a large market share; Kaspersky does; Malwarebytes does too. However, Malwarebytes is a bit interesting, because frequently it's used after the fact; unless you have a paid version, it won't protect you as it comes in, but it's good for the techies that are trying to help a friend clean up. McAfee. Qihoo 360, China. Again Rising, China; China seems to have really good coverage; Tencent would make it better. Trend Micro. So we're seeing a lot of people being covered, but look who missed it: Microsoft and Symantec. That's a large number of people, and if Symantec had gotten that one, in this case you could have had ten scanners that detected it not detect it, and more people are protected. In fact, in this case, you know, 14 out of 58 looks like pretty poor protection, but Symantec got it, and that protected a heck of a lot of people; Qihoo and Rising, that whole some of China; you know, Kaspersky, ESET, Avast. So it's not the number of scanners, it's the number of people that they protect that matters for coverage.

Okay, malicious website means malicious website: another myth. This was an interesting one to me. The detection ratio: three sites said it's malicious. That's not uncommon; even with really malicious websites, it's not uncommon for just a couple to call it bad. But in this case that site is a legitimate political party, one of the oldest political parties in Hong Kong, and their site was compromised. And I found this very interesting: when you go to the URL there's this PHP file, and some of the data you can get from VirusTotal is what other file names we've seen it under. I'm not going to go through the whole step, but one of the other file names I saw was the name of a tool; it ended up with that zip, a zip and a PHP, as you know, but in the file name it said "arpan". And so what's arpan? Arpan is a Chinese website, and I don't read Chinese, so thank you Google for translating it for me, and you see this "Wi-Fi Universal Key". What could go wrong? So I go click on it and I come to the app information page: a QR code, you can just scan it and download it; there was below there a button for download, so I use the button, and what could possibly go wrong? So it's interesting that you can chain events together through the forensic information VirusTotal provides and find out where it ends up.

VirusTotal is not real-time protection, and they stress that; the quoted part is VirusTotal themselves. They don't replace other security products. They're fantastic, but that's not what they try to do. And so, because these presentations are supposed to be vendor-neutral, I'm going to show a couple of other scanning services. Jotti actually is the one that's closest to VirusTotal. They have fewer scanners, but some people hate VirusTotal, hate Google, so they're not going to do that, and Jotti is an alternative. For me, what I really liked about Jotti when I was researching this: VirusTotal is rolling out a new interface, it's pretty cool, but it's not throughout the world, and I started with the old interface, and I had to go to different countries for my VPN in order to get, you know, the same types of output, and the problem was that I point my VPN at Spain and everything's coming back in Spanish. Now, with Jotti you can actually choose what language you want to see, no matter what PoP you're coming out of.

Payload Security is another one. They have a hybrid scanner, they call it, strong on heuristics. In VirusTotal there's a little place where it has comments, and typically these comments are useless, but Payload's are typically really good. They provide some information, heuristic information, and it's pretty rich; it's like this: document, you know, risk assessment, remote access, fingerprinting the machine, it detects stealthiness, there's a variety, system security, a variety of heuristic indicators, which you combine with what VirusTotal just told you, and now you're getting some forensic information. And I like that they give "most recently submitted", because it's kind of fun to see what's been submitted most recently, what might be attacking me very soon.

There's NSS Labs. NSS no longer has the free version of CAWS, which is too bad, it was fun, but NSS isn't about virus scanning, they're not about malware scanning, they're really about providing threat information, and they do have a threat feed. But also, down below, this is more global; this "bypassing security products" is talking about a specific profile: what products that I choose in my environment that I want tested. So this was the interface, and they don't scan all file types; they're very exploit-centric, and so you have a limited set, and they're looking for exploits in the documents, etc. And so here I have Windows Defender, Barracuda and Fortinet, and you can see these detections are blocks; they're actually blocks, or exploits, all over the place, but it's cool that I can also choose applications in my environment.

Quttera Labs: their focus actually is on helping protect website owners, and they help get people off blacklists too, which is really important; it's a difficult thing to do. So one of their products is ThreatSign, and this explains basically any website built, managed, hosted on any platform; that's what they're trying to protect. It just happens that they also have a URL scanner, and they provide information about, like, how many files are being downloaded at the time. They also, like, this site has been blacklisted: if I'm a customer I want to know, has my site been blacklisted, you know, what was being downloaded, clean files, malicious files, suspicious files. So that's another resource for you.

And of course OPSWAT MetaDefender. As I showed earlier, there was a time when VirusTotal hadn't seen a file; OPSWAT did, and so I got that information, and you're going to find the reverse of it too. But I mean the scanning is just part of an overall service, and they have some really cool free tools that you can use also, and of course, you know, they've got a big portfolio. So yeah, you might call them competition, but they're really not; that's just integration with an existing infrastructure.

So, you know, I want to conclude with a few bullets. VirusTotal provides some great information that a lot of people don't understand is available. They provide threat intelligence, as do other companies; I don't think most companies' IT professionals are going to use only one threat feed. I don't really consider them competition for companies providing threat feeds as much as complementing a lot of contextual information. If you haven't gone to tabs other than "scan", oh man, go through it; there's really cool stuff. You'll get links to hashes where it'll tell you more things. If I had more time I would show you this huge chain of events where a file was clean, it's just it showed up with 30 other malicious files. And I really value VirusTotal, and I'm happy and grateful that Julio was willing to review the content for this presentation and make sure I didn't give you bad information that you would hammer me on. So if you have any questions, Julio's here.
