Blog VirusTotal

VirusTotal Uploader in PC World's '101 Fantastic Freebies' List

We were informed yesterday that VirusTotal Uploader, our small tool to submit files to VirusTotal via Windows context menu, has won an award in the US edition of PC World and has been published in their '101 Fantastic Freebies' list, in fact heading their security section. Thanks a lot guys!

Deleting the option "Do not distribute the sample"

In the last few days, several articles have been published (1,2,3,4), pointing to the "Do not distribute the sample" option in VirusTotal as a tool used by malware developers to avoid detection by AV engines. The reality is quite different and this is a mistaken interpretation. Nevertheless, as a preventive measure, we have agreed with AV developers to delete the "Do not distribute the sample" option from the VirusTotal website, as to prevent potentially malicious uses of that option.

When we launched VirusTotal back in 2004, the non-distribution option was intended to allow the analysis of files and documents containing sensitive data with the complete certainty they would not be sent to AV labs at all. Until now, the main use of this option has been the aforementioned: Analyzing Word files, PowerPoint presentations, PDF files, etc., that contained sensitive data.

Besides this initial function, afterwards we realized other alternative uses could be applied, by both, computer security professionals and malware specialists, as well as malware developers. As explained in the post "The Darker Side of Online Virus Scanners" in Kaspersky's blog, malware developers do not trust VirusTotal and have found their own methods to test their creations in multi-AV services.

Although in the story from Kaspersky a pay underground service becomes the anecdote, at Hispasec we have been aware of underground tools, ready for download, that automatically analyze samples with over 20 AV products in your own computer. These tools use free/shareware/pirated versions of the AV engines that the AV developers make available for download in their own websites. Also, the online AV services based on ActiveX and similar services can be used individually for detection tests in your own computer without sending the malware to third parties.

Example of underground tool

There is an additional technical reason that renders VirusTotal useless for malware developers to learn how to get around the detection of AV engines. Recently, AV solutions have incorporated new technologies, such as detection by behavioral analysis, that aren't available in the classical AV engines based on signatures and heuristic analysis of code that are used in online services. In order to test whether a specimen of malware is detected by these new technologies, the malware must be executed in a system with the AV program installed and activated. This is the reason why professional malware developers maintain many virtual machines with different AV solutions installed in order to execute and test their samples locally, without using online services such as VirusTotal.

So, should AV developers remove their online AV programs? Should they stop providing demo versions of their AV programs to avoid a potentially malicious use? Obviously, we do not think so. If those measures were taken, the worst affected would be legitimate users, since malware developers would still use AVs fraudulently, with pirated versions or properly acquired versions. We mustn't forget that there is a true industry with plenty of resources, ready to make loads of money, behind most current malware.

The use of the non-distribution option was mainly legitimate. Honeypots, CERTs, AV labs, and malware specialists frequently used this option in different processes. Precisely, AV labs knew our non-distribution option worked for sure since they could test this option anonymously and check whether they received the sample or not, while malware developers had no way of testing our system at VirusTotal and hence their lack of trust in our non-distribution option.

Besides all that has been said, we must clarify that the default use of distribution vs. non-distribution was overwhelming. Over 85% of all samples identified as malware in VirusTotal were submitted as distributable, and automatically forwarded in real time to all AV labs whose engines did not detect said samples.

Nevertheless, at VirusTotal we find appropriate to delete the anonymous and indiscriminate non-distribution option in our website to avoid possible suspicions on the use of VirusTotal. We apologize if this measure proves to be inconvenient for the people who used this option legitimately.

VirusTotal is a reliable service that works in close collaboration with the AV industry. All functionalities and decisions in VirusTotal are agreed upon with all AV developers that participate in our service, and we are open to all suggestions about improving our service so it proves more helpful for our community.

Permalinks for VirusTotal Results

The increasing number of AV engines and the new web interface that we started using a few months ago for VirusTotal have meant, as an undesirable side effect, a more difficult time when doing a screen capture of the complete results of an analysis to publish them in web pages.

Although we introduced the new function "Compact" in the results page, that allows the user to compress a report and view it in several formats to avoid scrolling and to make copying & pasting easier, we have realized it would be far more convenient to be able to use links to refer to results.

Until yesterday, URLs referring to VirusTotal results would expire within 20 minutes. From now on, URLs referring to VirusTotal results will be active for days and will never expire once they are linked and visited.

This way, instead of doing a screen capture or copying data, we will be able to refer to specific analysis results by using a link to the URL that appears in the browser, for instance: http://www.virustotal.com/resultado.html?726c9e52b80f4e52e39d9008e980aeab

Changes in the web interface

We're adding some new stuff to the VT web interface. One of them is adding new languages, something that has been possible because a lot of people helped us with translations to languages like Polish, Czech, German, Hungarian and Chinese. Other people are sending us new tanslations so we'll soon include other languages like Brazillian Portuguese and Italian among others. I want to thank to this people for this great work (their names appear in the 'About' section) :) Besides that, and basically because the inclusion of that languages, we've changed the way to express the 'no virus found' in web reports. It has been changed to a simple '-', something more 'language neutral'. Frankly, I think it is also an improvement in legibility for identifying detections.

VirusTotal += Rising

We welcome Rising Antivirus to the list of engines used at VirusTotal. This is a quite large AV company with HQ at Beijing and a big share of the Chinese home user market.

PC World award for VirusTotal.com

PC World people honored VirusTotal.com as best Security Web Site in their '100 Best Products of 2007' awards. It is great for us to get this mention from a so renowned source. Thanks a lot guys!

VirusTotal Uploader

Small tool for sending samples to VirusTotal that you can download here. Once installed, you'll have the 'Send to -> VirusTotal' option in the Windows contextual menu when you right-click on a file. Once the file transfer is done, you'll get the reply through the web interface using your browser.

Comments, problems detected and suggestions are, as always, welcome.