Didier Stevens has created a nice little tool to submit malware samples to VirusTotal using python. The tool can be downloaded here. This is really handy for an intrusion analyst (as well as a malware researcher).
Consider this scenario: You're investigating an alert and pull the packets for the session that generated it. You discover the user downloaded, intentionally or not, a binary from some site, purpose unknown. You wget or curl down the file and inspect it with hexedit or bless, but can't determine for certain whether it's malicious or not.
Run virustotal-submit.py and submit the file right from your packet box. No need to transfer the file to another box to submit it (I'm assuming you're not running X on your packet audit box). And you can build this into your own scripts and tools for automated submission (the public API has a limit of four files per minute).
You'll need a couple things to run the tool. There's one dependency, the python module "poster", found here. And you'll need a VirusTotal public API key. All you need to do to get one is create an account on the site at http://www.virustotal.com. Your key will be in your Community profile after you log in.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
No comments:
Post a Comment