Tuesday, 17 August 2010

Virus Total Public API

Today I started to play with Virus Total Public API http://www.virustotal.com/advanced.html

My initial idea was to send files from the command line and get the results quickly, so I don't need a web browser or have to spend time uploading the file.

I read their initial samples/docs and built a mix of code using Python (mostly taken from their samples) and Perl (the only language I can try something in). By now what I have:

$ perl vt-auto.pl /LABS/pdf-basics/samples/AdamSamples/15

Sending file /LABS/pdf-basics/samples/AdamSamples/15 to Virus Total ...
Response from VT with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Waiting 120 seconds to wait file /LABS/pdf-basics/samples/AdamSamples/15 be scanned ...

Sending request fo Virus Total about /LABS/pdf-basics/samples/AdamSamples/15 with resource "86ee2f99a207d31ea2b69198dc2bf5e7c7946eeae7dacdd6032f2c050525bc07-1282091669"

Report Results for /LABS/pdf-basics/samples/AdamSamples/15 :
"nProtect": "Trojan-Exploit/W32.Pidief.16718.AV"
 "CAT-QuickHeal": ""
 "McAfee": "Exploit-PDF.b.gen"
 "TheHacker": ""
 "VirusBuster": "JS.Crypt.BSP"
 "NOD32": "PDF/Exploit.Pidief.AUT"
 "F-Prot": "JS/Psyme.HU"
 "Symantec": "Trojan.Pidief.D"
 "Norman": "JS/Shellcode.GS"
 "TrendMicro-HouseCall": "TROJ_PIDIEF.ADY"
 "Avast": "JS:Pdfka-PO"
 "eSafe": "PDF.Exploit.2"
 "ClamAV": "Suspect.PDF.ObfuscatedJS-5"
 "Kaspersky": "Exploit.Win32.Pidief.aut"
 "BitDefender": "Exploit.PDF-JS.Gen"
 "ViRobot": ""
 "Sophos": "Mal/PdfEx-C"
 "Comodo": "TrojWare.Win32.Exploit.Pidief.aut"
 "F-Secure": "Exploit.PDF-JS.Gen"
 "DrWeb": "Exploit.PDF.166"
 "AntiVir": "EXP/Pidief.JX"
 "TrendMicro": "TROJ_PIDIEF.ADY"
 "Emsisoft": "Exploit.Pidief!IK"
 "eTrust-Vet": "PDF/Pidief.IQ"
 "Authentium": "PDF/Obfusc.D!Camelot"
 "Jiangmin": ""
 "Antiy-AVL": "Exploit/Win32.Pidief"
 "Microsoft": "Exploit:Win32/Pdfjsc.AS"
 "SUPERAntiSpyware": ""
 "Prevx": ""
 "GData": "Exploit.PDF-JS.Gen"
 "AhnLab-V3": "PDF/Shellcode"
 "VBA32": ""
 "Sunbelt": "Exploit.PDF-JS.Gen (v)"
 "PCTools": "Trojan.Pidief"
 "Rising": ""
 "Ikarus": "Exploit.Pidief"
 "Fortinet": ""
 "AVG": "Exploit"
 "Panda": ""
 "Avast5": "JS:Pdfka-PO"

Detection : (31/41)

I'll improve and fix the code so I can share it, because right now that's impossible. The 120 seconds that I wait is just to make sure that the scan finishes before I try to retrieve the results, but sometimes, depending on file size, it'll probably fail.
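As an added example (not the author's vt-auto.pl, and not VirusTotal's own code), the fixed 120-second sleep can be replaced by polling for the report until it exists. The HTTP request is left to a caller-supplied `fetch` function, because the endpoint details are not given on the page; the sample report below is constructed from a subset of the engines listed above.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample shaped like the report printed above:
# engine name -> detection name, empty string when the engine saw nothing.
SAMPLE_REPORT: Dict[str, str] = {
    "nProtect": "Trojan-Exploit/W32.Pidief.16718.AV",
    "CAT-QuickHeal": "",
    "McAfee": "Exploit-PDF.b.gen",
    "TheHacker": "",
    "VirusBuster": "JS.Crypt.BSP",
    "ClamAV": "Suspect.PDF.ObfuscatedJS-5",
}

def summarize(report: Dict[str, str]) -> Tuple[int, int]:
    """Return (engines that flagged the file, engines that answered),
    i.e. the numbers behind a 'Detection : (31/41)' line."""
    detected = sum(1 for verdict in report.values() if verdict)
    return detected, len(report)

def wait_for_report(fetch: Callable[[str], Optional[Dict[str, str]]],
                    resource: str, attempts: int = 40, interval: float = 15.0,
                    sleep: Callable[[float], None] = time.sleep,
                    ) -> Optional[Dict[str, str]]:
    """Poll `fetch(resource)` until it returns a report or `attempts` run out.
    `fetch` is assumed (hypothetical) to return None while the scan is still
    queued, so a large file simply takes more rounds instead of failing."""
    for attempt in range(1, attempts + 1):
        report = fetch(resource)
        if report is not None:
            return report
        if attempt < attempts:
            sleep(interval)
    return None  # scan never finished within attempts * interval seconds

if __name__ == "__main__":
    # Simulated backend: queued for two rounds, then the report appears.
    queue = [None, None, SAMPLE_REPORT]
    resource = "<sha256>-<timestamp>"  # placeholder for a real scan id
    report = wait_for_report(lambda r: queue.pop(0), resource, interval=0)
    for engine, verdict in report.items():
        print(f' "{engine}": "{verdict}"')
    detected, total = summarize(report)
    print(f"Detection : ({detected}/{total})")
```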

Nice resource from the VirusTotal team, congratulations!

Happy Hacking!

Rodrigo "Sp0oKeR" Montoro
