
Monday, April 08, 2013


Passive DNS API

Last week we announced the inclusion of passive DNS data in VirusTotal. Today we are excited to let you know that we have included two new API calls to automatically query this data and build tools and plugins with our dataset:

https://www.virustotal.com/documentation/public-api/#getting-ip-reports
https://www.virustotal.com/documentation/public-api/#getting-domain-reports

When we released the web interface passive DNS search feature many users already wanted to build tools around it:


Now that the API is in production it is absolutely safe to start implementing your ideas, not only do we allow you to do so but also strongly encourage you to take advantage of this API.

As you may have noticed, rather than a dedicated API to retrieve exclusively passive DNS data, these are calls to gather information regarding IP addresses and domains. It has been built this way because we intend to extend the fields present in the returned JSON. As of right now the detected_urls field might be present; this field records the latest URLs detected by at least one URL scanner as malicious and hosted at the queried host. In the near future we would like to include other notions such as:
  • What were the latest malware samples that communicated with the given host?
  • What were the latest malware samples downloaded from the given host?
  • What were the latest malware samples that contained the given host in their strings dump?
  • Have we seen a particular exploit kit hosted at the given host?
And many more exciting features that we will keep to ourselves in order to keep you reading our blog :P
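As an added example (not VirusTotal's own code), here is a small Python client that fetches one of these reports and answers two of the passive DNS questions from it: which addresses a domain resolved to and when, and which URLs on the host were flagged. The vtapi/v2 endpoint paths and the resolutions/detected_urls field names are assumptions about the linked documentation; the sample response is constructed.

```python
import json
import urllib.parse
import urllib.request

# Assumption: the v2 report endpoints behind the documentation links above.
API_BASE = "https://www.virustotal.com/vtapi/v2/"

def fetch_report(kind, value, apikey):
    """Fetch a report; kind is 'domain' or 'ip-address' (assumed endpoint names)."""
    param = "domain" if kind == "domain" else "ip"
    query = urllib.parse.urlencode({param: value, "apikey": apikey})
    with urllib.request.urlopen(API_BASE + kind + "/report?" + query) as resp:
        return json.load(resp)

# Constructed sample response (not real data): a resolutions list plus the
# detected_urls field the post describes. Field names are assumptions.
SAMPLE_DOMAIN_REPORT = json.loads("""{
  "response_code": 1,
  "resolutions": [
    {"last_resolved": "2013-03-02 00:00:00", "ip_address": "198.51.100.7"},
    {"last_resolved": "2013-04-01 00:00:00", "ip_address": "203.0.113.9"},
    {"last_resolved": "2013-03-20 00:00:00", "ip_address": "198.51.100.7"}
  ],
  "detected_urls": [
    {"url": "http://example.test/dl/a.exe", "positives": 5, "total": 40,
     "scan_date": "2013-04-03 10:00:00"},
    {"url": "http://example.test/index.html", "positives": 0, "total": 40,
     "scan_date": "2013-04-02 09:00:00"}
  ]
}""")

def resolution_history(report):
    """Collapse resolutions into (name, first_seen, last_seen), oldest first.
    Domain reports key each resolution by ip_address, IP reports by hostname;
    a report with no resolutions (e.g. response_code 0) yields an empty list."""
    seen = {}
    for r in report.get("resolutions", []):
        key = r.get("ip_address") or r.get("hostname")
        ts = r.get("last_resolved", "")
        first, last = seen.get(key, (ts, ts))
        seen[key] = (min(first, ts), max(last, ts))
    return sorted(((k, f, l) for k, (f, l) in seen.items()), key=lambda t: t[1])

def flagged_urls(report, min_positives=1):
    """URLs flagged by at least min_positives scanners, newest scan first."""
    hits = [u for u in report.get("detected_urls", []) if u.get("positives", 0) >= min_positives]
    return sorted(hits, key=lambda u: u.get("scan_date", ""), reverse=True)

if __name__ == "__main__":
    for name, first, last in resolution_history(SAMPLE_DOMAIN_REPORT):
        print(f"{name:16} {first} .. {last}")
    for u in flagged_urls(SAMPLE_DOMAIN_REPORT):
        print(f"{u['positives']}/{u['total']} {u['url']}")
```

Swap SAMPLE_DOMAIN_REPORT for the result of fetch_report() to run the same two functions against a live report.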


Monday, April 01, 2013


VirusTotal += Passive DNS replication

Passive DNS replication is a technology which constructs zone replicas without cooperation from zone administrators, based on captured name server responses. As explained by Merike Kaeo from the Internet Systems Consortium in this presentation, the main idea behind passive DNS is as follows:
  • Inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.
  • After being processed, individual DNS records are stored in a database where they can be indexed and queried.
As such, passive DNS can help in answering the following questions:
  • Where did this domain name point to in the past? 
  • What domain names are hosted by a given nameserver? 
  • What domain names point into a given IP network? 
  • What subdomains exist below a certain domain name?
It is, thus, obvious that passive DNS may be very useful in malware investigations, as it may help researchers discover network infrastructure operated by the same group of criminals, other domains being used to distribute a given malware variant, algorithm-governed C&C communication points, etc.

There are plenty of amazing passive DNS services out there, for example BFK passive DNS replication. We do not intend to compete with these services but rather to offer the security community the perspective VirusTotal has regarding network infrastructure involved in malicious incidents. VirusTotal visits many URLs related to malware and executes thousands of samples per day that communicate with certain domains; as such, we have a privileged position when it comes to passive DNS focused on malware research.

Not so long ago we started to record domain resolutions, exclusively address (A) records, and we are now offering this feature via our standard search form. If you search for an IP address you will be redirected to a site with passive DNS information for that address:


Similarly, if you use the domain:example.domain.com search modifier you will be redirected to a site with information regarding the given domain:


We are really excited about this new feature, not only because it is going to help the security community but because it opens the door to future improvements of the IP address and domain information panes. Wouldn't you love to be able to answer the following questions?
  • What were the last malicious files downloaded from a given host?
  • What were the latest executed malware samples that communicated with the given host?
  • Has this host been seen to use some exploit kit?
  • What were the latest malicious URLs identified at the particular host?
  • What were the latest submitted malware samples that contained the particular host in their strings?
  • And a very long etcetera.
With this new feature there is also a commitment from our side to work on answering these questions so that you can make your malware investigations more productive.