VirusTotal += Mac OS X execution

We previously announced sandbox execution of Windows PE files in 2012, and Android in 2013.  We are happy to announce equal treatment for Mac OS X  apps. Files scanned that are Mach-O executables, DMG files, or ZIP files containing a Mac app, will be sent to the sandbox in order to produce behavioral reports.

Users may scan these file types directly on www.virustotal.com, with our OS X Uploader app, or via the API.

As before, users with private API or "allinfo" privileges will see this information in the API responses. For VirusTotal Intelligence customers the information is also indexed and searchable.

Here are a couple of example reports, have a look at the "Behavioural information" tab...

DMG files:

• https://www.virustotal.com/file/22569f42180fbb3ea333d0ca9a8573c2edf3465f3a18a36e4ea7755b34a5fdc5/analysis/1446818987/
• https://www.virustotal.com/en/file/b3606a398ddcbc2833024e128d225f28d6801325be2b3c63a8571a169690376e/analysis/

Mach-O files:

• https://www.virustotal.com/file/58507bcfc4441edead0cb4acca3d60cf55d3d5a3563b3e20ffa4843b156d9cfd/analysis/
• https://www.virustotal.com/en/file/d295807085c96cabe5b4344d0ff2a6eaea6b7eecece859cedf61584670cd4fdf/analysis/

ZIP files with an Mac app inside:

• https://www.virustotal.com/file/ee6409be3374200b92ac9c85ff2647ab498ce03116d665985481a4a025a13ad0/analysis/
• https://www.virustotal.com/file/0b8e83649f8ad3c62fde92c2b944c2180718633c6fcf5815dd1902208f3e35d6/analysis/

If you find issues, or have suggestions to improve the Mac sandbox please send an email to contact [at] virustotal [dot] com.

Read More

KnockKnock += VirusTotal

In October 2013 we announced that Windows Sysinternals Sigcheck was adding integration with VirusTotal in order to help its users with malware triage. Thereafter, Mark Russinovich has continued to plug VirusTotal into other tools commonly used by malware and forensics analysts, namely Sysinternals Autoruns and Sysinternals Process Explorer.

Today we are excited to announce that Patrick Wardle has included VirusTotal information in the Mac OS X equivalent of Autoruns: KnockKnock. In his own words:

"KnockKnock... Who's There?" See what's persistently installed on your Mac!
Malware installs itself persistently, to ensure it is automatically executed each time a computer is restarted. KnockKnock (UI) uncovers persistently installed software in order to generically reveal such malware.

This tool is extremely useful when performing a quick malware hunt down in Mac OS X systems, and the integration with VirusTotal gives further momentum to all the efforts we have been conducting in helping secure Mac OS X users: tools to further characterize Mac OS X executables, VirusTotal Uploader for OS X, etc.

If you want to learn more about KnockKnock and download it, do not hesitate to visit the project's site: https://objective-see.com/products/knockknock.html.

Read More

A closer look at Mac OS X executables and iOS apps

Virustotal has always been able to scan and provide verdicts for Mac OS X executables and iOS apps, these are just some examples:
https://www.virustotal.com/en/file/b9fb26c553e793ac4c598a67447f67c85eb9e561a9b7722667f7f45e34e2f71c/analysis/
https://www.virustotal.com/en/file/c5030830203c3bf67ef49af6908cbeb6aa234fe0346d8d9ebf85d4dd5d7482be/analysis/
https://www.virustotal.com/en/file/63149fe9e2efd94d666402d637d921a6ca4dd73dcda318a7fcc82c274175d19a/analysis/
Actually, scanning capabilities regarding certain file types is a common end-user misconception, virustotal will scan any binary content, with independence of its file type, as antivirus vendors will develop signatures for any file type and target OS with independence of the OS that hosts the engines running in virustotal.

This said, two weeks ago we silently introduced a new tool to further characterize Mac OS X executables and iOS apps, extracting interesting static properties from these types of files, similar to what the pefile python module does for Portable Executables.

The new tool will extract file header information (e.g. required architecture and sub-architecture, flags, magic string, etc.), the file segments and its inner sections, any shared libraries that the executable makes use of, load commands and signature information whenever the mach-o happens to be code signed.

In the event that the Mac OS X executable is a universal binary containing mach-o files for several target systems, a characterization of each one of the embedded files will be provided. You may refer to the file details tab of the above reports in order to see an example of this new set of information.

As to iOS apps, the new tool will not only characterize the executable providing the application's main functionality, it will also generate metadata regarding the package itself (property list configuration information and embedded mobile provision data) and iTunes details.

As you may notice, this tool follows the trend of what we recently implemented regarding ELF files, hopefully it will also help in spotting and studying threats targeting Mac OS X and iOS.

Read More