(LosBuntu: VirusTotal)

{ Configure VirusTotal API KEY with Perl and Curl }

Section 0: Background Information

What is the scenario?
- Incident Response Engineers often need to analyze mountains of data very quickly for malware and abnormalities. Consequently, interrogating each executable with one Anti-Virus scanner is not only time consuming, but very inefficient. Accordingly, most Anti-Virus Scanners don't have the resources to alert on everything. But what if there is way to remotely query all the most popular Anti-Virus Scanners using a simple Perl Script?
- The following lesson will walk you through setting up your VirusTotal API Key with a Perl Script to remotely query VirusTotal. In addition this Perl Script will simultaneously create a simply spreadsheet to display Anti-Virus Scanner results for management using the KISS methodology.
What is VirusTotal?
- VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. VirusTotal aggregates 55 antivirus products and 61 online scan engines to check for viruses that the user's own antivirus may have missed, or to verify against any false positives.
What is LosBuntu?
- I wanted to thank my good friend Carlos Cajigas (@carlos_cajigas) for creating LosBuntu and for his generous guidance and mentorship in Cyber Forensics.
- LosBuntu is a Linux Live DVD distribution (distro) that can be used to assist in data forensic investigations. It is a compilation of Master Cajigas' many years of experience as a former law enforcement agent and IBM forensics investigator.
Reference
- http://www.mashthatkey.com/2014/09/using-curl-to-retrieve-virustotal.html
Pre-Requisite Lab
- LosBuntu: Lesson 3: Create LosBuntu Virtual Machine
Lab Notes
- In this lab we will do the following:
  1. Join the VirusTotal Community
  2. Obtain VirusTotal API Key
  3. Configure VirusTotal Perl Script
  4. Test VirusTotal Perl Script
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2016 No content replication of any kind is allowed without express written permission.

Section 1: Power On the LosBuntu VM

Open VMware Player on your windows machine.
- Instructions:
  1. Click the Start Button
  2. Type "vmware player" in the search box
  3. Click on VMware Player
Edit Virtual Machine Settings
- Instructions:
  1. Select LosBuntu
  2. Click Edit Virtual Machine Settings
Configure Memory
- Instructions:
  1. Click on Memory.
  2. Up the memory to 1 GB
- Note(FYI):
  - LosBuntu really needs 1.5 to 2 GB; however, you are only configuring MimiKatz with Volatility in this lesson.
  - Do NOT Click the OK Button, we still have more to configure.
Configure CD/DVD(IDE)
- Instructions:
  1. Click on CD/DVD(IDE)
  2. Device status: Check Connect at power on
  3. Connection: Click Use physical drive
  4. Select Auto detect
- Note(FYI):
  - Do NOT Click the OK Button, we still have more to configure
Configure Network Adapter
- Instructions:
  1. Click on Network Adapter
  2. Device status: Check Connect at power on
  3. Network Connection: Click NAT: Used to share the ....
  4. Click the OK Button
Play LosBuntu Virtual Machine
- Instructions:
  1. Select LosBuntu
  2. Click Play virtual machine

Section 2: Login to LosBuntu

Login to LosBuntu
- Instructions:
  1. Password: mtk
  2. Press <Enter>
Open Terminal Windows
- Instructions:
  1. Click on the Terminal Window
Become root
- Instructions:
  1. sudo su -
  2. password: mtk
  3. pwd
- Note(FYI):
  - Command #1, Use (sudo su -) to simulate an initial root login where the /etc/profile, .profile and .bashrc are executed. Not only will the root user's environment be present, but also the root user will be placed in it's own home directory (/root).
  - Command #2, Use (pwd) to display the current working directory of the particular user.
Obtain IP Address
- Instructions:
  1. ifconfig -a
  2. Record Your IP Address
- Note(FYI):
  - Command #1, Use (ifconfig) to view all (-a) IP Addresses associated with LosBuntu. You should only have two interfaces: eth0 and lo.
    - eth0 - Is the primary interface. In my case, the IP Address is 192.168.121.203.
    - lo - Is the local loopback address. The loopback address is used to establish an IP connection to the same machine or computer being used by the end-user. The loopback construct gives a computer or device capable of networking the capability to validate or establish the IP stack on the machine.
  - If your host machine has Internet Connectivity, but LosBuntu does not have an IP Address associated with eth0, then issue the following command as root.
    - dhclient -v

Section 3: VirusTotal Registration

Search Icon
- Instructions:
  1. Click on the Search Icon
Start Firefox
- Instructions:
  1. Search for FireFox
  2. Click on the Firefox Web Browser Icon
Navigate to VirusTotal
- Instructions:
  1. Navigate to VirusTotal
    - https://www.virustotal.com
  2. Click on Join our community
- Note(FYI):
  - Command #1, The VirusTotal application allows you to submit and scan files again 60 of the most well known Anti-Virus databases.
Join VirusTotal Community
- Instructions:
  1. First Name
  2. Last Name
  3. Username
  4. Email
  5. Password: Do not use your actual email password.
  6. Confirm Password
  7. Click the Sign up Button
- Note(FYI):
  - In order to use their API, you must join the community. Trust me, their Cyber Kung-Fu is worth it.
VirusTotal Welcome Note
- Instructions:
  1. Click the Close Button
- Note(FYI):
  - A message was sent to your email address with further activation instructions.

Section 4: VirusTotal API Key

View VirusTotal Email
- Instructions:
  1. Go to your Inbox and click on the message from VirusTotal
    - Subject: VirusTotal Community account activation
VirusTotal Activation Code
- Instructions:
  1. Click the Activation Link
- Note(FYI):
  - Obviously, my link will be different than yours.
VirusTotal Sign in
- Instructions:
  1. Click the Sign in Button
VirusTotal Login
- Instructions:
  1. Supply Username or email
  2. Supply Password
  3. Click the Sign in Button
Access API Key
- Instructions:
  1. Click on Your Name
  2. Click on My API key
Copy API Key
- Instructions:
  1. Highlight and Right Click on Your Name
  2. Select Copy
Search Icon
- Instructions:
  1. Click on the Search Icon
Open gedit
- Instructions:
  1. Search for: gedit
  2. Click on the gedit text editor
Paste Key
- Instructions:
  1. Edit --> Paste
Save File (Part 1)
- Instructions:
  1. Edit --> Save As
Save File (Part 2)
- Instructions:
  1. Name: VT_KEY.txt
  2. Click on Home
  3. Click the Save Button
- Note(FYI):
  - Command #1, This is the file that will contain your virus total api key.

Section 5: Download VirusTotal Perl Script

Open Terminal Windows
- Instructions:
  1. Click on the Terminal Window
- Note(FYI):
  - Command #1, Clicking on the Terminal Window icon will display your previous Terminal Window, if you already did not close it.
Download VirusTotal Perl Script
- Instructions:
  1. wget http://www.computersecuritystudent.com/FORENSICS/LosBuntu/lesson5/parse_VT.pl.TXT
  2. mv parse_VT.pl.TXT parse_VT.pl
  3. chmod 700 parse_VT.pl
  4. ls -l parse_VT.pl
  5. perl -c parse_VT.pl
- Note(FYI):
  - Command #1, Use (wget) to download a perl script that uses curl and a VirusTotal API key to POST a SHA-256 signature to the VirusTotal Application. This Perl Script is in no way associated with VirusTotal. It was written by (Computer Security Student, LLC) to demonstrate very basic perl programming and automation.
  - Command #2, Use (mv) to rename parse_VT.pl.TXT -to- parse_VT.pl.
  - Command #3, Use (chmod) to provide the owner of (parse_VT.pl) read(4), write(2) and execute(1) permission.
  - Command #4, Use (ls -l) to list the permission and ownership details of (parse_VT.pl).
  - Command #5, Use (perl -c) to allow the perl interpreter to check the grammar/code for syntax errors.
Scan Non-Malicious SHA-256 Hash
- Instructions:
  1. ./parse_VT.pl eb9da6ecf0de642b724a48db71e5b9d16a6b453553a22011e6965c20022712d3
- Note(FYI):
  - Command #1, The above SHA-256 Hash was taken from a non-infected cmd.exe file. The SHA-256 Hash was checked against VirusTotal's 65 Anti-Virus databases.
Scan Non-Malicious SHA-256 Hash
- Instructions:
  1. ./parse_VT.pl bfb609d3dff4f184caf9455124dda6eca706a62fa537953757fe3995087e347f
- Note(FYI):
  - Command #1, This SHA-256 Hash was taken from a (exploit/windows/local/bypassuac) stager. 40 out of 65 Anti-Virus engines were able to identify the stagger as malware (Backdoor, Trojan, etc).
View Primitive VirusTotal CSV
- Instructions:
  1. ls -l vt_log.csv
  2. head vt_log.csv
- Note(FYI):
  - A CSV file stands for Comma Separated Value. This file can be easily imported into a spreadsheet. Notice that each column is separated by quotes(") and commas(,).
    - E.g., "Column1","Column2","Column3"
  - Command #1, Use (ls -l) to view the permissions and ownership of the vt_log.csv file.
  - Command #2, Use (head) to view the first 10 lines of the vt_log.csv file.

Section 6: Convert VirusTotal Output to Spreadsheet

Search Icon
- Instructions:
  1. Click on the Search Icon
Open LibreOffice
- Instructions:
  1. Search For: libreoffice
  2. Click on LibreOffice
Open VirusTotal Spreadsheet (Part 1)
- Instructions:
  1. File --> Open
Open VirusTotal Spreadsheet (Part 2)
- Instructions:
  1. Click on the mtk folder
  2. Select the vt_log.csv file
  3. Click the Open Button
Import VirusTotal CSV File
- Instructions:
  1. Character set: Unicode (UTF-8)
  2. Separator options: Separated by
  3. Check Tab
  4. Check Comma
  5. Check Semicolon
  6. Click the OK Button
Turn on Auto Filtering
- Instructions:
  1. Data --> Filter --> AutoFilter
Filter by Detection
- Instructions:
  1. Select the Detect Down Arrow
  2. Uncheck false
  3. Click the OK Button
View VirusTotal Detection Results
- Note(FYI):
  1. The results display the Anti-Virus Scanners that detected the SHA-256 Hash to represent a Virus. This could make a nice clean simple report for management. Typically, upper level management does not like all the bells and whistles to contribute to their ADHD. So, it is best to practice KISS. (KISS = Keep It Simple Stupid).

Section 7: Proof of Lab

Resume Terminal Session
- Instructions:
  1. Click the Terminal Icon
Proof of Lab
- Instructions:
  1. cd /home/mtk
  2. perl -c parse_VT.pl
  3. grep "true" vt_log.csv | tail -5
  4. date
  5. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Note(FYI):
  - Command #1, Use (cd) to change directory into /home/mtk.
  - Command #2, Use (perl -c) to instruct the perl interpreter to analyze the code (parse_VT.pl) for proper syntax.
  - Command #3, Use (grep) to search vt_log.csv for the string(true), then use (tail -5) to display the last 5 lines of the output filtered by (grep).
- Proof of Lab Instructions:
  1. Do a PrtScn
  2. Paste into a word document
  3. Upload to Moodle