Opening the Blackbox of VirusTotal

Peng, Peng; Yang, Limin; Song, Linhai; Wang, Gang

doi:10.1145/3355369.3355585

Cited by 62 publications

(16 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To reduce the effect of false positives from individual scanners, we examined websites that were detected as malicious by at least two online scanners. We note that this approach is consistent with the best practice used in many papers that make use of multiple engines/vendors of VirusTotal for the labeling task [16]. As a result, we found that the number was 357, which accounted for roughly 4% of the active Cov19doms websites.…”

Section: Malicious Activities Using Cov19domssupporting

confidence: 84%

A First Look at COVID-19 Domain Names: Origin and Implications

Kawaoka

Chiba

Watanabe

et al. 2021

Passive and Active Measurement

View full text Add to dashboard Cite

This work takes a first look at domain names related to COVID-19 (Cov19doms in short), using a large-scale registered Internet domain name database, which accounts for 260 M of distinct domain names registered for 1.6 K of distinct top-level domains. We extracted 167 K of Cov19doms that have been registered between the end of December 2019 and the end of September 2020. We attempt to answer the following research questions through our measurement study: RQ1: Is the number of Cov19doms registrations correlated with the COVID-19 outbreaks?, RQ2: For what purpose do people register Cov19doms? Our chief findings are as follows: (1) Similar to the global COVID-19 pandemic observed around April 2020, the number of Cov19doms registrations also experienced the drastic growth, which, interestingly, pre-ceded the COVID-19 pandemic by about a month, (2) 70% of active Cov19doms websites with visible content provided useful information such as health, tools, or product sales related to and (3) non-negligible number of registered Cov19doms was used for malicious purposes. These findings imply that it has become more challenging to distinguish domain names registered for legitimate purposes from others and that it is crucial to pay close attention to how Cov19doms will be used/misused in the future.

show abstract

Section: Malicious Activities Using Cov19domssupporting

confidence: 84%

A First Look at COVID-19 Domain Names: Origin and Implications

Kawaoka

Chiba

Watanabe

et al. 2021

Passive and Active Measurement

View full text Add to dashboard Cite

show abstract

“…When we request VirusTotal to scan a URL, it evaluates the maliciousness of about 90 different types of anti-virus software and returns the results to us. Several studies [32,46,55,61,67] used VirusTotal as a metric for evaluation. Then it is appropriate for our study to evaluate how much of the information collected from Twitter are actually malicious URLs.…”

Section: Comparison Of Maliciousness Using Virustotalmentioning

confidence: 99%

“…If VirusTotal had no previous scan results, we requested a scan and obtained the scan results. VirusTotal has also seen cases of false positives from anti-virus vendors [46]; therefore, URLs identified as malicious/suspicious by one anti-virus vendor are not necessarily phishing URLs. As a result, in our study, we compared URLs flagged as malicious/suspicious by at least one and five anti-virus vendors in VirusTotal with CrowdCanary and two existing systems.…”

Section: Comparison Of Maliciousness Using Virustotalmentioning

confidence: 99%

“…The first step in timely combatting this ever-increasing number of phishing attacks is to collect a wider range of phishing cases that reach end users and continue understanding their characteristics. In fact, to that end, numerous studies have been conducted to measure and analyze phishing attacks [26,31,37,46,58,60,61]. The facts about phishing and the weaknesses of the countermeasures revealed by these studies at that time have helped improve the coverage of spam filters in email services (e.g., Gmail and Outlook), web browser blocklists (e.g., Google Safe Browsing [3] and Microsoft Defender SmartScreen [4], threat feeds (e.g., PhishTank [6] and OpenPhish [5]), and security analysis engines (e.g., VirusTotal [10] and urlscan.io [9]).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

The rise in phishing attacks via e-mail and short message service (SMS) has not slowed down at all. The first thing we need to do to combat the ever-increasing number of phishing attacks is to collect and characterize more phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach using Twitter as a new observation point to immediately collect and characterize phishing cases via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports. We confirmed that 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine, demonstrating that CrowdCanary is superior to existing systems in both accuracy and volume of threat extraction. We also analyzed users who shared phishing threats by utilizing the extracted phishing URLs and categorized them into two distinct groups -namely, experts and non-experts. As a result, we found that CrowdCanary could collect information that is specifically included in non-expert reports, such as information shared only by the company brand name in the tweet, information about phishing attacks that we find only in the image of the tweet, and information about the landing page before the redirect.

show abstract

“…We were able to prove such behavior by creating a harmless PowerShell code to just display a "hello world" message and obfuscating the file using AES; this file was also detected as malicious by several antivirus programs. The file was uploaded to VirusTotal [77,78] on 18 May 2021, and it was labeled as malicious by 9 antivirus programs.…”

mentioning

confidence: 99%

Evaluation of Local Security Event Management System vs. Standard Antivirus Software

Pérez-Sánchez

Hielscher

2022

Applied Sciences

View full text Add to dashboard Cite

The detection and classification of threats in computer systems has been one of the main problems researched in Cybersecurity. As technology evolves, the tactics employed by adversaries have also become more sophisticated to evade detection systems. In consequence, systems that previously detected and classified those threats are now outdated. This paper proposes a detection system based on the analysis of events and matching the risk level with the MITRE ATT&CK matrix and Cyber Kill Chain. Extensive testing of attacks, using nine malware codes and applying three different obfuscation techniques, was performed. Each malicious code was analyzed using the proposed event management system and also executed in a controlled environment to examine if commercial malware detection systems (antivirus) were successful. The results show that evading techniques such as obfuscation and in-memory extraction of malicious payloads, impose unexpected difficulties to standard antivirus software.

show abstract

Opening the Blackbox of VirusTotal

Cited by 62 publications

References 31 publications

A First Look at COVID-19 Domain Names: Origin and Implications

A First Look at COVID-19 Domain Names: Origin and Implications

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Evaluation of Local Security Event Management System vs. Standard Antivirus Software

Contact Info

Product

Resources

About