
VirusTotal Scanner

Malware analysis is a very exciting but long task. Sometimes instead of reinventing the wheel, you need to just check if the binary you’re analyzing has already been detected and analyzed by the major AntiVirus companies. There are various sites that allow you to submit binaries and check them against a large list of AV databases. I’ve written a short script here that’ll allow you to automate the process.

https://gist.github.com/Sp3ctr3/5689969

# avcheck.py: look up file hashes on VirusTotal (Python 3 version of the gist above)
import sys
import os
import hashlib
import urllib.parse
import urllib.request

try:
    from termcolor import cprint
except ImportError:
    print("[*]Please install termcolor[*]")
    sys.exit(1)
try:
    import simplejson as json
except ImportError:
    # simplejson is optional: the standard-library json module has the same API
    import json

URL = "https://www.virustotal.com/vtapi/v2/file/report"
API_KEY = "VIRUS_TOTAL_KEY"  # paste your VirusTotal API key here


def md5_of_file(path):
    """Hash the file in 10 KiB chunks so large binaries are not read into memory at once."""
    filehash = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(10240), b''):
            filehash.update(chunk)
    return filehash.hexdigest()


def check(rsc, file):
    """Query VirusTotal for the hash `rsc` and print a coloured verdict for `file`."""
    parameters = {"resource": rsc, "apikey": API_KEY}
    data = urllib.parse.urlencode(parameters).encode()
    req = urllib.request.Request(URL, data)
    try:
        response = urllib.request.urlopen(req)
        dt = json.load(response)
    except Exception:
        cprint(file + ": Server Error", "yellow")
        return
    # response_code 1 = report available, 0 = hash unknown to VirusTotal, -2 = still queued.
    # A hash VirusTotal has never seen is not evidence that the file is clean.
    if not dt or dt.get('response_code') != 1:
        cprint("%s UNKNOWN (no report on VirusTotal)" % file, 'yellow')
    elif dt.get('positives'):
        cprint("%s INFECTED Detections:%d AV" % (file, dt.get('positives')), 'red')
    else:
        cprint("%s CLEAN" % file, 'green')


if len(sys.argv) != 3:
    print("Usage:\n" + sys.argv[0] + " OPTIONS")
    print("OPTIONS:\n -f file_name\n -d directory_name")
    sys.exit(1)

if sys.argv[1] == "-d":
    for (path, dirs, files) in os.walk(sys.argv[2]):
        for file in files:
            check(md5_of_file(os.path.join(path, file)), file)
elif sys.argv[1] == "-f":
    check(md5_of_file(sys.argv[2]), sys.argv[2])

This Python script will scan the directory or the specific file that you specify and will send the MD5 hash (not the file itself) to the VirusTotal servers for checking. It will report whether the file is already known to be infected and, if it is, how many AV engines recognize it.

Please note that you need to have termcolor and simplejson installed on your system. Both can be installed via pip:

First install pip:

sudo apt-get install pip

Then install termcolor and simplejson modules via pip:

sudo pip install termcolor simplejson

For Windows users, prepackaged binaries are available at:

http://www.lfd.uci.edu/~gohlke/pythonlibs/


After you have installed both, you'll need to apply for an API key from VirusTotal. It's free and instantly available at www.virustotal.com. Once you get it, paste it into the script in place of VIRUS_TOTAL_KEY. Now your script is ready for scanning.

To scan a file run:

python avcheck.py -f FILE_NAME

To scan a directory:

python avcheck.py -d FOLDER_NAME

Detections will be displayed in red. Please note that the public API limits requests to 4 requests per minute, so a large directory needs to be scanned at that pace. If you need more, contact VirusTotal for a private API.
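The three pieces the script relies on, written out as an added example rather than the author's gist: hashing a file in chunks, turning a VirusTotal v2 file/report response into a verdict (distinguishing "never seen" from "clean"), and spacing lookups to the 4-per-minute public limit. The network call is replaced by a lookup function fed constructed, hash-keyed sample responses, so it runs offline; file names and contents are invented for the demo.

```python
"""Added example: hash files in chunks the way avcheck.py does, turn a
VirusTotal v2 file/report response into a verdict, and pace lookups to the
public API limit of 4 requests per minute. The HTTP call is replaced by a
lookup function fed constructed responses, so everything runs offline."""
import hashlib
import os
import tempfile
import time

PUBLIC_API_LIMIT_PER_MINUTE = 4


def file_hashes(path, chunk_size=10240):
    """Return md5, sha1 and sha256 hex digests of `path`, read in chunks
    so a large binary is never loaded into memory whole."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def classify_report(report):
    """Map a v2 file/report object to (verdict, positives, total).
    response_code 1 = report available, 0 = hash unknown to VirusTotal,
    -2 = submission still queued. Only a present report can be called CLEAN."""
    code = report.get("response_code")
    if code == -2:
        return ("QUEUED", 0, 0)
    if code != 1:
        return ("UNKNOWN", 0, 0)
    positives = int(report.get("positives") or 0)
    total = int(report.get("total") or 0)
    return ("INFECTED" if positives else "CLEAN", positives, total)


class RateLimiter:
    """Keep successive calls at least 60/per_minute seconds apart.
    clock and sleeper are injectable so pacing can be tested without waiting."""

    def __init__(self, per_minute, clock=time.monotonic, sleeper=time.sleep):
        self.interval = 60.0 / per_minute
        self.clock = clock
        self.sleeper = sleeper
        self.last = None

    def wait(self):
        """Block until the next call is allowed; return the seconds slept."""
        now = self.clock()
        delay = 0.0
        if self.last is not None:
            delay = max(0.0, self.interval - (now - self.last))
            if delay:
                self.sleeper(delay)
        self.last = now + delay
        return delay


def scan_directory(directory, lookup, limiter):
    """Hash every file under `directory`, look each sha256 up through `lookup`
    (a function returning a v2-style report dict) and collect the verdicts."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            digest = file_hashes(os.path.join(root, name))["sha256"]
            limiter.wait()
            results[name] = classify_report(lookup(digest))
    return results


# Constructed files and responses in the shape of the v2 endpoint (not real data).
SAMPLE_FILES = {
    "sample.bin": (b"constructed stand-in for a detected binary",
                   {"response_code": 1, "positives": 41, "total": 47}),
    "benign.txt": (b"benign",
                   {"response_code": 1, "positives": 0, "total": 47}),
    "fresh.bin": (b"never submitted anywhere",
                  {"response_code": 0}),
}


def demo():
    """Write the constructed files to a scratch directory, stub the API with a
    hash-keyed dictionary, and scan without touching the network."""
    with tempfile.TemporaryDirectory() as d:
        reports_by_hash = {}
        for name, (content, report) in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
            reports_by_hash[hashlib.sha256(content).hexdigest()] = report

        def lookup(digest):
            return reports_by_hash.get(digest, {"response_code": 0})

        slept = []   # fake sleeper records the pacing instead of waiting
        limiter = RateLimiter(PUBLIC_API_LIMIT_PER_MINUTE,
                              clock=lambda: 0.0, sleeper=slept.append)
        results = scan_directory(d, lookup, limiter)
    return results, slept


if __name__ == "__main__":
    verdicts, delays = demo()
    for name, (verdict, positives, total) in verdicts.items():
        print("%-12s %-8s %d/%d" % (name, verdict, positives, total))
    print("seconds of pacing inserted:", sum(delays))
```

To use it against the real endpoint, replace `lookup` with a function that POSTs `resource=<hash>` and `apikey=<key>` to the file/report URL and returns the parsed JSON; the limiter then sleeps for real. The "UNKNOWN" verdict matters in practice: a hash VirusTotal has never seen is exactly the case where a sample is new or targeted, and labelling it clean would hide that.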

A quick demonstration:

I’m downloading a few malware samples to show you that the script works. I get the Duqu and Stuxnet samples from http://openmalware.org/ and eicar.com malware test file from www.eicar.org/download/eicar.com.txt .

I put them all in a folder named malcode along with a file containing the string “benign” as a test case and ran:

python avcheck.py -d malcode/

Note that the EICAR file shows detection across all AVs.


Yashin Mehaboobe