October 25, 2018 / by Mervin Marks / In threat-intelligence /

Detecting malicious URLs with DNIF and VirusTotal

Greetings, readers! I’m excited to share the world of possibilities that opens up when you have a validation service like VirusTotal working together with a real-time data analytics platform, DNIF (this blog shows how you can integrate VirusTotal with DNIF).

Detecting malicious URLs

How can you cut down on detection time and automate the process to make it more efficient?

I’m going to show you how DNIF fetches URLs from log events and uses VirusTotal to validate them. If a URL is found to be malicious, a module is raised and an alert notification email is sent to all stakeholders; the whole process is automated. VirusTotal not only tells you whether a given antivirus solution detected a submitted URL as malicious, but also displays each engine’s detection label (e.g., I-Worm.Allaple.gen). URL scanners discriminate between malware sites, phishing sites, suspicious sites, etc. Some engines provide additional information, stating explicitly whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.

The query below fetches URLs from log events and validates them with VirusTotal. If the VT positives count for a URL is more than 1, meaning it is flagged as malicious, a module is raised and a notification email is sent to a group of people or a specific individual. This assumes you already have a working DNIF setup and access to the VirusTotal API; if not, please refer to the blog about “Using the VirusTotal API with DNIF”.

How to get started

The following query can be used to detect malicious URLs and raise a module/alert.

_fetch * from event where $Duration=1h group count_unique $URL limit 4
>>_lookup virustotal get_url_report $URL
>>_checkif int_compare $VTPositives > 1 include
>>_raise module virustotal malicious_url_detected $URL 3 10m
>>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname

What does this query do?

_fetch * from event where $Duration=1h group count_unique $URL limit 4

In the query above, we run a workbook query over the last hour of events (the window depends on the $Duration we choose), group all the unique URLs, and limit the result set to 4.

[Screenshot: query to group all URLs, with its resultset]

>>_lookup virustotal get_url_report $URL

In the pipelined query, we now run a lookup on VirusTotal to get the URL report.

[Screenshots: lookup pipelined query, its resultset and the extended resultset]

>>_checkif int_compare $VTPositives > 1 include

The next pipelined query checks whether the lookup response for the URL has been flagged as positive by VirusTotal, i.e. whether more than one engine detected it.

[Screenshots: checkif query and resultset showing threat intelligence from more than one threat intel provider]

>>_raise module virustotal malicious_url_detected $URL 3 10m

In the next pipelined query, if the URL is flagged as malicious, a module is raised within DNIF as the next step. (A module is essentially a description telling SecOps personnel why a particular alert was raised; the alert itself is raised in the following query.)

[Screenshots: raise directive triggering the module, with the resultset of the pipelined query]

>>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname

Here we also trigger a templated message via DNIF, through the messaging services API, to any integrated messaging system, informing the members of the groups concerned of what VirusTotal and DNIF have detected.

[Screenshot: email received]
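As an added illustration, not part of the original post or of the DNIF product, the same four-stage pipeline is written out below in Python: group the unique URLs from constructed log events, look each one up in a constructed stand-in for the VirusTotal v2 URL-report response (its positives, total and scans fields), keep only URLs with more than 1 positive, and build the alert records that the module and notification steps would consume. URLs, engine names and log lines are placeholders.

```python
import re

# Constructed sample log events (stand-in for DNIF's `event` store, not real data).
SAMPLE_EVENTS = [
    'ts=1540400000 src=10.0.0.7 url=http://example.com/login method=GET',
    'ts=1540400005 src=10.0.0.9 url=http://bad.example.net/drop.exe method=GET',
    'ts=1540400010 src=10.0.0.7 url=http://bad.example.net/drop.exe method=GET',
    'ts=1540400020 src=10.0.0.11 url=http://phish.example.org/bank method=POST',
]

# Constructed stand-in for VirusTotal v2 url/report responses keyed by URL, so the
# example runs offline. Engine names are placeholders, not real vendors.
VT_REPORTS = {
    'http://example.com/login': {'positives': 0, 'total': 67, 'scans': {}},
    'http://bad.example.net/drop.exe': {'positives': 5, 'total': 67, 'scans': {
        'EngineA': {'detected': True, 'result': 'malware site'},
        'EngineB': {'detected': True, 'result': 'malicious site'}}},
    'http://phish.example.org/bank': {'positives': 1, 'total': 67, 'scans': {
        'EngineA': {'detected': True, 'result': 'phishing site'}}},
}

URL_RE = re.compile(r'\burl=(\S+)')

def group_unique_urls(events, limit=4):
    """_fetch ... group count_unique $URL limit N: count distinct URLs, keep top N."""
    counts = {}
    for line in events:
        m = URL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return dict(top)

def lookup_url_report(url, reports=VT_REPORTS):
    """_lookup virustotal get_url_report $URL: return VTPositives plus detection labels."""
    rep = reports.get(url)
    if rep is None:  # URL never scanned by VT: treat as zero positives, not as an error
        return {'VTPositives': 0, 'VTTotal': 0, 'VTLabels': {}}
    labels = {eng: s['result'] for eng, s in rep['scans'].items() if s.get('detected')}
    return {'VTPositives': rep['positives'], 'VTTotal': rep['total'], 'VTLabels': labels}

def detect_malicious_urls(events, threshold=1, reports=VT_REPORTS):
    """checkif int_compare $VTPositives > threshold include, then collect alert rows."""
    alerts = []
    for url, hits in group_unique_urls(events).items():
        rep = lookup_url_report(url, reports)
        if rep['VTPositives'] > threshold:  # only rows above the threshold pass through
            alerts.append({'url': url, 'hits': hits, **rep})
    return alerts
```

The returned alert rows carry the per-engine labels (e.g. "phishing site"), which is what the raise/trigger template would put in front of the SecOps reader.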

Conclusion

It’s always recommended to purchase a license to VirusTotal services if the services are to run in a production environment. If the idea is to test the services as part of a POC (Proof Of Concept) then the free VirusTotal API key would suffice. I’ve shared one use-case showcasing the combined capabilities and benefits of integration plugin built by the DNIF Team in collaboration with VirusTotal. Would love to hear if you’ve created any use cases around VirusTotal and DNIF. Please share in comments below.