Detecting malicious URLs with DNIF and VirusTotal
Greeting readers! I’m excited to share a world of possibilities that open to you, when you have a validation service like VirusTotal working in collaboration with a Real-time Data Analytics platform, DNIF (this blog shows how you can integrate VirusTotal with DNIF).
Detecting malicious urls
How can you cut down on detection time and automate the process to make it more efficient?
I’m going to show you how DNIF fetches URLs from log events and uses VirusTotal to validate those URLs. If found to be malicious, a module as well as an alert notification email is sent to all stakeholders, and yes, this whole process is automated. VirusTotal not only tells you whether a given antivirus solution detected a submitted URL as malicious, but also displays each engine’s detection label (e.g., I-Worm.Allaple.gen). URL scanners will discriminate between malware sites, phishing sites, suspicious sites, etc. Some engines will provide additional information, stating explicitly whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.
The below mentioned query fetches URLs from log events and validates them with VirusTotal. If their VT Positive is more than 1, which means it is malicious, a module is raised and a notification email is sent to a group of people or a specific individual. Using VirusTotal, DNIF validates whether a particular URL is malicious or not using the below mentioned query . Once again, this is assuming that you have a working setup of DNIF as well as access to the VirusTotal API. If not, please refer to the blog about “Using the VirusTotal API with DNIF”.
How to get started
The below mentioned query can be used to detect and raise a module/alert
_fetch * from event where $Duration=1h group count_unique $URL limit 4 >>_lookup virustotal get_url_report $URL >>_checkif int_compare $VTPositives > 1 include >>_raise module virustotal malicious_url_detected $URL 3 10m >>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname
What does this query do?
_fetch * from event where $Duration=1h group count_unique $URL limit 4
In the above mentioned query, we run a workbook query every one hour (Depends on the duration we choose) and we are grouping all the unique URLs.
>>_lookup virustotal get_url_report $URL
In the pipelined query, we are now running a lookup on VirusTotal to get the Url Report
>>_checkif int_compare $VTPositives > 1 include
The next pipeline query is to check if the resulting response for the lookup run against the URL has been flagged by VirusTotal as positive.
>>_raise module virustotal malicious_url_detected $URL 3 10m
In the following pipelined query, in case the URL is flagged as malicious, a Module within DNIF is raised as the next steps (A module is basically a description telling the SecOps personnel why a particular alert was raised, as in the next query the alert will be raised)
>>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname
Here we are also triggering a templated message via DNIF to any integrated messaging system through the messaging services API informing the concerned groups members of what has been detected via VirusTotal and DNIF.
It’s always recommended to purchase a license to VirusTotal services if the services are to run in a production environment. If the idea is to test the services as part of a POC (Proof Of Concept) then the free VirusTotal API key would suffice. I’ve shared one use-case showcasing the combined capabilities and benefits of integration plugin built by the DNIF Team in collaboration with VirusTotal. Would love to hear if you’ve created any use cases around VirusTotal and DNIF. Please share in comments below.