Showing posts with label VirusTotal.

Google's Magika: Revolutionizing File-Type Identification for Enhanced Cybersecurity

Google has released Magika, an AI-powered file-type identification system that detects both binary and textual file formats. Built around a custom deep-learning model, it is already used inside Google to help keep users safe.

Google relies on Magika internally: Gmail, Drive and Safe Browsing use it to route files to the appropriate security and content-policy scanners. The right scanner depends on what a file actually is rather than on the extension or MIME type a sender chose, so accurate identification is the first step of the pipeline. Magika runs on a CPU and identifies a file in milliseconds, which sets it apart in efficiency and responsiveness.

Under the hood, Magika uses a custom, highly optimized deep-learning model developed and trained with Keras that weighs in at about 1 MB. For inference the model is exported to the Open Neural Network Exchange (ONNX) format and executed with ONNX Runtime, which keeps identification almost as fast as non-AI tools, even on a CPU. Google benchmarked Magika on one million files spanning more than a hundred file types.

On that benchmark the model, backed by a large training dataset, outperformed other tools by about 20% in accuracy. The gain is most pronounced for textual files such as source code and configuration files, which have no magic bytes for rule-based tools to key on. Within Google the improvement let 11% more files be routed to the specialized AI-based malicious-document scanners and cut the share of unidentified files to 3%.

Compared with Google's previous system of handcrafted rules, Magika improved file-type detection accuracy by 50%. For anyone who wants to try it, Magika ships as a command line tool that identifies the type of any file passed to it.

There is also a web demo, and the Python library and standalone command line tool can be installed with the standard command 'pip install magika'. The code and model are freely available on GitHub under the Apache 2.0 license.
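The routing pattern described above, as an added example that is not Google's or the Magika project's code: files are sent to a scanner based on their identified content, not their extension, and a disagreement between the two is itself a signal. The small magic-byte sniffer stands in for Magika (in production you would substitute the label the magika library returns, for example from Magika().identify_bytes(data)); the scanner names and the three sample files are constructed for the demonstration.

```python
"""Route a file to a scanner by what it is, not by what its name says.

Added example, not code from Google or the Magika project. sniff() is a
deliberately small magic-byte identifier standing in for Magika; the
scanner names and the sample files are constructed.
"""
from __future__ import annotations

import os

# Content label -> scanner that should receive the file (assumed names).
SCANNER_FOR_LABEL = {
    "pe": "pe_scanner",
    "elf": "elf_scanner",
    "pdf": "document_scanner",
    "zip": "archive_scanner",
    "html": "html_scanner",
    "text": "text_scanner",
}
DEFAULT_SCANNER = "generic_scanner"


def sniff(data: bytes) -> str:
    """Stand-in identifier: a few magic-byte rules plus a text/HTML guess.
    Magika replaces this with a model that also handles text formats
    that have no magic bytes at all."""
    head = data[:8]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    try:
        text = data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    lowered = text.lstrip().lower()
    if lowered.startswith(("<!doctype html", "<html", "<script", "<iframe")):
        return "html"
    return "text"


def route_by_extension(filename: str) -> str:
    """The naive approach: trust the name the sender chose."""
    ext = os.path.splitext(filename)[1].lower()
    by_ext = {".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".zip": "zip",
              ".html": "html", ".htm": "html", ".txt": "text"}
    return SCANNER_FOR_LABEL.get(by_ext.get(ext, ""), DEFAULT_SCANNER)


def route_by_content(filename: str, data: bytes) -> tuple[str, str, bool]:
    """Return (label, scanner, mismatch). mismatch is True when the content
    disagrees with the extension, which is worth logging on its own."""
    label = sniff(data)
    scanner = SCANNER_FOR_LABEL.get(label, DEFAULT_SCANNER)
    mismatch = scanner != route_by_extension(filename)
    return label, scanner, mismatch


# Constructed samples: a PE disguised as a text file, an HTML page disguised
# as a JPEG, and an honest PDF.
SAMPLES = {
    "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": b"<html><script>location='https://example.invalid/'</script></html>",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        label, scanner, mismatch = route_by_content(name, data)
        flag = "  <-- extension lies" if mismatch else ""
        print(f"{name:12s} by-ext={route_by_extension(name):16s} "
              f"by-content={scanner:16s} ({label}){flag}")
```

Run as a script, the disguised PE and the disguised HTML page land on the PE and HTML scanners respectively, while extension-based routing would have sent one to a text scanner and the other to a generic fallback.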

Google also plans to integrate Magika with VirusTotal, where it will support the existing Code Insight feature, which uses generative AI to analyse and explain potentially malicious code. Magika will pre-filter files before they reach Code Insight, so that each file is handed to the right analysis path, improving the platform's accuracy and efficiency.

The VirusTotal integration underscores Google's commitment to the wider security ecosystem. As Magika matures and is wired into existing security pipelines, it illustrates where file-handling defences are heading: identify the file first, then scan it with the tool built for that type.

Phishing Scam Blank Image Masks Code in SVG Files

Researchers at Avanan have observed a phishing campaign they call 'Blank Image' spreading worldwide. The emails carry an HTML attachment that embeds a seemingly blank image; when the recipient opens the attachment, script hidden in that image sends them straight to a malicious URL.

Blank Image attack 

The bogus emails claim that a DocuSign document is waiting for the recipient's signature and carry an attachment with the vaguely named file "Scanned Remittance Advice.htm". Inside the HTML file is an SVG image encoded in Base64. Scammers embed SVG vector images in HTML attachments this way to get past the security features that are typically enabled by default in email inboxes, which see only an HTML file and an image.

SVGs are XML-based vector images and, unlike raster formats such as JPG and PNG, can contain <script> elements. When an HTML document displays such an image through an <embed>, <object> or <iframe> tag (or the SVG file is opened directly), the browser renders the image and executes the JavaScript embedded in it. The same script does not run when the SVG is referenced from an <img> tag, which is why the attackers use an embedding tag.

Although the message body looks harmless, opening the HTML attachment lets its payload loose on the device. The embedded SVG draws nothing: in place of the drawing instructions a normal SVG would carry, it holds the attack's script.

According to the researchers, this is a creative way to hide the message's true intent. Because the redirect lives in script, inside a Base64-encoded image, inside an HTML attachment, obfuscation stacked on obfuscation, it slips past conventional click-time URL protection and VirusTotal, and the researchers say most security services have no defence against it.

Users should therefore be wary of any email carrying HTML or .htm attachments. Administrators should consider blocking HTML attachments outright and treating them the same way as executables (.exe, .cab).

This attack resembles the earlier 'MetaMorph' attack that Avanan described a few years ago, in which phishing actors used a meta refresh to bounce users from a locally opened HTML attachment to a phishing site on the open internet. A meta refresh is an HTML <meta> tag that tells the browser to reload the current page, or load a different URL, after a specified number of seconds.

Both users and administrators should treat HTML-bearing emails and .htm attachments with care; Avanan advises admins to consider blocking them altogether.
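A detector for the two attachment patterns described above (an SVG embedded through a Base64 data: URI that carries script, and a MetaMorph-style meta refresh), as an added example that is not Avanan's code. The sample attachments are constructed to mirror the described technique and point at the reserved domain example.invalid; the indicator names are my own.

```python
"""Inspect an HTML email attachment for the Blank Image / MetaMorph patterns.

Added example, not Avanan's code. Samples are constructed; indicator
names are assumptions. Only tags that actually execute SVG script
(embed, object, iframe) are collected; <img> is ignored because browsers
do not run script in SVGs loaded that way.
"""
import base64
import re
from html.parser import HTMLParser

DATA_URI_RE = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)", re.I)
REDIRECT_RE = re.compile(
    r"(window\.|top\.)?location(\.href|\.replace|\.assign)?\s*[=(]|window\.open\s*\(", re.I)


class EmbedCollector(HTMLParser):
    """Collect src/data of script-executing embeds, plus any meta refresh."""
    def __init__(self):
        super().__init__()
        self.sources = []       # (tag, attribute value)
        self.meta_refresh = []  # content attribute of <meta http-equiv=refresh>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("embed", "iframe", "object"):
            src = attrs.get("src") or attrs.get("data")
            if src:
                self.sources.append((tag, src))
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(attrs.get("content") or "")


def analyse_attachment(html: str) -> dict:
    """Return indicators, extracted redirect targets and an overall verdict."""
    parser = EmbedCollector()
    parser.feed(html)
    indicators, targets = [], []

    for tag, src in parser.sources:
        m = DATA_URI_RE.search(src)
        if not m:
            continue
        indicators.append(f"{tag}: inline base64 SVG")
        try:
            raw = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
        except ValueError:
            indicators.append(f"{tag}: undecodable base64")
            continue
        svg = raw.decode("utf-8", "replace")
        scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", svg, re.I | re.S)
        if scripts:
            indicators.append(f"{tag}: SVG contains <script>")
        for body in scripts:
            if REDIRECT_RE.search(body):
                indicators.append(f"{tag}: SVG script navigates the page")
                targets += re.findall(r"https?://[^\s'\"<>]+", body)

    for content in parser.meta_refresh:
        indicators.append("meta refresh")
        targets += re.findall(r"url\s*=\s*([^\s;'\"]+)", content, re.I)

    suspicious = bool(targets) or any("<script>" in i for i in indicators)
    return {"indicators": indicators, "redirect_targets": targets, "suspicious": suspicious}


# Constructed samples (not real phishing content).
SVG_PAYLOAD = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    "<script>window.location = 'https://example.invalid/docusign';</script></svg>"
)
SAMPLE_ATTACHMENT = (
    "<html><body><p>Please review the attached remittance advice.</p>"
    '<embed type="image/svg+xml" src="data:image/svg+xml;base64,'
    + base64.b64encode(SVG_PAYLOAD.encode()).decode() + '"></body></html>'
)
BENIGN_ATTACHMENT = (
    '<html><body><img src="data:image/svg+xml;base64,'
    + base64.b64encode(b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>').decode()
    + '"></body></html>'
)
META_ATTACHMENT = ('<html><head><meta http-equiv="refresh" '
                   'content="0; url=https://example.invalid/verify"></head></html>')

if __name__ == "__main__":
    for name, doc in [("blank image", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT),
                      ("metamorph", META_ATTACHMENT)]:
        print(name, analyse_attachment(doc))
```

A stricter mail filter would flag any inline SVG containing script regardless of the embedding tag, since an attachment can also be saved and opened directly; this version shows the minimum that separates the attack from an ordinary inline image.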

VirusTotal Hacking: Hackers can Access Trove of Stolen Credentials on VirusTotal

By running searches on VirusTotal, the online service that analyses suspicious files and URLs, security researchers have found a way to harvest large volumes of stolen user credentials.

The SafeBreach research team used the technique to collect over a million credentials with nothing more than a €600 (about $679) VirusTotal licence and a few tools. The goal was to find out what a criminal could obtain with a licence for VirusTotal, the Google-owned service that lets anyone submit suspicious files and links to be checked by multiple antivirus engines for free.

A licensed VirusTotal user can combine search modifiers to query the service's dataset by file type, file name, submission date, submitting country, file content and more. Many info-stealers harvest credentials from forums, mail accounts, browsers and other sources, write them to a hard-coded file name, for example "all credentials.txt", and then exfiltrate that file from the victim's machine to the attackers' command-and-control server. Once such a file is uploaded to VirusTotal, by a victim, a researcher or an automated tool, anyone with a licence can search for it by name or content.

Researchers used VirusTotal tools and APIs like search, VirusTotal Graph, and Retrohunt to locate files containing stolen data using this strategy. 

Tomer Bar, director of security research at SafeBreach, stated: "It is quite a straightforward technique, which doesn't require a strong understanding of malware. All you need is to choose one of the most common info stealers and read about it online."

To collect the data, the researchers targeted well-known stealers such as RedLine Stealer, Azorult, Raccoon Stealer and Hawkeye, as well as well-known forums like DrDark and Snatch Cloud, and found that the approach worked at scale.

RedLine Stealer is malware sold on underground forums either outright or by subscription. It collects saved credentials, autocomplete data and credit card information from browsers. Once installed on a target machine it builds a system inventory containing usernames, location data, hardware settings and details of installed security software. RedLine Stealer can also upload and download files and run commands.

To begin, the researchers used VirusTotal's query interface to look for binaries that at least one antivirus engine had classified as RedLine, which yielded 800 matches. They also searched for files named DomainDetects.txt, one of the file names the malware uses for its exfiltrated data; this turned up hundreds of exfiltrated files.

They then turned to VirusTotal Graph, a visual exploration tool for licensed VirusTotal customers. One file from their search results turned out to be a RAR archive containing exfiltrated data from 500 victims, including 22,715 passwords for a variety of websites. Other results contained larger files with even more passwords.

According to the researchers, some of the URLs in those dumps belonged to government-related websites. While there are many info-stealer families, the researchers picked five of the most popular ones, since those were the most likely to appear in VirusTotal's dataset.

Researchers wrote in their blog post, "A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cybercrime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity." 

The researchers reported their findings to Google and asked VirusTotal to remove the files containing personal information. They also recommended that VirusTotal regularly screen for and delete files containing sensitive user data, and that it block the API keys used to upload such files.
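Both sides of the technique described above, as an added example that is not SafeBreach's code. The first function builds the kind of licensed VirusTotal Intelligence search the researchers describe; the v3 endpoint and the x-apikey header are VirusTotal's public API, the exact modifier syntax is assumed from its public documentation, and the request is prepared but never sent. The rest is the defensive counterpart for the last recommendation: a screen an analyst's or an automated uploader's pipeline can run before submitting a file, so that a stealer log is not pushed to VirusTotal in the first place. The URL/USER/PASS record layout and the sample dump are constructed to resemble a stealer log and contain no real accounts.

```python
"""Hunt query and upload screen for the VirusTotal credential problem.

Added example, not SafeBreach's code. Endpoint and header are VirusTotal's
v3 API; the modifier syntax is assumed from public docs; the request is
built but not sent. The stealer-log format and sample are constructed.
"""
import re
import urllib.parse
import urllib.request

VT_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"


def build_intelligence_request(query: str, api_key: str, limit: int = 10) -> urllib.request.Request:
    """Licensed search, e.g. 'engines:redline name:"DomainDetects.txt"'.
    Returns a prepared request; urllib.request.urlopen(req) would run it."""
    params = urllib.parse.urlencode({"query": query, "limit": limit})
    return urllib.request.Request(f"{VT_SEARCH}?{params}", headers={"x-apikey": api_key})


# --- Defensive side: screen a file before it is uploaded anywhere ----------
CRED_LINE_RE = re.compile(r"^\s*(url|user(name)?|pass(word)?|login)\s*[:=]", re.I)
SUSPICIOUS_NAMES = re.compile(r"(credential|password|passw|domaindetect|cookies|autofill)", re.I)


def credential_density(text: str) -> float:
    """Fraction of non-empty lines that look like URL:/USER:/PASS: records."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return 0.0
    hits = sum(1 for l in lines if CRED_LINE_RE.match(l))
    return hits / len(lines)


def looks_like_stealer_log(filename: str, data: bytes, threshold: float = 0.5) -> bool:
    """True when either the name or the content suggests exfiltrated credentials."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False  # binary: not the text-dump case this screen targets
    return bool(SUSPICIOUS_NAMES.search(filename)) or credential_density(text) >= threshold


def safe_to_upload(filename: str, data: bytes) -> bool:
    """Gate for an uploader: refuse anything that looks like a credential dump."""
    return not looks_like_stealer_log(filename, data)


# Constructed sample resembling a stealer's password dump (no real accounts).
STEALER_LOG = b"""URL: https://mail.example.invalid/login
USER: alice@example.invalid
PASS: Winter2021!
===============
URL: https://portal.example.invalid/
USER: alice
PASS: hunter2
"""
README = b"Installation\n============\nRun setup.exe and follow the prompts.\n"

if __name__ == "__main__":
    req = build_intelligence_request('engines:redline name:"DomainDetects.txt"', "YOUR_KEY")
    print(req.full_url, req.get_header("X-apikey"))
    print("dump.txt safe to upload?", safe_to_upload("dump.txt", STEALER_LOG))
    print("README safe to upload?", safe_to_upload("README", README))
```

The density check rather than a fixed file name is what matters: stealers rename their output, but a file in which most lines are URL/USER/PASS records looks the same whatever it is called.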

Protect your phone from malicious apps with the malware scanner VirusTotal Mobile

Last year Google removed 85 apps from the Play Store after security researchers found they were adware in disguise.
They ranged from games and TV apps to remote-control simulators. The episode shows that even apps from the Google Play Store are not necessarily safe and may be running code and scripts on your phone that you never asked for.


Some of these apps even had API key certificates, and apart from these 85 there may well be other malicious apps still roaming undetected. It is therefore important to protect phones and computers from such harmful apps and from files downloaded from "unknown sources". Granting permissions carefully helps, but some apps still run in the background, spreading malware or downloading further malicious files onto the phone.

One way to protect a phone from such attacks is a malware scanner. A virus/malware scan is the process in which software inspects the files on a device and identifies known viruses and other malicious programs. Antivirus software does this too, but a multi-engine scanner adds an extra cushion of security: it checks a file against many vendors' detections at once rather than against a single product's.

VirusTotal Mobile, an Android application available on the Play Store, scans the applications installed on your phone for malware such as viruses, trojans and worms, and notifies you if any are found. Scanning the phone regularly and removing whatever is found is an important part of maintaining the device: a virus that gets onto the phone and stays there can cause data loss, leak personal data or compromise the device outright.

The app checks each application against more than 50 antivirus engines and flags suspicious content; files and URLs can be checked as well, not only apps. It is developed by VirusTotal.com, a trusted virus, malware and URL scanner. Keep in mind that the app only reports malicious content; it does not remove the malware. Note also that anything submitted for a new scan is uploaded to VirusTotal and shared with its community of researchers, so do not submit apps or files that contain private data.

Simple, effective and fast (without annoying ads or pings), VirusTotal Mobile is a must-have tool for protecting your phone from dubious apps that could be running pre-installed code.

Winja (VirusTotal Uploader)- The Malware Detector!

Cyber-security is an important concern for everyone working from home these days, amid the lockdown caused by the Coronavirus pandemic. There are several security measures one can take to stay on top of the cyber-hazards hackers may be brewing.

Winja is one such free application: a passive analysis tool for Microsoft Windows that helps users find potential malware on their system. By submitting files to VirusTotal, which runs them through the scanning engines of many antivirus products, it reports exactly which file is flagged as hazardous and by which engines.

Whenever we download something from the internet, the first step should be to make sure it is safe for our device. With Winja, all you have to do is drag the file in question onto the main window, and the results appear.

If you have a sneaking suspicion that your device is infected, you can have the application scan all running services and processes for malware.

Reportedly, Winja first uses the VirusTotal public API to look up the file's fingerprint (its hash). If the fingerprint is already known, Winja shows the existing analysis report; if not, it uploads the unknown file to the VirusTotal servers for scanning. You can also re-analyse a file at any time to improve the chances of detection.

As researchers have long recognised, attackers have favourite places on a victim's device in which to sneak in and hide malware. Winja makes it easy to check those places; per sources they include services, the Task Scheduler, active processes, applications that start with Windows, and actions that require network or internet resources.

Scanning any single file you are suspicious of is the same drag-and-drop onto the main Winja window.

There is also a Windows Explorer extension that lets you request a scan by right-clicking any file in the file browser.

Per sources, all versions after the sixth are also available in French, which has made it popular among French speakers. VirusTotal, which is part of Google, recommends Winja as an alternative to its own Windows desktop uploader.

Winja complements the antivirus software you already use. It is not a substitute for antivirus software; it fits alongside it like a puzzle piece and is not meant to compete with it in any way.
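The hash-first flow described for Winja above, which is also what a scanner such as VirusTotal Mobile does when it checks an app, as an added example that is neither Winja's nor VirusTotal's code. The endpoints GET /api/v3/files/{sha256} and POST /api/v3/files and the x-apikey header are VirusTotal's public v3 API; FakeTransport and its canned responses are constructed so the example runs offline (a real client would use urllib or requests with a multipart upload), and the sample files are made up. The allow_upload switch is the caveat a practitioner wants: looking up a hash discloses nothing, but uploading an unknown file shares it with VirusTotal's community, which is exactly how the credential dumps in the earlier post ended up searchable.

```python
"""Hash-first VirusTotal lookup with upload only on a 404.

Added example, not Winja's or VirusTotal's code. Endpoints and header are
VirusTotal's public v3 API; the transport, its canned responses and the
sample files are constructed so this runs offline.
"""
from __future__ import annotations

import hashlib
import json

VT_API = "https://www.virustotal.com/api/v3"


class FakeTransport:
    """Stands in for HTTP. Knows a few hashes with existing reports."""
    def __init__(self, known: dict):
        self.known = known      # sha256 -> last_analysis_stats (canned)
        self.uploaded = []      # record of what would have been sent to VT

    def get(self, url: str, headers: dict) -> tuple[int, dict]:
        assert headers.get("x-apikey"), "VT v3 requires the x-apikey header"
        sha = url.rsplit("/", 1)[-1]
        if sha in self.known:
            return 200, {"data": {"attributes": {"last_analysis_stats": self.known[sha]}}}
        return 404, {"error": {"code": "NotFoundError"}}

    def post_file(self, url: str, headers: dict, data: bytes) -> tuple[int, dict]:
        assert headers.get("x-apikey")
        self.uploaded.append(data)  # a real client sends multipart form data
        return 200, {"data": {"type": "analysis", "id": "fake-analysis-id"}}


def lookup_or_upload(data: bytes, api_key: str, transport, allow_upload: bool = True) -> dict:
    """Step 1: look the SHA-256 up. Step 2: only if it is unknown (404) and the
    caller permits it, upload the file. Uploading shares the file with the
    VirusTotal community, so callers handling private data pass
    allow_upload=False and get a 'hash unknown' answer instead."""
    sha256 = hashlib.sha256(data).hexdigest()
    headers = {"x-apikey": api_key}
    status, body = transport.get(f"{VT_API}/files/{sha256}", headers)
    if status == 200:
        stats = body["data"]["attributes"]["last_analysis_stats"]
        return {"sha256": sha256, "action": "report",
                "malicious": stats.get("malicious", 0), "total": sum(stats.values())}
    if status != 404:
        raise RuntimeError(f"unexpected VT status {status}: {json.dumps(body)}")
    if not allow_upload:
        return {"sha256": sha256, "action": "unknown_not_uploaded"}
    status, body = transport.post_file(f"{VT_API}/files", headers, data)
    return {"sha256": sha256, "action": "uploaded", "analysis_id": body["data"]["id"]}


# Constructed samples: one file VT "already knows", one it does not.
KNOWN_FILE = b"MZ\x90\x00 constructed known sample"
UNKNOWN_FILE = b"MZ\x90\x00 constructed unknown sample"
KNOWN_SHA = hashlib.sha256(KNOWN_FILE).hexdigest()
CANNED = {KNOWN_SHA: {"malicious": 43, "suspicious": 2, "undetected": 25, "harmless": 0}}

if __name__ == "__main__":
    vt = FakeTransport(CANNED)
    print(lookup_or_upload(KNOWN_FILE, "YOUR_KEY", vt))
    print(lookup_or_upload(UNKNOWN_FILE, "YOUR_KEY", vt))
    print(lookup_or_upload(UNKNOWN_FILE, "YOUR_KEY", vt, allow_upload=False))
    print("files uploaded:", len(vt.uploaded))
```

The report path returns the engine tally ("43 of 70 engines flag this"), which is the figure Winja and VirusTotal Mobile display; the two unknown-file calls show the difference between a client that uploads by default and one that only ever discloses a hash.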