{"id":12887,"date":"2020-01-29T23:33:00","date_gmt":"2020-01-29T22:33:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12887"},"modified":"2023-02-14T15:37:41","modified_gmt":"2023-02-14T14:37:41","slug":"virustotal-gets-bitdam-scanner-sandbox","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/29\/virustotal-gets-bitdam-scanner-sandbox\/","title":{"rendered":"VirusTotal gets Bitdam Scanner\/Sandbox"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/29\/virustotal-bekommt-bitdam-scanner-sandbox\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]A small hint for people who occasionally upload suspicious files to VirusTotal to have them checked for malware. VirusTotal has now been extended with the BitDam sandbox.<\/p>\n<p>The VirusTotal website lets you upload samples of suspicious files in which malware is suspected. The files are then checked by various virus scanners &#8211; a fine thing. 
I just came across the extension via the following tweet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">VirusTotal expands with BitDam sandbox\/scanner<a href=\"https:\/\/t.co\/LV2QmVfFHS\">https:\/\/t.co\/LV2QmVfFHS<\/a> <a href=\"https:\/\/t.co\/WaOABKx40y\">pic.twitter.com\/WaOABKx40y<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1222392427161563137?ref_src=twsrc%5Etfw\">January 29, 2020<\/a><\/p><\/blockquote>\n<p>This is now something of a turbo boost for suspicious file analysis, since BitDam runs the sample in a sandbox and watches for malicious activity. The VirusTotal blog describes it as follows:<\/p>\n<blockquote><p><i><a href=\"https:\/\/web.archive.org\/web\/20210307122118\/https:\/\/bitdam.com\/solution\/\" target=\"_blank\" rel=\"noopener noreferrer\">BitDam Advanced Threat Protection<\/a> (ATP) is a cloud-based engine that proactively detects threats, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and URLs. BitDam's patented attack-agnostic technology shows remarkably higher protection rates compared to engines that are based on knowledge of previous threats. It learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader, creating a whitelist knowledge-base. Based on this knowledge, the detection engine determines whether a given file or weblink is malicious or not, regardless of the specific malware it may contain.<\/i><\/p><\/blockquote>\n<p>The blog post walks through an example of uploading an Excel XLS spreadsheet with a macro in a hidden worksheet. This macro reads specific cells in the hidden sheet to retrieve the payload. 
It then runs a PowerShell script with a hidden command line. The PowerShell script spawns a .NET-related process to compile the payload.<\/p>\n<p><a href=\"https:\/\/lh5.googleusercontent.com\/3F_W10KK-wnpn3e6aL1iruWuZxBwcwH1_La-TDxS4Y8sTEmJgc4Ryg5c-ky4LgiA9pKFSNVtNARXGhim5D8hpUn_fazAgTksIH8ypHntOBwhAgCbEWVDuK3g0Y0LMyHW3NlFE3mi\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"VirusTotal mit BitDam ATP\" src=\"https:\/\/lh5.googleusercontent.com\/3F_W10KK-wnpn3e6aL1iruWuZxBwcwH1_La-TDxS4Y8sTEmJgc4Ryg5c-ky4LgiA9pKFSNVtNARXGhim5D8hpUn_fazAgTksIH8ypHntOBwhAgCbEWVDuK3g0Y0LMyHW3NlFE3mi\" alt=\"VirusTotal mit BitDam ATP\" width=\"643\" height=\"305\" \/><\/a><br \/>\n(VirusTotal with BitDam ATP, Source: VirusTotal)<\/p>\n<p>BitDam not only scans the file (see image above) and generates execution reports showing what the uploaded file does; the scanner also makes behavior-based detection decisions, which is why BitDam reports the file as detected malware.<\/p>\n<p><a href=\"https:\/\/lh6.googleusercontent.com\/ACkvqKQsq-lUZEI3QX47q5Vuqw4tJQolXPXRabBUFXfqV8_pIjy7CGDVrswyCSg7SCfAegLs0aAv6o6MRY6e9LIv_-_6VpwJtkJ3x8K5FvwzunSHwO16xWkFSBr_5Yh6jJlWvxo5\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"VirusTotal BitDam Malware-Erkennung\" src=\"https:\/\/lh6.googleusercontent.com\/ACkvqKQsq-lUZEI3QX47q5Vuqw4tJQolXPXRabBUFXfqV8_pIjy7CGDVrswyCSg7SCfAegLs0aAv6o6MRY6e9LIv_-_6VpwJtkJ3x8K5FvwzunSHwO16xWkFSBr_5Yh6jJlWvxo5\" alt=\"VirusTotal BitDam Malware-Erkennung\" width=\"625\" height=\"273\" \/><\/a><br \/>\n(VirusTotal BitDam malware detection, Source: VirusTotal)<\/p>\n<p>Exciting story, I think. You can read more details in the <a href=\"https:\/\/blog.virustotal.com\/2020\/01\/virustotal-multi-sandbox-bitdam-atp.html\" target=\"_blank\" rel=\"noopener noreferrer\">VirusTotal blog post<\/a>. 
Also take a look at the BitDam blog post <a href=\"https:\/\/web.archive.org\/web\/20210305161428\/https:\/\/www.bitdam.com\/2018\/04\/30\/sandboxes-are-not-foolproof\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sandboxes Are Not Foolproof<\/a>. And please note: before you upload sensitive files, read the terms and conditions of the service.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A small hint for people who occasionally upload suspicious files to VirusTotal to have them checked for malware. VirusTotal has now been extended with the BitDam sandbox.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-12887","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12887"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12887\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}