Detecting Malicious URLs with DNIF and VirusTotal

Greeting readers! We’re excited to share a world of possibilities that open to you, when you have a validation service like VirusTotal working in collaboration with a Real-time Data Analytics platform, DNIF (this blog shows how you can integrate VirusTotal with DNIF).

Detecting Malicious URLs

We’re going to show you how DNIF fetches URLs from log events and uses VirusTotal to validate those URLs. If found to be malicious, a module as well as an alert notification email is sent to all stakeholders, and yes, this whole process is automated. VirusTotal not only tells you whether a given antivirus solution detected a submitted URL as malicious, but also displays each engine’s detection label (e.g., I-Worm.Allaple.gen). URL scanners will discriminate between malware sites, phishing sites, suspicious sites, etc. Some engines will provide additional information, stating explicitly whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.

The below mentioned query fetches URLs from log events and validates them with VirusTotal. If their VT Positive is more than 1, which means it is malicious, a module is raised and a notification email is sent to a group of people or a specific individual. Using VirusTotal, DNIF validates whether a particular URL is malicious or not using the below mentioned query . Once again, this is assuming that you have a working setup of DNIF as well as access to the VirusTotal API. If not, please refer to the blog about “Using the VirusTotal API with DNIF”.

How to Get Started

_fetch * from event where $Duration=1h group count_unique $URL limit 4
>>_lookup virustotal get_url_report $URL
>>_checkif int_compare $VTPositives > 1 include
>>_raise module virustotal malicious_url_detected $URL 3 10m
>>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname

What does this query do?

_fetch * from event where $Duration=1h group count_unique $URL limit 4

In the above mentioned query, we run a workbook query every one hour (Depends on the duration we choose) and we are grouping all the unique URLs.

>>_lookup virustotal get_url_report $URL

In the pipelined query, we are now running a lookup on VirusTotal to get the URL Report

>>_checkif int_compare $VTPositives > 1 include

The next pipeline query is to check if the resulting response for the lookup run against the URL has been flagged by VirusTotal as positive.

>>_raise module virustotal malicious_url_detected $URL 3 10m

In the following pipelined query, in case the URL is flagged as malicious, a Module within DNIF is raised as the next steps (A module is basically a description telling the SecOps personnel why a particular alert was raised, as in the next query the alert will be raised)

>>_trigger template_group virustotal malicious_url_detected_alert notify_group groupname

Here we are also triggering a templated message via DNIF to any integrated messaging system through the messaging services API informing the concerned groups members of what has been detected via VirusTotal and DNIF.

Conclusion

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
DNIF

The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.