Official VirusTotal Plugin for IDA Pro 7
Quote:

ATTENTION: In order to use the content search functionality you will need to have access to VT Intelligence. If you want to jump straight ahead and install the plugin, please refer to its GitHub repository.

VirusTotal is very excited to announce a beta release of a new plugin for IDA Pro v7 which integrates VT Intelligence’s content search directly into IDA.

This plugin adds a new "VirusTotal" entry to the IDA Pro context menu (disassembly and strings windows), enabling you to search for similar or exact data on VirusTotal. It translates the user selection into a query that VTGrep understands. The current beta release provides the following search options:
  • Search for bytes: it searches for the bytes contained in the selected area.
  • Search for string: it searches for the same string as the one selected in the Strings Window.
  • Search for similar code: identifies memory offsets or addresses in the currently selected area and ignores them when searching.
  • Search for similar code (strict): same as above but it also ignores all the constants in the currently selected area.
  • Search for similar functions: same as "similar code" but you don’t need to select all the instructions that belong to a function. Just right-click on one instruction, and it will automatically detect the function boundaries, selecting all the instructions of the current function.
Using VTGrep content search to trace DTrack samples

As an example of how this plugin can speed up the analysis process, we have conducted a preliminary analysis of the DTrack sample that appeared last October 2019. As a reminder, this malware was used in an attack against the Kudankulam Nuclear Power Plant (KKNPP - India) on September 4, 2019, but was not publicly acknowledged by India’s Nuclear Power Corporation of India Limited (NPCIL) until nearly the end of October.

It's not the first time that a DTrack sample reuses code from previous attacks. Indeed, if we search for the string dkwero38oerA^t@# (VT Intelligence query: content:"dkwero38oerA^t@#") we can find 79 samples in VirusTotal that contain this string, and some of them are DTrack samples.

This string is used as a key to compress a "C.TMP" file containing files and directories of "C:\" (one zip file per connected device). There's another interesting string (abcd@123) that's used to encrypt a zip file containing all the evidence collected. There are a total of nine occurrences of this second string in the VirusTotal database.

These results can serve as a starting point to dive into previous versions of this sample. Additionally, we can look for similar code in the VirusTotal database. If we select the WinMain function's code, one sample shows up that looks promising.

Comparing both WinMain functions, we can see that they are almost identical; they only differ in the values of memory addresses and offsets. Therefore, we can argue that we've just found another version of the current sample because this match points to another file that starts with the same code.

Thus, just one click ahead of the WinMain function, we are driven to another sample that looks interesting.

There’s another approach we can take to find related samples. We can search for identical sequences of strings. Although generated code usually changes between compilations, strings are placed in the same order inside the file. Taking a look at the strings used for gathering information about the current IP addresses, running processes, and open ports, we can jump to another sample that looks similar.
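As an added illustration of the "similar code" / "similar code (strict)" modes described in the quoted post (this is not the plugin's own code, and it runs without IDA), the snippet below models what the plugin has to do: take the raw bytes of the selected instructions, blank out the operand fields that hold addresses or offsets (and, in strict mode, every other constant), and emit a VT Intelligence content query. The instruction records are a constructed stand-in for what IDA would report about each instruction, and the hex-with-`??` wildcard query form is assumed to be what VT Intelligence accepts (the post itself only shows the quoted-string form).

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed stand-in for what IDA exposes per instruction: the raw bytes plus
# (offset, size, kind) for each operand field inside them. kind is "addr" for
# memory addresses / offsets (rel32, abs32) and "imm" for other constants.
@dataclass
class Insn:
    raw: bytes
    fields: List[Tuple[int, int, str]] = field(default_factory=list)

def mask_instruction(insn: Insn, strict: bool) -> List[str]:
    """Hex tokens for one instruction, with relocatable bytes replaced by '??'.
    Non-strict mode masks only address/offset fields; strict mode also masks
    immediates, mirroring the plugin's 'similar' vs 'similar (strict)' modes."""
    tokens = [f"{b:02x}" for b in insn.raw]
    for off, size, kind in insn.fields:
        if kind == "addr" or (strict and kind == "imm"):
            for i in range(off, off + size):
                tokens[i] = "??"
    return tokens

def build_code_query(insns: List[Insn], strict: bool = False) -> str:
    """Build an assumed-syntax VT Intelligence query: content:{hex bytes with ?? wildcards}."""
    tokens: List[str] = []
    for insn in insns:
        tokens.extend(mask_instruction(insn, strict))
    if all(t == "??" for t in tokens):
        # A query made only of wildcards matches everything; refuse it early.
        raise ValueError("selection contains no literal bytes after masking")
    return "content:{" + " ".join(tokens) + "}"

def build_string_query(s: str) -> str:
    """Query form shown in the post for a Strings-window selection, e.g. content:"dkwero38oerA^t@#"."""
    escaped = s.replace("\\", "\\\\").replace('"', '\\"')
    return f'content:"{escaped}"'

# Constructed x86 prologue resembling a WinMain start (not bytes from any real sample):
SAMPLE = [
    Insn(bytes.fromhex("55")),                             # push ebp
    Insn(bytes.fromhex("8bec")),                           # mov ebp, esp
    Insn(bytes.fromhex("e8d2040000"), [(1, 4, "addr")]),   # call rel32
    Insn(bytes.fromhex("a130a04100"), [(1, 4, "addr")]),   # mov eax, [abs32]
    Insn(bytes.fromhex("6a01"), [(1, 1, "imm")]),          # push 1
    Insn(bytes.fromhex("68f4010000"), [(1, 4, "imm")]),    # push 0x1f4
]

if __name__ == "__main__":
    print(build_code_query(SAMPLE))
    print(build_code_query(SAMPLE, strict=True))
    print(build_string_query("dkwero38oerA^t@#"))
```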