• Virustotal Actors: Hypertotal output

    by  • February 12, 2014 • Uncategorized

    Earlier today I presented at the Kaspersky SAS 2014 conference hosted in the Dominican Republic. While I’ve have the Hypertotal engine and results for a number of years, I have never wanted to talk about it publicly to avoid major changes in actor behavior. I chose this specific conference to share some of my findings because I knew most of the material would not make it online and the researchers here are some of the best.

    Based on Twitter postings, I have already gotten a several requests to share my slides and I would like to do so, but more in a controlled manner. I have password-protected the zip archive containing my slides and would ask anyone interested to email me directly for the password. If I don’t respond right away, please don’t take it personally! Oh, and if you already have the slides, don’t be a jerk and share them all over the place.

    Download the ZIP archive with the slides!

    I have compiled a list of FAQ questions about the data if certain aspects of the research aren’t clear.

    1. How did you get this data? Virustotal and their MIS service.
    2. How can I get this data? You will need to hack around with some of the Virustotal APIs and then some to construct the data I was collecting.
    3. Will you look up submitter IDs or hashes? Sure, but would like some context if you are going to send something
    4. How many actors do you track? Around 200 or so.
    5. Do you plan to open source your code at some point? Ideally, this would be shared amongst those doing the same research I do, so we could all work off the same database, but I am not sure how to do that yet.
    6. Do you know how to reverse the hash algorithm? I wish I did.
    7. How many accounts do you have activity for? A few million.
    8. Are you ever 100% sure your actor/target/security classifications are correct? In some cases, yes, but in other cases I lack the data to fully understand the role of a given account. Using additional data points (attack information, file data, etc.) helps me achieve a greater confidence about the account.
    9. Can I help out with this project? This depends more on what you would be willing to work on, but I would say, yes. One of the most helpful things anyone could do is just share hashes of “interesting” or weird files.
    10. Is the system web scale? Yes. Yes it is.