

Malware Detection Analysis with ThreatScraper

Posted Wednesday, February 21, 2024

 

By Capt. Aaron Morath
AFIT Graduate Student
Department of Electrical & Computer Engineering

The digital landscape of today is in a state of constant flux, with the rapid evolution of malware and computer viruses continually challenging the proficiency of anti-virus programs. One method of combating these threats lies in the proactive detection of malicious files, which pivots on the timely updating of virus signatures by these programs. Given the myriad of anti-virus tools on the market, ranging from Microsoft Defender and Symantec to McAfee, it becomes pertinent to examine their detection speed and the potential collaboration in signature sharing.

While typical organizations rely on Anti-Virus (AV) programs such as Microsoft Defender for their endpoints, some stand-alone networks and systems utilize other AV programs such as Clam AV, McAfee HBSS, and Symantec. Each of these programs comes with its own virus definitions and does not typically share them with other programs. Therefore, it is important to understand how quickly these programs identify potentially malicious files and which groups of providers appear to share signatures with one another. To assist our ongoing research, we developed and utilized a program called ThreatScraper to track individual anti-virus program detections over a user-specified period. This program serves as a front-end interface that submits suspicious files to www.virustotal.com and pulls reports, which are saved locally for further investigation.

ThreatScraper
ThreatScraper was developed in Python and uses version 3 of VirusTotal's API to submit files, pull reports, and rescan submitted files. The data pulled from VirusTotal's website is saved into an Excel document specified by the user, with each new report saved on a new line of the document. To help visualize the data, the number of detections over time is displayed on a line graph that appears after a report is pulled. Along with this is a pie chart showing the total number of positive detections, contrasted with the percentage of negative detections among the anti-virus programs hosted on VirusTotal. Finally, a table is displayed with the results of the most recent scan, containing the names, versions, and dates of each anti-virus program hosted on the website. This program was accepted at both the Black Hat and DEFCON 2023 conferences in Las Vegas for their tool presentation segments.
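The paragraph above describes the workflow without showing it. The following is an added example, not ThreatScraper's own code, of the same loop against the VirusTotal v3 API: upload a file (`POST /files`), pull its report (`GET /files/{id}`), queue a rescan (`POST /files/{id}/analyse`), and flatten each report into one tracking row holding the scan time, the positive and negative counts, and each engine's name, version, and definition date. The endpoint paths, the `x-apikey` header, and the `last_analysis_results` / `last_analysis_date` fields are VirusTotal's documented v3 interface; the `POSITIVE` and `NO_VERDICT` category sets, the CSV tracking file (used here instead of Excel so the example stays in the standard library), and `SAMPLE_REPORT` are this example's own assumptions and constructed data.

```python
import csv
import json
import urllib.request
from datetime import datetime, timezone
from pathlib import Path

VT_BASE = "https://www.virustotal.com/api/v3"

# Per-engine categories VirusTotal reports in last_analysis_results.
# This example counts "malicious" and "suspicious" as positive detections and
# leaves engines that produced no verdict out of the denominator (an assumption).
POSITIVE = {"malicious", "suspicious"}
NO_VERDICT = {"type-unsupported", "timeout", "confirmed-timeout", "failure"}


def _vt_request(api_key, method, path, data=None, headers=None):
    """Send one authenticated v3 request and decode the JSON body."""
    req = urllib.request.Request(VT_BASE + path, data=data, method=method)
    req.add_header("x-apikey", api_key)
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def upload_file(api_key, path):
    """POST /files: multipart upload of a sample for scanning."""
    boundary = "----example-boundary"
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{Path(path).name}"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n').encode()
    body = head + Path(path).read_bytes() + f"\r\n--{boundary}--\r\n".encode()
    return _vt_request(api_key, "POST", "/files", data=body,
                       headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})


def fetch_report(api_key, sha256):
    """GET /files/{id}: the file object, including per-engine last_analysis_results."""
    return _vt_request(api_key, "GET", f"/files/{sha256}")


def request_rescan(api_key, sha256):
    """POST /files/{id}/analyse: queue a rescan of an already-submitted file."""
    return _vt_request(api_key, "POST", f"/files/{sha256}/analyse")


def flatten_report(report):
    """Reduce one file object to the row a tracking sheet needs: scan time,
    positive/negative counts, and each engine's name, version and update date."""
    attrs = report["data"]["attributes"]
    engines = [
        {"engine": name,
         "version": res.get("engine_version"),
         "update": res.get("engine_update"),
         "category": res["category"],
         "result": res.get("result")}
        for name, res in sorted(attrs["last_analysis_results"].items())
    ]
    scored = [e for e in engines if e["category"] not in NO_VERDICT]
    positives = sum(1 for e in scored if e["category"] in POSITIVE)
    when = datetime.fromtimestamp(attrs["last_analysis_date"], tz=timezone.utc)
    return {"sha256": report["data"]["id"], "scanned_at": when.isoformat(),
            "positives": positives, "negatives": len(scored) - positives,
            "scored": len(scored), "engines": engines}


def append_snapshot(csv_path, row):
    """Append one flattened report as a new line of the tracking file."""
    fields = ["sha256", "scanned_at", "positives", "negatives", "scored"]
    new_file = not Path(csv_path).exists()
    with open(csv_path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        if new_file:
            writer.writeheader()
        writer.writerow({k: row[k] for k in fields})


def _engine(category, version, update, result=None):
    """Build one constructed per-engine entry in the shape VirusTotal returns."""
    return {"category": category, "engine_version": version,
            "engine_update": update, "result": result, "method": "blacklist"}


# Constructed stand-in for a GET /files/{id} response; not real VirusTotal data.
SAMPLE_REPORT = {"data": {"type": "file", "id": "0" * 64, "attributes": {
    "last_analysis_date": 1684108800,
    "last_analysis_results": {
        "EngineA": _engine("malicious", "1.0.3", "20230514", "Trojan.Generic"),
        "EngineB": _engine("undetected", "4.2", "20230514"),
        "EngineC": _engine("suspicious", "7.1", "20230513", "Heur.Obfuscated"),
        "EngineD": _engine("type-unsupported", "2.0", "20230514"),
    }}}}

if __name__ == "__main__":
    row = flatten_report(SAMPLE_REPORT)
    print(f"{row['positives']}/{row['scored']} positive at {row['scanned_at']}")
    # Live use needs an API key: append_snapshot("track.csv", flatten_report(fetch_report(KEY, sha256)))
```

Each pull appends one line, so the line graph in the text is simply `positives` plotted against `scanned_at` across the rows, and the per-engine list carries the version and definition date needed to tell a signature update apart from a heuristic hit.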

Preliminary Results
A sample set of 10 obfuscated viruses was submitted to VirusTotal to test the ThreatScraper program. Each of these viruses is the same trojan component of the Empire penetration testing platform, named "Sharpire," obfuscated with the ConfuserEX C# obfuscation tool so that each sample carries a distinct hash value. The 10 samples averaged 21 positive detections when first submitted on May 11 at 2013 hours and quickly rose to a maximum of 49 average positive detections at their height on May 16 at 0046 hours. All samples were consistently within 1 to 2 positive detections of each other, with the variation assumed to come from heuristic positives by a few AV providers. The largest increase in positive detections occurred on May 12 at 1250 hours, rising from 27 detections to 39 detections, with minor jumps in detections thereafter. Each new detection by an AV provider correlated with a fresh definition version update, which suggests that a signature for the files had been added to that provider's own capabilities.

The images above show evidence of the largest increase in positive detections, which occurred on May 12.
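The analysis in the preceding paragraph (averaging detections across the 10 samples, locating the largest jump between consecutive pulls, and checking whether each new detection coincided with a definition update) can be run over the per-engine rows described earlier. The following is an added example, not code from ThreatScraper or its authors; the snapshot layout, the `POSITIVE` set, and the two constructed series `SAMPLE_A` and `SAMPLE_B` (whose timestamps echo the page's timeline but whose verdicts are invented) are this example's own assumptions.

```python
# Engine categories treated as a positive detection (assumption, as in the page's counts).
POSITIVE = {"malicious", "suspicious"}


def _snap(when, verdicts):
    """Constructed snapshot: {engine: (category, version, update)} at one scan time."""
    return {"scanned_at": when,
            "engines": {n: {"category": c, "version": v, "update": u}
                        for n, (c, v, u) in verdicts.items()}}


def positives(snapshot):
    """Number of engines with a positive verdict in one snapshot."""
    return sum(1 for e in snapshot["engines"].values() if e["category"] in POSITIVE)


def largest_jump(series):
    """Consecutive pair of snapshots with the biggest rise in positives, as
    (from_time, to_time, before, after); None if there are fewer than two snapshots."""
    best = None
    for prev, cur in zip(series, series[1:]):
        cand = (prev["scanned_at"], cur["scanned_at"], positives(prev), positives(cur))
        if best is None or cand[3] - cand[2] > best[3] - best[2]:
            best = cand
    return best


def new_detections(prev, cur):
    """Engines that went from no detection to a positive verdict between two
    snapshots, and whether their version or definition date changed at the same
    time. A flip with unchanged definitions is the heuristic case the page mentions."""
    flips = []
    for name, e in cur["engines"].items():
        p = prev["engines"].get(name)
        if e["category"] in POSITIVE and (p is None or p["category"] not in POSITIVE):
            before = None if p is None else (p["version"], p["update"])
            after = (e["version"], e["update"])
            flips.append({"engine": name, "before": before, "after": after,
                          "definitions_updated": before != after})
    return sorted(flips, key=lambda f: f["engine"])


def average_positives(per_sample):
    """Average positive count at each time index across several samples' series
    (the page averages over 10 obfuscated copies of the same trojan)."""
    length = min(len(s) for s in per_sample)
    return [sum(positives(s[i]) for s in per_sample) / len(per_sample)
            for i in range(length)]


# Constructed series for two samples; times echo the page's timeline, verdicts are invented.
SAMPLE_A = [
    _snap("2023-05-11T20:13Z", {"EngineA": ("malicious", "1.0", "20230511"),
                                "EngineB": ("undetected", "4.2", "20230510"),
                                "EngineC": ("undetected", "7.1", "20230509")}),
    _snap("2023-05-12T12:50Z", {"EngineA": ("malicious", "1.0", "20230511"),
                                "EngineB": ("malicious", "4.2", "20230512"),
                                "EngineC": ("malicious", "7.1", "20230509")}),
    _snap("2023-05-13T12:50Z", {"EngineA": ("malicious", "1.0", "20230511"),
                                "EngineB": ("malicious", "4.2", "20230512"),
                                "EngineC": ("malicious", "7.1", "20230509")}),
]
SAMPLE_B = [
    SAMPLE_A[0],
    _snap("2023-05-12T12:50Z", {"EngineA": ("malicious", "1.0", "20230511"),
                                "EngineB": ("malicious", "4.2", "20230512"),
                                "EngineC": ("undetected", "7.1", "20230509")}),
    SAMPLE_A[2],
]

if __name__ == "__main__":
    print("largest jump:", largest_jump(SAMPLE_A))
    for flip in new_detections(SAMPLE_A[0], SAMPLE_A[1]):
        print(flip)
    print("average positives:", average_positives([SAMPLE_A, SAMPLE_B]))
```

In the constructed data, EngineB starts detecting the sample in the same pull in which its definition date moves from 20230510 to 20230512, the pattern the page reads as a signature being added, while EngineC flips with no version or date change, which is the heuristic explanation offered for the 1 to 2 detection spread between samples.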

 

Benefits of Our Research
The results of our research will aid the Air Force in determining which AV programs consistently detect malware reliably and as early as possible. ThreatScraper enables organizations to submit malicious files for analysis and track the progression of those files across all available AV platforms. This will allow an organization to become informed about the effectiveness of the AV platform used on its networks and help it explore its options in possibly moving to a more capable and responsive AV program that fulfills its cyber defense requirements.

A screenshot of ThreatScraper is shown above.

 


Air Force Institute of Technology
2950 Hobson Way
Wright-Patterson Air Force Base, OH 45433-7765
Commercial: 937-255-6565 | DSN: 785-6565