Wednesday, October 8, 2014

Accessing VirusTotal API from R

When I read this post, Geolocate IP addresses in R, I remembered that when I was playing with the httr package I wrote some API calls to VirusTotal.

With these R functions you can access the VirusTotal Public API v2.0 (you need a public API key) and send files to scan with the function VTfile_scan.

Furthermore, there are other functions that return a data.frame with reports for URLs, IPs, domains and file hashes.

Sending and scanning URLs

head(VTurl_report("http://www.google.com",key))
##                                                                                                                          permalink
## CLEAN MX      https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1412794945/
## MalwarePatrol https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1412794945/
## ZDB Zeus      https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1412794945/
## Tencent       https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1412794945/
## AutoShun      https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1412794945/
## ZCloudsec     https://www.virustotal.com/url/dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf/analysis/1412794945/
##                            resource                    url response_code
## CLEAN MX      http://www.google.com http://www.google.com/             1
## MalwarePatrol http://www.google.com http://www.google.com/             1
## ZDB Zeus      http://www.google.com http://www.google.com/             1
## Tencent       http://www.google.com http://www.google.com/             1
## AutoShun      http://www.google.com http://www.google.com/             1
## ZCloudsec     http://www.google.com http://www.google.com/             1
##                         scan_date
## CLEAN MX      2014-10-08 19:02:25
## MalwarePatrol 2014-10-08 19:02:25
## ZDB Zeus      2014-10-08 19:02:25
## Tencent       2014-10-08 19:02:25
## AutoShun      2014-10-08 19:02:25
## ZCloudsec     2014-10-08 19:02:25
##                                                                                   scan_id
## CLEAN MX      dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1412794945
## MalwarePatrol dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1412794945
## ZDB Zeus      dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1412794945
## Tencent       dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1412794945
## AutoShun      dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1412794945
## ZCloudsec     dd014af5ed6b38d9130e3f466f850e46d21b951199d53a18ef29ee9341614eaf-1412794945
##                                                           verbose_msg
## CLEAN MX      Scan finished, scan information embedded in this object
## MalwarePatrol Scan finished, scan information embedded in this object
## ZDB Zeus      Scan finished, scan information embedded in this object
## Tencent       Scan finished, scan information embedded in this object
## AutoShun      Scan finished, scan information embedded in this object
## ZCloudsec     Scan finished, scan information embedded in this object
##               positives total               scans
## CLEAN MX              1    59   FALSE, clean site
## MalwarePatrol         1    59   FALSE, clean site
## ZDB Zeus              1    59   FALSE, clean site
## Tencent               1    59   FALSE, clean site
## AutoShun              1    59 FALSE, unrated site
## ZCloudsec             1    59   FALSE, clean site

Retrieving IP Reports

head(VTip_report("90.156.201.27",key))
##                        as_owner   asn country response_code
## 1 .masterhost autonomous system 25532      RU             1
## 2 .masterhost autonomous system 25532      RU             1
## 3 .masterhost autonomous system 25532      RU             1
## 4 .masterhost autonomous system 25532      RU             1
## 5 .masterhost autonomous system 25532      RU             1
## 6 .masterhost autonomous system 25532      RU             1
##                                         detected_urls
## 1 http://shop.albione.ru/, 2, 52, 2014-04-06 11:18:17
## 2    http://www.orlov.ru/, 3, 52, 2014-03-05 09:13:31
## 3 http://shop.albione.ru/, 2, 52, 2014-04-06 11:18:17
## 4    http://www.orlov.ru/, 3, 52, 2014-03-05 09:13:31
## 5 http://shop.albione.ru/, 2, 52, 2014-04-06 11:18:17
## 6    http://www.orlov.ru/, 3, 52, 2014-03-05 09:13:31
##                           resolutions                 verbose_msg
## 1                              027.ru IP address found in dataset
## 2        2014-03-11 00:00:00, a-bg.ru IP address found in dataset
## 3   2013-10-30 00:00:00, academyun.ru IP address found in dataset
## 4     2014-09-15 00:00:00, albione.ru IP address found in dataset
## 5  2014-07-09 00:00:00, arielmetal.ru IP address found in dataset
## 6 2014-03-11 00:00:00, arsceramics.ru IP address found in dataset

Retrieving Domain Reports

head(VTdomain_report("027.ru",key))
##                                                                                                                                                                                                                                                                                                                                                                                     whois
## 1 domain:        027.RU\nnserver:       ns1.masterhost.ru.\nnserver:       ns2.masterhost.ru.\nnserver:       ns.masterhost.ru.\nstate:         REGISTERED, DELEGATED, VERIFIED\nperson:        Private Person\nregistrar:     RU-CENTER-RU\nadmin-contact: https://www.nic.ru/whois\ncreated:       2005.12.09\npaid-till:     2014.12.09\nfree-date:     2015.01.09\nsource:        TCI
## 2 domain:        027.RU\nnserver:       ns1.masterhost.ru.\nnserver:       ns2.masterhost.ru.\nnserver:       ns.masterhost.ru.\nstate:         REGISTERED, DELEGATED, VERIFIED\nperson:        Private Person\nregistrar:     RU-CENTER-RU\nadmin-contact: https://www.nic.ru/whois\ncreated:       2005.12.09\npaid-till:     2014.12.09\nfree-date:     2015.01.09\nsource:        TCI
## 3 domain:        027.RU\nnserver:       ns1.masterhost.ru.\nnserver:       ns2.masterhost.ru.\nnserver:       ns.masterhost.ru.\nstate:         REGISTERED, DELEGATED, VERIFIED\nperson:        Private Person\nregistrar:     RU-CENTER-RU\nadmin-contact: https://www.nic.ru/whois\ncreated:       2005.12.09\npaid-till:     2014.12.09\nfree-date:     2015.01.09\nsource:        TCI
## 4 domain:        027.RU\nnserver:       ns1.masterhost.ru.\nnserver:       ns2.masterhost.ru.\nnserver:       ns.masterhost.ru.\nstate:         REGISTERED, DELEGATED, VERIFIED\nperson:        Private Person\nregistrar:     RU-CENTER-RU\nadmin-contact: https://www.nic.ru/whois\ncreated:       2005.12.09\npaid-till:     2014.12.09\nfree-date:     2015.01.09\nsource:        TCI
## 5 domain:        027.RU\nnserver:       ns1.masterhost.ru.\nnserver:       ns2.masterhost.ru.\nnserver:       ns.masterhost.ru.\nstate:         REGISTERED, DELEGATED, VERIFIED\nperson:        Private Person\nregistrar:     RU-CENTER-RU\nadmin-contact: https://www.nic.ru/whois\ncreated:       2005.12.09\npaid-till:     2014.12.09\nfree-date:     2015.01.09\nsource:        TCI
##   whois_timestamp
## 1       1.412e+09
## 2       1.412e+09
## 3       1.412e+09
## 4       1.412e+09
## 5       1.412e+09
##                                                                    detected_downloaded_samples
## 1 2013-06-20 18:51:30, 2, 46, cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54
## 2 2013-06-20 18:51:30, 2, 46, cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54
## 3 2013-06-20 18:51:30, 2, 46, cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54
## 4 2013-06-20 18:51:30, 2, 46, cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54
## 5 2013-06-20 18:51:30, 2, 46, cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54
##   response_code                              detected_urls
## 1             1 http://027.ru/, 4, 38, 2013-06-20 18:51:14
## 2             1 http://027.ru/, 4, 38, 2013-06-20 18:51:14
## 3             1 http://027.ru/, 4, 38, 2013-06-20 18:51:14
## 4             1 http://027.ru/, 4, 38, 2013-06-20 18:51:14
## 5             1 http://027.ru/, 4, 38, 2013-06-20 18:51:14
##                          resolutions             verbose_msg
## 1 2013-05-03 00:00:00, 90.156.201.11 Domain found in dataset
## 2 2013-05-07 00:00:00, 90.156.201.14 Domain found in dataset
## 3                      90.156.201.27 Domain found in dataset
## 4 2013-05-01 00:00:00, 90.156.201.71 Domain found in dataset
## 5 2013-06-20 00:00:00, 90.156.201.97 Domain found in dataset

Retrieving File Scan Reports

head(VTfile_report("99017f6eebbac24f351415dd410d522d",key))
##                                                                      scans
## Bkav                                           FALSE, 1.3.0.4959, 20141008
## MicroWorld-eScan  TRUE, 12.0.250.0, Generic.Malware.V!w.7232B058, 20141008
## nProtect         TRUE, 2014-10-08.01, Trojan/W32.Small.28672.BJA, 20141008
## CMC                           TRUE, 1.1.0.977, Trojan.Win32.VB!O, 20141008
## CAT-QuickHeal                                       FALSE, 14.00, 20141008
## McAfee                     TRUE, 6.0.5.614, Artemis!99017F6EEBBA, 20141008
##                                                                                      scan_id
## Bkav             52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1412790588
## MicroWorld-eScan 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1412790588
## nProtect         52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1412790588
## CMC              52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1412790588
## CAT-QuickHeal    52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1412790588
## McAfee           52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1412790588
##                                                      sha1
## Bkav             4d1740485713a2ab3a4f5822a01f645fe8387f92
## MicroWorld-eScan 4d1740485713a2ab3a4f5822a01f645fe8387f92
## nProtect         4d1740485713a2ab3a4f5822a01f645fe8387f92
## CMC              4d1740485713a2ab3a4f5822a01f645fe8387f92
## CAT-QuickHeal    4d1740485713a2ab3a4f5822a01f645fe8387f92
## McAfee           4d1740485713a2ab3a4f5822a01f645fe8387f92
##                                          resource response_code
## Bkav             99017f6eebbac24f351415dd410d522d             1
## MicroWorld-eScan 99017f6eebbac24f351415dd410d522d             1
## nProtect         99017f6eebbac24f351415dd410d522d             1
## CMC              99017f6eebbac24f351415dd410d522d             1
## CAT-QuickHeal    99017f6eebbac24f351415dd410d522d             1
## McAfee           99017f6eebbac24f351415dd410d522d             1
##                            scan_date
## Bkav             2014-10-08 17:49:48
## MicroWorld-eScan 2014-10-08 17:49:48
## nProtect         2014-10-08 17:49:48
## CMC              2014-10-08 17:49:48
## CAT-QuickHeal    2014-10-08 17:49:48
## McAfee           2014-10-08 17:49:48
##                                                                                                                              permalink
## Bkav             https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1412790588/
## MicroWorld-eScan https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1412790588/
## nProtect         https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1412790588/
## CMC              https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1412790588/
## CAT-QuickHeal    https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1412790588/
## McAfee           https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1412790588/
##                                          verbose_msg total positives
## Bkav             Scan finished, information embedded    55        48
## MicroWorld-eScan Scan finished, information embedded    55        48
## nProtect         Scan finished, information embedded    55        48
## CMC              Scan finished, information embedded    55        48
## CAT-QuickHeal    Scan finished, information embedded    55        48
## McAfee           Scan finished, information embedded    55        48
##                                                                            sha256
## Bkav             52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
## MicroWorld-eScan 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
## nProtect         52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
## CMC              52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
## CAT-QuickHeal    52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
## McAfee           52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c
##                                               md5
## Bkav             99017f6eebbac24f351415dd410d522d
## MicroWorld-eScan 99017f6eebbac24f351415dd410d522d
## nProtect         99017f6eebbac24f351415dd410d522d
## CMC              99017f6eebbac24f351415dd410d522d
## CAT-QuickHeal    99017f6eebbac24f351415dd410d522d
## McAfee           99017f6eebbac24f351415dd410d522d
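
As an added example (not the code from the author's repository), this sketch shows one way to fetch a v2 file report with httr and flatten it to one row per engine, handling the "no report" response codes and the public-API quota reply. The function names, the `VT_API_KEY` environment variable and the sample JSON are assumptions constructed for illustration.

```r
library(httr)      # HTTP client used in the post
library(jsonlite)  # JSON parsing

# Hypothetical helper (not the author's VTfile_report): fetch the raw JSON report.
vt_get_file_report <- function(resource, key) {
  resp <- GET("https://www.virustotal.com/vtapi/v2/file/report",
              query = list(apikey = key, resource = resource))
  # Public API: HTTP 204 with an empty body means the request quota is exhausted.
  if (status_code(resp) == 204) stop("VirusTotal quota exceeded, retry later")
  stop_for_status(resp)
  content(resp, as = "text", encoding = "UTF-8")
}

# Hypothetical parser: one row per engine, or NULL when no finished report exists.
vt_parse_file_report <- function(json_text) {
  report <- fromJSON(json_text, simplifyVector = FALSE)
  if (report$response_code != 1) {   # 0 = unknown resource, -2 = still queued
    message("No report: ", report$verbose_msg)
    return(NULL)
  }
  data.frame(
    engine    = names(report$scans),
    detected  = vapply(report$scans, function(s) isTRUE(s$detected), logical(1)),
    result    = vapply(report$scans, function(s)
      if (is.null(s$result)) NA_character_ else s$result, character(1)),
    positives = report$positives,
    total     = report$total,
    row.names = NULL, stringsAsFactors = FALSE)
}

# Constructed sample response (not real VirusTotal data), so this runs offline.
sample_json <- '{"response_code": 1, "verbose_msg": "Scan finished",
  "resource": "00000000000000000000000000000000", "positives": 2, "total": 3,
  "scans": {
    "EngineA": {"detected": true,  "version": "1.0", "result": "Trojan.Example",  "update": "20141008"},
    "EngineB": {"detected": false, "version": "2.0", "result": null,              "update": "20141008"},
    "EngineC": {"detected": true,  "version": "3.0", "result": "Generic.Example", "update": "20141008"}}}'

df <- vt_parse_file_report(sample_json)
print(df[df$detected, c("engine", "result")])    # engines that flagged the sample
stopifnot(sum(df$detected) == df$positives[1])   # per-engine rows agree with the summary

# A resource VirusTotal has never seen yields NULL instead of a malformed data.frame.
stopifnot(is.null(vt_parse_file_report('{"response_code": 0, "verbose_msg": "not found"}')))

# Live use (assumes the key is stored in the VT_API_KEY environment variable):
# vt_parse_file_report(vt_get_file_report("<md5-or-sha256>", Sys.getenv("VT_API_KEY")))
```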

You can find the code in my GitHub repository.