VirusTotal now analyses network traffic
The popular VirusTotal service, which can run more than 20 anti-virus scanners over a sample in one pass, can now also look for signs of malware infections in captured network traffic. To perform a check, users upload network packets that are captured in the common PCAP format instead of sending VirusTotal the more traditional suspicious EXE, PDF or HTML file.
Such network traffic dumps can be created with sniffers like Wireshark or tcpdump. VirusTotal will extract all transmitted files and present them to the familiar virus scanners; registered users will also receive copies of the extracted files. The scan service also looks at the network traffic data with the Snort and Suricata intrusion detection systems. These services can, for instance, detect the communication between a botnet client and its command & control server, as well as other typical attack patterns.
However, this type of analysis will produce numerous "Potentially Bad Traffic" messages and users will need to decide for themselves whether they are dealing with a false alarm. Another interesting aspect is the extra information that is generated during analysis, which can provide insights into the activities within a network. For example, VirusTotal lists all found DNS queries and web page (HTTP) requests.
The analysis that VirusTotal performs can, in theory, also be performed by manually running each scanner one by one. On the whole, the new analysis feature is not aimed at non-professional users – who will likely not make much of messages such as "NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)" – but for administrators and security specialists, it provides a very quick way of extracting useful information.