Automated Malware Detection and Response with VirusTotal API Integration [DL Series-4]

What is VirusTotal?

VirusTotal is an online tool that scans files and URLs for viruses, worms, trojans, and other types of malware using multiple antivirus engines and website scanners to identify threats. It allows users to submit file hashes for analysis and report viewing, and provides APIs for seamless integration with other tools and workflows.

VirusTotal offers both free (Public API) and paid (Private API) services. The free version comes with restrictions like 500 requests per day and a limit of 4 requests per minute, which is sufficient for our Detection Lab. The paid version (Private API) provides higher request limits, priority access, and additional features suitable for enterprise use.

Detecting and Removing Malware Using VirusTotal Integration

Overview

Wazuh uses the integrator module to connect to external APIs and alerting tools such as VirusTotal. This integration allows the Wazuh File Integrity Monitoring (FIM) module to monitor a directory for changes and the VirusTotal API to scan the files in the directory. Once VirusTotal flags a file as malicious, Wazuh triggers an active response script to remove it.

How it works

File Monitoring by Wazuh FIM

Wazuh FIM (File Integrity Monitoring) is configured to monitor specific directories for changes, such as a file being added, modified, or deleted, and records the file’s hash with each event.

Change Detection and Alert Trigger

When Wazuh detects that a file has been added or modified, it triggers an alert that includes the file hash.

Sending the File Hash to VirusTotal

After the alert is triggered, Wazuh sends the file hash to VirusTotal via an HTTP POST request, asking VirusTotal to check its database for the file using the provided hash.

VirusTotal Database Check

VirusTotal then checks its database and analyzes the hash to see if it has any previous information on this file (whether it’s been analyzed by any antivirus engines).

VirusTotal responds with a JSON response containing the reputation of the file:

  • Whether the file is clean.
  • Whether it has been flagged as malicious by any antivirus engines.

Wazuh Processes the VirusTotal Response

Wazuh processes the response from VirusTotal and triggers a corresponding alert. These alerts could be:

  • No records found (i.e., VirusTotal has never seen the file before).
  • No positives found (the file is clean).
  • X engines flagged the file (i.e., the file is flagged as malicious by X number of antivirus engines).

Active Response — Delete Malicious Files

  • If the file is flagged as malicious by VirusTotal (e.g., X engines flagged it as malicious), Wazuh can take immediate action through its Active Response feature.
  • Wazuh calls the remove-threat.sh script, which is configured to delete the malicious file from the system before it can execute or cause harm.
  • This prevents the file from running or spreading any further on the system, acting as a proactive defense measure.
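The lookup and response handling described above, as an added example that is not Wazuh's own integrator code: it takes the hash from a constructed FIM alert, classifies a VirusTotal reply into the three outcomes the text lists, and decides whether the remove-threat response may fire. The sha1_after field name, the v3/v2 response shapes and the alert wording are assumptions.

```python
"""Added example (not Wazuh's integrator code): the three outcomes Wazuh
derives from a VirusTotal file report for a hash taken from a FIM alert."""
import json

# Constructed FIM alert in the shape of a Wazuh syscheck event; the hash
# value is a placeholder, not a real file hash.
FIM_ALERT = {
    "rule": {"id": "100201", "description": "File added to /root directory."},
    "syscheck": {"path": "/root/eicar.com", "event": "added",
                 "sha1_after": "0" * 40},   # constructed placeholder
}


def hash_from_fim_alert(alert: dict) -> str:
    """Pick the hash sent to VirusTotal (sha1_after is an assumed field name)."""
    return alert["syscheck"]["sha1_after"]


def classify_vt_report(http_status: int, body: dict) -> tuple:
    """Map a VirusTotal reply to (outcome, positives, total).

    Handles both shapes (assumed): API v3 GET /files/{hash}, where an
    unknown hash is an HTTP 404 and verdicts sit in
    data.attributes.last_analysis_stats, and the older v2 POST file/report,
    where response_code 0 means unknown and positives/total are top-level.
    Only the 'malicious' counter is treated as a positive."""
    if http_status == 404:                       # v3: hash never seen
        return ("no_records", 0, 0)
    if "data" in body:                           # v3 shape
        stats = body["data"]["attributes"]["last_analysis_stats"]
        positives = int(stats.get("malicious", 0))
        total = sum(int(v) for v in stats.values())
    else:                                        # v2 shape
        if body.get("response_code", 0) == 0:
            return ("no_records", 0, 0)
        positives = int(body.get("positives", 0))
        total = int(body.get("total", 0))
    return ("no_positives" if positives == 0 else "flagged", positives, total)


def build_alert(path: str, report: tuple) -> dict:
    """Turn the classification into the alert Wazuh would raise; only a
    'flagged' result may trigger the remove-threat active response."""
    outcome, positives, total = report
    text = {"no_records": "No records in VirusTotal database",
            "no_positives": "No positives found",
            "flagged": f"{path} - {positives} engines detected this file"}[outcome]
    return {"description": f"VirusTotal: Alert - {text}", "positives": positives,
            "total": total, "trigger_active_response": outcome == "flagged"}
```

Feeding a constructed v3 reply with 60 malicious verdicts for /root/eicar.com yields a "flagged" alert with trigger_active_response set, which is the case rule 87105 and the active response block later in the article act on.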

Steps for Integration

Step I: Create a VirusTotal Account

  1. Go to VirusTotal and sign up for an account.
  2. Retrieve your API key from your account dashboard.

Step II: Configure Wazuh FIM on Ubuntu Endpoint

1. Open the Wazuh configuration file.

vi /var/ossec/etc/ossec.conf

2. Locate the <syscheck> block and ensure <disabled> is set to no. Add the following line to monitor the /root directory in real time:

<directories realtime="yes">/root</directories>

3. Install jq for processing the JSON input the script receives:

sudo apt update
sudo apt -y install jq

4. Save the following script as /var/ossec/active-response/bin/remove-threat.sh to remove malicious files:

#!/bin/bash
# Active response handler: execd passes the triggering alert as one JSON
# line on stdin; the handler deletes the file VirusTotal flagged and logs
# the result to /var/ossec/logs/active-responses.log.

LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../

# Absolute path of /var/ossec/active-response (named AR_DIR instead of
# overwriting the shell's own PWD variable)
AR_DIR=$(pwd)

read -r INPUT_JSON
FILENAME=$(echo "$INPUT_JSON" | jq -r .parameters.alert.data.virustotal.source.file)
COMMAND=$(echo "$INPUT_JSON" | jq -r .command)
LOG_FILE="${AR_DIR}/../logs/active-responses.log"

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
 # Send control message to execd and wait for its continue/abort decision
 printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

 read -r RESPONSE
 COMMAND2=$(echo "$RESPONSE" | jq -r .command)
 if [ "${COMMAND2}" != "continue" ]
 then
  echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Remove threat active response aborted" >> "${LOG_FILE}"
  exit 0
 fi
fi

# Do nothing when the alert carries no usable file path (jq prints "null"
# for a missing field, which must not be passed to rm)
if [ -z "${FILENAME}" ] || [ "${FILENAME}" = "null" ]
then
 echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON No file path in alert, nothing removed" >> "${LOG_FILE}"
 exit 0
fi

# Removing file; the two log messages below are matched by rules 100092/100093
if rm -f "${FILENAME}"
then
 echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Successfully removed threat" >> "${LOG_FILE}"
else
 echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Error removing threat" >> "${LOG_FILE}"
fi

exit 0

5. Set permissions for the script:

sudo chmod 750 /var/ossec/active-response/bin/remove-threat.sh
sudo chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh

6. Restart the Wazuh agent:

sudo systemctl restart wazuh-agent

Step III: Configuration for Wazuh Server

  1. Add the following custom rules to /var/ossec/etc/rules/local_rules.xml to alert on file addition/modification in the /root directory:

<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
    <rule id="100200" level="7">
        <if_sid>550</if_sid>
        <field name="file">/root</field>
        <description>File modified in /root directory.</description>
    </rule>
    <rule id="100201" level="7">
        <if_sid>554</if_sid>
        <field name="file">/root</field>
        <description>File added to /root directory.</description>
    </rule>
</group>

2. Open the Wazuh configuration file.

vi /var/ossec/etc/ossec.conf

3. Add the following configuration:

VirusTotal integration (replace the placeholder with your own API key; the placeholder must not be wrapped in angle brackets or the XML will not parse):

    <integration>
        <name>virustotal</name>
        <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key>
        <rule_id>100200,100201</rule_id>
        <alert_format>json</alert_format>
    </integration>

Enable Active Response (rule 87105 is the built-in VirusTotal rule that fires when engines detect the file):

<ossec_config>
    <command>
        <name>remove-threat</name>
        <executable>remove-threat.sh</executable>
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <disabled>no</disabled>
        <command>remove-threat</command>
        <location>local</location>
        <rules_id>87105</rules_id>
    </active-response>
</ossec_config>

4. Add the following custom active response rules to /var/ossec/etc/rules/local_rules.xml (they match the log messages written by remove-threat.sh):

<group name="virustotal,">
    <rule id="100092" level="12">
        <if_sid>657</if_sid>
        <match>Successfully removed threat</match>
        <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
    </rule>

    <rule id="100093" level="12">
        <if_sid>657</if_sid>
        <match>Error removing threat</match>
        <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
    </rule>
</group>

5. Restart the Wazuh manager:

sudo systemctl restart wazuh-manager

Test the Setup — Attack Emulation

1. Download an EICAR test file to the /root directory on the Ubuntu endpoint:

sudo curl -Lo /root/eicar.com https://secure.eicar.org/eicar.com && sudo ls -lah /root/eicar.com

2. Go to the Wazuh dashboard and type “eicar.com” in the search field. You should see results similar to the following example.

By following these steps, you can successfully integrate VirusTotal with Wazuh, improving your ability to detect and respond to potential malware threats.

Acknowledgments

I would like to express my sincere gratitude to Santiago Bassett & Wazuh community for their continuous support and valuable contributions. Their knowledge and resources have been immensely helpful in shaping this article.

A special thanks to Taylor Walton from SOCFortress for the exceptional and well-explained videos on YouTube. His tutorials have provided invaluable insights that greatly enhanced my understanding of Wazuh and its integration with other tools.

Upcoming

In our next article, we will take a deep dive into integrating Sysmon on a Linux machine, where we’ll walk through creating custom decoder and custom rules to trigger sysmon alerts.

Check out the next article here: SysmonForLinux: Custom Decoders and Rules [DL Series-5]

Feel free to ask questions or share your feedback in the comments section — I’d love to hear from you! You can also connect with me on Gibin John to clarify any doubts or continue the conversation.

Follow my Medium profile to stay updated on the full series: Gibin John.

#wazuh #WazuhSecurity #CyberDetectionLab #WazuhSIEM #ThreatHunting #CybersecurityLab #Wazuh #SecurityMonitoring #SIEM #IncidentResponse #ThreatDetection #SecurityOps #WazuhDetection #SOCLab #CyberThreatIntel #WazuhAlerting #LogAnalysis #CyberDefense #MalwareDetection #Sysmon #SOCAnalysis

Jayakrishnan K R

SOC Analyst | Wazuh | ELK | Cyber security enthusiast | Threat Detection and Response | BTech ME

1 month

Very informative