A Deep Dive into VirusTotal: Characterizing and Clustering a Massive File Feed

TL;DR

This paper analyzes 328 million VirusTotal reports to characterize the file feed, compare it with other telemetry, and develop scalable clustering methods for threat hunting, revealing insights into malware diversity and detection.

Contribution

It provides an in-depth analysis of VirusTotal's file feed and introduces scalable clustering approaches for large-scale threat hunting.

Findings

HAC-T and FVG produce high precision clusters

FVG scales to 235 million samples in 15 hours

Clusters help identify potentially malicious samples labeled as benign

Abstract

Online scanners analyze user-submitted files with a large number of security tools and provide access to the analysis results. As the most popular online scanner, VirusTotal (VT) is often used for determining if samples are malicious, labeling samples with their family, hunting for new threats, and collecting malware samples. We analyze 328M VT reports for 235M samples collected for one year through the VT file feed. We use the reports to characterize the VT file feed in depth and compare it with the telemetry of a large security vendor. We answer questions such as How diverse is the feed? Does it allow building malware datasets for different filetypes? How fresh are the samples it provides? What is the distribution of malware families it sees? Does that distribution really represent malware on user devices? We then explore how to perform threat hunting at scale by investigating scalable approaches that can produce high purity clusters on the 235M feed samples. We investigate three clustering approaches: hierarchical agglomerative clustering (HAC), a more scalable HAC variant for TLSH digests (HAC-T), and a simple feature value grouping (FVG). Our results show that HAC-T and FVG using selected features produce high precision clusters on ground truth datasets. However, only FVG scales to the daily influx of samples in the feed. Moreover, FVG takes 15 hours to cluster the whole dataset of 235M samples. Finally, we use the produced clusters for threat hunting, namely for detecting 190K samples thought to be benign (i.e., with zero detections) that may really be malicious because they belong to 29K clusters where most samples are detected as malicious.