Skip to content

Instantly share code, notes, and snippets.

@emory
Created December 3, 2023 19:17
Show Gist options
  • Save emory/38ab874bf36589fc5a55650568592bca to your computer and use it in GitHub Desktop.
Save emory/38ab874bf36589fc5a55650568592bca to your computer and use it in GitHub Desktop.
using virustotal API via `vt` to analyze homebrew macOS binaries
# cached packages
homebrew for macOS caches in `~/Library/Caches/Homeberw` and i figure the pkcs11 tooling i use being compromised would be a huge problem for me and everyone else using it?
```
~/Library/Caches/Homebrew
% ls -la p11-kit*
lrwxr-xr-x 1 rlundb811 staff 118 Nov 20 11:23 p11-kit--0.25.3 -> downloads/1f29fbea9391e33f2bcc01c320d960dc11721363dd6fe42aafcef6dd194f2e05--p11-kit--0.25.3.arm64_sonoma.bottle.tar.gz
lrwxr-xr-x 1 rlundb811 staff 111 Oct 30 13:22 p11-kit_bottle_manifest--0.25.1 -> downloads/ad55f3d64397404e6a67b1f9518d6863ab14da4b812a227ba3cce37449c7c90c--p11-kit-0.25.1.bottle_manifest.json
lrwxr-xr-x 1 rlundb811 staff 111 Nov 20 11:23 p11-kit_bottle_manifest--0.25.3 -> downloads/cc547bf2f72da03680090015f5b720aff280ce33de9c33783a69c24fe97a4246--p11-kit-0.25.3.bottle_manifest.json
~/Library/Caches/Homebrew
% vt scan file p11-kit--0.25.3
p11-kit--0.25.3 OGUzOTBjZjdlYmFmOWQxNTJkNzUyZGE0ODg4YjU3MTI6MTcwMTYzMDU0OQ==
```
## analysis
after a few minutes i pull the analysis output:
```
~/Library/Caches/Homebrew
% vt analysis OGUzOTBjZjdlYmFmOWQxNTJkNzUyZGE0ODg4YjU3MTI6MTcwMTYzMDU0OQ==
- _id: "OGUzOTBjZjdlYmFmOWQxNTJkNzUyZGE0ODg4YjU3MTI6MTcwMTYzMDU0OQ=="
_type: "analysis"
date: 1701630549 # 2023-12-03 13:09:09 -0600 CST
results:
ALYac:
category: "undetected"
engine_name: "ALYac"
engine_update: "20231203"
engine_version: "1.1.3.1"
method: "blacklist"
result: null
APEX:
category: "type-unsupported"
engine_name: "APEX"
engine_update: "20231128"
engine_version: "6.478"
method: "blacklist"
result: null
AVG:
category: "undetected"
engine_name: "AVG"
engine_update: "20231203"
engine_version: "23.9.8494.0"
method: "blacklist"
result: null
Acronis:
category: "undetected"
engine_name: "Acronis"
engine_update: "20230828"
engine_version: "1.2.0.121"
method: "blacklist"
result: null
AhnLab-V3:
category: "undetected"
engine_name: "AhnLab-V3"
engine_update: "20231203"
engine_version: "3.24.0.10447"
method: "blacklist"
result: null
Alibaba:
category: "type-unsupported"
engine_name: "Alibaba"
engine_update: "20190527"
engine_version: "0.3.0.5"
method: "blacklist"
result: null
Antiy-AVL:
category: "undetected"
engine_name: "Antiy-AVL"
engine_update: "20231203"
engine_version: "3.0"
method: "blacklist"
result: null
Arcabit:
category: "undetected"
engine_name: "Arcabit"
engine_update: "20231203"
engine_version: "2022.0.0.18"
method: "blacklist"
result: null
Avast:
category: "undetected"
engine_name: "Avast"
engine_update: "20231203"
engine_version: "23.9.8494.0"
method: "blacklist"
result: null
Avast-Mobile:
category: "type-unsupported"
engine_name: "Avast-Mobile"
engine_update: "20231201"
engine_version: "231201-00"
method: "blacklist"
result: null
Avira:
category: "undetected"
engine_name: "Avira"
engine_update: "20231203"
engine_version: "8.3.3.16"
method: "blacklist"
result: null
Baidu:
category: "undetected"
engine_name: "Baidu"
engine_update: "20190318"
engine_version: "1.0.0.2"
method: "blacklist"
result: null
BitDefender:
category: "undetected"
engine_name: "BitDefender"
engine_update: "20231203"
engine_version: "7.2"
method: "blacklist"
result: null
BitDefenderFalx:
category: "type-unsupported"
engine_name: "BitDefenderFalx"
engine_update: "20231121"
engine_version: "2.0.936"
method: "blacklist"
result: null
BitDefenderTheta:
category: "undetected"
engine_name: "BitDefenderTheta"
engine_update: "20231127"
engine_version: "7.2.37796.0"
method: "blacklist"
result: null
Bkav:
category: "undetected"
engine_name: "Bkav"
engine_update: "20231203"
engine_version: "2.0.0.1"
method: "blacklist"
result: null
CAT-QuickHeal:
category: "undetected"
engine_name: "CAT-QuickHeal"
engine_update: "20231202"
engine_version: "22.00"
method: "blacklist"
result: null
CMC:
category: "undetected"
engine_name: "CMC"
engine_update: "20230822"
engine_version: "2.4.2022.1"
method: "blacklist"
result: null
ClamAV:
category: "undetected"
engine_name: "ClamAV"
engine_update: "20231203"
engine_version: "1.2.1.0"
method: "blacklist"
result: null
CrowdStrike:
category: "type-unsupported"
engine_name: "CrowdStrike"
engine_update: null
engine_version: "1.0"
method: "blacklist"
result: null
Cybereason:
category: "type-unsupported"
engine_name: "Cybereason"
engine_update: "20231102"
engine_version: "1.2.449"
method: "blacklist"
result: null
Cylance:
category: "type-unsupported"
engine_name: "Cylance"
engine_update: "20231108"
engine_version: "2.0.0.0"
method: "blacklist"
result: null
Cynet:
category: "undetected"
engine_name: "Cynet"
engine_update: "20231203"
engine_version: "4.0.0.28"
method: "blacklist"
result: null
DeepInstinct:
category: "type-unsupported"
engine_name: "DeepInstinct"
engine_update: "20231203"
engine_version: "3.1.0.15"
method: "blacklist"
result: null
DrWeb:
category: "undetected"
engine_name: "DrWeb"
engine_update: "20231203"
engine_version: "7.0.61.8090"
method: "blacklist"
result: null
ESET-NOD32:
category: "undetected"
engine_name: "ESET-NOD32"
engine_update: "20231203"
engine_version: "28341"
method: "blacklist"
result: null
Elastic:
category: "type-unsupported"
engine_name: "Elastic"
engine_update: "20231129"
engine_version: "4.0.119"
method: "blacklist"
result: null
Emsisoft:
category: "undetected"
engine_name: "Emsisoft"
engine_update: "20231203"
engine_version: "2022.6.0.32461"
method: "blacklist"
result: null
F-Secure:
category: "undetected"
engine_name: "F-Secure"
engine_update: "20231203"
engine_version: "18.10.1547.307"
method: "blacklist"
result: null
FireEye:
category: "undetected"
engine_name: "FireEye"
engine_update: "20231203"
engine_version: "35.24.1.0"
method: "blacklist"
result: null
Fortinet:
category: "undetected"
engine_name: "Fortinet"
engine_update: "20231203"
engine_version: "None"
method: "blacklist"
result: null
GData:
category: "undetected"
engine_name: "GData"
engine_update: "20231203"
engine_version: "A:25.36918B:27.34083"
method: "blacklist"
result: null
Google:
category: "undetected"
engine_name: "Google"
engine_update: "20231203"
engine_version: "1700731866"
method: "blacklist"
result: null
Gridinsoft:
category: "undetected"
engine_name: "Gridinsoft"
engine_update: "20231203"
engine_version: "1.0.150.174"
method: "blacklist"
result: null
Ikarus:
category: "undetected"
engine_name: "Ikarus"
engine_update: "20231203"
engine_version: "6.2.4.0"
method: "blacklist"
result: null
Jiangmin:
category: "undetected"
engine_name: "Jiangmin"
engine_update: "20231202"
engine_version: "16.0.100"
method: "blacklist"
result: null
K7AntiVirus:
category: "undetected"
engine_name: "K7AntiVirus"
engine_update: "20231203"
engine_version: "12.129.50380"
method: "blacklist"
result: null
K7GW:
category: "undetected"
engine_name: "K7GW"
engine_update: "20231203"
engine_version: "12.129.50380"
method: "blacklist"
result: null
Kaspersky:
category: "undetected"
engine_name: "Kaspersky"
engine_update: "20231203"
engine_version: "22.0.1.28"
method: "blacklist"
result: null
Kingsoft:
category: "undetected"
engine_name: "Kingsoft"
engine_update: "20230906"
engine_version: "None"
method: "blacklist"
result: null
Lionic:
category: "undetected"
engine_name: "Lionic"
engine_update: "20231203"
engine_version: "7.5"
method: "blacklist"
result: null
MAX:
category: "undetected"
engine_name: "MAX"
engine_update: "20231203"
engine_version: "2023.1.4.1"
method: "blacklist"
result: null
Malwarebytes:
category: "undetected"
engine_name: "Malwarebytes"
engine_update: "20231203"
engine_version: "4.5.5.54"
method: "blacklist"
result: null
MaxSecure:
category: "undetected"
engine_name: "MaxSecure"
engine_update: "20231202"
engine_version: "1.0.0.1"
method: "blacklist"
result: null
McAfee:
category: "undetected"
engine_name: "McAfee"
engine_update: "20231203"
engine_version: "6.0.6.653"
method: "blacklist"
result: null
MicroWorld-eScan:
category: "undetected"
engine_name: "MicroWorld-eScan"
engine_update: "20231203"
engine_version: "14.0.409.0"
method: "blacklist"
result: null
Microsoft:
category: "undetected"
engine_name: "Microsoft"
engine_update: "20231203"
engine_version: "1.1.23100.2009"
method: "blacklist"
result: null
NANO-Antivirus:
category: "undetected"
engine_name: "NANO-Antivirus"
engine_update: "20231203"
engine_version: "1.0.146.25796"
method: "blacklist"
result: null
Paloalto:
category: "type-unsupported"
engine_name: "Paloalto"
engine_update: "20231203"
engine_version: "0.9.0.1003"
method: "blacklist"
result: null
Panda:
category: "undetected"
engine_name: "Panda"
engine_update: "20231203"
engine_version: "4.6.4.2"
method: "blacklist"
result: null
Rising:
category: "undetected"
engine_name: "Rising"
engine_update: "20231203"
engine_version: "25.0.0.27"
method: "blacklist"
result: null
SUPERAntiSpyware:
category: "undetected"
engine_name: "SUPERAntiSpyware"
engine_update: "20231203"
engine_version: "5.6.0.1032"
method: "blacklist"
result: null
Sangfor:
category: "undetected"
engine_name: "Sangfor"
engine_update: "20231122"
engine_version: "2.23.0.0"
method: "blacklist"
result: null
SentinelOne:
category: "type-unsupported"
engine_name: "SentinelOne"
engine_update: "20231119"
engine_version: "23.4.2.3"
method: "blacklist"
result: null
Skyhigh:
category: "undetected"
engine_name: "Skyhigh"
engine_update: "20231203"
engine_version: "v2021.2.0+4045"
method: "blacklist"
result: null
Sophos:
category: "undetected"
engine_name: "Sophos"
engine_update: "20231203"
engine_version: "2.4.3.0"
method: "blacklist"
result: null
Symantec:
category: "undetected"
engine_name: "Symantec"
engine_update: "20231203"
engine_version: "1.21.0.0"
method: "blacklist"
result: null
SymantecMobileInsight:
category: "type-unsupported"
engine_name: "SymantecMobileInsight"
engine_update: "20230119"
engine_version: "2.0"
method: "blacklist"
result: null
TACHYON:
category: "undetected"
engine_name: "TACHYON"
engine_update: "20231203"
engine_version: "2023-12-03.02"
method: "blacklist"
result: null
Tencent:
category: "undetected"
engine_name: "Tencent"
engine_update: "20231203"
engine_version: "1.0.0.1"
method: "blacklist"
result: null
Trapmine:
category: "type-unsupported"
engine_name: "Trapmine"
engine_update: "20231106"
engine_version: "4.0.14.97"
method: "blacklist"
result: null
TrendMicro:
category: "undetected"
engine_name: "TrendMicro"
engine_update: "20231203"
engine_version: "11.0.0.1006"
method: "blacklist"
result: null
TrendMicro-HouseCall:
category: "undetected"
engine_name: "TrendMicro-HouseCall"
engine_update: "20231203"
engine_version: "10.0.0.1040"
method: "blacklist"
result: null
Trustlook:
category: "type-unsupported"
engine_name: "Trustlook"
engine_update: "20231203"
engine_version: "1.0"
method: "blacklist"
result: null
VBA32:
category: "undetected"
engine_name: "VBA32"
engine_update: "20231201"
engine_version: "5.0.0"
method: "blacklist"
result: null
VIPRE:
category: "undetected"
engine_name: "VIPRE"
engine_update: "20231203"
engine_version: "6.0.0.35"
method: "blacklist"
result: null
Varist:
category: "undetected"
engine_name: "Varist"
engine_update: "20231203"
engine_version: "6.5.1.2"
method: "blacklist"
result: null
ViRobot:
category: "undetected"
engine_name: "ViRobot"
engine_update: "20231203"
engine_version: "2014.3.20.0"
method: "blacklist"
result: null
VirIT:
category: "undetected"
engine_name: "VirIT"
engine_update: "20231201"
engine_version: "9.5.591"
method: "blacklist"
result: null
Webroot:
category: "type-unsupported"
engine_name: "Webroot"
engine_update: "20231203"
engine_version: "1.0.0.403"
method: "blacklist"
result: null
Xcitium:
category: "undetected"
engine_name: "Xcitium"
engine_update: "20231203"
engine_version: "36228"
method: "blacklist"
result: null
Yandex:
category: "undetected"
engine_name: "Yandex"
engine_update: "20231203"
engine_version: "5.5.2.24"
method: "blacklist"
result: null
Zillya:
category: "undetected"
engine_name: "Zillya"
engine_update: "20231201"
engine_version: "2.0.0.5006"
method: "blacklist"
result: null
ZoneAlarm:
category: "undetected"
engine_name: "ZoneAlarm"
engine_update: "20231203"
engine_version: "1.0"
method: "blacklist"
result: null
Zoner:
category: "undetected"
engine_name: "Zoner"
engine_update: "20231203"
engine_version: "2.2.2.0"
method: "blacklist"
result: null
tehtris:
category: "type-unsupported"
engine_name: "tehtris"
engine_update: "20231203"
engine_version: null
method: "blacklist"
result: null
stats:
confirmed-timeout: 0
failure: 0
harmless: 0
malicious: 0
suspicious: 0
timeout: 0
type-unsupported: 16
undetected: 60
status: "completed"
~/Library/Caches/Homebrew
```
tada
so if you ran incoming packages through a pipeline to `vt scan file <path>` and were also pulling results in a timely fashion and alerting on possible malicious packages you would be pretty close a product you could sell people or end up geting case and desisted from google for blowing up the vt API 😂
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment