Deepviz Endpoint Client

This week is a very exciting week for us at Deepviz. We have been hard at work developing our Endpoint Client that runs on top of our analysis engine. We have been looking at various ways how we can allow everyone out there to benefit from our powerful analysis capabilities and have been looking at the best ways of doing that.

We have come to the realization that in order for enterprises to use our technology effectively we need to provide them with an optimal way of consuming it. Not everyone has sophisticated tapping infrastructure deployed and the ability to extract thousands of binaries out of a TCP stream in realtime to pump into an analysis tool.

Secondly, looking at the wider market and the way the threat landscape is evolving, we feel that it is essential to provide next generation capabilities to a wide audience and make it accessible to use at a price point that doesn’t leave you with an eye watering bill to deploy network appliances at all your egress points.

So, we sat down, thought long and hard about how we best leverage our technology to provide a cost effective way to solve this problem.

Enter the Deepviz Endpoint Client.

The agent is designed to be installed on Windows 7, 8 and 8.1 (x86 and x64; Windows 10 x86/x64 support will be added very soon) and will do the following:

  1. Do an initial inventory scan of the host and verify all running processes and loaded modules with our cloud service. Any malicious items will be flagged in the console.
  2. Once the initial scan is complete, we will monitor the filesystem for any changes. If we detect a new file written to disk, we will verify that object against our database. If we have a determination for that object, we will either allow it to run or block the execution.
  3. If the object is unknown to us, we will detonate it in our cloud-based sandbox and, based on the results, it will be logged in the console as clean or malicious.
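The three steps above amount to a small decision loop: hash what is on disk, look the hash up, and either allow, block or queue the object for detonation. The following is an added example written for this page, not Deepviz's client code; the cloud lookup is replaced by a constructed in-memory verdict table (an assumed shape, not the Deepviz API), and the file contents are made up.

```python
import hashlib
import os
import tempfile


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the cloud verdict service: SHA-256 -> verdict.
# Assumed shape for illustration only; it is not the Deepviz API.
KNOWN_GOOD = b"constructed-content-of-a-known-clean-binary"
KNOWN_BAD = b"constructed-content-of-a-known-malicious-binary"
CLOUD_VERDICTS = {_digest(KNOWN_GOOD): "clean", _digest(KNOWN_BAD): "malicious"}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Inventory every file under root as {relative_path: sha256} (step 1)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def decide(digest: str, verdicts: dict) -> str:
    """Map a verdict to the client action: allow, block, or detonate when unknown (steps 2-3)."""
    verdict = verdicts.get(digest)
    if verdict == "clean":
        return "allow"
    if verdict == "malicious":
        return "block"
    return "detonate"


def changed_objects(before: dict, after: dict) -> dict:
    """Files that are new, or whose content changed, since the previous snapshot."""
    return {path: digest for path, digest in after.items() if before.get(path) != digest}


def evaluate(objects: dict, verdicts: dict) -> dict:
    return {path: decide(digest, verdicts) for path, digest in objects.items()}


def run_scenario() -> dict:
    """Constructed end-to-end run: initial inventory, then an unknown file appears."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "good.exe"), "wb") as f:
            f.write(KNOWN_GOOD)
        with open(os.path.join(root, "bad.exe"), "wb") as f:
            f.write(KNOWN_BAD)
        baseline = snapshot(root)
        initial = evaluate(baseline, CLOUD_VERDICTS)
        # A never-seen file is written after the inventory scan.
        with open(os.path.join(root, "new.exe"), "wb") as f:
            f.write(b"constructed-content-never-seen-before")
        current = snapshot(root)
        delta = evaluate(changed_objects(baseline, current), CLOUD_VERDICTS)
        return {"initial": initial, "delta": delta}


if __name__ == "__main__":
    print(run_scenario())
```

Only objects whose hash changed since the last snapshot are re-evaluated, which is what keeps the post-inventory monitoring cheap; an unknown hash is never allowed silently, it is queued for detonation.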

What are the advantages of this approach? The clear advantage is that you can deploy the agent on any laptop or desktop and you will have full detonation capabilities wherever that host goes. As we all know, the perimeter is wherever the endpoint is; now your endpoints have coverage wherever they are.


This is simply the start of our beta and we need your help in testing all this stuff out. We will be adding enforcement, remediation and more features as we go, but we would like to get the basics solid first.

All feedback is greatly appreciated. You can register an account HERE and use your API key, available HERE, which will allow you to install the client on 3 machines to test out the console. The management console is available at endpoint.deepviz.com.

Note: this is our first public beta of the client, which means we’re aware of several issues we need to address yet. Do not install it on a production environment unless you know what you are doing.

Click here to download the Deepviz Endpoint Client v.0.1.0 BETA

Happy Testing

The Deepviz Team


New pay as you go pricing model

Hello,

This post comes shortly after the retirement of our Deepviz free plan, as written in the last blog post: Retirement of free subscription plan.

We have spent quite a few days thinking about a way to make Deepviz usable by freelance researchers at an affordable price point, without the need for a monthly subscription.

Starting today we have launched a pay-as-you-go pricing model for researchers and small companies who want to access the base Deepviz functionality without a subscription plan.

From today you can buy one of the 3 pay-as-you-go plans, which will provide you with a number of credits you can use to download samples, read full analysis reports and run searches through our Threat Search Engine and Threat Intelligence Portal.

No obligation, no subscription plan: you get the credits. If you want more credits you can easily buy more to refuel your account.

To have a look at the new plans and pricing, click here: Pricing

Retirement of free subscription plan

Hello,

In the past months, if you signed up for a free account at Deepviz you had a free tier of 5 sample downloads, 50 sample submissions without captcha and 5 threat intel search queries per month, as well as access to our set of APIs and your submission history.

It has been a really hard decision, but effective from yesterday we decided to retire this plan, as it is being abused by people registering multiple fake accounts to obtain as many credits as possible without paying anything for the service.

While we are excited and happy that so many people are using our services and we're constantly receiving very positive feedback, we cannot offer everything we are offering for free. It would be wonderful if we could provide everything for free; however, we have R&D expenses as well as the cost of keeping the infrastructure up and running at its best while improving our technology every day.

Since yesterday, newly registered free accounts are no longer able to download samples, nor are they able to use our APIs. Free accounts have the same sample submission limits with captcha as guest users and cannot keep track of their submissions. All existing free plans will be converted to the new free plan starting on June 13, 2016.

However, we don't want to make our service too expensive for private customers and single researchers, as we firmly think Deepviz must be fully accessible to everyone. This is why we decided to launch our new Basic subscription plan, designed to be more affordable with a monthly price of 35$/29€, giving you every month 50 sample downloads, access to our APIs and 50 threat intelligence searches.

[Image: plans]

We regret removing the free tier, but we are firmly convinced that abusing a free service is not respectful of the effort, the research and the time spent building a competitive infrastructure. We are also firmly convinced that people who appreciate our services will support us, and this Basic subscription plan is for them.

Thanks for your understanding

Dynamic PDF/OLE analysis and new subscription plan

Hello folks!

A few weeks ago we added static analysis of PDF and OLE document files to our Malware Code Analysis engine.

Our engine can thus analyze documents, extract relevant metadata, identify potentially dangerous JavaScript and macros, analyze them heuristically and provide a final verdict on whether the document is malicious or not. We had very good feedback from customers who were waiting for this feature, yet we wanted to push it even further.

As promised some days ago in our last blog post, we have now updated our Malware Code Analysis Engine to support dynamic document analysis. We can now execute documents in our monitored environment and detect suspicious behaviors that identify malicious activity.

[Image: malicious_doc]

Here you can find an example of a malicious PDF file downloading additional malware.

In addition to this new feature, you have probably noticed that we have changed our malware analysis report page.

Indeed, we have rolled out a major change in our backend, completely rewriting our detection engine and deploying more than 500 new behavioral rules which our engine can now use to better identify malicious activities. We also grouped all the rules into categories, to give you a quick overview of the impact the sample has on the infected operating system, e.g. compromised passwords, info-stealing capabilities, compromised administrative tools and so on.

[Image: overall_impact]

Last but not least, we have just launched our subscription plan dedicated to private users and single researchers!

If you are not interested in our threat intelligence technology or our threat intelligence search engine, and you're just a private person or a single researcher who wants to integrate our technology into your internal infrastructure to scan for malicious files, our Sandbox plan is perfect for you! At 99$ per year you can scan up to 15.000 files, either using our web interface or by scripting our engine through our set of powerful open source libraries.

It’s the perfect plan for those private users and researchers who want to improve and speed up their daily research activities or have a second-opinion threat detection engine.

[Image: sandbox_plan]

Have a look at our subscription plans at the following page: Deepviz Subscription Plans

Deepviz adds on-the-fly TLS/SSL decryption

We have been quite silent in the past month as we didn't have much free time to update our blog, so let me apologize on behalf of the whole team. Being silent doesn't mean we haven't worked hard on the backend to improve our technology.

During this month we have doubled the number of daily unique IPs, from ~500 to around ~1.100, which is fantastic, not least because we're getting more and more users with very positive feedback. The number of hits per day also went up to ~100.000 requests/day, excluding API requests.

Among the new features we are going to release this month is an update to our Splunk App, which will turn into a very strong interface between Splunk and the Deepviz platform, with full threat intelligence embedded into Splunk pages.

[Image: splunk-app1]

Anyway, one of the very exciting things we have silently released during the past week is closely related to our malware analysis engine, and it is something we've been asked for recently.

If you are familiar with the Deepviz Malware Analysis platform you already know we can sniff network traffic leaving our environment and simulate network activity, then use the captured packets to isolate what data is being transmitted by the malware and to identify malware families by fingerprinting the packet data structure. Clearly this is only possible if the traffic is in plain text, e.g. a classic HTTP connection. That said, many samples have switched their communication protocol to the more robust HTTPS, leaving only the domain name visible while completely hiding all the interesting data behind a strongly encrypted SSL/TLS channel. This is bad, as such traffic can easily evade network IDS/IPS controls and blend in with legitimate HTTPS traffic.

With Deepviz we had the same problem while analyzing malware: in our reports we were able to identify the destination, but we couldn't see any of the interesting data.

Our team worked hard during the past 3 weeks, and last week we silently rolled out a major update to our engine, implementing on-the-fly TLS/SSL network decryption: we emulate a valid root CA and forge on the fly the public/private key pair needed to trick the malware into establishing the connection, thus logging the hidden data. We now also show the complete URL as well as the User-Agent used, which is often a good indicator of specific malware families.

Just one more thing: no, we don't look for TCP connections to port 443 to identify TLS/SSL connections. We deeply inspect every packet going out from our network for a TLS/SSL handshake, then we simulate the handshake and log the transmitted data, no matter whether it's HTTP or a plain socket connection, and no matter whether it's on TCP/443 or, e.g., TCP/58457. If it's TLS/SSL, it's ours.
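The port-agnostic detection described above starts with recognizing a TLS ClientHello in the first bytes of a flow. The following is an added example written for this page, not Deepviz's engine code: it parses the record and handshake headers, walks the ClientHello to the SNI extension, and classifies constructed sample flows purely by content, so the same handshake is recognized on TCP/443 and on TCP/58457 while plain HTTP on 443 is not mistaken for TLS. The `build_client_hello` helper only produces constructed test input (dummy random and cipher list).

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # SNI extension id


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Test input only: the random and the cipher suite list are dummies."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (dummy zeros)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(payload: bytes):
    """Return {'version': (major, minor), 'sni': str or None} when payload starts
    with a TLS ClientHello record, otherwise None. The TCP port is never consulted."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
        return None
    if payload[1] != 0x03 or payload[2] > 0x04:       # record version 3.0 .. 3.4
        return None
    if payload[5] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    if len(body) < hs_len:                            # truncated or fragmented: not handled here
        return None
    try:
        version = (body[0], body[1])
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        sni = None
        if pos + 2 <= len(body):                      # extensions are optional
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = min(pos + ext_len, len(body))
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                edata = body[pos:pos + elen]
                pos += elen
                # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
                if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return {"version": version, "sni": sni}
    except (IndexError, struct.error):
        return None


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Label a flow by content, not by port: the same ClientHello on 443 or 58457 is TLS."""
    hello = parse_client_hello(payload)
    if hello is None:
        return "not-tls"
    return "tls:" + (hello["sni"] or "<no-sni>")


# Constructed flows: TLS on a standard and on a non-standard port, plain HTTP on 443.
SAMPLE_FLOWS = [
    (443, build_client_hello("update.example.org")),
    (58457, build_client_hello("telemetry.example.net")),
    (443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, classify_flow(port, data))
```

The parser is deliberately strict: a ClientHello split across several TLS records, or one whose extensions run past the record, is reported as not recognized rather than guessed at, which is the safe default for a detector that feeds a decryption step.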

Last, but not least: we have recently added static analysis of PDF/OLE files, and we're going to roll out dynamic analysis for them as well as full analysis of .JS files.

Stay tuned!

Past, present and future of Deepviz

More than two months have passed since our last blog post and many exciting things happened during that time. In the two months that Deepviz has been officially live and publicly available our statistics have been really impressive. Let me share some numbers with you:

  • Deepviz is seeing daily traffic of more than 500 unique IPs/day, +300% since February 2016;
  • around 75.000 hits/day (we had to filter out many unauthorized crawlers. Guys, seriously, don't do it, or at least don't do it so explicitly: it's harmful to everybody and can cause slowdown and/or downtime of the online services);
  • more than 700 registered users.

Impressive numbers for a brand-new service, built from scratch in so few months, without big budgets, funding or anything else: just a couple of guys in a small office in the middle of Italy! We don't have the revenue or the resources of bigger companies, yet many registered users are enjoying our services so much that they decided to integrate our intelligence into their SIEM solutions to use our threat intelligence capabilities. Thanks everybody for all your support and help!

When we started our project, the idea was to build from scratch a brand new malware analysis engine, available online in the cloud through a set of flexible APIs, and we tried to do it as well as we could. Today our Deepviz Malware Analysis Engine is at the core of our Threat Intelligence Platform, and thanks to it we have populated our threat intelligence database with static data, network traffic, string patterns and behavioral data extracted from the ~11 million samples analyzed so far.

[Image: Deepviz Statistics]

When we started our malware analysis engine, we were able to successfully process 32-bit PE files only. Today we can process 32/64-bit PE files (EXE/DLL) as well as PDF and OLE files, and we're planning support for the OOXML, JAR, ELF and APK file types. Support for PDF and OLE is still in beta testing; however, we have already received much positive feedback and we can see an increasing number of users relying on us to double-check the safety of their e-mail attachments and documents.

[Image: pdf_shellcode]

Today Deepviz is not just the malware analysis engine at the core of the website. Today Deepviz is a full-featured Threat Intelligence Platform, available for integration in almost every programming language (and easily pluggable into any not-yet-supported language thanks to our set of RESTful APIs), ready to enrich your existing threat intelligence by processing and providing you with fresh data every day.

The biggest addition Deepviz can provide you with is that our threat intelligence data (IPs, domains, data correlation, malware clusters and much more) is not taken from any third-party sources or feeds: everything we have is extracted straight from malware, from the source.

Feel free to play around with our APIs thanks to our live demo console, where you can try them out and see what our data looks like.

[Image: api-demo]

During the last two months we also released our first add-on for Splunk, to make integrating Deepviz Threat Intelligence into your existing dashboards as straightforward as possible. The add-on is already available on SplunkBase; please get in touch with us at splunk@deepviz.com for live demo and licensing requests.

Furthermore, in the next weeks our add-on will be compatible with Splunk Enterprise Security as well, providing you with a complete experience within Splunk and adding to your dashboards the possibility to further investigate domains, IPs and file hashes through workflow actions and exported commands available from the Splunk Search App.

[Image: splunk-deepviz]

While real-time interaction with our threat intelligence platform through our set of APIs is the ideal way to get the most out of Deepviz, we also wanted to provide a more easily parsable daily threat intelligence feed: a list of the domains and IPs isolated during our daily malware analysis, along with their WHOIS data, the MD5s of the samples connecting to them and common antivirus tags. Everything is packed into an easy-to-parse JSON flat file, updated on a daily basis and available through our SFTP servers. During the past week, among all the domains contacted by malicious samples, roughly 3-4% were newly registered domains (domains registered in the last 30 days).
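A feed like the one described above is only useful once it is parsed, aged and matched against your own telemetry. The following is an added example written for this page and is not Deepviz code: the feed below is a constructed sample whose field names (`domain`, `whois.creation_date`, `md5`, `av_tags`) are an assumed layout, not the real Deepviz feed schema, and the DNS log lines are constructed too. It computes the "registered in the last 30 days" share the post mentions and matches DNS queries against the feed with parent-domain matching, the way a SIEM lookup would.

```python
import json
from datetime import date

# Constructed sample feed; assumed schema for illustration only (not the Deepviz format).
# Domains use the reserved .example TLD; the MD5s are placeholders.
SAMPLE_FEED_JSON = json.dumps([
    {"domain": "updates-cdn.example", "whois": {"creation_date": "2016-04-20"},
     "md5": ["d41d8cd98f00b204e9800998ecf8427e"], "av_tags": ["Trojan.Generic"]},
    {"domain": "old-hosting.example", "whois": {"creation_date": "2009-07-01"},
     "md5": ["0cc175b9c0f1b6a831c399e269772661"], "av_tags": []},
    {"domain": "fresh-dropper.example", "whois": {"creation_date": "2016-04-25"},
     "md5": ["900150983cd24fb0d6963f7d28e17f72"], "av_tags": ["Downloader"]},
    {"domain": "no-whois.example", "whois": {}, "md5": [], "av_tags": ["Suspicious"]},
])

# Constructed DNS resolver log lines (timestamp, then key=value fields).
SAMPLE_DNS_LOG = [
    "2016-05-01T10:00:01Z client=10.0.0.5 query=cdn.updates-cdn.example",
    "2016-05-01T10:00:02Z client=10.0.0.7 query=www.example.org",
    "2016-05-01T10:00:03Z client=10.0.0.9 query=fresh-dropper.example.",
]


def load_feed(text: str) -> list:
    return json.loads(text)


def _as_date(value) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def domain_age_days(entry: dict, as_of) -> int:
    """Age in days from the WHOIS creation date, or None when WHOIS data is missing."""
    created = entry.get("whois", {}).get("creation_date")
    if not created:
        return None
    return (_as_date(as_of) - date.fromisoformat(created)).days


def newly_registered(feed: list, as_of, window_days: int = 30) -> list:
    """Domains registered within the last window_days; entries without WHOIS are skipped."""
    out = []
    for entry in feed:
        age = domain_age_days(entry, as_of)
        if age is not None and 0 <= age <= window_days:
            out.append(entry["domain"])
    return out


def share_newly_registered(feed: list, as_of, window_days: int = 30) -> float:
    return len(newly_registered(feed, as_of, window_days)) / len(feed) if feed else 0.0


def build_index(feed: list) -> dict:
    return {entry["domain"].lower(): entry for entry in feed}


def match_domain(qname: str, index: dict):
    """Return the feed entry equal to qname or to one of its parent domains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = index.get(".".join(labels[i:]))
        if entry is not None:
            return entry
    return None


def scan_dns_log(lines: list, index: dict) -> list:
    """Match each query against the feed; return (client, feed domain, av tags) per hit."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        entry = match_domain(fields.get("query", ""), index)
        if entry is not None:
            hits.append((fields.get("client"), entry["domain"], tuple(entry["av_tags"])))
    return hits


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED_JSON)
    print(newly_registered(feed, "2016-05-01"), share_newly_registered(feed, "2016-05-01"))
    print(scan_dns_log(SAMPLE_DNS_LOG, build_index(feed)))
```

Two details matter in practice: entries without WHOIS data are excluded from the "newly registered" count rather than treated as old, and the matcher walks up the label hierarchy so that `cdn.updates-cdn.example` still hits the feed entry for `updates-cdn.example`.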

Please contact us from our Subscription page and feel free to ask for a 7-day trial of our Feeds subscription plan to evaluate our data.

[Image: json-feeds]

We are really interested in your feedback, both positive and negative, and we're trying to listen to all your requests. Many of you asked for the option to upload samples in a password-protected ZIP archive.

Since April we accept password-protected ZIP files using the industry-standard "infected" and "malware" passwords. Please note that this kind of submission is accepted only from registered users and that the ZIP file must contain only one sample at a time.

Some researchers also asked whether it was possible to download PCAP files of the network traffic dumped from the analyzed malware. Not only will we allow this very soon, but another exciting feature will be deployed during the next weeks: on-the-fly SSL/TLS decryption, allowing us to dump malicious traffic hidden inside an SSL/TLS encrypted channel.

However, to provide you with the best service possible and to handle the massive number of requests we have received, we had to redesign our subscription plans. Starting from the 1st of May 2016 the following changes will apply:

FREE PLAN

  • From 20 sample downloads to 5 sample downloads
  • From 100 report downloads to 25 report downloads
  • From 500 submissions to 100 sample submissions

BRONZE PLAN

  • From 300 sample downloads to 100 sample downloads
  • From 5000 report downloads to 200 report downloads
  • From 1000 submissions to 500 sample submissions
  • From 5000 intel queries to 200 intel queries

SILVER PLAN

  • From 600 sample downloads to 250 sample downloads
  • From 15000 report downloads to 500 report downloads
  • From 2500 submissions to 1000 sample submissions
  • From 15000 intel queries to 500 intel queries

While the changes to the Free subscription will be applied to all registered users starting from the 1st of May 2016, existing and active customers of the Bronze / Silver / Gold plans, and anyone who subscribes by the 30th of April 2016, will keep their existing subscription quota for as long as the subscription remains active. In addition, for this month you can subscribe to one of our plans with a 10% discount by entering the coupon code APRIL-10-OFF during the order procedure.

Don’t miss the opportunity to subscribe now with the current quota and a 10% lifetime price discount, or get in touch with us at info@deepviz.com if you want a customized plan for your company (we allow customized plans for teams of researchers, perfect if you want to give your SecOps team full access to our platform for research and incident investigations), or if you’re interested in the Threat Feed subscription or Splunk Add-On licensing.


Getting ready for mainstream launch

Since we started our public beta in early November 2015, we have received many e-mails from end users, SMBs and enterprise companies contacting us to better understand our technology and how it could be integrated into their existing IT security infrastructure.

We sincerely weren’t expecting so much interest in such a short period of time. Thanks to everybody who supported us, and to each one of our registered users for the valuable feedback you have provided.

During these months we made many changes on the backend, making it more stable and more scalable. We also improved our Threat Intelligence platform, released support for 64-bit PE files and our Python library to integrate Deepviz into your existing projects. We will also release a cross-platform (Linux/Windows) C library next month, as well as a Java library.

Since we started Deepviz we have successfully analyzed over 8 million samples, of which 6 million are malicious. This month we’ve already processed over 2.5 million samples, at a daily rate of around 130.000 samples/day, 22% of them undetected or badly detected by AV vendors; most of them weren’t brand-new samples, just variants of already known families.

[Image: stats]

These numbers are exciting from a researcher’s perspective, but worrying from the perspective of companies who need to protect their perimeter. This is the main reason why we’re constantly working hard to make our technology easy to integrate into existing systems.

That said, we are excited to announce we are now ready to go to the market with our business offer.

Our beta period will be over on 15/02/2016. From then on, you will be able to subscribe to our free and paid plans. Our plans are listed below:

[Image: Deepviz Packages]

Those who subscribe to our services between 15/02/2016 and 29/02/2016 at 00:00 (GMT) will get a 20% lifetime discount, valid as long as the initial subscription is renewed. All our beta users and people who registered an account before 15/02/2016 will receive a 1-month subscription to our Bronze plan for free; in the following month they can get in touch with us to receive a 20% lifetime discount, to be used within March 2016. The discount applies to the Bronze, Silver and Gold plans only.

Deepviz technology will also be available with OEM and white-labeling plans, to be customized and integrated into appliances and other devices or software packages. Please get in touch with us at oem@deepviz.com for further details. We will be at the RSA Conference in San Francisco if you would like to discuss the options in person.

Last but not least, in the coming two weeks we will also release our PDF/OLE code analyzer. Stay tuned!