
Tuesday, April 28, 2015

Hashes Are Insufficient for Blacklisting

You may be familiar with hashing tools like md5deep, which let you generate a hash, or unique identifier, of a file. This is very useful for whitelisting files (only allowing your employees to install and run programs from a defined list). It is also very useful for validating that the file you currently possess is the exact same file that the author originally created.

Hashing is also commonly used in blacklisting programs (preventing employees from running specific programs). Hashing definitely has value and plays a good role in blacklisting. For example, if there is a common public commodity malware that all the script kiddies are just grabbing off the internet and using to infect victims, you can hash that malware, toss the value into your AntiVirus tool, and it'll detect and quarantine that file. So hashing is great for blacklisting those well known, seen before, popular variations of malware. It's also good if, for example, a specific malware has just attacked your network, it's now spreading, and you need to find out where it is, where it has been, etc. You'd hash the file and search your network for that hash value on shared drives, workstations, etc.

But you should know that hashing should not be trusted as your only method of blacklisting. Why? Because a hash is a unique identifier for one specific variation/version of a file. If any little thing in that file changes, such as a version number, a comment, the order of the code, the amount of white space, or the actual code itself, the file will generate a brand new, totally different hash. Why does that matter? I'd like to show you a very simple example.

Let's say I'm a bad guy and just wrote some malware that I send out in phishing emails. If opened, it drops a batch file on your C drive, messes with your notepad.exe, and executes the batch file.

Now if I were the AntiVirus signature writer and found this malware in the wild, I'd hash the batch file ( 1b0679be72ad976ad5d491ad57a5eec0 ), and every time any other victim executed this malware, the hash would be found, detected and quarantined. Great!

But if I were any sort of experienced malware writer, I'd add at least one additional step. Instead of just messing with notepad.exe, I'd also make sure that my batch file is dynamic and looks different every time. How would I do that? One simple way would be to add a random number in a comment to each batch file.

By doing so I have just guaranteed that every time my malware executes it generates a brand new, unique hash. Adding the hash of the malware to the AntiVirus signature is no longer useful, because the hash will change every time it executes. Oops.

Now my example was written in C# and batch files, but please realize this concept could be applied to anything, including PowerShell scripts, VBA macros, executables, etc. It could also be applied to phishing email attachments (perhaps sending each attachment as a slightly modified version, maybe tying the modification to the user's email address).

That's where behavior-based detection, heuristic-based detection, IoCs, etc. have started to come into play, because hashes cannot be your only method of blacklisting.
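As an added illustration (my own Python sketch, not the post's C#/batch code), here is the trick and one reason hash-only blacklisting fails: two copies of a constructed, harmless batch file that differ only in a REM comment get different MD5s, while a hash taken over the comment-stripped, whitespace-stripped content stays the same. That normalization rule is a simple stand-in for the content- and behavior-based approaches the post points to; the rule and the sample batch text are my assumptions.

```python
import hashlib
import re
import secrets

# Constructed, harmless stand-in for the batch file the post describes.
# The only thing that varies between copies is a REM comment line.
BASE_BATCH = (
    "@echo off\r\n"
    "echo constructed sample batch file\r\n"
)


def md5_hex(data: bytes) -> str:
    """MD5 of raw bytes as the 32-character hex string md5deep would print."""
    return hashlib.md5(data).hexdigest()


def make_variant(nonce: int) -> bytes:
    """The batch file with a 'random' number appended in a comment line."""
    return (BASE_BATCH + f"REM {nonce}\r\n").encode("ascii")


def random_variant() -> bytes:
    """What the malware author does on each run: fresh nonce, fresh file, fresh hash."""
    return make_variant(secrets.randbelow(10**9))


# Defender's counter-move (assumed here as an illustration): hash only the parts
# that carry behaviour, ignoring REM / :: comment lines and all whitespace.
_COMMENT_LINE = re.compile(rb"^\s*(REM\b|::).*$", re.IGNORECASE | re.MULTILINE)


def normalized_md5(data: bytes) -> str:
    """MD5 over the script with comment lines and whitespace removed."""
    stripped = _COMMENT_LINE.sub(b"", data)
    stripped = b"".join(stripped.split())  # drops spaces, tabs, CR and LF
    return hashlib.md5(stripped).hexdigest()


if __name__ == "__main__":
    a, b = make_variant(42), make_variant(43)
    print("raw md5    :", md5_hex(a), md5_hex(b))          # differ
    print("normalized :", normalized_md5(a), normalized_md5(b))  # identical
```

A real product would key on what the script does rather than on a whitespace-stripped hash, but the principle is the same: the signature has to survive the cosmetic changes an attacker can make for free.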

Happy hunting.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 27, 2015

Search for files by MD5 Hash

If you're not familiar with an MD5 hash, how to find one, or its uses, I suggest you first read this prior blog post.

Let's say you want to check if a particular malicious file is on your computer. You know the MD5 hash, but you have no idea where it might be located or what the name of the file might be. The attacker has done a good job obfuscating it. The good news is there is the perfect tool for this: the free md5deep tool. It supports recursive traversal, which you can then combine with a quick PowerShell trick to find only the specific MD5 hash you're looking for.

> .\md5deep.exe -r c:\ | Select-String "77b5b1c8b3f7b8a183f55737d9a392234"


Just replace my hash with yours and you're good to go! As a sample, I searched for this MD5 hash just against my temp folder and in a matter of seconds it found it! There are two parts to this command. The first half is just the md5deep tool recursively searching the c:\ drive as it should. But its default behavior is to spit out the MD5 hash of EVERY file. So use the PowerShell Select-String command to only display the file you wanted. If it returns nothing, then it didn't find it.

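The same search written in Python, as an added example that is not part of the post: walk a directory tree, hash every file in chunks, and report the paths whose MD5 equals the one you are hunting for, skipping files that cannot be read instead of aborting. The sample tree, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def md5_file(path, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file read in chunks, so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_by_md5(root, wanted_hex: str) -> list:
    """Equivalent of `md5deep -r root | Select-String wanted`: every file under
    `root` whose MD5 equals `wanted_hex` (case-insensitive). Locked or
    permission-denied files are skipped rather than stopping the sweep."""
    wanted = wanted_hex.strip().lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if md5_file(p) == wanted:
                    hits.append(str(p))
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree(base) -> str:
    """Constructed tree: the same bytes hidden under two unrelated names,
    plus a benign file. Returns the MD5 we will hunt for."""
    base = Path(base)
    (base / "a" / "b").mkdir(parents=True)
    payload = b"constructed sample payload\n"
    (base / "a" / "b" / "cache_0001.tmp").write_bytes(payload)
    (base / "a" / "update.dat").write_bytes(payload)
    (base / "readme.txt").write_bytes(b"benign text\n")
    return hashlib.md5(payload).hexdigest()


def demo() -> tuple:
    """Build the tree in a temp dir, search it, return (hash, hit file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = build_sample_tree(tmp)
        hits = find_by_md5(tmp, target.upper())  # upper-case input still matches
        return target, [Path(h).name for h in hits]


if __name__ == "__main__":
    target, names = demo()
    print(target, names)
```

Note that the name of the file is irrelevant to the match, which is the point: a renamed copy is found just as easily as the original.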
Happy hunting!


Find the MD5 Hash of a File

One common way that virus scanners and security experts track down malware is by hashing it. This gives you a unique value for that particular executable or malicious file. How do they get that hash? One example is using the free md5deep tool. Run from the command line, it can quickly give you the MD5 hash of the file. Note: There are other tools that give you similar SHA1 and SHA2 hashes.

> .\md5deep.exe c:\windows\temp\AdbeRdr110009_en_US.exe
Another use that general internet users can have for these MD5 hashes is to confirm that the file they just downloaded is truly the file the author intended them to download. Between you clicking and the download finishing, many malicious things can happen to a file, to the point where you're no longer downloading what you thought you were. Therefore, if the author publishes an MD5 hash of his file on his website, you can download the file, run md5deep as above, and confirm that the MD5 hash you got matches the one on the author's website. It's a good practice to stay safe out on the dirty internet.
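The same download check in Python, as an added example of mine rather than the post's procedure: compute MD5, SHA-1 and SHA-256 in one pass (the post notes that tools for the SHA family exist too), then compare the chosen digest against the value the author published, ignoring case and stray whitespace. The "installer" bytes and the published value are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digests(path) -> dict:
    """MD5, SHA-1 and SHA-256 of a file, computed in a single read, as lowercase hex."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def matches_published(path, published: str, algorithm: str = "md5") -> bool:
    """True if the file's digest equals what the author published.
    Case and surrounding whitespace in the published string are ignored,
    since sites print hashes in either case and copy/paste adds spaces."""
    expected = published.strip().lower()
    actual = file_digests(path)[algorithm]
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed download: returns (published md5, good file matches, tampered file matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = b"constructed installer bytes\n"
        good = Path(tmp) / "installer.exe"
        good.write_bytes(original)
        tampered = Path(tmp) / "installer_tampered.exe"
        tampered.write_bytes(original + b"X")  # one extra byte is enough
        # What the author's site would show, deliberately in upper case.
        published = hashlib.md5(original).hexdigest().upper()
        return (
            published.lower(),
            matches_published(good, published),
            matches_published(tampered, published),
        )


if __name__ == "__main__":
    md5, ok, bad = demo()
    print(md5, "good:", ok, "tampered:", bad)
```

When an author publishes a SHA-256 as well, prefer checking that one (`algorithm="sha256"`): it catches the same accidental corruption and is not subject to the known collision attacks on MD5.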

Trust but verify!


Thursday, March 26, 2015

McAfee Artemis Alerts and the MD5 Hash

I thought it was interesting to learn the following from this McAfee KB about Artemis:

Artemis!1234567890AB

The 12 characters after "Artemis!" (1234567890AB in the example above, shown in bold in the original) are the first 12 hexadecimal characters of the MD5 hash of the file it found.
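An added example, not from the post or the McAfee KB, of how a responder can put that to use: pull the 12-character prefix out of an Artemis detection name and match it against md5deep output to find which file on disk triggered the alert. The output lines and paths below are constructed; the two-space separator between hash and path is how md5deep prints its results.

```python
import re

# Per the post: "Artemis!" followed by the first 12 hex characters of the file's MD5.
_ARTEMIS = re.compile(r"^Artemis!([0-9A-Fa-f]{12})$")
_MD5 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed md5deep-style output, one "<md5>  <path>" line per file.
SAMPLE_MD5DEEP_OUTPUT = """\
1234567890abcdef1234567890abcdef  C:\\Users\\alice\\Downloads\\setup.exe
d41d8cd98f00b204e9800998ecf8427e  C:\\Temp\\empty.bin
1234567890abffffffffffffffffffff  C:\\Temp\\other.dll
"""


def artemis_prefix(detection_name: str):
    """The lowercase 12-hex MD5 prefix from an Artemis name, or None if it is not one."""
    m = _ARTEMIS.match(detection_name.strip())
    return m.group(1).lower() if m else None


def parse_md5deep(output: str) -> list:
    """Turn md5deep-style lines into (md5, path) pairs; malformed lines are skipped."""
    pairs = []
    for line in output.splitlines():
        md5, sep, path = line.partition("  ")
        if sep and _MD5.match(md5):
            pairs.append((md5.lower(), path))
    return pairs


def files_matching_artemis(detection_name: str, md5deep_output: str) -> list:
    """Paths whose full MD5 starts with the prefix embedded in the Artemis name.
    Only 48 of the 128 bits are known, so a hit is a lead to confirm with the
    full hash, not proof; several files can share a prefix."""
    prefix = artemis_prefix(detection_name)
    if prefix is None:
        raise ValueError(f"not an Artemis detection name: {detection_name!r}")
    return [path for md5, path in parse_md5deep(md5deep_output)
            if md5.startswith(prefix)]


if __name__ == "__main__":
    for path in files_matching_artemis("Artemis!1234567890AB", SAMPLE_MD5DEEP_OUTPUT):
        print(path)
```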
