Don't rely on Hash matching

Discussion in 'malware problems & news' started by CloneRanger, Mar 5, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I found this aspect of the analysis rather disturbing/enlightening :eek: How did they manage to exactly match 2 different files? But it proves it can be done, so I don't expect it'll be the last time we see this technique used from now on :(

    Also I'm wondering what potential implications it "might" have for non-malware hashed files that are compared and presumed legit?

     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why not rely on hash matching? WinMHR is all about hashes. :rolleyes: :D ;)
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    As the article clearly shows :p just because they match does NOT mean they are the same. And in the TDL4 example = nasty = BEWARE

    Yes I know that, thanks ;)
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, I was just trying to see your reaction towards my comment. lol

    Thanks for sharing the article, by the way. ;)
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I'll remember that in future ;) Don't be surprised if I reciprocate sometime too :p

    :)
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :thumb:

    I still haven't read the full article, and I'm about to go to bed, so I'll be reading the rest sometime after I wake up, but I wonder what tools (that humble humans can make use of :D) could reveal the real hash value behind the "fake" hash value?

    I hope my question makes sense. lol
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Sweet dreams ;)

    Dunno right now? Sleep on it, and let us know if you think of anything.

    Sort of :p
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Isn't this part of the 'normal' cloaking technique of rootkits? Through the normal Windows file system drivers it shows the clean file, but when one uses direct hard disk access you can see the infected file.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Possibly? The point is though, 2 completely different files had exactly the same hash. One good, the other very bad :eek: Even if something wasn't malware, I would say it's a big concern from now on that this has been accomplished. And as the baddies have done it once, I'm sure it won't be the last time either :(

    I'm surprised that this hasn't been picked up by more people in the "security" world?

    By the way, hope you had a nice sleep :D
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I did have a nice sleep. I can't say the same about you, though. You quoted the wrong user! :D

    But, yes, it's concerning that we may no longer trust the hash values the developer of xyz application provides. The bad guy/girl doesn't even have to change the provided hash value, and unless the developer(s) actually check on a daily-basis whether or not their servers or their files got compromised... Then again, if all they do is also compare hash values... :D
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    As I read it, the WinMHR tool detected the real infected file in memory because of its hash in the malware database, but the version on disk was not detected as the rootkit showed the clean copy and thus WinMHR calculated the hash of the clean copy. So it's not two files with the same hash if I'm correct.
     
  13. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    That's one possible scenario. Another typical malware method is to have, say, an executable of some sort load at boot. The malware executable allocates memory in the target process. It can then write executable code into memory and CreateRemoteThread(...) to send it on its merry way.
    It can also allocate memory in the target process, map a DLL into the memory space, build the import table - essentially replicate the job of the Windows loader. The DLL will not show in any of the module linked lists and can do whatever it's programmed to do.
    After infecting the target memory, the malware executable terminates. So the on-disk image is never altered.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Oops :D

    If that's the case, then his analysis of that is wrong :(

    @ stackz

    Thanks for your explanation :)
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I don't have time to read the article, but what hash was being used to check? MD5? If so, it has been known for years now that it has collisions and has been broken and should not be used. If they were checking with SHA-1, then this would be huge news that the cryptographic community would love to see.

    Bottom line: I am doubting SHA-1/256/512 has been broken, so I am highly skeptical of this whole thing. If it was MD5, I suspect it's possible.
     
  16. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Nothing to see here. If it uses MD5 then hash spoofing is definitely possible and has been for some time now. This goes to show how using broken hashes as the sole criteria for determining malware is a retarded approach for a security app.

    CR, please do your hw on encryption before posting such seemingly fearful news, phew! :ouch:
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    WinMHR also checks for SHA-1, as you may see from this image: http://krebsonsecurity.com/wp-content/uploads/2010/08/winmhr2.jpg

    Only now I took the time to read a bit of the article's first page, and I can't tell what hash that person checked for, to be honest.

    As noted by you and chronomatic, it has already been spoofed, so no news there.
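The point chronomatic and Serapis make (an MD5 match proves nothing about the contents, whereas a SHA-256 match is still meaningful) and m00nbl00d's worry about trusting a developer-supplied hash can be shown concretely. The block below is an added example, not code from the thread, from the article it discusses, or from WinMHR. The two 128-byte blobs are the published Wang et al. MD5 collision pair, reproduced here as hex; they differ in six bytes and share one MD5 digest. Everything else (the function names, the "publisher manifest", the swapped-file scenario) is constructed for illustration. Note this is the identical-prefix collision case, where the attacker authors both files in advance; it is a different failure from the on-disk-vs-in-memory mismatch that BoerenkoolMetWorst and stackz describe.

```python
"""Added example: an MD5 match is not proof that two files are the same.

Assumptions (not from the thread): function names, the constructed manifest
dicts and the "swap" scenario are illustrative; the collision bytes are the
published Wang et al. (2004) MD5 collision pair.
"""
import hashlib
import hmac

# Published MD5 collision pair (real data, reproduced from the literature).
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Algorithms with practical collision attacks vs. ones still considered sound.
WEAK = {"md5", "sha1"}
STRONG = {"sha256", "sha384", "sha512"}


def digests(data, algos=("md5", "sha1", "sha256")):
    """Hex digests of `data` under each named algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def differing_offsets(a, b):
    """Byte offsets at which two equal-length blobs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def verify(data, manifest):
    """Check `data` against a publisher manifest of {algorithm: hexdigest}.

    Returns (verdict, matched, failed):
      'mismatch'  - at least one listed digest does not match (reject);
      'weak-only' - every digest matches but all are MD5/SHA-1 (not proof);
      'ok'        - every digest matches and at least one is a strong hash.
    Digests are compared in constant time.
    """
    matched, failed = [], []
    for algo, expected in manifest.items():
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected.lower()):
            matched.append(algo)
        else:
            failed.append(algo)
    if failed:
        return "mismatch", matched, failed
    if any(a in STRONG for a in matched):
        return "ok", matched, failed
    return "weak-only", matched, failed


def demo():
    """Constructed scenario: the publisher's hash list describes COLLISION_A;
    an attacker replaces the download with COLLISION_B."""
    published = digests(COLLISION_A)
    md5_only = {"md5": published["md5"]}
    md5_and_sha256 = {"md5": published["md5"], "sha256": published["sha256"]}
    return {
        # MD5-only manifest: the swapped file passes, which is the problem.
        "swap_vs_md5_only": verify(COLLISION_B, md5_only)[0],
        # Adding SHA-256 exposes the swap even though MD5 still matches.
        "swap_vs_both": verify(COLLISION_B, md5_and_sha256)[0],
        # The genuine file passes both.
        "genuine_vs_both": verify(COLLISION_A, md5_and_sha256)[0],
    }


if __name__ == "__main__":
    print("MD5 A:", digests(COLLISION_A)["md5"])
    print("MD5 B:", digests(COLLISION_B)["md5"])
    print("differing byte offsets:", differing_offsets(COLLISION_A, COLLISION_B))
    print(demo())
```

The practical rule this encodes: when a vendor publishes several digests, check all of them and treat any mismatch as a rejection; when only MD5 or SHA-1 is offered, a match is a sanity check against corruption, not evidence of authenticity, and a signature over the file (or a SHA-256 obtained from a separate channel) is needed.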
     