how reliable are md5 scanners?

Discussion in 'other anti-malware software' started by chris2busy, Jun 26, 2008.

Thread Status:
Not open for further replies.
  1. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Hello. I recently read that there is malware that can sneak into your files without changing their MD5 checksum, or, in case someone sends you a file and it's packed with such malware, the MD5 sum might match and despite that the file would be infected. Can anyone shed some light on this? If so, there is no point in my continuing to use such scanners.
     
  2. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    Flaws have been found in the MD5 algorithm, but I'm not sure how common it is in the "real world".

    If you want a stronger hash algorithm you can replace md5 with e.g. SHA-256 or SHA-512.
     
  3. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    What are SHA-256 and SHA-512?

    Thanks
     
  4. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    They're both hashes created for the same purpose as MD5. (from Wikipedia)
     
  5. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I see... so are you aware whether those flaws are, or could be, exploited by malware?
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    What virus are you talking about, and what do you mean by "sneak in" without changing the MD5?
     
  7. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    As in infecting a legitimate file and using it to start processes, connections, etc. I'm just asking if that is possible. I read somewhere, for example, that firewalls that use MD5 can be fooled like that. This might not be very clear, so please feel free to reply to whatever you understood.
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    If a file is changed, the MD5 will change. This is because it is a one-way function. This means that you can hash the file down to an MD5, but you can never get a file from an MD5. If a virus changes a file, it has no way to make sure the MD5 of the changed file remains the same.

    Malware may do other things to try to connect out, but this is in the realm of leak testing with proof-of-concept malware that almost never exists in the wild.
     
  9. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    A weak hash algorithm with many collisions can potentially be fooled in this way, so that a cracker can replace a file with a modified one that has the same MD5 checksum. As you probably know, there are an infinite number of potential files that have the exact same MD5 ;)

    But I am not aware of malware that does anything like this, and I think it would be difficult and very computationally expensive compared to using other techniques.

    The only reason I mentioned SHA-256 / SHA-512 is because those are newer and more secure hash algorithms. There are no known flaws in them, unlike MD5 :)
     
  10. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes but unlikely. I think you have to have a very good understanding of crypto to do it.
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Not that bad. It is impossible with any given file; it is only possible in case a file has a special 8-byte-long sequence. Then it is possible to swap the two bytes (not any two bytes, but only one pair) and the MD5 will be the same.
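Added example (not code from any poster in this thread) illustrating what posts 8 and 9 describe: an "MD5 scanner" style integrity check, written here so that it computes SHA-256 by default with MD5 available for comparison. It baselines a file into a manifest, re-hashes it later, and reports it as ok, modified or missing. The file name `tool.exe`, its contents and the appended "payload" bytes are constructed stand-ins; the manifest is assumed to be kept somewhere the malware cannot rewrite it (signed, or on read-only media), since otherwise an attacker simply updates the stored digest along with the file.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK_SIZE = 1 << 16  # read files in 64 KiB chunks so large binaries fit in memory


def digests_of_bytes(data, algorithms=("md5", "sha256")):
    """Hash an in-memory byte string with each named algorithm (hex digests)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def file_digests(path, algorithms=("md5", "sha256")):
    """Hash a file with several algorithms in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths, algorithm="sha256"):
    """Baseline: path -> digest, taken while the files are known to be clean."""
    return {p: file_digests(p, (algorithm,))[algorithm] for p in paths}


def verify_manifest(manifest, algorithm="sha256"):
    """Re-hash every file in the baseline and classify it as ok/modified/missing."""
    report = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            report[path] = "missing"
            continue
        actual = file_digests(path, (algorithm,))[algorithm]
        # compare_digest is a habit worth keeping for any security-relevant string
        report[path] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    return report


def demo():
    """Constructed scenario: baseline a fake binary, tamper with it, re-verify."""
    workdir = tempfile.mkdtemp()
    try:
        # constructed stand-in for a legitimate program, not a real executable
        target = os.path.join(workdir, "tool.exe")
        original = b"MZ\x90\x00 constructed stand-in for a legitimate program\n"
        with open(target, "wb") as fh:
            fh.write(original)

        manifest = build_manifest([target])
        clean = verify_manifest(manifest)[target]

        # Simulate an infection that appends code to the file (constructed bytes).
        with open(target, "ab") as fh:
            fh.write(b"\x00constructed payload marker\x00")
        tampered = verify_manifest(manifest)[target]
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

    # Flipping a single bit changes both digests: MD5's weakness is collision
    # resistance (attacker-crafted file pairs), not detecting edits to a file
    # you already hashed while it was clean.
    flipped = bytes([original[0] ^ 0x01]) + original[1:]
    d1, d2 = digests_of_bytes(original), digests_of_bytes(flipped)
    both_changed = d1["md5"] != d2["md5"] and d1["sha256"] != d2["sha256"]

    return clean, tampered, both_changed


if __name__ == "__main__":
    print(demo())
```

The threat model is the part of the thread worth pinning down. The known MD5 attacks let an attacker craft two files of their own that share a digest; nobody has a practical way to produce a second file matching the digest of an existing, honest file. So re-hashing your own clean files with this script catches modification with either algorithm, while the risky case is trusting a digest for a file the sender controlled from the start, which is where the MD5-to-SHA-256 swap from post 2 earns its keep.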
     