Matt,

Thanks for responding to this. Do you think that I should go ahead with the MD5 collection project? It doesn't seem like anything else is doing quite this thing, and I think that it would be useful. Do you think that I should collect both SHA-1 and MD5 codes?

----- Original Message -----
From: "Matt Scarborough" <vexversaat_private>
To: "Simson L. Garfinkel" <simsongat_private>
Cc: "Chris Reining" <creiningat_private>; "Mark G. Spencer" <mspencerat_private>; <forensicsat_private>
Sent: Saturday, January 25, 2003 2:46 AM
Subject: Re: MD5 Exploit Database?

> On Mon, 20 Jan 2003 07:25:02 -0500, "Simson L. Garfinkel" wrote
> <330A2916-2C72-11D7-B00F-00039303C716at_private>
>
> > Thanks for the pointer to www.knowngoods.org. Last year I was thinking
> > of starting up an "MD5 collection project" where people could register
> > MD5 codes (and I guess you have to do SHA-1 codes now) from different
> > operating systems or forensics investigations. The theory was that on a
> > first-pass study of a hard drive, the interesting files are files that
> > have never been seen anywhere else. I had started on an agent that
> > people could run to report MD5s and so on, but for some reason I never
> > finished the project.
>
> As to known goods, an "MD5 collection project," and to the original
> poster, it may be helpful to know Microsoft provides MD5s for its OS
> files, Service Packs, Hotfixes, etc., in the ANSI text file(s)
> UPDATE.VER accompanying each.
>
> Examples follow for Windows 2000, but Windows XP and Windows 2003
> Server have the same format.
>
> \UPDATE\UPDATE.VER from Q328310_W2K_SP4_X86_EN.EXE
> ========
> [SourceFileInfo]
> <snip>
> winlogon.exe=CE8EA42D39C0EB42F064BE762925CA0C,00050000089317DC,179472
>              |----------- MD5 -------------| |-- Version --| |bytes|
> ========
>
> \I386\UPDATE\UPDATE.VER from W2ksp3.EXE
> ========
> [SourceFileInfo]
> <snip>
> winlogon.exe=96A7495C924CF3FB1D0F857093B6F61F,000500000893150A,178960
>              |----------- MD5 -------------| |-- Version --| |bytes|
> ========
>
> The SP3 version is 5.0.2195.5386, as in
>
> 0x0005 - 5
> 0x0000 - 0
> 0x0893 - 2195
> 0x150A - 5386
>
> and bytes we know how.
>
> Matt Scarborough 2003-01-25
>
> > On Fri, Jan 17, 2003 at 03:01:19PM -0800, Mark G. Spencer wrote:
> > >> I'm working on a server that has been "owned" for over a year.
> > >> Needless to say, there are a significant number of what I would call
> > >> "questionable" files on the box. Some of them I can quickly identify,
> > >> albeit not authoritatively at this point, (e.g. httpodbc.dll), but
> > >> others I cannot.
> > >>
> > >> If I MD5 the collection of questionable files, is there a database I
> > >> can cross-reference my MD5's against to authoritatively identify what
> > >> these things are? I understand I may end up with some unknowns
> > >> depending on how the executables were compressed and/or wrapped.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
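The UPDATE.VER [SourceFileInfo] layout Matt describes above (name=MD5,version-hex,bytes, with the version field being four 16-bit words to be read as major.minor.build.revision), parsed and turned into the kind of known-good lookup Mark was asking for. This is an added example, not code from the thread or from Microsoft. The two winlogon.exe entries are the ones quoted in the message; the [Version] section in the sample input, the package labels used as dictionary keys, the function names (decode_version, parse_update_ver, build_index, identify, identify_hash, known_sizes) and the "suspect" byte string are assumptions made for illustration.

```python
"""Parse Microsoft UPDATE.VER [SourceFileInfo] tables and use them as a
known-good MD5 list.  Added example; not code from the thread."""
import hashlib
import re
from dataclasses import dataclass

# Constructed input.  The two winlogon.exe lines are the ones quoted in the
# thread; the [Version] section and its contents are assumed, present only so
# the parser is seen to skip sections other than [SourceFileInfo].
UPDATE_VER_FILES = {
    "W2ksp3.EXE": """\
[Version]
Signature=example ; assumed line, not from the thread

[SourceFileInfo]
winlogon.exe=96A7495C924CF3FB1D0F857093B6F61F,000500000893150A,178960
""",
    "Q328310_W2K_SP4_X86_EN.EXE": """\
[SourceFileInfo]
winlogon.exe=CE8EA42D39C0EB42F064BE762925CA0C,00050000089317DC,179472
""",
}

# name=<32 hex MD5>,<16 hex version>,<decimal byte count>
ENTRY_RE = re.compile(r"^(?P<name>[^=]+)=(?P<md5>[0-9A-Fa-f]{32}),"
                      r"(?P<ver>[0-9A-Fa-f]{16}),(?P<size>\d+)$")


@dataclass(frozen=True)
class SourceFile:
    package: str   # which update package the line came from (assumed label)
    name: str      # file name as listed, lowercased
    md5: str       # 32 lowercase hex digits
    version: str   # dotted file version, e.g. "5.0.2195.5386"
    size: int      # byte count from the third field


def decode_version(hex16: str) -> str:
    """Turn the 16-hex-digit version field into major.minor.build.revision.
    The field is four 16-bit words in order: 0005 0000 0893 150A."""
    if len(hex16) != 16:
        raise ValueError(f"version field must be 16 hex digits: {hex16!r}")
    words = [int(hex16[i:i + 4], 16) for i in range(0, 16, 4)]
    return ".".join(str(w) for w in words)


def parse_update_ver(package: str, text: str) -> list[SourceFile]:
    """Return the [SourceFileInfo] entries of one UPDATE.VER; other INI
    sections, blank lines and ';' comments are skipped."""
    entries: list[SourceFile] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "sourcefileinfo":
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"{package}: unrecognised SourceFileInfo line {line!r}")
        entries.append(SourceFile(package, m["name"].lower(), m["md5"].lower(),
                                  decode_version(m["ver"]), int(m["size"])))
    return entries


def build_index(files: dict[str, str]) -> dict[str, list[SourceFile]]:
    """Map lowercase MD5 -> every package/file entry carrying that hash."""
    index: dict[str, list[SourceFile]] = {}
    for package, text in files.items():
        for entry in parse_update_ver(package, text):
            index.setdefault(entry.md5, []).append(entry)
    return index


def identify_hash(md5hex: str, index: dict[str, list[SourceFile]]) -> list[SourceFile]:
    """Look up an MD5 as printed by md5sum or by UPDATE.VER (either case)."""
    return index.get(md5hex.strip().lower(), [])


def identify(data: bytes, index: dict[str, list[SourceFile]]) -> list[SourceFile]:
    """Hash a file's contents and return the matching known-good entries
    ([] means the file is unknown to every UPDATE.VER in the index)."""
    return identify_hash(hashlib.md5(data).hexdigest(), index)


def known_sizes(index: dict[str, list[SourceFile]]) -> set[int]:
    """Byte counts that occur in the table: a cheap pre-filter so a triage
    pass only hashes files whose size could possibly match an entry."""
    return {e.size for entries in index.values() for e in entries}


if __name__ == "__main__":
    idx = build_index(UPDATE_VER_FILES)
    print(identify_hash("96A7495C924CF3FB1D0F857093B6F61F", idx))
    # Constructed stand-in for a questionable file: hashes to nothing known.
    print(identify(b"not a real winlogon.exe", idx))
    print(sorted(known_sizes(idx)))
```

The lookup key is the lowercased hash so that output from md5sum-style tools (lowercase) and the upper-case digests in UPDATE.VER compare equal; the same index shape works unchanged for SHA-1 if both digests end up being collected. An empty result only says the file matches none of the UPDATE.VER tables loaded, which for a long-compromised box is exactly the "never seen anywhere else" signal the first-pass study is after.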
This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 10:13:57 PST