On Sat, 25 Jan 2003, Simson L. Garfinkel wrote:

> Matt,
>
> Thanks for responding to this. Do you think that I should go ahead with the
> MD5 collection project? It doesn't seem like anything else is doing quite
> this thing, and I think that it would be useful.
>
> Do you think that I should collect both SHA-1 and MD5 codes?

Simson,

Known good files can help weed out things to look at, but what is left is
still difficult to characterize. I don't know of anyone doing a database of
known hashes of malware artifacts, but I have been party to more than one
conversation about the benefits of one. While it wouldn't be 100% reliable,
by any means, it would help to id some known components of common rootkits.

The drawback to using just cryptographic hashes is that the change of 1
single bit results in a new hash, so every new compile, edit, change in
default IP address embedded in a DDoS program, etc., will result in a
different hash. This means other attributes (weighted strings, ELF header
field values, file type ala "file", etc.) would also need to be compared.

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
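The point above (an exact hash breaks on a one-byte edit, so a known-artifact database also needs attributes such as ELF header fields and embedded strings) as an added example, not code from the thread. The two ELF64 samples, the header layout handled (ELF64 only) and the scoring weights are constructed assumptions for illustration.

```python
"""Known-hash lookups break on one-bit changes; compare other attributes too."""
import hashlib
import re
import struct

def crypto_hashes(data: bytes) -> dict:
    """Exact-match identifiers: any single-bit change yields new values."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def elf_header_fields(data: bytes):
    """Pull ELF header fields that survive recompiles and config edits.
    Only the ELF64 layout is parsed here (assumption for this example)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # 2 = ELF64, 1 = little-endian
    fmt = ("<" if ei_data == 1 else ">") + "HH"   # e_type, e_machine at offset 16
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {"ei_class": ei_class, "ei_data": ei_data,
            "e_type": e_type, "e_machine": e_machine}

def printable_strings(data: bytes, min_len: int = 4) -> set:
    """Rough equivalent of strings(1): runs of printable ASCII."""
    return {s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}

def profile(data: bytes) -> dict:
    return {"hashes": crypto_hashes(data),
            "elf": elf_header_fields(data),
            "strings": printable_strings(data)}

def similarity(p1: dict, p2: dict) -> float:
    """Weighted score: Jaccard overlap of strings plus ELF header agreement."""
    s1, s2 = p1["strings"], p2["strings"]
    jaccard = len(s1 & s2) / len(s1 | s2) if (s1 | s2) else 0.0
    elf_match = p1["elf"] is not None and p1["elf"] == p2["elf"]
    return round(0.5 * jaccard + 0.5 * (1.0 if elf_match else 0.0), 3)

# Constructed sample: a 64-byte ELF64 little-endian executable header
# (e_type=2, e_machine=62 for x86-64) followed by fake embedded config
# strings. Not a real binary; the "target" address is a documentation IP.
ELF64_HDR = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
             + struct.pack("<HHI", 2, 62, 1) + b"\x00" * 40)
SAMPLE_A = ELF64_HDR + b"usage: agent <host>\x00TARGET=192.0.2.10\x00"
SAMPLE_B = ELF64_HDR + b"usage: agent <host>\x00TARGET=192.0.2.11\x00"  # one byte differs
```

Hashes of the two samples share nothing, while the header fields match and two of three strings overlap, which is the signal a hash-only database would miss.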
This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 06:40:26 PST