In essence what is needed is some kind of reliable signature, as used by virus scanners to ID viral malware, which may often mutate slightly but still retains an identifiable bit pattern. Maybe some info from the guys in AV labs on how best to look for this?

Failing that, it shouldn't be too difficult to concoct a tool that can look at some of the following characteristics and provide a weighted rating of possible malware:

- Filesize (+- X number of bytes)
- Magic values (often these will just be ELF, I'm sure)
- Possibly look at the ELF structure of the file: count the number of program headers and data segments. The DS should be the one that changes when people rebuild with new IPs etc. I've got code somewhere that works out checksums for each ELF object - possibly match on the ELF program segment checksum?
- The good old strings match?

Barry

--
Barry Irwin bviat_private Tel: +27214875178
Systems Administrator: Networks And Security
iTouch TAS http://www.itouchlabs.com Mobile: +27824457210

----- Original Message -----
From: "Dave Dittrich" <dittrichat_private>
To: "Simson L. Garfinkel" <slgat_private>
Cc: "Matt Scarborough" <vexversaat_private>; "Simson L. Garfinkel" <simsongat_private>; "Chris Reining" <creiningat_private>; "Mark G. Spencer" <mspencerat_private>; <forensicsat_private>
Sent: Sunday, February 02, 2003 4:39 AM
Subject: Re: MD5 Exploit Database?

> On Sat, 25 Jan 2003, Simson L. Garfinkel wrote:
>
> > Matt,
> >
> > Thanks for responding to this. Do you think that I should go ahead with the
> > MD5 collection project? It doesn't seem like anything else is doing quite
> > this thing, and I think that it would be useful.
> >
> > Do you think that I should collect both SHA-1 and MD5 codes?
>
> Simson,
>
> Known good files can help weed out things to look at, but what is left
> is still difficult to characterize.
>
> I don't know of anyone doing a database of known hashes of malware
> artifacts, but I have been party to more than one conversation about
> the benefits of one. While it wouldn't be 100% reliable, by any means,
> it would help to ID some known components of common rootkits. The
> drawback to using just cryptographic hashes is that the change of 1
> single bit results in a new hash, so every new compile, edit,
> change in default IP address embedded in a DDoS program, etc., will
> result in a different hash. This means other attributes (weighted
> strings, ELF header field values, file type a la "file", etc.)
> would also need to be compared.
>
> --
> Dave Dittrich                          Computing & Communications
> dittrichat_private                     University Computing Services
> http://staff.washington.edu/dittrich   University of Washington
>
> PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
> Fingerprint  FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
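The weighted-rating tool Barry sketches above (size within a tolerance, ELF magic, program-header counts, per-segment checksums, a strings match), written out as a small Python scorer. This is an added example for the archive page, not code from the thread or from any tool the posters mention. The three ELF images are constructed inline (hypothetical binaries, not real malware), and the weights, the 64-byte size window and the two-segment layout are assumptions chosen for illustration.

```python
import hashlib
import re
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
SIZE_TOLERANCE = 64          # assumption: the post's "+- X bytes", with X = 64
WEIGHTS = {"size": 0.10, "machine": 0.05, "layout": 0.15,   # assumed weights, sum to 1.0
           "segments": 0.40, "strings": 0.30}


def parse_elf(data: bytes) -> dict:
    """Read the ELF64 (little-endian) file header and program-header table."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("example handles little-endian ELF64 only")
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz, _memsz, _align = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_off, "filesz": p_filesz})
    return {"type": e_type, "machine": e_machine, "phnum": e_phnum, "shnum": e_shnum, "phdrs": phdrs}


def fingerprint(data: bytes) -> dict:
    """The feature set the post lists: size, header fields, per-segment MD5, printable strings."""
    elf = parse_elf(data)
    segments = []
    for ph in elf["phdrs"]:
        if ph["type"] == PT_LOAD:
            seg = data[ph["offset"]:ph["offset"] + ph["filesz"]]
            segments.append((ph["flags"], hashlib.md5(seg).hexdigest()))   # flags keep code and data apart
    strings = {m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{4,}", data)}
    return {"size": len(data), "whole_md5": hashlib.md5(data).hexdigest(),
            "machine": elf["machine"], "phnum": elf["phnum"], "shnum": elf["shnum"],
            "segments": segments, "strings": strings}


def score(sample: dict, ref: dict) -> float:
    """Weighted similarity of a sample fingerprint to a known-bad one, 0.0 .. 1.0."""
    if sample["whole_md5"] == ref["whole_md5"]:
        return 1.0                                   # exact hash hit: no weighting needed
    s = 0.0
    if abs(sample["size"] - ref["size"]) <= SIZE_TOLERANCE:
        s += WEIGHTS["size"]
    if sample["machine"] == ref["machine"]:
        s += WEIGHTS["machine"]
    if (sample["phnum"], sample["shnum"]) == (ref["phnum"], ref["shnum"]):
        s += WEIGHTS["layout"]
    if ref["segments"]:                              # fraction of reference PT_LOAD segments reproduced byte-for-byte
        hit = sum(1 for h in ref["segments"] if h in sample["segments"])
        s += WEIGHTS["segments"] * hit / len(ref["segments"])
    union = sample["strings"] | ref["strings"]
    if union:                                        # Jaccard overlap of the strings(1)-style output
        s += WEIGHTS["strings"] * len(sample["strings"] & ref["strings"]) / len(union)
    return round(s, 3)


def build_elf(text: bytes, data_seg: bytes) -> bytes:
    """Constructed sample input: a minimal ELF64 x86-64 image with one R+X and one R+W PT_LOAD segment."""
    ehdr_size, phdr_size, phnum = 64, 56, 2
    text_off = ehdr_size + phdr_size * phnum
    data_off = text_off + len(text)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + text_off,
                               ehdr_size, 0, 0, ehdr_size, phdr_size, phnum, 64, 0, 0)

    def phdr(flags, off, size):
        return struct.pack("<IIQQQQQQ", PT_LOAD, flags, off, 0x400000 + off, 0x400000 + off, size, size, 0x1000)

    return ehdr + phdr(5, text_off, len(text)) + phdr(6, data_off, len(data_seg)) + text + data_seg


# Constructed samples (hypothetical, not real malware): a "known bad" DDoS agent,
# the same agent rebuilt with a new target address (only the data segment changes),
# and an unrelated binary of almost the same size.
TEXT = b"\x55\x48\x89\xe5\x31\xc0\xc3" * 4
KNOWN_BAD = build_elf(TEXT, b"10.0.0.1\x00synflood\x00/tmp/.x\x00")
REBUILT = build_elf(TEXT, b"192.168.1.5\x00synflood\x00/tmp/.x\x00")
OTHER = build_elf(b"\x90" * 40, b"hello\x00world\x00")


def rate_all(ref_blob: bytes = KNOWN_BAD) -> dict:
    """Rate each sample against the known-bad fingerprint."""
    ref = fingerprint(ref_blob)
    return {name: score(fingerprint(blob), ref)
            for name, blob in (("known_bad", KNOWN_BAD), ("rebuilt", REBUILT), ("other", OTHER))}


if __name__ == "__main__":
    for name, rating in rate_all().items():
        print(f"{name:10s} {rating:.2f}")
```

The rebuilt agent keeps a rating of 0.65 because its code segment's checksum and two of its three strings survive the IP edit, which is exactly the case a whole-file MD5 loses. The unrelated binary still scores 0.30 purely from structural agreement (same machine type, header counts and a size inside the window), so those features only narrow the field and any alert threshold has to sit above that baseline; the segment checksums and strings carry the weight.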
This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 05:19:51 PST