Tuesday, February 24, 2015

What to do with MD5 checksums of files provided as an Indicator of Compromise?

As I have researched malware and its indicators of compromise, reports usually provide MD5 checksums of the files so that you can detect them in your environment.  I am not sure about your anti-virus, but mine does not let me plug in an MD5 and have it searched for across the enterprise as it does its scan, though the vendor I work with says that is a feature request they have.

Let's say I am researching the Dyre Banking Trojan and I pull up the SecureWorks report about it at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/.  As I scan through the report I come to the following section listing the MD5 checksums of the files I should look for on my enterprise network.



This is where ClamAV can assist: you can create a custom database containing these MD5 hashes.  The format of an MD5 signature in a custom database is hash:file size:malware name, so I start creating the file as follows:

md5hash:?:Dyre_Trojan

However, I quickly noticed that I do not have the file size.  I researched whether I could use a wildcard for the file size and came across the following in the ClamAV documentation.




The documentation allows a wildcard for the file size, so I create my custom database with the .hsb extension as follows.


To use the database I created, I run 'clamscan -i -r -d test.hsb'.  The -i shows only infected files, -r scans recursively, and -d points to the file or directory holding my databases.  If it finds a file that matches my custom database, the detection name carries a .UNOFFICIAL suffix, as shown in the picture below.
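The steps above (collect the hashes from a report, turn them into signature lines with a wildcard size, run clamscan against the custom database) as a small script. This is an added example, not code from the original post or from ClamAV. It assumes the documented signature layout HashString:FileSize:MalwareName:MinFLEVEL, with "*" accepted as the size when the minimum functionality level is 73; the hashes in SAMPLE_IOCS are constructed placeholders, not real Dyre indicators. It keeps the post's .hsb extension; ClamAV's documentation lists .hdb for MD5 and .hsb for SHA1/SHA256, but the loader identifies the hash by its length, which is why the post's file works.

```shell
#!/bin/sh
# Added example (not from the original post): build a ClamAV .hsb hash
# database from pasted MD5 indicators with a wildcard file size, then scan.
# Assumptions: signature lines are hash:*:name:73 (wildcard size needs
# min FLEVEL 73); SAMPLE_IOCS holds constructed placeholder hashes only.
set -eu

# Constructed IoC list as it might be pasted from a report: one MD5 per line,
# mixed case, plus a comment line and a malformed line that must be dropped.
SAMPLE_IOCS='# Dyre hashes (constructed placeholders)
0123456789abcdef0123456789abcdef
FEDCBA9876543210FEDCBA9876543210
not-a-hash
'

# md5_of FILE: print the MD5 of a file already on hand (e.g. a quarantined
# sample), using md5sum or, failing that, openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# make_hsb NAME: read hashes on stdin, emit .hsb signature lines on stdout.
# Only well-formed 32-hex-digit values survive, lower-cased and deduplicated,
# so a stray line from the pasted report cannot yield a signature ClamAV rejects.
make_hsb() {
    grep -Eio '^[0-9a-f]{32}$' | tr 'A-Z' 'a-z' | sort -u |
        while read -r h; do
            printf '%s:*:%s:73\n' "$h" "$1"
        done
}

# scan_with_db DB DIR: run clamscan with only the custom database.
# Prints clamscan's exit code (0 clean, 1 something matched, 2 error),
# or "skipped" when clamscan is not installed on this host.
scan_with_db() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    rc=0
    # -i: list only infected files, -r: recurse, -d: our database file
    clamscan -i -r -d "$1" "$2" >&2 || rc=$?
    echo "$rc"
}

# Demonstration: build the database from the pasted list plus the hash of a
# constructed local "sample", then scan the directory holding that sample.
demo() {
    work=$(mktemp -d)
    printf 'hello\n' > "$work/sample.bin"
    {
        printf '%s' "$SAMPLE_IOCS"
        md5_of "$work/sample.bin"
    } | make_hsb Dyre_Trojan > "$work/dyre.hsb"
    cat "$work/dyre.hsb"
    scan_with_db "$work/dyre.hsb" "$work"
    rm -rf "$work"
}

demo
```

Point scan_with_db at any directory, including a mount point where a remote share has been attached, and a hit is reported with the .UNOFFICIAL suffix the post describes. Because the size field is a wildcard, the database does not need the file sizes the report omitted.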


With a custom database, you could mount a remote Windows share or administrative share on a Linux host where ClamAV is installed and scan it for the hashes of interest, adding one more tool to your toolset...

2 comments:

  1. Thanks for the info!

  2. Even with the exact file size, ClamAV will detect other file sizes with the same hash as long as the files are close to each other in size. I do not know the exact limit as far as size difference, but I suspect it is no larger than about 10 or so bytes. I noticed this on some of the HDB signatures I made for Clam AV as sigmaker Guitar.

