Wednesday, February 25, 2015

What to do with MD5 checksums of files provided as an Indicator of Compromise?

As I research malware and its indicators of compromise, the reports routinely provide an MD5 checksum of each malicious file so that you can detect it in your own environment. I am not sure about your anti-virus, but I am not able to plug in an MD5 and have it search for that hash across the enterprise as it does its scan, though the company I work with says that is a feature request they have.

Let's say I am researching the Dyre banking trojan and I pull up the SecureWorks report about it at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/. As I scan through the report I come to the following section listing the MD5 checksums of the files I should look for on my enterprise network.



This is where ClamAV can assist. You can create a custom signature database from these MD5 hashes. The format for an MD5 hash signature is hash:file size:malware name, one signature per line. So my first attempt at the file looks as follows:

md5hash:?:Dyre_Trojan   (with ? standing in for the file size)

However, I quickly notice that I do not have the file size, because the report lists only the hashes. I started to research whether I could use a wildcard for the file size and came across the following in the ClamAV documentation.




The above information allows a * wildcard in the file size field (this needs a reasonably recent ClamAV; the documentation lists the minimum version). So I create my custom database with the .hsb extension, one line per hash in the form md5hash:*:Dyre_Trojan, as follows.


Then, to use the database I created, I run 'clamscan -i -r -d test.hsb'. With -i it only shows infected files, -r is recursive, and -d is the directory or file where my databases exist. Any file that matches the custom database I came up with is reported with .UNOFFICIAL appended to the signature name, as shown in the picture below; the suffix simply marks a hit from a database other than the official ClamAV ones.


Because the database is customizable, on a Linux host where ClamAV is installed you could mount a remote Windows share or administrative share and scan it for the hashes of interest. Two caveats: an MD5 signature only matches a byte-for-byte identical file, so a repacked or recompiled variant of the same trojan will not trip it, and clamscan skips files larger than its --max-filesize limit, so raise that if the share holds big files. Still, it adds one more tool to your toolset...
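The whole procedure above, as an added example that is not code from the original post: pull the 32-hex-digit MD5s out of pasted report text, emit one md5hash:*:Name line per hash for a .hsb database, and sweep a directory tree for matching files. The sweep is an offline re-implementation of the hash lookup (hash every file, compare against the database, honouring a numeric size or the * wildcard), so it runs without ClamAV; if a clamscan binary is on PATH it is also invoked with the same -i -r -d flags and its "FOUND" lines are returned. The report snippet, the sample files and the signature name Dyre_Trojan are constructed for the example; the first hash is MD5 of the bytes "hello", not a real Dyre indicator.

```python
#!/usr/bin/env python3
"""Turn a report's MD5 IOCs into a ClamAV .hsb database and sweep a tree with it."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Constructed input for this example: a fake report snippet. The first hash is
# md5(b"hello"); the second is a made-up value that should match nothing.
REPORT_SNIPPET = """
Indicators of compromise
5d41402abc4b2a76b9719d911017c592  dropper
00112233445566778899AABBCCDDEEFF  loader
"""


def extract_md5s(text):
    """Every 32-hex-digit token in pasted report text, lowercased, first seen first."""
    seen = []
    for h in MD5_RE.findall(text):
        h = h.lower()
        if h not in seen:
            seen.append(h)
    return seen


def hsb_lines(md5s, name, size="*"):
    """One 'hash:size:name' line per hash; '*' is ClamAV's file-size wildcard."""
    for h in md5s:
        if not re.fullmatch(r"[0-9a-f]{32}", h):
            raise ValueError("not an MD5: %r" % h)
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):  # keep the name free of ':' and spaces
        raise ValueError("bad signature name: %r" % name)
    return ["%s:%s:%s" % (h, size, name) for h in md5s]


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, db_lines):
    """Offline lookup: hash every regular file under root, report those in the database."""
    wanted = {}
    for line in db_lines:
        h, size, name = line.split(":")[:3]
        wanted[h] = (size, name)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if not os.path.isfile(p):
                continue
            entry = wanted.get(md5_of_file(p))
            if entry and (entry[0] == "*" or int(entry[0]) == os.path.getsize(p)):
                hits.append((p, entry[1]))
    return sorted(hits)


def clamscan(root, db_path):
    """Run the real scanner if installed; returns its 'path: Name.UNOFFICIAL FOUND' lines, else None."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    out = subprocess.run([exe, "-i", "-r", "-d", db_path, root],
                         capture_output=True, text=True)  # exit code 1 just means hits
    return [l for l in out.stdout.splitlines() if l.endswith(" FOUND")]


def demo():
    """Build a constructed share, write the .hsb next to it, sweep, and return what was found."""
    work = tempfile.mkdtemp(prefix="ioc-sweep-")
    share = os.path.join(work, "share")
    os.makedirs(os.path.join(share, "sub"))
    with open(os.path.join(share, "sub", "evil.exe"), "wb") as f:
        f.write(b"hello")  # constructed sample; md5 is 5d41402a...
    with open(os.path.join(share, "readme.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    db = hsb_lines(extract_md5s(REPORT_SNIPPET), "Dyre_Trojan")
    db_path = os.path.join(work, "ioc.hsb")
    with open(db_path, "w") as f:
        f.write("\n".join(db) + "\n")
    hits = [(os.path.relpath(p, share).replace(os.sep, "/"), n) for p, n in sweep(share, db)]
    result = {"db": db, "hits": hits, "clamscan": clamscan(share, db_path)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    r = demo()
    print("\n".join(r["db"]))
    print("offline hits:", r["hits"])
    print("clamscan:", "not installed" if r["clamscan"] is None else r["clamscan"])
```

To use it against a real share, replace REPORT_SNIPPET with the text pasted from the report and point demo()'s share at the mount point; the offline sweep and clamscan should agree on the same files.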
