
Re: MD5 Exploit Database?

From: Dave Dittrich <dittrich(at)cac.washington.edu>
Date: Sat Feb 01 2003 - 21:39:16 EST

On Sat, 25 Jan 2003, Simson L. Garfinkel wrote:

> Matt,

Simson,

Known good files can help weed out things to look at, but what is left is still difficult to characterize.

I don't know of anyone doing a database of known hashes of malware artifacts, but I have been party to more than one conversation about the benefits of one. While it wouldn't be 100% reliable, by any means, it would help to ID some known components of common rootkits. The drawback to using just cryptographic hashes is that the change of 1 single bit results in a new hash, so every new compile, edit, change in default IP address embedded in a DDoS program, etc., will result in a different hash. This means other attributes (weighted strings, ELF header field values, file type a la "file", etc.) would also need to be compared.

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Sun Feb 2 09:40:31 2003
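The point Dittrich makes above, that one flipped bit or a changed embedded IP address defeats an exact-hash lookup while coarser attributes (ELF header fields, file type, weighted strings) still line up, can be shown in a few lines. The following is an added illustration, not code from the list or from Dittrich; the "known component" profile, the string weights, and the minimal ELF-shaped sample bytes are all constructed for this example and do not describe any real rootkit.

```python
import hashlib
import re
import struct

ELF_HDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 fields after the 16-byte e_ident

# Constructed stand-in for a DDoS agent: a valid ELF64 header followed by a
# few strings, including an embedded "default IP". Not a real binary.
def build_sample(ip: bytes = b"10.0.0.1") -> bytes:
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, v1
    header = e_ident + struct.pack(
        ELF_HDR_FMT,
        2, 62, 1,                 # e_type ET_EXEC, e_machine EM_X86_64, e_version
        0x400000, 64, 0, 0,       # e_entry, e_phoff, e_shoff, e_flags
        64, 56, 1, 64, 0, 0,      # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )
    body = (b"\x00" * 16 + b"flood " + ip + b"\x00" + b"udp\x00"
            + b"PRIVMSG\x00" + b"\x00" * 8)
    return header + body

def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with one bit toggled (models a trivial edit)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def file_type(data: bytes) -> str:
    """Coarse magic-number check in the spirit of file(1)."""
    for magic, name in ((b"\x7fELF", "ELF"), (b"MZ", "PE/DOS"),
                        (b"#!", "script"), (b"\x1f\x8b", "gzip")):
        if data.startswith(magic):
            return name
    return "data"

def elf_header_fields(data: bytes):
    """Pull a few ELF64 header values that survive small edits elsewhere."""
    if data[:4] != b"\x7fELF" or len(data) < 64:
        return None
    f = struct.unpack_from(ELF_HDR_FMT, data, 16)
    return {"class": data[4], "endian": data[5], "e_type": f[0],
            "e_machine": f[1], "e_entry": f[3]}

def printable_strings(data: bytes, min_len: int = 3) -> list:
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed weighted-string profile for the hypothetical component.
WEIGHTED_STRINGS = {"flood": 3, "PRIVMSG": 2, "udp": 1, "icmp": 1}

def string_score(data: bytes) -> int:
    found = printable_strings(data)
    return sum(w for s, w in WEIGHTED_STRINGS.items() if any(s in p for p in found))

# Constructed profile of the known component: header values plus a score bar.
KNOWN_PROFILE = {"file_type": "ELF", "e_type": 2, "e_machine": 62, "min_score": 5}

def characterize(data: bytes, known_md5: set) -> dict:
    """Exact hash match first; fall back to attribute comparison if it fails."""
    h = hashes(data)
    elf = elf_header_fields(data)
    score = string_score(data)
    attrs_match = (file_type(data) == KNOWN_PROFILE["file_type"]
                   and elf is not None
                   and elf["e_type"] == KNOWN_PROFILE["e_type"]
                   and elf["e_machine"] == KNOWN_PROFILE["e_machine"]
                   and score >= KNOWN_PROFILE["min_score"])
    return {"md5": h["md5"], "exact_match": h["md5"] in known_md5,
            "file_type": file_type(data), "elf": elf,
            "string_score": score, "likely_variant": attrs_match}

if __name__ == "__main__":
    original = build_sample()
    known = {hashes(original)["md5"]}
    # Same code, different embedded IP: hash lookup misses, attributes still agree.
    for label, sample in (("original", original),
                          ("ip-changed", build_sample(b"10.0.0.2")),
                          ("one-bit-flip", flip_bit(original, len(original) - 1, 0))):
        print(label, characterize(sample, known))
```

Running it shows the hash set matching only the untouched sample, while the IP-changed and bit-flipped copies still report the same ELF type/machine, the same file type, and the same weighted-string score, which is the kind of secondary comparison the message argues a hash database would need.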

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

