hashing - Identify Known Malware By Hash (MD5) Across Network

2014-07-08
  • Matt

    I need to design a solution that will allow me to submit a series of MD5 hashes and then be alerted if these hashes are found on any machine (Windows) on the network. I'm open to existing solutions (probably preferred).

    I frequently use tools such as EnCase or FTK in conjunction with file hashes to do several things (identify known bad files, exclude known good files, etc.). However, neither of these tools is ideal for a large network scan although there is some capability there.

    For example, it would be ideal if A/V like SEP could be configured to do this. It's already installed and it's already reading the files during scans or other events. Whatever the solution, it seems like it should involve an agent on the target of the scan. We can't pull each file and hash it. It should happen on the client with just the results reported.

    Any/all help is appreciated. Thanks!

  • Answers
  • Executifs

    I don't know of any automatic solution that does this, but here are two ideas from the top of my head:

    • ClamAV is open-source: there's likely a way to modify it (or maybe even to use it out of the box) so it does just what you want. Maybe by setting up a local signature update repository?
    • Yara seems like a good candidate as well, although it can't fetch signatures by itself. You'll need to do some scripting.

    Basically, you have two signature matching engines here that will take care of the tedious system-wide scanning process. What you have to do from here is to take care of the automation. Depending on your network configuration, it can go from a couple of python lines and a cron-job to GPOs, I guess.

  • Matt

    Maybe the open source project md5deep could be of help for you (http://md5deep.sourceforge.net/). It supports recursive calculation of various hash digests (including MD5) of content within a path. The program also supports the possibility for you to supply a (black)list of MD5s to match against.

    You need to get it to the various machines on the network and work out some communication solution between the machines.
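    As an added example (not code from this thread, and not part of md5deep, ClamAV or Yara), here is the client-side scan that both answers leave to scripting, in Python: walk a directory, hash each regular file in chunks, and report any digest present in a supplied blocklist. The blocklist format (one MD5 per line, '#' comments), the file names and the sample contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files are never fully loaded

def md5_file(path):
    """Return the lowercase hex MD5 of one file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def load_blocklist(text):
    """Parse a blocklist (assumed format): one MD5 per line, '#' starts a comment."""
    entries = [ln.split("#", 1)[0].strip().lower() for ln in text.splitlines()]
    hashes = {e for e in entries if e}
    bad = [h for h in hashes if len(h) != 32 or set(h) - set("0123456789abcdef")]
    if bad:
        raise ValueError(f"not MD5 hex digests: {bad}")
    return hashes

def scan_tree(root, blocklist):
    """Hash every regular file under root; return sorted (relative path, md5) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digest = md5_file(path)
            except OSError:
                continue  # locked or unreadable; a real agent would report this
            if digest in blocklist:
                hits.append((os.path.relpath(path, root), digest))
    return sorted(hits)

BAD_CONTENT = b"constructed stand-in for a known-bad file\n"  # constructed sample
BAD_MD5 = hashlib.md5(BAD_CONTENT).hexdigest()
SAMPLE_BLOCKLIST = f"# constructed blocklist\n{BAD_MD5.upper()}\n"

def demo():
    with tempfile.TemporaryDirectory() as root:  # scratch tree: one bad, one benign
        Path(root, "docs").mkdir()
        Path(root, "docs", "readme.txt").write_bytes(b"benign\n")
        Path(root, "docs", "dropper.bin").write_bytes(BAD_CONTENT)
        return scan_tree(root, load_blocklist(SAMPLE_BLOCKLIST))
```

    Run on a real host it is the per-machine agent the question asks for; the list returned by scan_tree is what would be shipped back to a central collector.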


  • Related Question

    hashing - md5: Why is my command-line hash different from online md5 hash results?
  • pellea72

    On Mac OSX Leopard PowerPC, if I do:

    echo "hello" | md5

    on the command line, the result is:

    b1946ac92492d2347c6235b4d2611184

    But if I enter hello into one of the online md5 hash sites like http://md5online.net/, I get:

    5d41402abc4b2a76b9719d911017c592

    Am I doing something wrong? If I want to use md5 on the go, how can I make sure what I'm getting on the command line will agree with the online md5 tools? Thanks.


  • Related Answers
  • Rudedog

    When you echo from the command line, md5 is calculating the sum of 6 characters - h,e,l,l,o plus newline. The text you enter in a website doesn't have a newline.

    Try doing

    echo -n hello | md5


    and it'll give you what you expect. The -n tells echo not to output a newline.

  • user1863

    b1946ac92492d2347c6235b4d2611184 is the md5 of just the string

    hello

    5d41402abc4b2a76b9719d911017c592 is the md5 of

    hello

    CR+LF

    CR+LF is the Windows newline.

  • radvan72

    You can also use printf instead of echo, which automatically suppresses the newline character.

    printf hello | md5

    or even

    printf "hello" | md5

    I know I am two years late, but still ... this could be useful information for someone (like me) coming here via Google search :)