Greg Freemyer said the following on 01/04/2013 08:31 AM:
Often malware is tracked and cataloged based on its hash (md5, sha1, etc.)
From the command line "md5sum suspect_file" will give the md5 hash of that file. It should be a fairly long seemingly useless number, but every copy of that file in the world should have the same hash.
Now take that number and google it. If it is a known malicious file, malware investigative professionals will have reported the hash in any reports they published about it, so you may find a description of the malware on the internet this way.
I always do this with md5, sha1, and sha256.
The above assumes the malware is known, the exact malicious file you found was used before. Often a simple recompile can change the hash, so bad guys will often recompile their malware and re-release it.
Thus the above is just a first step in identifying malware, but it is the standard first step.
Greg is correct, and there is an industry behind this, and it is, like so many things, keyed more to Windows and the problems with Windows than to UNIX/Linux and the more sensible designs we have. My point here is that Greg is describing blacklisting. It is an 'everything that is not prohibited is allowed' approach to security, and you need to check to see if the file was on the prohibited list (malware). That list is long and, like AV signatures, always out of date. The converse approach, whitelisting, is the stance whereby "everything that is not explicitly allowed is prohibited". What is allowed is a much smaller list. The "tripwire" approach follows this; you keep a checksum of the system when it was first installed, of the known-to-be-good programs. There are many variations on this latter approach. One not very common approach is to have all the installed programs cryptographically signed, and the OS checks the signature before running them. That was more suited to mainframes than the UNIX/Linux model since they tend to have fewer and longer-running programs.

--
"I don't do defense; I do security. When you talk defense, you talk containment and mutually assured destruction. When you talk security, you talk collaboration and networking. This is the future." -Tom Barnett
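The two approaches the thread describes, hash lookup against a list of reported hashes (blacklisting) and a tripwire-style baseline of known-good files (whitelisting), as an added shell example that is not part of either message. The sample files, baseline path and hash list are constructed here; it assumes GNU coreutils (md5sum, sha1sum, sha256sum, find -print0, sort -z).

```shell
#!/bin/sh
# Added example (not from the thread): the two approaches discussed above.
#   1. hash_file / known_bad - blacklisting: hash a file, look it up in a
#      local list of hashes already reported for known samples.
#   2. make_baseline / changed_files - whitelisting, tripwire-style: record
#      hashes of the known-good installation, later report anything that differs.
# All sample files and lists are constructed here; only GNU coreutils is needed.

# Print "md5 sha1 sha256" for one file, as "md5sum file" etc. would.
hash_file() {
    printf '%s %s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                        "$(sha1sum "$1" | cut -d' ' -f1)" \
                        "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Exit 0 if the hash appears (case-insensitively, as a whole line) in a local
# list of reported hashes; the offline stand-in for searching for the hash.
known_bad() {
    grep -qixF -- "$1" "$2"
}

# Record the baseline: sha256 of every regular file under $1, written to $2.
# Paths are stored relative to $1 so the baseline can be checked from anywhere.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# Print the relative path of every file under $1 that is new or whose hash
# differs from the baseline $2. Prints nothing when the tree is unchanged.
changed_files() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    # '>' lines are entries present now but not in the baseline (new or
    # modified); '<' lines without a matching '>' would be deleted files.
    diff "$2" "$now" | sed -n 's/^> [0-9a-f]*  //p'
    rm -f "$now"
}

# Demonstration on a constructed tree: baseline two files, then tamper and add.
demo_dir=$(mktemp -d)
printf 'trusted program\n' > "$demo_dir/bin_a"
printf 'another trusted program\n' > "$demo_dir/bin_b"
make_baseline "$demo_dir" "$demo_dir.baseline"
printf 'replaced contents\n' > "$demo_dir/bin_a"   # modified after install
printf 'unexpected file\n' > "$demo_dir/bin_c"     # added after install
echo "Changed or new since baseline:"
changed_files "$demo_dir" "$demo_dir.baseline"     # ./bin_a and ./bin_c
rm -rf "$demo_dir" "$demo_dir.baseline"
```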