sheep-wolf – Exploit MD5 Collisions For Malware Detection


sheep-wolf is a tool to help you Exploit MD5 Collisions in software, specially malware samples which are commonly detected using MD5 hash signatures.

sheep-wolf - Exploit MD5 Collisions For Malware Detectionand then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and share your results by issuing a pull request updating the contents of results/!

Dependencies

  • 32-bit Windows (virtual) machine (64-bit breaks stuff)
  • Visual Studio 2012 to compile the projects (Express will do)
  • Fastcoll for collisions
  • Optional: Cygwin+MinGW to compile Evilize

How does it work?

  • shepherd.bat executes shepherd.exe with the user supplied command line arguments
    • shepher.exe generates a header file (sc.h) that contains the encrypted shellcode, the password and the CRC of the plain shellcode
  • shepherd.bat executes the build process of sheep.exe
    • sheep.exe is built with sc.hincluded by Visual Studio
  • shepherd.bat executes evilize.exe
    • evilize.exe calculates a special IV for the chunk of sheep.exe right before the block where the collision will happen
    • evilize.exe executes fastcoll.exe with the IV as a parameter
      • fastcoll.exe generates two 128 byte colliding blocks: a and b
    • evilize.exe replaces the original string buffers of sheep.exe so that they contain combinations a and b
    • The resulting files (evilize/wolf.exe and evilize/sheep.exe ) have the same MD5 hashes but behave differently. The real code to be executed only appears in the memory of evilize/wolf.exe.

You can download sheep-wolf here:

sheep-wolf-master.zip

Or read more here.

Posted in: Cryptography, Forensics, Malware

,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


Comments are closed.