sheep-wolf – Exploit MD5 Collisions For Malware Detection

The New Acunetix V12 Engine


sheep-wolf is a tool to help you Exploit MD5 Collisions in software, specially malware samples which are commonly detected using MD5 hash signatures.

sheep-wolf - Exploit MD5 Collisions For Malware Detectionand then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and share your results by issuing a pull request updating the contents of results/!

Dependencies

  • 32-bit Windows (virtual) machine (64-bit breaks stuff)
  • Visual Studio 2012 to compile the projects (Express will do)
  • Fastcoll for collisions
  • Optional: Cygwin+MinGW to compile Evilize

How does it work?

  • shepherd.bat executes shepherd.exe with the user supplied command line arguments
    • shepher.exe generates a header file (sc.h) that contains the encrypted shellcode, the password and the CRC of the plain shellcode
  • shepherd.bat executes the build process of sheep.exe
    • sheep.exe is built with sc.hincluded by Visual Studio
  • shepherd.bat executes evilize.exe
    • evilize.exe calculates a special IV for the chunk of sheep.exe right before the block where the collision will happen
    • evilize.exe executes fastcoll.exe with the IV as a parameter
      • fastcoll.exe generates two 128 byte colliding blocks: a and b
    • evilize.exe replaces the original string buffers of sheep.exe so that they contain combinations a and b
    • The resulting files (evilize/wolf.exe and evilize/sheep.exe ) have the same MD5 hashes but behave differently. The real code to be executed only appears in the memory of evilize/wolf.exe.

You can download sheep-wolf here:

sheep-wolf-master.zip

Or read more here.

Posted in: Cryptography, Forensics, Malware

,


Latest Posts:


BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.


Comments are closed.