{"id":4536,"date":"2017-05-26T19:46:20","date_gmt":"2017-05-26T11:46:20","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4536"},"modified":"2017-05-26T19:46:31","modified_gmt":"2017-05-26T11:46:31","slug":"sheep-wolf-exploit-md5-collisions-for-malware-detection","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/05\/sheep-wolf-exploit-md5-collisions-for-malware-detection\/","title":{"rendered":"sheep-wolf &#8211; Exploit MD5 Collisions For Malware Detection"},"content":{"rendered":"<p>sheep-wolf is a tool to help you Exploit MD5 Collisions in software, specially malware samples which are commonly detected using MD5 hash signatures.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/05\/sheep-wolf-Exploit-MD5-Collisions-For-Malware-Detection.png\" alt=\"sheep-wolf - Exploit MD5 Collisions For Malware Detection\" width=\"541\" height=\"519\" class=\"aligncenter size-full wp-image-4546\" \/>and then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and share your results by issuing a pull request updating the contents of <code>results\/<\/code>!<\/p>\n<h3>Dependencies<\/h3>\n<ul>\n<li>32-bit Windows (virtual) machine (64-bit breaks stuff)<\/li>\n<li>Visual Studio 2012 to compile the projects (Express will do)<\/li>\n<li>Fastcoll for collisions<\/li>\n<li>Optional: Cygwin+MinGW to compile Evilize<\/li>\n<\/ul>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<h3>How does it work?<\/h3>\n<ul>\n<li><code>shepherd.bat<\/code> executes <code>shepherd.exe<\/code> with the user supplied command line arguments\n<ul>\n<li><code>shepher.exe<\/code> generates a header file (<code>sc.h<\/code>) that contains the encrypted shellcode, the password and the CRC of the plain shellcode<\/li>\n<\/ul>\n<\/li>\n<li><code>shepherd.bat<\/code> executes the build process of <code>sheep.exe<\/code>\n<ul>\n<li><code>sheep.exe<\/code> is built with <code>sc.h<\/code>included by Visual Studio<\/li>\n<\/ul>\n<\/li>\n<li><code>shepherd.bat<\/code> executes <code>evilize.exe<\/code>\n<ul>\n<li><code>evilize.exe<\/code> calculates a special IV for the chunk of <code>sheep.exe<\/code> right before the block where the collision will happen<\/li>\n<li><code>evilize.exe<\/code> executes <code>fastcoll.exe<\/code> with the IV as a parameter\n<ul>\n<li><code>fastcoll.exe<\/code> generates two 128 byte colliding blocks: <code>a<\/code> and <code>b<\/code><\/li>\n<\/ul>\n<\/li>\n<li><code>evilize.exe<\/code> replaces the original string buffers of <code>sheep.exe<\/code> so that they contain combinations <code>a<\/code> and <code>b<\/code><\/li>\n<li>The resulting files (<code>evilize\/wolf.exe<\/code> and <code>evilize\/sheep.exe<\/code> ) have the same MD5 hashes but behave differently. The real code to be executed only appears in the memory of <code>evilize\/wolf.exe<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>You can download sheep-wolf here:<\/p>\n<p><a href=\"https:\/\/github.com\/silentsignal\/sheep-wolf\/archive\/master.zip\">sheep-wolf-master.zip<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/silentsignal\/sheep-wolf\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>sheep-wolf is a tool to help you Exploit MD5 Collisions in software, specially malware samples which are commonly detected using MD5 hash signatures. and then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"sheep-wolf is a tool to help you Exploit MD5 Collisions in software, specially malware samples which are commonly detected using MD5 hash signatures.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[26,28,7],"tags":[142,5627],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4536"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4536"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4536\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}