By now, the security industry must recognize that the future of Message-Digest algorithm 5 is hopelessly jeopardized. The rogue CA certificate presentation at 25C3 might as well have been the nail in the coffin. A little over a year ago, NIST opened up its Cryptographic Hash Algorithm Competition for the creation of SHA-3. In response, Ron Rivest (The ‘R’ in “RSA”) developed MD6 at MIT. Security Objectives’ has been tirelessly working on a little hashing project of its own–Pass The Hash.
The security industry is currently in the process of reluctantly accepting that the current signature-based approach to anti-virus and malware identification is futile. Therefore, our Pass The Hash solution utilizes a whitelist approach in conjunction with a custom hash tree data structure to wholly single out malware variants piece by piece. Moreover, non-disclosure agreements are a besetting factor in digital forensics investigations because the analyst cannot inquire about a malware specimen by sending it out verbatim; our solution solves that problem too.
Here’s how it works: you compute Tiger hashes of files on your system, query our central database, and we tell you what they belong to. If it doesn’t match one of our hashes, you know you’ve got a problem. Once you’ve identified a piece of malware, you can coordinate specifics with our community such as fixes, research, opinions, etc. All of this is in a really sleek WPF GUI because here at Security Objectives, we strive to make hacking look like the movies!
The hash computations that our software performs identify polymorphous variations similar to Context-Triggered Piecewise Hashes and Bloom Filters. There will also be an off-line mode where hashes can be compared against a local client-side database that deals with hash trees similar to our centralized database. Directories, drives, and even processes whose hashes need to be calculated are inserted into a dynamically managed queue; with the click of a button the queue can be re-prioritized, saved, elements can be removed, etc. Meta-data is associated with each hash object that describes attributes such as operating system, platform, user-specified information, etc.
When we first started working on this we were thinking “napster for malware” but it’s turned into so much more. More recently the description was “MRBL” (Malware Real-time Blackhole List,) similar to the MAPS SPAM countermeasure except that it actually utilizes whitelist technology. “malster” sounds cool, but we decided to name it Pass The Hash, indicative of the hash value computation and transmission taking place. This venture is clearly distinguishable from GNU Pth (Portable threads) because our acronym (PTH) is written in all caps.
I can’t provide an exact release date right now–all I can say is very soon. Once it’s released you’ll be able to download it from our products page. The long-term plan is to slap an open source license on the client code, thereby exposing the XML API for the central database and LINQ for the local one. Organizations that require the achievement of total malware sovereignty can deploy a dedicated appliance that acts as a counterpart to the centralized hash database hosted by Security Objectives. So keep your eyes peeled for the upcoming release of Pass The Hash. In the meantime, sneek a peek at a screenshot.
- Stealth Malware–Towards Verifiable Systems by Joanna Rutkowska of COSEINC’s Advanced Malware Labs
- Automated Structural Classification of Malware by Ero Carrera and Halvar Flake of zynamics GmbH
- National Software Reference Library (NSRL) by NIST
P.S. After a long hiatus, we plan to be hitting the conference circuit once again to present on the specifics of this new reactive malware eradication technology. We’ve been submitting CFP’s left and right, but you’re most likely to catch up with us at CanSecWest. Hope to see you there!