Team CYMRU's Malware Hash Registry

Published: 2008-12-17. Last Updated: 2008-12-18 18:07:51 UTC
by donald smith (Version: 1)
1 comment(s)

Team Cymru has a new look-up service that launched recently.
The Malware Hash Registry (MHR) service allows you to
query their database of many millions of unique malware samples
for a computed MD5 or SHA-1 hash of a file. If it is malware
and they know about, they return the last time they have seen
it along with an approximate anti-virus detection percentage.

THERE IS NO COST FOR NON-COMMERCIAL USE OF THIS TOOL. ACCESS IS
PUBLICLY AVAILABLE TO ANYONE.

Upon submission of a malware hash, the output of the command will return
a date the sample was first seen as well as the detection rate they've
seen using up to 30 AV packages. The detection rate is based on the
first time they scanned the sample.

Queries, including reasonable bulk queries, may be made using the
command line only.

The MHR compliments an anti-virus (AV) strategy by helping to identify
unknown or suspicious files that they have already identified as
malicious. This enables you to take action earlier than you would
otherwise be able to.


Full details including command syntax and procedures can be found at
<http://www.team-cymru.org/Services/MHR/>.

This is one of several new (free) data sets and services they are
currently providing to the community; if you haven't visited their
(recently revamped) site recently please do so for details of the
extensive work they do for the security community as well as further
advice, data and tips to help you make your networks more secure:
<http://www.team-cymru.org/Services>

If you want to use this as an IDS like tool Seth Hall from osu.edu
released this bro script into the public.
http://github.com/sethhall/bro_scripts/tree/e9bdb2f6afce6c809e3434de33723639d3d43ca3/md5_hash_malware/http-cymru-malware-hash.bro

If you need to know which virus is being detected, you could use a
service like virustotal with an md5 hash lookup. Just go to this url
http://www.virustotal.com/buscaHash.html and enter the checksum
(md5,sha1 or sha256) into the search bar.

Virustotal.com and cymru.com are not related. So they won't have
all the same hashes. But there should be pretty good cross service hash matching.

UPDATE

Seth Hall wrote in and advised us that he has put a short wiki up about installing the necessary support for using his changes. http://github.com/sethhall/bro_scripts/wikis/the-malware-hash-registry-and-bro-ids

1 comment(s)

Comments

The BIN (Bank Identification Number) feed is also very interesting for those of us in the financial institution industry. It provides a /\"near-real-time list of bank accounts and credit cards that have been identified by Team Cymru as potentially compromised/\" for vetted financial institutions. I plan to sign up for this ASAP.

Diary Archives