MD5 Checksum

I have noticed the MD5 Checksum on HijackThis and other downloaded programs. While I have started doing some digging on this subject, what is the purpose of this and how is it used to verify the program? Any suggestions on where to find info are appreciated. (R)

Melih
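As an added example for the question above (not code from HijackThis, Comodo or anyone in this thread): the published checksum is used by hashing the file you actually downloaded and comparing the result with the value the publisher lists. The path, the expected hash and the download name below are constructed placeholders.

```powershell
# Added example, not from the thread. Verifies a downloaded file against the
# checksum its publisher lists. $Path and $Expected are constructed placeholders:
# substitute your own download and the hash copied from the vendor's page.
param(
    [string]$Path      = "$env:USERPROFILE\Downloads\HijackThis.exe",
    [string]$Expected  = "0123456789abcdef0123456789abcdef",
    [ValidateSet('MD5', 'SHA1', 'SHA256')]
    [string]$Algorithm = 'MD5'
)

# Hash the bytes on disk; -ieq tolerates upper/lower-case listings on the vendor page.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
if ($actual -ieq $Expected.Trim()) {
    Write-Output "OK: $Path matches the published $Algorithm ($actual)"
    exit 0
}
Write-Output "MISMATCH: $Path"
Write-Output "  published: $($Expected.Trim())"
Write-Output "  computed : $actual"
exit 1
```

A match only proves the bytes you have are the bytes the publisher hashed, so the published value has to come from a channel you trust (the vendor's HTTPS page, not the same mirror that served the file). Where the publisher offers SHA-256 alongside MD5, compare against SHA-256; MD5 collisions are practical and it is no longer a suitable integrity check against a deliberate substitution.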

Melih,
What about detecting ADS (Alternate Data Streams) attached to a file? Unless I am incorrect, this will not change the file size nor the MD5 checksum. I know the file modified date will change with the attachment of an ADS. Does CFP use a combination of date and MD5?

(S) (:CLP)

OD

Can you please expand on what you mean by ADS as far as a file is concerned?
thanks
Melih

“The attacker now puts the executable ipeye.exe into an alternate data stream associated with the existing file test_file The syntax to do this is as follows:
type ipeye.exe > test_file:ipeye.exe”

http://www.securityfocus.com/infocus/1822

Yes, I am aware that there are several ADS discovery tools, including the one in HJT.

I was just wondering if CFP 3 was only relying on the MD5 checksum for its system integrity verification.

Prior to CFP3 I was using
Sentinel 2.0 anti-Virus/Trojan Integrity Checker developed by RuntimeWare.
Sentinel works by analyzing exploits in both your Registry and your system folders, integrating with ANY (except Symantec 10.0 Corp) Anti-Virus program to quarantine these threats. Sentinel’s Integrity Checker will notify your anti-virus/trojan application(s) if any file has been modified or added in any way whatsoever (using either a heavily optimized CRC32, SHA-1, MD5 or MD4 algorithm; for those of you who don’t speak geek: Sentinel is fast, and very secure). Note: this is not an AV program; however, it will integrate with most very nicely.

I don’t think this program could catch ADS (Alternate Data Streams) attached to a file.
And it does not work with Symantec 10.0 Corp AV either, but it does a fair job of identifying file changes.

Thanks for the quick reply Melih
OD

PS
I have done minimal playing with these, such as attaching an exe to a text file and then launching the hidden EXE from the registry, and as I said, “this will not change the file size nor the MD5 checksum. I know the file modified date will change with the attachment of an ADS.”
If there are other meanings to ADS (Alternate Data Streams) please let me know, but from my research ADS is unique to the NTFS file system.

Any good pointers to other reference sources, referring to other types of Alternate Data Streams, would be appreciated.
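The point OD makes above (an ADS leaves the main stream’s size and MD5 untouched while the modified date moves) can be checked directly. The script below is an added example, not Comodo’s, Sentinel’s or OD’s code: it builds a constructed temp file, hashes every stream, attaches a text ADS named `extra` (constructed, standing in for the quoted `type x > file:x`), and hashes again. It assumes an NTFS volume and Windows PowerShell 3+ or PowerShell 7 (`Set-Content -Stream`, `Get-Item -Stream`), and it prints the before/after values rather than assuming them.

```powershell
# Added example, not from the thread. Shows why an integrity checker that hashes
# only the main data stream misses an ADS, and how enumerating every stream
# closes the gap. Assumes NTFS and PowerShell 3+ / 7; the demo file is constructed.

function Read-StreamBytes {
    # Read one stream as bytes. ':$DATA' is the main stream, read without -Stream.
    param([string]$Path, [string]$Stream)
    $p = @{ LiteralPath = $Path; Raw = $true }
    if ($Stream -ne ':$DATA') { $p.Stream = $Stream }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $p.AsByteStream = $true }   # PowerShell 7
    else                                        { $p.Encoding = 'Byte' }     # Windows PowerShell
    $bytes = Get-Content @p
    if (-not $bytes) { $bytes = [byte[]]@() }                                 # empty stream
    return [byte[]]$bytes
}

function Get-FileStreamReport {
    # One row per stream of the file: name, length and MD5 of that stream's bytes.
    param([string]$Path)
    Get-Item -LiteralPath $Path -Stream * | ForEach-Object {
        $bytes = Read-StreamBytes -Path $Path -Stream $_.Stream
        $hash  = [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes)
        [pscustomobject]@{
            Stream = $_.Stream
            Length = $_.Length
            MD5    = ([System.BitConverter]::ToString($hash)) -replace '-', ''
        }
    }
}

$file = Join-Path $env:TEMP 'ads_demo.txt'                # constructed demo file
Set-Content -LiteralPath $file -Value 'visible content'

$before      = Get-FileStreamReport $file
$mtimeBefore = (Get-Item -LiteralPath $file).LastWriteTime
Start-Sleep -Seconds 2

# Attach an alternate stream with constructed text (same mechanism as the quoted
# 'type x > file:x', without an executable).
Set-Content -LiteralPath $file -Stream 'extra' -Value 'constructed alternate-stream content'

$after      = Get-FileStreamReport $file
$mtimeAfter = (Get-Item -LiteralPath $file).LastWriteTime

$mainBefore = $before | Where-Object { $_.Stream -eq ':$DATA' }
$mainAfter  = $after  | Where-Object { $_.Stream -eq ':$DATA' }
$mainVerdict = if ($mainBefore.MD5 -eq $mainAfter.MD5) { 'unchanged' } else { 'changed' }

"Main stream length : $($mainBefore.Length) -> $($mainAfter.Length)"
"Main stream MD5    : $mainVerdict ($($mainAfter.MD5))"
"LastWriteTime      : $mtimeBefore -> $mtimeAfter"

# What a main-stream-only checker misses: streams present now that were not before.
$newStreams = $after | Where-Object { $_.Stream -notin $before.Stream }
if ($newStreams) {
    'ALERT: alternate stream(s) appeared that the main-stream MD5 does not reflect:'
    $newStreams | Format-Table Stream, Length, MD5 -AutoSize
}

Remove-Item -LiteralPath $file
```

Run it in a console and compare the two lines for the main stream with the ALERT block: the main-stream MD5 is the value a checker such as the ones discussed above would record, and it is identical before and after, so a baseline that stores one hash per file cannot notice the new `extra` stream. A baseline that stores a hash per stream (the `Get-FileStreamReport` rows) does, independently of the modified date, which a tool can reset.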

We do have a few different tricks, AFAIK. The dev guys can answer it better than I can.

thanks
Melih

Yet another good reason for using FAT32. ADS and other data forking methods rely on journalling or extended directory recording capability in the OS. FAT32, for example, is too simple. LOL

Ewen :slight_smile:

Thank you for the extra info. That has led to more questions. What would be the best way to use ADS to determine if something is legit or not, or is it just a piece of the puzzle?

The latter, I’m afraid, just another piece in the puzzle.