A non-profit group that tracks malicious activity online has just started a new free service that enables users to check executable files against a database of known good applications and to help determine whether a given file is malicious.
The service, offered by the Shadowserver Foundation, is a Web-based offering that allows remote users to submit the MD5 or SHA-1 hash of a particular file. The service then checks that hash against a large database of known legitimate software applications to see whether it’s a recognized executable. The database is based on information gathered by NIST’s National Software Reference Library, which comprises a massive set of hashes of known software, including some malicious tools such as steganography kits and common attack scripts.
This kind of whitelisting approach to determine which files may be malicious–or at least potentially unwanted–has become more and more common in recent years as the volume of malware and other malicious files has continued to increase exponentially. That huge increase has made it increasingly difficult for anti-malware applications to keep pace, leading to the rise of whitelisting as a supplementary technology.
If the hash that’s submitted is found in the Shadowserver database, the output from the file-checking service, called Bin Checking, is a simple text response that lists the known attributes of the file. For example:
0E53C14A3E48D94FF596A2824307B492 {“source”: “NIST”, “filename”: “00br2026.gif”, “crc32”: “AA6A7B16”, “product_name”: “Gallery”, “mfg_name”: “Corel Corporation”, “os_name”: “Windows NT”, “language”: “English”, “product_version”: “750,000”, “os_version”: “Generic”, “application_type”: “Graphic/Drawing”, “filesize”: “2226”, “os_mfg”: “Microsoft”}
If the hash isn’t in the database, the service will simply return the hash. Users also can submit large bulk queries to the database in the form of multipart MIME messages using the POST interface.
