What does Tdsskiller mean by this? (Forged file, fake MD5)
Nozza
post 7.07.2011 20:24
Post #1
Newbie
Group: Members
Posts: 1
Joined: 7.07.2011

When Tdsskiller produces an output like this:

Suspicious file (Forged): C:\windows\system32\drivers\filename5.sys. Real md5: f0269e9f841c4e39ebbb366531b8290f, Fake md5: 63c0be20a6db9824951e5c2d4116503c
filename - detected ForgedFile.Multi.Generic (1)

What does it mean exactly? Does it mean that the MD5 hash is cryptographically forged? If so how can tdsskiller detect this? Or does it just mean the hash doesn't match the file?

What is tdsskiller actually doing with regards to MD5 hashes and what is it doing in general to detect infected drivers?

Some people are implying that virus writers can now forge MD5 hashes to make fake but passable signing certificates. Is that actually the case?

Thanks.

N
Yury.Parshin
post 8.07.2011 07:00
Post #2
Virus Analyst
Group: KL Russia
Posts: 744
Joined: 21.10.2008

Hello.

A "ForgedFile.Multi.Generic" detection means that the file contents read through WinAPI differ from the contents read through low-level disk access (Real md5 - hash calculated through low-level access, Fake md5 - through WinAPI).

But in this case it's probably a false alarm (both are Hitman Pro 3.5 drivers).
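The check described in the reply above, modelled as an added example (this is not TDSSKiller's code, and it is not from Kaspersky or any poster in this thread): the same file is hashed as seen through two independent read paths, and a mismatch is reported in the log format quoted in the question. Reading NTFS clusters through \\.\PhysicalDrive0 needs Windows, administrator rights and an NTFS parser, so the raw-disk path is simulated here by a caller-supplied reader; the driver name, the byte contents and the infected-system scenario (a patched on-disk image with normal file reads answered by a clean copy) are constructed for illustration and are not from the page.

```python
"""Model of a cross-view (API vs. raw disk) file check, plus a parser for the
'Suspicious file (Forged)' report line.  Added example, not TDSSKiller code."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Matches the report line format quoted in the question above.
FORGED_LINE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-fA-F]{32}), Fake md5: (?P<fake>[0-9a-fA-F]{32})"
)


@dataclass
class ForgedVerdict:
    path: str
    real_md5: str   # hash of the bytes obtained through low-level disk access
    fake_md5: str   # hash of the bytes obtained through WinAPI (what other tools see)

    @property
    def forged(self) -> bool:
        # "Forged" only means the two views disagree; nothing cryptographic
        # about MD5 is being broken or detected here.
        return self.real_md5 != self.fake_md5

    def report_line(self) -> str:
        return (f"Suspicious file (Forged): {self.path}. "
                f"Real md5: {self.real_md5}, Fake md5: {self.fake_md5}")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_forged_line(line: str) -> Optional[ForgedVerdict]:
    """Parse one 'Suspicious file (Forged)' line from a TDSSKiller log."""
    m = FORGED_LINE.search(line)
    if m is None:
        return None
    return ForgedVerdict(m["path"], m["real"].lower(), m["fake"].lower())


def cross_view_check(path: str,
                     api_read: Callable[[str], bytes],
                     raw_read: Callable[[str], bytes]) -> ForgedVerdict:
    """Hash the same file as seen through two independent read paths.
    A mismatch means something between the application and the disk
    (a filter driver, a hooked I/O path) is answering reads with bytes
    that are not what is actually stored."""
    return ForgedVerdict(path,
                         real_md5=md5_hex(raw_read(path)),
                         fake_md5=md5_hex(api_read(path)))


# ---- constructed scenario: hypothetical driver name and byte contents ------
DRIVER_PATH = r"C:\windows\system32\drivers\example.sys"
CLEAN_DRIVER = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"clean driver body" * 8
# On-disk image with a stub spliced in over part of the original body.
PATCHED_DRIVER = CLEAN_DRIVER[:80] + b"<injected loader stub>" + CLEAN_DRIVER[102:]


def make_views(infected: bool):
    """Return (api_read, raw_read) for a simulated system.  When infected,
    the on-disk bytes are patched but reads through the normal file API
    are intercepted and answered with the clean image (assumed scenario)."""
    disk = {DRIVER_PATH: PATCHED_DRIVER if infected else CLEAN_DRIVER}

    def raw_read(p: str) -> bytes:
        return disk[p]

    def api_read(p: str) -> bytes:
        return CLEAN_DRIVER if infected else disk[p]

    return api_read, raw_read


if __name__ == "__main__":
    for infected in (False, True):
        api, raw = make_views(infected)
        verdict = cross_view_check(DRIVER_PATH, api, raw)
        print("infected" if infected else "clean   ",
              "->", verdict.report_line() if verdict.forged else "views agree")
```

Note what the check can and cannot tell you: equal hashes from both paths say only that nothing is rewriting reads of that file, and a mismatch does not by itself say which view is the malicious one. A legitimate product that hooks file I/O (the reply above mentions Hitman Pro drivers) produces the same disagreement, which is why a "Forged" verdict needs a second look before the file is treated as infected.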