Full disclousure deep technical analisys below. Beware !!!

Aug 31, 2010

A Good Malware Decoy vs VirusTotal based on MD5 Collision

MD5 Collision tool (http://www.mscs.dal.ca/~selinger/md5collision/) let everybody create malicious executables that has the same MD5 of another legitimate file.

Suppose the legitimate (hello.exe) has been  already analyzed on VirusTotal (like http://www.virustotal.com/file-scan/reanalysis.html?id=1316543942a8c6cd754855500cd37068edbbd8b31c4979d2825a4e799fed6102-1283241840).

The “Already Analyzed” check is based JUST on MD5: so future check of “same MD5-different SHA” malicious exec will propose the “old legitimate result report” unless you explicitly ask for recheck!!

But how many will ask for recheck and wait the submission queue?

Update: VirusTotal “Already Analyzed” is based on same sha-256 too. See comments.


  1. hi,

    have you seen the result? even tough virustotal is show md5sum on the page, but actually the result are different.

    and according to virustotal author, 'already checked' result at virustotal is based on sha256, not md5 ==> http://twitter.com/jcanto/status/22603559764

  2. I've made a new check todays submitting same MD5 file and got two different answers.
    1- http://www.virustotal.com/file-scan/reanalysis.html?id=1c4ff4e490b15b2b214f26c5654decccbcbea9eb900f88649dc7b1e42341be56-1285832735
    2- http://www.virustotal.com/file-scan/reanalysis.html?id=fad878bd261840a4ea4a8277c546d4f46e79bbeb60b059cee41f8b50e28d0e88-1285832757)
    So I'm wrong about that...but I'm quite sure made the same test before. Tks for your comments