Full disclousure deep technical analisys below. Beware !!!

Aug 31, 2010

A Good Malware Decoy vs VirusTotal based on MD5 Collision

MD5 Collision tool (http://www.mscs.dal.ca/~selinger/md5collision/) let everybody create malicious executables that has the same MD5 of another legitimate file.

Suppose the legitimate (hello.exe) has been  already analyzed on VirusTotal (like http://www.virustotal.com/file-scan/reanalysis.html?id=1316543942a8c6cd754855500cd37068edbbd8b31c4979d2825a4e799fed6102-1283241840).

The “Already Analyzed” check is based JUST on MD5: so future check of “same MD5-different SHA” malicious exec will propose the “old legitimate result report” unless you explicitly ask for recheck!!

But how many will ask for recheck and wait the submission queue?

Update: VirusTotal “Already Analyzed” is based on same sha-256 too. See comments.