Synopsis:

Team Cymru’s Malware Hash Registry (MHR) is a useful tool for scanning suspicious files. It is free for private use and provides an excellent addition to a comprehensive security plan. It scans the hash of a file against a number of anti-virus packages and then lets you know if the file has previously been detected as malware.

Who Are Team Cymru?

Team Cymru is an internet security research group that operate out of Illinois as a non-profit organization. Cymru is pronounced Kum-ree, which is a Welsh word for Wales, a tribute to the heritage of some of the founders. The organization is passionate about making the internet more secure by researching malicious internet activity and providing resources to help combat threats.

The group was started by Rob Thomas as a think tank in 1998. It became an official legal entity in 2004, and a non-profit organization in 2009. The main office is in Orlando, Florida, but their team is spread throughout the US, the UK, Europe and even New Zealand. The organization has servers and hardware all over the world.

Team Cymru offers a range of other free tools, software and information in addition to the MHR. These projects are financially supported through commercial security services. Team Cymru also receives donations of bandwidth, hosting, hardware and other resources from a variety of partners as well as the community. Combined with the lean structure of the organization, these donations and commercial services allow Team Cymru to offer their free projects and continue on their mission of making the internet safer.

What Is the Malware Hash Registry?

The MHR is a service that allows users to search the MD5 or SHA-1 hash of suspicious or unknown files to see if they have previously been identified as malware. It uses more than 30 anti-virus packages, however Team Cymru do not disclose which ones. The service is free for non-commercial use, although you can contact them if you wish to use it for business purposes. You should also notify them if you plan on implementing or automating the registry into an open source project. This allows them to plan for any additional strain on their resources.

Team Cymru’s MHR is not a replacement for anti-virus packages, but an extra tool that should be used as part of a complete security plan. Anti-virus packages often have problems identifying malware the first time they encounter it, which makes the MHR a great additional resource for checking suspicious files. It helps administrators identify threats so that they can act on them.

Team Cymru receive their data through web crawlers, honey pots and data sharing agreements, and the database is updated daily. It excludes entries from the NIST database, anything with less than a 5% detection rate (to minimize false positives) and tries to exclude copies of polymorphic malware.

Queries will return two values, the last time a piece of malware was discovered and the detection rate. The timestamp is the number of seconds since 12:00 am UTC, 1970-1-1. You can turn this into a more readable time with a bash shell in Unix. Use the command:

date --date="1970-01-01 <unix timestamp> secs UTC"

The detection rate is given as an average percentage of all the anti-virus packages that the malware was run against.

There are several interface options:

  • Whois (TCP 43)
  • HTTP (TCP 80)
  • HTTPS (TCP 443)

Team Cymru offer a dashboard widget for OS X with drop and drag functionality. The MHR is also compatible with Linux. Team Cymru formerly offered an interface for DNS, as well as an add-on for Firefox and a program for Windows, but all of these links are dead and there are no updates on their site regarding their functionality.

How to Use the Malware Hash Registry

Whois

You can use the whois interface to make either single or bulk hash submissions. Bulk submissions are combined with GNU’s netcat. Team Cymru suggest that you use bulk submissions for any queries of two or more hashes, because it reduces their costs. Networks that abuse the whois server with many individual queries may be null routed.

To scan a single hash of : 66fdd0199653d42bae7f8e73ffe423cd

Enter the following into the above link:

$ whois -h hash.cymru.com 66fdd0199653d42bae7f8e73ffe423cd

If the MHR does not recognize it as malware, it will return:

66fdd0199653d42bae7f8e73ffe423cd 1485410767 NO_DATA

The 10 digit number is the number of seconds, while NO_DATA indicates that the MHR does not recognize it as malware.If the hash does match up with malware, the percentage will show up instead of NO_DATA.

For bulk queries, write out your list of hashes with begin and end in their respective places.

Then, run the list through GNU netcat:

$ netcat hash.cymru.com 43 < list01 > list02

List 2 will return each hash followed by the timestamp and the detection percentage.

HTTP/HTTPS

The HTTP/HTTPS interface to WebMHR works as a web proxy to the whois service. To submit your hashes, just follow the instructions at the previously mentioned link.

More Reading and Other Resources