Some researchers rely on MD5 hashes to identify malware. An exploit developer provides a tool that always packs shellcode with the same hash.
The IT security researcher and exploit developer David Buchanan has developed the Monomorph tool, which converts any compressed shell code up to four kbytes in size into a 4 MByte file. And it always has the same MD5 hash. Buchanan explains his motivation: “Some people still insist on using MD5 to reference file samples. For various reasons that don’t make sense to me.” If any of these people ended up analyzing code packaged with Monomorph, they would eventually become very confused.
MD5-Monomorph is available as an open source project on GitHub. While previous examples used a single MD5 collision to produce the same hash for a “good” and a “bad” application, the “MD5-Monomorphic Shellcode Packer” takes the concept to the next level.
Buchanan explains how the python script works as follows: For each bit to be coded, he precalculated a colliding MD5 block with the FastColl tool. Each collision creates a pair of blocks that can be swapped without changing the overall MD5 hash. The loader checks which block was chosen at runtime to decode the bit. Therefore, Monomorph needs 4*1024*8 collisions for 4 kbytes of data, adding up to 4 Mbytes in the output file.
Due to the precalculated MD5 blocks, Monomorph is very fast when encoding shellcode into an executable file. The software that has so far only run under 64-bit x86 Linux always delivers the MD5 value
3cebbe60d91ce760409bbe513593e401 return. Porting to other platforms should be easy, but generate a different (but always the same) MD5 checksum there.