Topic: Malware Hash Registry

The Malware Hash Registry (MHR) project is a look-up service similar to the Team Cymru IP address to ASN mapping project. This project differs, however, in that you can query our service for a computed MD5 or SHA-1 hash of a file and, if it is malware and we know about it, we return the last time we've seen it along with an approximate anti-virus detection percentage.

The Team Cymru Malware Hash Registry (MHR) complements an anti-virus (AV) strategy by helping to identify unknown or suspicious files. While your AV posture helps you perform detection based on signatures, heuristics and polymorphism, the MHR provides you an additional layer of detection for known badness. Based on our research, AV packages have trouble detecting every possible piece of malware when it first appears. The MHR leverages multiple AV packages and our own malware analysis sandbox to help aid your detection rate. Coupled with AV, the MHR helps identify known problems so you can take action. In order to decrease the false positive rate, we do not list items with less than a 5% detection rate, we exclude all entries present in the NIST database, and we attempt to exclude multiple copies of polymorphic malware.

The whois daemon acts like a standard whois server would, but an MD5 or SHA-1 hash value instead of a name or address is passed as an argument. It accepts arguments on the command-line for single whois queries and it also supports BULK hash submissions when combined with GNU's netcat for those who wish to optimize their queries. When issuing requests for two or more hashes we strongly suggest you use netcat for BULK submissions since there is less overhead.

There is presently one whois server available with round robin IP addresses:

hash.cymru.com

An example use of the command-line arguments on a single malware hash query:

$ whois -h hash.cymru.com e1112134b6dcc8bed54e0e34d8ac272795e73d74
e1112134b6dcc8bed54e0e34d8ac272795e73d74 1221154281 53

The output above includes the hash that was queried for, along with the last known GMT timestamp associated with that hash in Unix epoch seconds, and the detection percentage across a mix of AV packages. If the malware hash is NOT in the database, the results will look something like this:

$ whois -h hash.cymru.com 1250ac278944a0737707cf40a0fbecd4b5a17c9d
1250ac278944a0737707cf40a0fbecd4b5a17c9d NO_DATA

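A small client for the service described above, written as an added example for this thread (it is not Team Cymru's code and not part of the original post). It hashes a file the way the post describes, parses both response shapes shown above (hash / epoch / detection percentage, and hash / NO_DATA), converts the epoch to a readable UTC time, and flags results for review. The sample response text is constructed from the two lines in the post. The begin/end framing used for the bulk request is an assumption taken from Team Cymru's bulk whois interface rather than from this page, and the network call is kept separate so everything else runs offline.

```python
from __future__ import annotations

import hashlib
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

MHR_HOST = "hash.cymru.com"   # the round-robin whois server named in the post
MHR_PORT = 43                 # standard whois port


@dataclass
class MhrResult:
    digest: str
    last_seen: Optional[int]        # Unix epoch (GMT) of the last sighting, None for NO_DATA
    detection_pct: Optional[int]    # approximate AV detection percentage, None for NO_DATA

    @property
    def known(self) -> bool:
        """True when the registry had a record for this hash."""
        return self.last_seen is not None

    def last_seen_iso(self) -> Optional[str]:
        """Render the epoch timestamp as an ISO-8601 UTC string for reports."""
        if self.last_seen is None:
            return None
        return datetime.fromtimestamp(self.last_seen, tz=timezone.utc).isoformat()


def file_hashes(data: bytes) -> dict:
    """Compute the two digests the registry accepts (MD5 and SHA-1) for a file's bytes."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def build_bulk_request(hashes: Iterable[str]) -> str:
    """Frame several hashes for one connection.

    ASSUMPTION: the begin/end framing is Team Cymru's bulk whois convention,
    taken from their documentation, not from the forum post.
    """
    body = "\n".join(h.strip().lower() for h in hashes)
    return f"begin\n{body}\nend\n"


def parse_line(line: str) -> Optional[MhrResult]:
    """Parse one response line; returns None for blank or '#' comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) == 2 and parts[1] == "NO_DATA":
        return MhrResult(parts[0].lower(), None, None)
    if len(parts) == 3:
        return MhrResult(parts[0].lower(), int(parts[1]), int(parts[2]))
    raise ValueError(f"unrecognised MHR response line: {line!r}")


def parse_response(text: str) -> List[MhrResult]:
    """Parse a whole whois/netcat response into MhrResult records."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def flag_for_review(results: Iterable[MhrResult], threshold: int = 5) -> List[str]:
    """Return digests the registry knows with detection at or above the threshold.

    The post says the registry already drops entries below 5% detection, so the
    default threshold simply mirrors that policy; raise it to reduce noise.
    """
    return [r.digest for r in results if r.known and r.detection_pct is not None
            and r.detection_pct >= threshold]


def query_bulk(hashes: Iterable[str], host: str = MHR_HOST, port: int = MHR_PORT,
               timeout: float = 10.0) -> List[MhrResult]:
    """Send a bulk request over a raw TCP connection (what the post does with netcat)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bulk_request(hashes).encode("ascii"))
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks).decode("ascii", errors="replace"))


# Constructed sample response, built from the two lines shown in the post.
SAMPLE_RESPONSE = """\
e1112134b6dcc8bed54e0e34d8ac272795e73d74 1221154281 53
1250ac278944a0737707cf40a0fbecd4b5a17c9d NO_DATA
"""

if __name__ == "__main__":
    for r in parse_response(SAMPLE_RESPONSE):
        print(r.digest, "last seen", r.last_seen_iso(), "detection", r.detection_pct)
    print("review:", flag_for_review(parse_response(SAMPLE_RESPONSE)))
```

Run the module as-is to see the offline parse; call `query_bulk([...])` with real digests from `file_hashes` only when you want to go to the network. Treating NO_DATA as "unknown" rather than "clean" is the point of the `known` property: the post is explicit that the registry only covers malware it has seen.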

Re: Malware Hash Registry

How effective is this in practice?