Author Topic: Can checksum match & still that file turns out infected?  (Read 5156 times)

srpgmt

  • Guest
Can checksum match & still that file turns out infected?
« on: September 02, 2010, 02:50:52 PM »
Can a checksum match & still that file turn out to be infected...
Or is it that once checksum matches it can be said that a file is not infected by virus?

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Can checksum match & still that file turns out infected?
« Reply #1 on: September 02, 2010, 03:35:41 PM »
It depends on the strength of the chosen checksum. CRC32, e.g., is quite weak and can be fooled with a simple modification of 4 bytes.
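Added example, not part of the original thread or any poster's code: a short Python check of the CRC32 point in the reply above, showing that four appended bytes can make different content report the same CRC32 while SHA-256 still differs. The sample byte strings are constructed and the function names are this example's own.

```python
import hashlib
import zlib

def solve_gf2(columns, target):
    """Return bitmask x so that XOR of columns[i] over set bits i of x == target."""
    basis = {}  # highest set bit -> (vector, mask of columns that XOR to it)
    for i, vec in enumerate(columns):
        combo = 1 << i
        while vec:
            top = vec.bit_length() - 1
            if top not in basis:
                basis[top] = (vec, combo)
                break
            vec, combo = vec ^ basis[top][0], combo ^ basis[top][1]
    x = 0
    while target:
        top = target.bit_length() - 1
        if top not in basis:
            raise ValueError("no solution")
        target, x = target ^ basis[top][0], x ^ basis[top][1]
    return x

def crc32_matching_suffix(data, wanted_crc):
    """Find 4 bytes that, appended to data, make zlib.crc32 equal wanted_crc."""
    base = zlib.crc32(data + b"\x00" * 4)
    # CRC32 is affine over GF(2): flipping bit i of the suffix always XORs
    # the same 32-bit pattern into the result, so 32 probes describe it fully.
    columns = [zlib.crc32(data + (1 << i).to_bytes(4, "little")) ^ base
               for i in range(32)]
    return solve_gf2(columns, wanted_crc ^ base).to_bytes(4, "little")

# Constructed sample data, not a real installer.
ORIGINAL = b"constructed installer image, as published"
MODIFIED = b"constructed installer image, with changed bytes"

def demo():
    patched = MODIFIED + crc32_matching_suffix(MODIFIED, zlib.crc32(ORIGINAL))
    return {
        "crc32_equal": zlib.crc32(patched) == zlib.crc32(ORIGINAL),
        "sha256_equal": hashlib.sha256(patched).digest()
                        == hashlib.sha256(ORIGINAL).digest(),
        "content_equal": patched == ORIGINAL,
    }

if __name__ == "__main__":
    print(demo())
```

A matching CRC32 therefore only rules out accidental corruption; comparing a download against a published value needs a cryptographic hash such as SHA-256.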

srpgmt

  • Guest
Re: Can checksum match & still that file turns out infected?
« Reply #2 on: September 02, 2010, 03:46:00 PM »
SHA-1 or MD5?

srpgmt

  • Guest
Re: Can checksum match & still that file turns out infected?
« Reply #3 on: September 02, 2010, 03:50:54 PM »
SHA-1 & MD5 checksums rather than crc32

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Can checksum match & still that file turns out infected?
« Reply #5 on: September 02, 2010, 11:41:39 PM »
SHA-1 and MD5 are much stronger than CRC32, but even these hashes aren't unbreakable. Fortunately, there are no critical collisions yet (many digital signatures rely on SHA-1 hashes).

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Can checksum match & still that file turns out infected?
« Reply #6 on: September 03, 2010, 12:52:15 PM »
Sure, the checksum may match and the file still may be infected - if the checksum was generated after the file got infected (possibly because the file author didn't know his machine is infected).
Remember Win32:Induc? Quite a few infected and signed files out there...

srpgmt

  • Guest
Re: Can checksum match & still that file turns out infected?
« Reply #7 on: September 05, 2010, 03:35:16 PM »
@Pondus
@Maxx_original
@igor

An Apology From Me To You All
First of all, kindly accept my personal apology. Right after I raised this query a crisis developed due to which I had to rush off. I was therefore unable to respond to your kind, helpful, knowledgeable & prompt reply. I feel sorry for that  :(

A Sad Learning
Yes, you are right, all 3 checksum algorithms can & have been broken. Wikipedia also mentions that  :(

Why I Asked That Question
1) I understand different AVs use different algorithms & consequently it can happen (& does happen) that some AVs fail to catch some virus which possibly some other AV might catch
2) I learnt from this forum that the Artemis algorithm is chosen not to be used by Avast since Avast believes that Artemis has a proneness to throw up a lot of False Positives
3) I continue to trust Avast & respect that viewpoint & consequently I accept that it must be so regarding Artemis
4) That said, in terms of probability, Artemis throwing up a False Positive might not be 100%
5) Hence I reasoned (& if I am wrong kindly correct my reasoning); I wondered if a large checksum algorithm like SHA-1 can be relied upon for a user to conclude if an Artemis detection can be accepted or rejected with certainty.

My hypothesis was if SHA-1 matches then despite Artemis there is no virus & if SHA-1 does not match then Artemis can be taken to definitely indicate a virus

Practical Real Life Current Example Of ImgBurn 2.5.2.0 in Virus Total Where McAfee Shows Artemis & SHA-1 (& MD5) matches
1) Despite SHA-1 matching it might indicate virus simply because SHA-1 is neither foolproof nor crackproof
2) ImgBurn 2.5.2.0 is the leading burning software for a host of storage media including CD & DVD. I use ImgBurn 2.5.1 which is the penultimate version & have not yet upgraded because SHA-1, as you say, is not foolproof or crackproof  :(
3) The ImgBurn 2.5.2.0 exe is infected by Artemis, says McAfee, whether downloaded from ImgBurn's own website, Softpedia or cnet  :(

@Igor
Your post was scary & correct. I hope the developer did not upload his exe from his machine when it was infected. But my friend, perhaps the developer did not do that. Why did I say that? Virus Total indicated that the first upload was about 12 hours before my upload. Virus Total showed a clean report for that first download. At the time of the first download only cnet & the ImgBurn website had hosted the exe. So then how did this infection happen?

Unfortunately I had not screenshot the earlier VirusTotal screen to show you this in a pictorially conclusive manner.

Anyway, I am enclosing 3 jpgs. Both McAfee show Artemis. There are 3 jpgs because one relates to the ImgBurn website, one to Softpedia & one to Cnet.

What would you advise? What is the best course of action?

srpgmt

  • Guest
Re: Can checksum match & still that file turns out infected?
« Reply #8 on: September 05, 2010, 03:40:40 PM »
Due to the filesize constraint I could only enclose the 1 jpg. Therefore the other 2 jpgs are not enclosed. Please bear with me.