Camouflaged code threatens security apps

Antivirus firms are concerned about the emergence of techniques that could render meaningless the use of checksums to mark applications as safe.

The issue concerns hash functions - one way mathematical functions that produce a small fixed length checksum or message digest from a much longer batch of code or email message. When two different input values produce the same output value this is called a collision.

Weaknesses in hashing algorithms, such as MD5, that allowed the discovery of collisions much more quickly than would be possible using brute-force attacks have been known about by cryptographic researchers for more than three years.

Previous techniques meant one type of junk message might be mistaken for another junk message, a weakness of interest to cryptographers but that carried little sting in practice. In addition, high speed computers were needed to discover collisions.

But a recent post on a full disclosure list explains a method to append a few thousand bytes to two arbitrary files such that both files have the same MD5 value. One of the arbitrary files might be malicious. Not only that but the researchers - Marc Stevens, Arjen K. Lenstra, and Benne de Weger - produced their proof-of-concept files using a single PC in less than two days.