Wordfence Intelligence Launches New Malware Hash Feed!

Today, the Wordfence team is launching a Malware Hash Feed as part of our Wordfence Intelligence API. This gives our Enterprise users another way to rapidly and definitively identify malware targeting web applications.

As the world’s foremost WordPress security provider, Wordfence has an expertly curated database of nearly three and a half million unique malicious files. Most of the malware in our database is PHP, but we also have a selection of malicious JavaScript, ASP.NET, Python, and other languages used for web applications.

About the Malware Hash Feed

The Malware Hash feed contains the following information for each malicious file in our data set:

• SHA-256 hash – For applications and appliances where SHA-256 hashes are the default method of ingestion, or where hash collisions are a concern, we offer SHA-256 hashes. We recommend using this hash by default if possible.
• Normalized SHA-256 hash – For files containing variable amounts of whitespace, we offer a SHA-256 hash of each file after whitespace normalization (with spaces, tabs, carriage returns, and newline characters removed).
• SHA-1 hash – The SHA-1 algorithm remains popular with many platforms. While it is now trivial to generate both MD5 and SHA-1 collisions, these techniques are not commonly used with malware targeting web applications.
• MD5 hash – MD5 hashing is extremely performant and some platforms still make use of it.
• Number of sightings – The number of times the malicious file has been seen by our intelligence platform.
• First seen – The date we first encountered the malicious file.
• Last seen – The most recent date we encountered the malicious file.

Wordfence Intelligence subscribers can download the entire feed or use its built-in sorting and filtering functionality to grab the most relevant data, making ingestion easy.

A Complement to the Malware Signature Feed

While the YARA rules that comprise our Malware Signatures feed detect 99.99% of the malicious files in our collection and are flexible enough to detect currently uncatalogued variants, hash-based detection is more practical, compatible, or performant for some applications. Additionally, access to our malware hashes can allow for detection of novel malware as soon as we identify and classify it, even before a production-ready signature can be released. The Malware Hash feed is updated every 15 minutes.

Potential Use Cases for Enterprise and Hosting Providers

Threat Intelligence data feeds serve an important role in any organization with a Security Operations Center, Threat Intelligence team, or security-conscious IT department with a mandate to make their network more secure. Adding more data and context to the network traffic being analyzed is crucial to attaining and maintaining readiness.

Malware Hashes can be ingested into a number of platforms including as System Information and Events Monitors (SIEM), Security Orchestration, Automation, and Response platforms (SOAR), or even Extended Detection And Response platforms (XDR). This data can be used to determine if a host on a network has been compromised or if any traffic into or out of a network contains malicious files.

In addition malware hashes can be fed into threat intelligence platforms to add context around specific threats so your organization can better understand and attribute the techniques being deployed against it.

Wordfence Threat Intelligence feeds can also be integrated into custom solutions to effectively detect, block, and remediate malicious files at rest, or even on their way into the network.  Web hosting providers can work with us to integrate a “powered by Wordfence Intelligence” product into their offerings, with all the efficiency of running on the whole server platform.

As a reminder, Wordfence tracks malware and blocks exploits targeting multiple web services, including non-WordPress services, across our network of four million protected WordPress sites. This gives us a unique level of visibility compared to other Threat Intelligence feeds on the market. All Wordfence Intelligence customers receive access to our IP Threat data feed, our Malware Signatures feed, our Malware Hash feed, and our WordPress Vulnerability Data feed.

What does this mean for Wordfence users?

If you are a Wordfence Free, Premium, Care, or Response customer and your host subscribes to Wordfence Intelligence, they can use it to protect not only your website but the websites of any other sites on the same server, which greatly improves the security of your own website. They can also use it to detect and shut down abuse originating from within their own network, making the entire internet safer.

Get in touch with us today for more information or to try out the feeds!

Inquire Now

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.