Developers from Salesforce have open-sourced their in-house security scanner

JARM fingerprinting tool helps identify malicious servers, malware C2 infrastructure

CRM software and cloud services provider Salesforce has made its JARM fingerprinting tool open source, allowing users to identify and group malicious servers.

The Transport Layer Security (TLS) server fingerprinting tool can, says the team, quickly verify that all servers in a group have the same TLS configuration.

It can also group disparate servers on the internet by configuration – identifying that a server may belong to Google, for example, or Apple.

JARM can also identify default applications or infrastructure, along with malware command and control (C2) infrastructure and other malicious servers on the internet.

“We released these tools to not only increase our own security posture, but hopefully those of other organizations as well,” John Althouse, director, threat detection at Salesforce, tells The Daily Swig.

“JARM is a technology that is not only valuable for security analysts and threat hunters, to help identify potentially malicious servers, but also network and systems engineers, to verify infrastructure TLS configurations.”

Call and response

JARM works by actively sending 10 TLS ‘client hello’ packets to a target TLS server. These packets have been chosen to elicit distinctive responses from TLS servers: they use different TLS versions, ciphers, and extensions in varying orders.

It captures specific attributes of the TLS ‘server hello’ responses that depend on how the application or server was built – the operating system used, libraries used, the order in which the libraries were called, and custom configuration, for example.

“All of these factors lead to each TLS Server responding in a unique way. The combinations of factors make it unlikely that servers deployed by different organizations will have the same response,” says the team.

The aggregated TLS server responses are then hashed using a combination of a reversible and non-reversible hash algorithm, to produce a 62-character fingerprint.

The first 30 characters are made up of the cipher and TLS version chosen by the server for each of the 10 client hellos sent – a ‘000’ denotes that the server refused to negotiate with that client hello.

The remaining 32 characters are a truncated SHA256 hash of the cumulative extensions sent by the server, ignoring x509 certificate data.

Identifying malicious servers

“When comparing JARM fingerprints, if the first 30 characters are the same but the last 32 are different, this would mean that the servers have very similar configurations, accepting the same versions and ciphers, though not exactly the same given the extensions are different,” says the team.
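
The fingerprint layout and comparison rule described above, as an added example (not Salesforce's JARM code): it splits a 62-character fingerprint into the ten 3-character cipher/version codes and the 32-character extension hash, then flags hosts in a group that deviate from the most common fingerprint. The function names and sample fingerprints are constructed, and the hex-character check is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: fingerprints consist of 62 hexadecimal characters.
JARM_RE = re.compile(r"[0-9a-f]{62}")

@dataclass(frozen=True)
class Jarm:
    hellos: tuple   # ten 3-char cipher/version codes, one per client hello
    ext_hash: str   # 32-char truncated SHA256 of the server extensions

    @property
    def refused(self):
        """Indexes (0-9) of the client hellos the server refused ('000')."""
        return [i for i, code in enumerate(self.hellos) if code == "000"]

def parse_jarm(fp):
    fp = fp.strip().lower()
    if not JARM_RE.fullmatch(fp):
        raise ValueError(f"not a 62-character JARM fingerprint: {fp!r}")
    return Jarm(tuple(fp[i:i + 3] for i in range(0, 30, 3)), fp[30:])

def compare(a, b):
    """Classify two fingerprints the way the article describes."""
    ja, jb = parse_jarm(a), parse_jarm(b)
    if ja == jb:
        return "identical"
    if ja.hellos == jb.hellos:
        return "same versions/ciphers, different extensions"
    return "different"

def outliers(inventory):
    """Hosts whose fingerprint differs from the most common one in the group."""
    norm = {host: fp.strip().lower() for host, fp in inventory.items()}
    baseline, _ = Counter(norm.values()).most_common(1)[0]
    return {h: compare(baseline, fp) for h, fp in norm.items() if fp != baseline}

# Constructed sample values, not real server fingerprints.
HEAD = "29d" * 3 + "000" + "29d" * 2 + "00029d" + "21c" + "29d"
FLEET = {
    "web-1": HEAD + "a" * 32,
    "web-2": HEAD + "a" * 32,
    "web-3": HEAD + "b" * 32,        # same ciphers, other extensions
    "web-4": "000" * 10 + "0" * 32,  # refused every client hello
}

if __name__ == "__main__":
    for host, verdict in outliers(FLEET).items():
        print(host, "->", verdict)
```
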

These fingerprints can be used to identify malicious C2 servers configured for malware such as Trickbot, AsyncRAT, Metasploit, Cobalt Strike, and Merlin.

When scanning Trickbot Malware C2s from a list compiled by, for example, 80% of the live IPs on the list produced the same JARM fingerprint.

When comparing this JARM fingerprint against the Alexa Top One Million websites, there was no overlap, says the team.

“Initial feedback has been very positive. JARM has already been integrated into several security vendor products to improve correlation capabilities,” says Althouse.

“We’ve also received feedback from several organizations that this has made it a lot easier for them to track particular botnets of interest.”
