JARM: A Solid Fingerprinting Tool for Detecting Malicious Servers
JARM is an active Transport Layer Security (TLS) server fingerprinting tool.
JARM fingerprints can be used to:
Quickly verify that all servers in a group have the same TLS configuration.
Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example.
Identify default applications or infrastructure.
Identify malware command and control infrastructure and other malicious servers on the Internet.
Getting JARM onto your machine is as easy as cloning the repository using:
JARM works by actively sending 10 TLS Client Hello packets to a target TLS server and capturing specific attributes of the TLS Server Hello responses. The aggregated TLS server responses are then hashed in a specific way to produce the JARM fingerprint.
The 10 TLS Client Hello packets in JARM have been specially crafted to pull out unique responses from TLS servers. JARM sends different TLS versions, ciphers, and extensions in varying orders to gather unique responses. Does the server support TLS 1.3? Will it negotiate TLS 1.3 with 1.2 ciphers? If we order ciphers from weakest to strongest, which cipher will it pick? These are the kinds of unusual questions JARM is essentially asking the server in order to draw out the most distinctive responses. The 10 responses are then hashed to produce the JARM fingerprint.
The JARM fingerprint hash is a hybrid fuzzy hash: it combines a reversible and a non-reversible hash algorithm to produce a 62-character fingerprint. The first 30 characters are made up of the cipher and TLS version chosen by the server for each of the 10 client hellos sent. A "000" denotes that the server refused to negotiate with that client hello. The remaining 32 characters are a truncated SHA256 hash of the cumulative extensions sent by the server, ignoring x509 certificate data. When comparing JARM fingerprints, if the first 30 characters are the same but the last 32 are different, this means that the servers have very similar configurations, accepting the same versions and ciphers, though not exactly the same, given that the extensions differ.
After receiving each TLS server hello message, JARM closes the connection gracefully with a FIN so as not to leave the sockets open.
It is important to note that JARM is a high-performance fingerprint function and should not be considered, or confused with, a secure cryptographic function.
✔ 29d29d15d29d29d00042d42d00000049d8801e4f5e9656b954b3b1ca4a680b == 62 characters => Fingerprint;
✔ 29d29d15d29d29d00042d42d000000 == 30 characters => Cipher and TLS version;
✔ 49d8801e4f5e9656b954b3b1ca4a680b == 32 characters => SHA256 hash.
How JARM Can Be Used to Identify Malicious Servers:
Malware command and control (C2) and malicious servers are configured by their creators like any other server and then deployed across their fleet. These therefore tend to produce unique JARM fingerprints. For example, when scanning Trickbot Malware C2s from a list compiled by abuse.ch, 80% of the live IPs on the list produced the same JARM fingerprint. When comparing this JARM fingerprint against the Alexa Top 1 Million websites, there was no overlap.
Finally, let’s examine the use of jarm.sh by running it against Alexa’s top 500 sites. As per the documentation, the two required arguments are:
#1) a file (alexa500.txt) containing the list of IPs or domains to be checked;
#2) the name of the output file that will hold any resulting JARM fingerprints.
The results.csv file contains the domain name, the resolved IP address (or a failure message) and the corresponding JARM fingerprint for each site included in the input file.
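As an added example (not part of the original post or the JARM project), the following Python code applies the fingerprint layout described above and the results.csv layout just mentioned: it splits a fingerprint into its 10 cipher/version segments and the extension hash, flags refused client hellos, classifies two fingerprints as identical, similar or different, and checks whether a group of scanned servers share one configuration. The FP_A value is the fingerprint quoted in the post; FP_B, FP_C, the domains, IPs and CSV rows are constructed, and the three-column CSV layout is assumed.

```python
import csv
import io

JARM_LEN = 62      # full fingerprint length
CIPHER_PART = 30   # 10 client hellos x 3 characters each

def split_jarm(fp):
    """Split a fingerprint into its 10 cipher/version segments and the extension hash."""
    if len(fp) != JARM_LEN:
        raise ValueError(f"expected {JARM_LEN} characters, got {len(fp)}")
    segments = [fp[i:i + 3] for i in range(0, CIPHER_PART, 3)]
    return segments, fp[CIPHER_PART:]

def refused_hellos(fp):
    """Indices of the client hellos the server refused to negotiate ('000')."""
    segments, _ = split_jarm(fp)
    return [i for i, seg in enumerate(segments) if seg == "000"]

def compare_jarm(a, b):
    """'identical', 'similar' (same versions/ciphers, other extensions) or 'different'."""
    seg_a, ext_a = split_jarm(a)
    seg_b, ext_b = split_jarm(b)
    if seg_a == seg_b:
        return "identical" if ext_a == ext_b else "similar"
    return "different"

# FP_A is the fingerprint quoted in the post; FP_B and FP_C are constructed here.
FP_A = "29d29d15d29d29d00042d42d00000049d8801e4f5e9656b954b3b1ca4a680b"
FP_B = FP_A[:CIPHER_PART] + "a" * 32   # same ciphers/versions, different extension hash
FP_C = "000" * 10 + "0" * 32           # server refused every client hello

# Constructed results.csv content, assumed column order: domain, resolved IP, fingerprint.
SAMPLE_CSV = "\n".join([
    f"example-a.test,203.0.113.10,{FP_A}",
    f"example-b.test,203.0.113.11,{FP_B}",
    f"example-c.test,203.0.113.12,{FP_A}",
    f"example-d.test,203.0.113.13,{FP_C}",
])

def group_by_fingerprint(csv_text):
    """Map each fingerprint to the domains that produced it."""
    groups = {}
    for domain, _ip, fp in csv.reader(io.StringIO(csv_text)):
        groups.setdefault(fp, []).append(domain)
    return groups

def same_config(csv_text):
    """True when every scanned server in the file produced the same JARM fingerprint."""
    return len(group_by_fingerprint(csv_text)) == 1
```

Servers whose fingerprints compare as "similar" share the 30-character cipher/version part, which is the relationship the post describes as very similar configurations with differing extensions.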
JARM offers a unique perspective into the detection, categorization, and potential correlation of TLS activity tracing back to malicious servers or even entire campaigns associated with the use of some of the most popular attack frameworks. These closing thoughts, however, come with a word of advice: never use JARM as a sole indicator or proof of nefarious origin. Always complement your analysis with the proper amount of metadata and other techniques to adequately classify your traffic and build your case.