<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; team cymru</title>
	<atom:link href="http://krebsonsecurity.com/tag/team-cymru/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>WinMHR: (Re)Introducing the Malware Hash Registry</title>
		<link>http://krebsonsecurity.com/2010/08/reintroducing-the-malware-hash-registry/</link>
		<comments>http://krebsonsecurity.com/2010/08/reintroducing-the-malware-hash-registry/#comments</comments>
		<pubDate>Thu, 19 Aug 2010 04:38:03 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[malware hash registry]]></category>
		<category><![CDATA[MHR]]></category>
		<category><![CDATA[team cymru]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4525</guid>
		<description><![CDATA[Microsoft Windows users seeking more certainty about the security and integrity of downloaded files should take a look at a free new offering from Internet security research firm Team Cymru (pronounced kum-ree) that provides a solid backup to anti-virus scans.

The tool is actually an extension of an anti-malware service that Team Cymru has offered for several years, known as the "Malware Hash Registry." The MHR is a large repository of the unique fingerprints or "hashes" that correspond to millions of files that have been identified as malicious by dozens of anti-virus firms and other security experts over the years. The MHR has been a valuable tool for malware analysts, but until now its traditional command-line interface has placed it just outside the reach of most average computer users.]]></description>
			<content:encoded><![CDATA[
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/winmhr1.jpg"><img class="alignright size-medium wp-image-4611" title="winmhr1" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/winmhr1-300x202.jpg" alt="" width="300" height="202" /></a><strong>Microsoft Windows</strong> users seeking more certainty about the security and integrity of downloaded files should take a look at a free new offering from Internet security research firm <strong>Team Cymru</strong> (pronounced kum-ree) that provides a solid backup to anti-virus scans.</p>
<p>The tool, called &#8220;WinMHR,&#8221; is an extension of the &#8220;Malware Hash Registry&#8221; (MHR), an anti-malware service that Team Cymru has offered for several years. The MHR is a large repository of the unique fingerprints or &#8220;hashes&#8221; that correspond to millions of files that have been identified as malicious by dozens of anti-virus firms and other security experts over the years. </p>
<p>The MHR has been a valuable tool for malware analysts, but until now its Web-based and command-line interfaces have placed it just outside the reach of most average computer users. WinMHR, on the other hand, is essentially a more user-friendly, point-and-click interface for the traditional MHR service, which Team Cymru described this way:</p>
<p>&#8220;While your AV posture helps you perform detection based on signatures, heuristics and polymorphism, the MHR provides you additional layer of detection, for known badness. Based on our research, AV packages have trouble detecting every possible piece of malware when it first appears. The MHR leverages multiple AV packages and our own malware analysis sandbox to help aid your detection rate. Coupled with AV, the MHR helps identify known problems so you can take action.&#8221;</p>
<p><span id="more-4525"></span></p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/winmhr2.jpg"><img class="alignleft size-medium wp-image-4612" title="winmhr2" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/winmhr2-300x80.jpg" alt="" width="300" height="80" /></a></p>
<p>WinMHR queries the MHR in real time when the user tells it to scan downloaded files (to cut down on resource consumption, the program does not automatically scan downloaded files). If it finds any malicious files, it includes precise information about where the malware is hiding on the PC. The tool also includes a component that runs at Windows startup and scans Windows processes for malware (this feature can be disabled at installation or in the program&#8217;s &#8220;Preferences&#8221; panel).</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/vthashsearch.jpg"><img class="alignright size-medium wp-image-4610" title="vthashsearch" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/vthashsearch-300x152.jpg" alt="" width="300" height="152" /></a>It is important to understand the limitations of this tool. First, it is designed to supplement &#8212; not replace &#8212; anti-virus software. Second, the tool doesn&#8217;t include the capability to remove bad files that it finds (as readers can see in the screen shot above, WinMHR detected several malicious files when run on a test machine that I abuse quite a bit).</p>
<p>Finally, while the tool displays the unique cryptographic hashes of any malware threats found on the user&#8217;s system, it does not try to classify or name them. If a scan with WinMHR manages to flag a file that fails to generate an alert when the user scans the same file with his or her anti-virus program, the user can find more information about the nature of the file by exporting that hash to a text file and submitting it to a scanning site like <strong>VirusTotal.com</strong>, which allows visitors to search for malware based on <a href="http://en.wikipedia.org/wiki/MD5" target="_blank">MD5</a> or <a href="http://en.wikipedia.org/wiki/Secure_Hash_Algorithm" target="_blank">SHA1</a> hashes. Few but the most geeky users are likely to bother with that step, which is why an application like this could be more useful with a simple right-click option to submit a hash lookup at VirusTotal. Team Cymru&#8217;s <strong>Steve Santorelli</strong> told me his firm likes that idea for a future version, and that it plans to soon release a <strong>Firefox</strong> add-on version of the tool.</p>
<p>Despite its limitations, WinMHR can be a useful addition to the security toolbox for Windows users, experts and novices alike.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/08/reintroducing-the-malware-hash-registry/feed/</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>The Rise of Point-and-Click Botnets</title>
		<link>http://krebsonsecurity.com/2010/01/the-rise-of-the-point-and-click-botnets/</link>
		<comments>http://krebsonsecurity.com/2010/01/the-rise-of-the-point-and-click-botnets/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 14:10:58 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[point and click botnets]]></category>
		<category><![CDATA[team cymru]]></category>
		<category><![CDATA[web-based botnets]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=775</guid>
<description><![CDATA[The graphic above is from a report out today by Team Cymru, a group that monitors and studies online attacks and other badness in the underground economy. It suggests an increasing divergence in the way criminals are managing botnets, those large amalgamations of hacked PCs that are used for everything from snarfing up passwords to relaying [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/rwbbb.jpg"><img class="aligncenter size-full wp-image-777" title="rwbbb" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/rwbbb.jpg" alt="" width="574" height="321" /></a>The graphic above is from a report out today by <a href="http://www.team-cymru.org/" target="_blank">Team Cymru</a>, a group that monitors and studies online attacks and other badness in the underground economy. It suggests an increasing divergence in the way criminals are managing botnets, those large amalgamations of hacked PCs that are used for everything from snarfing up passwords to relaying spam and anonymizing traffic for the bad guys, to knocking a targeted host or Web site offline.</p>
<p>The bottom line in the graphic shows the prevalence of botnets that are managed using Internet relay chat (IRC) control channels (think really basic text-based instant message communications). The blue line trending upward depicts the number of Web-based botnets, those that the botmaster can control with point-and-click ease using a regular Web browser.</p>
<p><span id="more-775"></span></p>
<p>According to Team Cymru, the number of Web-based botnets has continued to climb, doubling in number over the last six months. &#8220;This trend could be explained by the low cost of entry into the HTTP based botnet field: the kits are becoming more accessible and the easier user interface for HTTP botnets means that they are generally favored over more traditional control mechanisms.&#8221;</p>
<p>Read more of the Team Cymru report <a href="http://www.team-cymru.org/ReadingRoom/Whitepapers/2010/developing-botnets.pdf" target="_blank">here</a> (.PDF).</p>
<p>Last month, I <a href="http://www.krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/" target="_blank">profiled Virtest and AV-Check</a>, a couple of services being marketed to malware writers who want to quickly scan their creations to see how widely they are detected by commercial anti-virus tools. The graphic above is another great example of the <a href="http://www.csoonline.com/article/521619/Botnets_The_Democratization_of_Espionage_" target="_blank">democratization of espionage</a>, and what I&#8217;ve called <a href="http://www.krebsonsecurity.com/category/web-fraud-2-0/" target="_blank">Web Fraud 2.0</a>: Web-based services and tools that make it simple for virtually anyone to profit from online crime.</p>
<p>Here are a few examples of Web Fraud 2.0 I&#8217;ve written about:</p>
<p><a href="http://voices.washingtonpost.com/securityfix/2009/06/web_fraud_20_franchising_cyber.html" target="_blank">Franchising Cybercrime</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2009/03/web_fraud_20_data_search_tools.html" target="_blank">Data Search Tools for ID Thieves</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2008/11/web_fraud_20_faking_your_inter.html" target="_blank">Faking Your Internet Address</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_defeating_anti-sp.html" target="_blank">Thwarting Anti-Spam Defenses</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html" target="_blank">Distributing Your Malware</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_digital_forgeries.html" target="_blank">Digital Forgeries</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_try_before_you_bu.html" target="_blank">Validating Your Stolen Goods</a><br />
<a href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html" target="_blank">Cloaking Connections</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/the-rise-of-the-point-and-click-botnets/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
	</channel>
</rss>

