Saturday, July 4, 2015

Hashing The Good, The Bad and The Similar - ssdeep


The Similar!!

In the first and second posts in this series we looked at the good and the bad of typical hashing.

In this post we look at two files we already know are not identical and ask how similar they actually are. Knowing the degree of similarity is quite helpful when dealing with polymorphic code.


Let's get cracking


Revisiting the existing hashes. Here are our two files, each with a different hash.

How Similar
Using a tool like ssdeep we can learn how similar these files are.

Let's see what ssdeep generates for each file.

Comparing the similarity (-p is pretty matching mode, which compares every file against every other; -b prints bare file names without the path; -v is verbose)
root@securitynik:~# ssdeep -bvp hashing_lab.txt hashing_lab.txt.copy



As we can see from the output above, these files match at 99%. That is quite a match, and it helps us understand that these two files are clearly related even though they are not identical.


Reference:
http://jessekornblum.com/presentations/htcia06.pdf
http://ssdeep.sourceforge.net/usage.html
http://www.fastcolabs.com/3025246/what-is-polymorphic-code
