Saturday, July 4, 2015
Hashing The Good, The Bad and The Similar - ssdeep
In the first and second posts in this series we looked at the good and the bad of typical cryptographic hashing.
In this post we will look at identifying similarities between two files we already know are not the same. Knowing that two files differ is one thing; what would be helpful is knowing how similar they are. This information is quite helpful when dealing with polymorphic code, where each sample differs slightly from the last and so produces a completely different MD5 or SHA hash.
Let's get cracking
Revisiting the existing hash. Here are our two files with different hashes.
Using a fuzzy hashing tool like ssdeep we can learn how similar these files are, rather than just whether they are identical.
Let's see what the files generate for ssdeep.
Comparing the similarity
root@securitynik:~# ssdeep -bvp hashing_lab.txt hashing_lab.txt.copy
OK, as we can see from the output above, these files match 99%. That is quite a match and it helps us understand that these two files are clearly related even though they are not the same, which is exactly what a traditional hash could never tell us.