ssdeep 2.11 Released - A Geek Raised by Wolves
ssdeep 2.11 Released [Sep. 11th, 2014|04:04 pm]
jessekornblum

I have published version 2.11 of ssdeep. This is an important update, as described below, and you are encouraged to update immediately. You can download Windows binaries or the *nix source code.

This version corrects a bug in the signature generation code. That is, version 2.10 was generating signatures which were slightly different from those produced by version 2.9. In some cases, the trailing character of each portion of the signature was being truncated. You can see this with an example: let's look at the /usr/bin/bc file which ships with OS X. It has a SHA-256 hash of cc8e7502045c4698d96e6aa5e2e80ebb52c3b9c266993a8da232add49c797f3e and you can see it on VirusTotal.

When you hash this file with version 2.9, you get:

1536:MsjYdR3Bul8hcURWhEcg4/btZzDcQflbCUPEBEh8wkcGDioxMYeo7:TYf8l8htRWA4ztZsGlWUPEBEh8wmxMYe

With version 2.10:

1536:MsjYdR3Bul8hcURWhEcg4/btZzDcQflbCUPEBEh8wkcGDioxMYeo7:TYf8l8htRWA4ztZsGlWUPEBEh8wmxMY

Note that the trailing 'e' character disappears in the second hash. What was 'mxMYe' is now 'mxMY'. The new version of ssdeep, version 2.11, restores the original signatures:

1536:MsjYdR3Bul8hcURWhEcg4/btZzDcQflbCUPEBEh8wkcGDioxMYeo7:TYf8l8htRWA4ztZsGlWUPEBEh8wmxMYe

Alert readers will notice that VirusTotal has the ssdeep hash from version 2.10. This leads to my next point, which is that any ssdeep hashes you've created with version 2.10 should be recomputed. The signatures aren't wrong per se. They're just not as good as they should be. For reference, version 2.10 was released in July 2013, and so you should update any hashes produced after that date.
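As an added example (not part of the original post, nor of ssdeep itself), here is a small Python helper for anyone recomputing a stored hash set after this update: it parses the `blocksize:portion1:portion2` signature format and, given a stored signature and a freshly computed one, reports whether the difference is just the 2.10 trailing-character truncation or a genuine change that deserves a closer look. The three signatures are the ones quoted above for /usr/bin/bc; the function and class names are my own.

```python
"""Triage stored ssdeep signatures against recomputed ones (added example)."""
from dataclasses import dataclass

# Signatures quoted in the post above for /usr/bin/bc (OS X).
SIG_2_9 = "1536:MsjYdR3Bul8hcURWhEcg4/btZzDcQflbCUPEBEh8wkcGDioxMYeo7:TYf8l8htRWA4ztZsGlWUPEBEh8wmxMYe"
SIG_2_10 = "1536:MsjYdR3Bul8hcURWhEcg4/btZzDcQflbCUPEBEh8wkcGDioxMYeo7:TYf8l8htRWA4ztZsGlWUPEBEh8wmxMY"
SIG_2_11 = SIG_2_9  # 2.11 restores the 2.9 signature


@dataclass(frozen=True)
class SsdeepSig:
    block_size: int
    chunk: str          # first portion, hashed at block_size
    double_chunk: str   # second portion, hashed at 2 * block_size


def parse_signature(text: str) -> SsdeepSig:
    """Parse 'blocksize:portion1:portion2', ignoring an optional ,"filename" suffix
    as written by the ssdeep command-line tool."""
    body = text.strip().split(",", 1)[0]
    parts = body.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        raise ValueError(f"malformed ssdeep signature: {text!r}")
    return SsdeepSig(int(parts[0]), parts[1], parts[2])


def _is_truncation_of(old: str, new: str) -> bool:
    """True if old is new with exactly its trailing character dropped (or equal)."""
    return old == new or (len(old) == len(new) - 1 and new.startswith(old))


def classify_difference(stored: str, recomputed: str) -> str:
    """Return 'identical', 'truncation-artifact' or 'changed'.

    'truncation-artifact' means the stored value equals the recomputed one except
    that the trailing character of one or both portions is missing, i.e. the
    2.10 bug; 'changed' covers everything else (different block size, different
    content), which cannot be explained by the bug and should be investigated.
    """
    old, new = parse_signature(stored), parse_signature(recomputed)
    if old == new:
        return "identical"
    if old.block_size != new.block_size:
        return "changed"
    if _is_truncation_of(old.chunk, new.chunk) and _is_truncation_of(old.double_chunk, new.double_chunk):
        return "truncation-artifact"
    return "changed"


if __name__ == "__main__":
    print(classify_difference(SIG_2_10, SIG_2_11))  # truncation-artifact
```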