Fuzzy Hashing version 2.2
[Jul. 21st, 2009|09:58 pm]
Good news everybody! I've published a new version of the ssdeep program for fuzzy hashing. The new version adds a long-requested feature: the capability to compare files of previously generated signatures. That is, let's say you compute some lists of fuzzy hashes like this:
C:\> ssdeep -r C: > list1.txt
C:\> ssdeep -r "D:\Malware Samples" > list2.txt
C:\> ssdeep -r "E:\Temp\New Malware" > list3.txt
You can now find any similar files across those lists like this:
C:\> ssdeep -x list1.txt list2.txt list3.txt
list1:C:\Windows\System32\ntoskrn1.exe matches list2:D:\Malware Samples\VIRUS.EXE (83)
Notice the filename of the known hashes is given in the output along with the matching filenames.
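To make the score in that output concrete, here is an added example, not ssdeep's own code and not from this post: a pure-Python model of the spamsum/ssdeep signature comparison (block-size compatibility, collapsing of long character runs, the 7-character common-substring gate, a length-scaled edit distance) plus a small cross-list matcher in the spirit of -x that reports list1:path / list2:path pairs. The edit-distance weights (insert/delete 1, substitute 3), scoring the second half at twice the block size, and the small-block-size cap are my reading of the spamsum sources and are not guaranteed to match ssdeep 2.2 score for score; all signatures used in the test are constructed.

```python
import re
SPAMSUM_LENGTH = 64   # maximum length of each hash half
ROLLING_WINDOW = 7    # halves must share a 7-character substring to be candidates at all
MIN_BLOCKSIZE = 3

def _edit_distance(a, b):
    # Weighted edit distance: insert/delete cost 1, substitution cost 3 (assumed spamsum weights)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 3)))
        prev = cur
    return prev[-1]

def _score_halves(h1, h2, block_size):
    if len(h1) > SPAMSUM_LENGTH or len(h2) > SPAMSUM_LENGTH:
        return 0
    grams = {h1[i:i + ROLLING_WINDOW] for i in range(len(h1) - ROLLING_WINDOW + 1)}
    if not any(h2[i:i + ROLLING_WINDOW] in grams for i in range(len(h2) - ROLLING_WINDOW + 1)):
        return 0
    score = _edit_distance(h1, h2) * SPAMSUM_LENGTH // (len(h1) + len(h2))  # roughly 0..64
    score = 100 * score // SPAMSUM_LENGTH
    if score >= 100:
        return 0
    score = 100 - score  # flip so that 100 is the best match
    if block_size < (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:  # tiny inputs
        score = min(score, block_size // MIN_BLOCKSIZE * min(len(h1), len(h2)))
    return score

def fuzzy_compare(sig1, sig2):
    """Score two 'blocksize:hash1:hash2' signatures on a 0..100 scale."""
    (bs1, a1, b1), (bs2, a2, b2) = sig1.split(":", 2), sig2.split(":", 2)
    bs1, bs2 = int(bs1), int(bs2)
    # Runs of one character longer than 3 carry little information; cap them at 3
    a1, b1, a2, b2 = (re.sub(r"(.)\1{3,}", r"\1\1\1", h) for h in (a1, b1, a2, b2))
    if bs1 == bs2:       # second halves were hashed at twice the block size (assumed)
        return max(_score_halves(a1, a2, bs1), _score_halves(b1, b2, bs1 * 2))
    if bs1 == bs2 * 2:   # sig1's first half lines up with sig2's second half
        return _score_halves(a1, b2, bs1)
    if bs2 == bs1 * 2:
        return _score_halves(b1, a2, bs2)
    return 0             # block sizes too far apart: the signatures cannot be compared

def cross_match(lists, threshold=1):
    """lists: {name: [(signature, path), ...]} read from ssdeep output; reports every
    cross-list pair scoring at least threshold, in the spirit of ssdeep -x."""
    names = sorted(lists)
    return [(f"{n1}:{p1}", f"{n2}:{p2}", s) for i, n1 in enumerate(names) for n2 in names[i + 1:]
            for sig1, p1 in lists[n1] for sig2, p2 in lists[n2] if (s := fuzzy_compare(sig1, sig2)) >= threshold]
```

The scores depend only on the signature strings, so this runs over saved ssdeep list files on a machine without the library; split each line at the final ,"path" before passing it in.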
Fuzzy Hashing in FTK
[Mar. 26th, 2009|10:47 pm]
So apparently I've been asleep at the switch. Fuzzy hashing has been incorporated into AccessData's flagship Forensic Toolkit! Not only have they added the feature but they've also written a great paper describing fuzzy hashing and how it works in FTK.
Now I know what some of you are thinking. How did AccessData include fuzzy hashing, which is licensed under the GPL2, in a proprietary program like FTK? Well, to tell you the truth, in all this excitement I kind of lost track myself. (Wait... wrong speech.)
I think AccessData rewrote fuzzy hashing. The edit distance code, for example, has been replaced with some database calls. I don't know how they're computing the rolling and FNV hashes, but if they took the time to rewrite the edit distance code they probably rewrote the rest too. The edit distance code dates back to 1989 and was last updated in 1993. There's no sense in rewriting something that's been working for fifteen years unless you absolutely must.
Regardless, go forth and be fuzzy!
Using Fuzzy Hashing from C#
[Jan. 15th, 2009|06:06 pm]
Recently ssdeep user Jose Cintron wanted to use fuzzy hashing in a C# program. After some significant head scratching he came up with the following code necessary to use at least part of the DLL from his program:
using System.Runtime.InteropServices; // Needed for DllImport
using System.Text;                    // Needed for StringBuilder

public class ssdeepWrapper
{
    // fuzzy.dll should be somewhere in the path or specify exactly
    // where to find it.
    // fuzzy.dll is a C library; CallingConvention.Cdecl is assumed here
    // because DllImport otherwise defaults to StdCall on Windows.
    // The caller must create 'result' with enough capacity to hold a
    // full signature (see FUZZY_MAX_RESULT in fuzzy.h).
    [DllImport("fuzzy.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int fuzzy_hash_filename(string fname,
                                                 StringBuilder result);

    [DllImport("fuzzy.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int fuzzy_compare(string sig1, string sig2);
}

Any thoughts? Has anybody else tried using fuzzy hashing from a different language?
ssdeep version 2.1 is out
[Jan. 1st, 2009|09:57 am]
Happy New Year! Now you can prove 2008 is a lot like 2009 using the latest version of ssdeep, your favorite fuzzy hashing program and API. This is mostly a bug fix release, but you can now use the API to hash a file without having to open it yourself. Enjoy!
Fuzzy Hashing on Virus Total
[Nov. 24th, 2008|01:39 pm]
Fuzzy hashes have been incorporated into the Virus Total automated analysis. In their words, "VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." An executable submitted to the web site is scanned with several anti-virus engines and matched against a set of suspicious files. As of today they are computing the fuzzy hashes of incoming files! I don't know if they are comparing them against a set of known files, but this is a great step forward.