
Implement fuzzy hash lookup in DeepSight

Created: 02 Jul 2013
Matt C

There has been recent work on fuzzy hashing, using algorithms such as ssdeep (http://ssdeep.sourceforge.net/), and on its applicability to the anti-malware and security spaces. Unlike a cryptographic hash such as MD5 or SHA-256, where a one-bit change to the input produces a completely different digest, a fuzzy hash changes only slightly when the input changes slightly: ssdeep splits the input into pieces at boundaries chosen from the content itself, so a patched byte or an inserted block alters only the nearby part of the signature. This makes fuzzy hashing useful for discerning when two inputs are similar, which ssdeep reports as a similarity score from 0 to 100.


CIRT groups within organizations often need to compare a new malware sample, one whose traditional MD5 or SHA-256 hash matches nothing previously seen, against previously discovered samples. That lets them quickly place the new sample in an existing, known malware family where possible, or classify it as a brand new, radically different family.


REQUEST: Provide a fuzzy hash lookup option within DeepSight that would allow CIRT groups to submit a fuzzy hash value (an ssdeep signature, for instance) and have Symantec check its malware library for known samples whose hashes are similar. There should be a control that lets the CIRT administrator adjust the sensitivity of returned matches, i.e. the minimum similarity score at which two hash values are still considered a match.


Thanks!
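As an added illustration of the two ideas above (why a fuzzy hash survives small edits while SHA-256 does not, and what a threshold-controlled lookup against a signature library would look like), here is a small context-triggered piecewise hash in the style of ssdeep, together with a lookup function. This is example code written for this page; it is not ssdeep, not DeepSight, and not Symantec's code, and its signatures and scores are not compatible with the real ssdeep tool. The "samples" are constructed random byte strings, not malware, and the family names in the library are made up.

```python
"""Simplified context-triggered piecewise hashing (CTPH) in the style of ssdeep.

Illustration only (not ssdeep; signatures and scores are not compatible with
the real tool). It keeps the three ideas that make a fuzzy hash useful for
triage: a rolling hash chooses block boundaries from the content (so an
insertion resynchronises instead of shifting everything that follows), each
block contributes one signature character, and similarity is an edit distance
between two signatures scaled to 0..100.
"""
import hashlib
import random

ROLLING_WINDOW = 7
MAX_SIG_LEN = 64
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193


class RollingHash:
    """Rolling hash over the last ROLLING_WINDOW bytes (same shape as ssdeep's)."""

    def __init__(self):
        self.h1 = self.h2 = self.h3 = self.n = 0
        self.window = [0] * ROLLING_WINDOW

    def update(self, c):
        self.h2 -= self.h1                # every byte in the window ages by one weight
        self.h2 += ROLLING_WINDOW * c     # newest byte enters with the largest weight
        self.h1 += c
        self.h1 -= self.window[self.n % ROLLING_WINDOW]   # drop the byte leaving the window
        self.window[self.n % ROLLING_WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & 0xFFFFFFFF) ^ c       # shift/xor mix of recent bytes
        return self.h1 + self.h2 + self.h3


def block_size(length):
    """Smallest 3*2^k such that a signature needs at most MAX_SIG_LEN characters."""
    bs = 3
    while bs * MAX_SIG_LEN < length:
        bs *= 2
    return bs


def fuzzy_hash(data):
    """Return 'blocksize:signature', one base64 character per content-defined block."""
    bs = block_size(len(data))
    roll = RollingHash()
    piece, sig = FNV_INIT, []
    for c in data:
        piece = ((piece * FNV_PRIME) & 0xFFFFFFFF) ^ c    # FNV-1 over the current block
        if roll.update(c) % bs == bs - 1:                 # boundary chosen by content
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                                 # trailing partial block
        sig.append(B64[piece & 63])
    return "%d:%s" % (bs, "".join(sig))


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a, sig_b):
    """0..100 score; only signatures built with the same block size are comparable here."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    longest = max(len(body_a), len(body_b))
    if longest == 0:
        return 100
    return 100 * (longest - levenshtein(body_a, body_b)) // longest


def lookup(query_sig, library, min_score):
    """The requested lookup: library entries scoring >= min_score, best first.
    min_score is the administrator's sensitivity control from the request."""
    hits = [(name, similarity(query_sig, sig)) for name, sig in library.items()]
    return sorted([h for h in hits if h[1] >= min_score], key=lambda h: -h[1])


def _random_bytes(seed, n):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-ins for samples: random bytes, not real malware.
ORIGINAL = _random_bytes(1, 4096)
PATCHED = bytearray(ORIGINAL)
PATCHED[2000] ^= 0xFF                                               # one byte changed in place
PATCHED = bytes(PATCHED)
SHIFTED = ORIGINAL[:1000] + _random_bytes(3, 50) + ORIGINAL[1000:]  # 50 bytes inserted
UNRELATED = _random_bytes(2, 4096)


def compare(a, b):
    """(exact SHA-256 match?, fuzzy similarity) for two samples."""
    exact = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    return exact, similarity(fuzzy_hash(a), fuzzy_hash(b))


if __name__ == "__main__":
    for label, other in (("patched", PATCHED), ("shifted", SHIFTED), ("unrelated", UNRELATED)):
        print(label, compare(ORIGINAL, other))
    library = {"family_a_sample": fuzzy_hash(ORIGINAL), "family_b_sample": fuzzy_hash(UNRELATED)}
    print(lookup(fuzzy_hash(PATCHED), library, min_score=70))
```

Running it shows the point of the request: the patched and shifted variants fail the SHA-256 comparison outright but score in the 90s against the original, the unrelated sample scores low, and `lookup` returns only the family whose score clears the administrator's threshold. Real ssdeep additionally emits a second signature at twice the block size, compares signatures across adjacent block sizes, and requires a common substring before scoring; those refinements are omitted here.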