Ssdeep

From aldeid

Description

Computes a signature based on Context Triggered Piecewise Hashes (CTPH) for each input file, also called a fuzzy hash. If requested, the program matches those signatures against a file of known signatures and reports any possible matches. It can also examine one or more files of signatures and find any matches in those files. Output is written to standard out and errors to standard error. The program only accepts the first 100MB of data presented via standard input.

Installation

From sources (tested on Ubuntu 12.04)

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.9/ssdeep-2.9.tar.gz
$ tar xzvf ssdeep-2.9.tar.gz
$ cd ssdeep-2.9/
$ ./configure
$ make
$ sudo make install

Linux

ssdeep

$ sudo aptitude install ssdeep
Note
To ensure you have the latest version available, installation from sources is recommended.

ssdeep for Python

$ sudo aptitude install cython
$ sudo pip install ssdeep

Mac OS X

ssdeep

$ sudo port install ssdeep

ssdeep for Python

$ sudo port install py27-cython
$ sudo pip install ssdeep

Usage

Syntax

Usage: ssdeep [-m file] [-k file] [-dpgvrsblcxa] [-t val] [-h|-V] [FILES]

Options

-m <file>
Match FILES against known hashes in file
-k <file>
Match signatures in FILES against signatures in file
-d
Directory mode, compare all files in a directory
-p
Pretty matching mode. Similar to -d but includes all matches
-g
Cluster matches together
-v
Verbose mode. Displays each filename as it is being processed
-r
Recursive mode
-s
Silent mode; all errors are suppressed
-b
Uses only the bare name of files; all path information omitted
-l
Uses relative paths for filenames
-c
Prints output in CSV format
-x
Compare FILES as signature files
-a
Display all matches, regardless of score
-t <val>
Only displays matches above the given threshold
-h
Display this help message
-V
Display version number and exit

Examples

Scan a directory

$ ssdeep -brd -t 60 application-x-dosexec/
1fe919b64287b22cd7f7997166491051 matches 0c5aaeb4447d809a3237057e397d00c7 (61)
263d270b9f7529aacb437e3649d47b76 matches 10092daefa94ee9602b30b746b7770af (74)
2a1655c0d4f65537b49b80fd68cabf5c matches 10092daefa94ee9602b30b746b7770af (63)
2a1655c0d4f65537b49b80fd68cabf5c matches 263d270b9f7529aacb437e3649d47b76 (63)
2c1c0ea0b4a31962bd4d9402e7c62575 matches 1ef31cf21ea1d943a168d4ea403a833c (99)
2d07fb6c96dae9095ddd4689da2cea6c matches 14a09a48ad23fe0ea5a180bee8cb750a (69)
331f93f98cd45f7a3c4aa5b18e1bd75f matches 0c5aaeb4447d809a3237057e397d00c7 (68)
518140c9061ddcfcfe88d6ac3c1b94e7 matches 3a236ad06a27af93675bfbe8862a5381 (61)
518140c9061ddcfcfe88d6ac3c1b94e7 matches 3dd0150bcdd70c151cb58865a4993c28 (61)
5e60a735afb32c3b19b186170964ffb9 matches 1ef31cf21ea1d943a168d4ea403a833c (79)
5e60a735afb32c3b19b186170964ffb9 matches 2c1c0ea0b4a31962bd4d9402e7c62575 (79)
6319efb42f2a5cc8fc4f14402d7ee1c3 matches 5972eff0dc24bc7b5906ef2b95bcfc1a (100)
642a1387e47e54aabbcce4eac243176a matches 5d5138f09a10148f4a85547aa24f7877 (100)
68de34fbac8824e021398b76f94784ef matches 11598cff75be9bfce649a5a59de72447 (68)
690d2fb0c5bd6297127def02452fd4ac matches 5d5138f09a10148f4a85547aa24f7877 (97)
690d2fb0c5bd6297127def02452fd4ac matches 642a1387e47e54aabbcce4eac243176a (97)
[REMOVED]

Compare 2 files

Comparing files makes it possible to find similar malware samples and hence group them into variants.

Generate a hash for the targeted file:

$ ssdeep -b application-x-dosexec/7fd4971a9bcee3e3cd844adc56e5eedd > hash.txt

Then compare the hash with the second file:

$ ssdeep -bm hash.txt application-x-dosexec/6bb58c8bc28655345b6842f17029075d
6bb58c8bc28655345b6842f17029075d matches hash.txt:7fd4971a9bcee3e3cd844adc56e5eedd (58)

It gives a score of 58.

The analysis of these 2 files with VirusTotal and Anubis confirms that:

  • Both files are identified as a Sality variant
  • Very few differences exist (e.g. the names of created processes) while the malware is running
7fd4971a9bcee3e3cd844adc56e5eedd
VirusTotal: https://www.virustotal.com/fr/file/ff531bc9e9731f27ba8fb428b9e53211af301c2fe0bddc1ddb71ffc9c5de84f0/analysis/
Anubis: https://anubis.iseclab.org/?action=result&task_id=1b8d2a9806041d0c421c1b38a656298e4&format=html
6bb58c8bc28655345b6842f17029075d
VirusTotal: https://www.virustotal.com/fr/file/a9adca8d6c440c59144787eadc9b96f853496835a48fddb0f6a8b512651f7566/analysis/
Anubis: https://anubis.iseclab.org/?action=result&task_id=1733a045e82313cb4693daeb75951ca5a&format=html

Python ssdeep

>>> import ssdeep
>>> hash1 = ssdeep.hash('Also called fuzzy hashes, Ctph can match inputs that have homologies.')
>>> hash1
'3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C'
>>> hash2 = ssdeep.hash('Also called fuzzy hashes, CTPH can match inputs that have homologies.')
>>> hash2
'3:AXGBicFlIHBGcL6wCrFQEv:AXGH6xLsr2C'
>>> ssdeep.compare(hash1, hash2)
22
