PrepAway - Latest Free Exam Questions & Answers

Which of the following should the security administrator use to identify similar malware?

The security administrator is implementing a malware storage system to archive all malware seen
by the company into a central database. The malware must be categorized and stored based on
similarities in the code. Which of the following should the security administrator use to identify
similar malware?


A. TwoFish

B. SHA-512

C. Fuzzy hashes

D. HMAC

Explanation:

2 Comments on “Which of the following should the security administrator use to identify similar malware?”

  1. meac says:

    Let's take a look at the answers:

    **A. TwoFish
    In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization.

    **B. SHA-512
    SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA). They are built using the Merkle–Damgård structure, from a one-way compression function itself built using the Davies-Meyer structure from a (classified) specialized block cipher.

    **C. Fuzzy hashes
    Fuzzy hashing is a concept which involves the ability to compare two distinctly different items and determine a fundamental level of similarity (expressed as a percentage) between the two

    **D. HMAC
    In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. It may be used to simultaneously verify both the data integrity and the authentication of a message, as with any MAC. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5 or HMAC-SHA1). The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.

    Hash comparisons are either a yes or a no – either the hash matches, or it doesn’t. But, that does not mean that the files are not the same, it just means they are not exactly the same.

    Hashing is used to ensure that a message has not been altered. It can be useful for positively identifying malware when a suspected file has the same hash value as a known piece of malware.
    However, modifying a single bit of a malicious file will alter its hash value.
    To counter this, a continuous stream of hash values is generated for rolling blocks of code.
    This can be used to determine the similarity between a suspected file and known pieces of malware.
    This is called fuzzy hashing, which is a concept which involves the ability to compare two distinctly different items and determine a fundamental level of similarity (expressed as a percentage) between the two.
    Why Fuzzy Hashing is Really Cool
    For years, computer forensic investigators have put a great deal of stock in the effectiveness of MD5 hashing. Now to quantify that statement, I mean specifically using MD5 hashes to identify known malicious files. The key word in that sentence is known, but let’s take that one step further to add the word “unmodified” known files. One minor change to a file, and the MD5 hash is now completely different, rendering the investigator’s search totally ineffective. So, what’s the answer? Easy, fuzzy hashing.
    So fuzzy hashing deals with a LEVEL OF SIMILARITY / PROXIMITY between hashes.

