The security administrator is implementing a malware storage system to archive all malware seen by the
company into a central database. The malware must be categorized and stored based on similarities in
the code. Which of the following should the security administrator use to identify similar malware?

A.
TwoFish

B.
SHA-512

C.
Fuzzy hashes

D.
HMAC

Explanation:
Hashing is used to ensure that a message has not been altered. It can be useful for positively identifying
malware when a suspected file has the same hash value as a known piece of malware. However,
modifying a single bit of a malicious file will alter its hash value. To counter this, a continuous stream of
hash values is generated for rolling block of code. This can be used to determine the similarity between a
suspected file and known pieces of malware.
Incorrect Answers:
A: Twofish is a block cipher algorithm that operates on 128-bit blocks of data and can use cryptographic
keys of up to 256 bits in length. It is used to provide confidentiality protection of data.
B: SHA-512 is a version of Secure Hash Algorithm (SHA) and is a 512-bit hash algorithm that can be used
for hashing. Hashing is not an encryption algorithm but the hash can be used to verify that the data has
not been altered.
D: Hash-based Message Authentication Code (HMAC) is a hash algorithm that guarantees the integrity of
a message during transmission, but does not provide non-repudiation.

http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 332-333, 336