A few of us have run ssdeep and we believe that it has some serious potential from a forensic point of view, especially when it comes to malware. Consider creating a master hash list of malicious artifacts, and running ssdeep against it. ssdeep will give you a number (not really a percentage match as I understand it) corresponding to the similarity of the file versus the file hash list. May help with id'ing new malcode and zero day attacks, given the trend toward modular malcode. Your thoughts?
-rmac-
A few of us have run ssdeep and we believe that it has some serious potential from a forensic point of view, especially when it comes to malware.
I agree, that's exactly where I see its potential, during live analysis. May even have potential for IDS, with obvious overheads.
The potential for something like ssdeep goes far beyond live analysis. Capturing memory, for instance, and using ssdeep to "hash" the recovered executable from the memory dump and compare it to rmac's database would be extremely useful.
Regarding rmac's comment on "new" malcode and zero days…by definition, a zero day hasn't been seen before, and ssdeep is most useful when there are variants available. The same is true with "new" malcode…hashing the new stuff and adding it to the database is a great idea.
I'm not sure that it would be as useful with IDS, particularly those that are signature based. If the signature is triggered and then the executable is captured, perhaps. Otherwise, I'm not sure I see the utility.
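The master-list workflow rmac describes, as an added illustration that is not from this thread or from the ssdeep project: a toy context-triggered piecewise hash (a 7-byte rolling hash picks piece boundaries, one base64 character summarises each piece) and an "ssdeep -m"-style lookup of a sample against a master list of signatures. Real ssdeep picks the block size adaptively and scores with a weighted edit distance; here the block size is fixed and plain Levenshtein is used, and the "files" are constructed random bytes, not real samples, so the scores only show the shape of the result (a patched variant scores high, unrelated code scores low, which is the point made about zero days above).

```python
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fuzzy_hash(data, block_size=32):
    """Toy CTPH signature 'block_size:chars' (simplified ssdeep, fixed block size)."""
    window, piece, sig = [], 2166136261, []
    for b in data:
        window = (window + [b])[-7:]                   # rolling hash sees last 7 bytes
        piece = ((piece ^ b) * 16777619) & 0xFFFFFFFF  # FNV-1a over the current piece
        roll = sum(i * w for i, w in enumerate(window, 1))
        if roll % block_size == block_size - 1:        # trigger: piece boundary
            sig.append(B64[piece % 64])                # one char per piece
            piece = 2166136261
    sig.append(B64[piece % 64])                        # trailing partial piece
    return f"{block_size}:{''.join(sig)}"

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig_a, sig_b):
    """0..100: edit distance scaled by signature length (ssdeep weights it).
    Signatures with different block sizes are not comparable here."""
    (bs_a, s_a), (bs_b, s_b) = sig_a.split(":"), sig_b.split(":")
    if bs_a != bs_b:
        return 0
    return round(100 * (1 - levenshtein(s_a, s_b) / max(len(s_a), len(s_b), 1)))

def match_against_master(data, master):
    """Like 'ssdeep -m master_list sample': best (name, score) over the master list."""
    sig = fuzzy_hash(data)
    return max(((n, similarity(sig, s)) for n, s in master.items()), key=lambda t: t[1])

def _blob(seed, n=4000):                               # deterministic pseudo-random bytes
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed inputs (not real malware): a known artifact, a variant with a
# 200-byte patched region in the middle, and an unrelated file.
KNOWN = _blob(1)
VARIANT = KNOWN[:1500] + _blob(99, 200) + KNOWN[1700:]
UNRELATED = _blob(2)
MASTER = {"known_sample": fuzzy_hash(KNOWN)}
```

Because the rolling hash only looks at the last 7 bytes, the patch disturbs piece boundaries locally and the rest of the signature re-synchronises, which is what makes the variant score high while the unrelated blob does not.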