Fuzzy hashing is a great method to compare files for similarity. ssdeep (http://ssdeep.sourceforge.net) is a useful tool to generate the fuzzy hash for a sample, and it also helps in determining percentage similarity between the samples. This technique is useful in comparing a suspect binary with the samples in a repository to identify the samples that are similar; this can help in identifying the samples that belong to the same malware family or the same actor group.

You can use ssdeep to calculate and compare fuzzy hashes. Installation of ssdeep on Ubuntu Linux VM was covered in Chapter 1, To determine a fuzzy hash of a sample, run the following command:

$ ssdeep veri.exessdeep,1.1--blocksize:hash:hash,filename ...