Hashing: A Fingerprint for Malware
Hashing is a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware (a sort of fingerprint). The Message-Digest Algorithm 5 (MD5) hash function is the one most commonly used for malware analysis, though the Secure Hash Algorithm 1 (SHA-1) is also popular.
For example, using the freely available md5deep program to calculate the hash of the Solitaire program that comes with Windows would generate the following output:
C:\>md5deep c:\WINDOWS\system32\sol.exe 373e7a863a1a345c60edb9e20ec32311 c:\WINDOWS\system32\sol.exe
The hash is
The GUI-based WinMD5 calculator, shown in Figure 1-1 ...