Hashing is a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware (a sort of fingerprint). The Message-Digest Algorithm 5 (MD5) hash function is the one most commonly used for malware analysis, though the Secure Hash Algorithm 1 (SHA-1) is also popular.
For example, using the freely available md5deep program to calculate the hash of the Solitaire program that comes with Windows would generate the following output:
C:\>md5deep c:\WINDOWS\system32\sol.exe 373e7a863a1a345c60edb9e20ec32311 c:\WINDOWS\system32\sol.exe
The hash is 373e7a863a1a345c60edb9e20ec32311.
The GUI-based WinMD5 calculator, shown in Figure 1-1, can calculate and display hashes for several files at a time.
Once you have a unique hash for a piece of malware, you can use it as follows:
Use the hash as a label.
Share that hash with other analysts to help them to identify malware.
Search for that hash online to see if the file has already been identified.
