Malware and entropy

Discussion in 'other security issues & news' started by MrBrian, Mar 2, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Mal(ware)formation statistics:
    From Malware Validation Techniques:
    From paper "Using Entropy Analysis to Find Encrypted and Packed Malware" (hxxp://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.9861&rep=rep1&type=pdf):
    Free programs that I tried that calculate entropy:
    1. Process Explorer - highlights in purple (if default settings are used) processes (and also DLLs, if viewing in the lower pane) whose corresponding disk file is likely packed. No entropy calculation is explicitly given.
    2. Entyzer - command-line program that calculates either entropy of whole file, or of individual sections, depending on the argument supplied. I had no problems with the 32 bit version, but had problems with the 64 bit version.
    3. Malware Analyzer v2.8 - command-line program that calculates entropy of individual sections; can't remember if entropy of whole file is also given.
    4. PeSweep - command-line program that calculates entropy of individual sections; can't remember if entropy of whole file is also given.
    5. Ent (hxxp://gynvael.coldwind.pl/?id=162 and hxxp://gynvael.coldwind.pl/?id=158 ) - calculates entropy of whole file, and also gives detailed graph of file regions with high entropy; graph can get very long.
    6. Bytehist - Graphically shows byte distribution by whole file and also by section, which is useful although it isn't the same as entropy.
    7. CrypTool - calculates entropy and also floating frequency; calculates these slowly.
    8. PEiD - it's unclear what part of the file the entropy calculations are performed on.
    9. Mandiant Red Curtain - calculates entropy of whole file and also code section; can calculate entropy of all files in a given folder.

    Free programs that I didn't try that calculate entropy:
    1. El Jefe.
    2. PEPackerInfo2.0.py - used in paper "Classification of Packed Executables for Accurate Computer Virus Detection."
    3. Hexer entropy plugin
    4. IDA Entropy Plugin
    5. Crypto Implementations Analysis Toolkit
    6. Ent - hxxp://www.fourmilab.ch/random/

    Of those that I tried, I recommend Process Explorer, Entyzer, Ent, Mandiant Red Curtain, and Bytehist.

    P.S. Hitman Pro uses entropy as one of the characteristics to determine if a file is suspicious.
     
    Last edited: Mar 2, 2011
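    Added example, not part of the post above and not code from any of the tools it lists: a small Python script that computes Shannon entropy in bits per byte for a whole file, for each section found by walking the PE section table (a minimal parser written here, without the pefile module), and for a sliding window over the raw bytes, merging the windows above a cut-off into offset ranges the way a region graph would. The 7.0 bits/byte threshold, the 512-byte window, and the sample "PE" (a constructed blob with one large plain-text section and one section of random bytes standing in for packed code) are assumptions made for this example.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, threshold: float = 7.0,
                         window: int = 512, step: int = 64):
    """Slide a window over the bytes and merge consecutive windows at or above
    `threshold` into (start, end) ranges. Works on any blob, so it does not
    depend on a valid section table."""
    regions = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:      # overlaps the previous region: extend it
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def pe_sections(data: bytes):
    """Minimal walk of the PE section table (no pefile dependency).
    Yields (name, raw_offset, raw_size). Raises ValueError on input that is not
    a PE or whose headers run past the end of the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    if coff + 20 > len(data):
        raise ValueError("COFF header truncated")
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    if table + 40 * n_sections > len(data):
        raise ValueError("section table truncated")
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def analyse(data: bytes, threshold: float = 7.0) -> dict:
    """Whole-file entropy next to per-section entropy, plus the sections at or
    above `threshold` (7.0 bits/byte is an assumed cut-off, not one from the post)."""
    sections = {name: shannon_entropy(data[off:off + size])
                for name, off, size in pe_sections(data)}
    return {"file": shannon_entropy(data),
            "sections": sections,
            "suspicious": sorted(n for n, h in sections.items() if h >= threshold)}


def build_sample_pe() -> bytes:
    """Constructed test input, not a real binary: a PE-shaped blob with a large
    plain-text .text section followed by a small section of random bytes that
    stands in for packed or encrypted code."""
    rng = random.Random(1)
    text = b"This is plain program text. " * 256                 # 7168 bytes, low entropy
    packed = bytes(rng.getrandbits(8) for _ in range(2048))      # close to 8 bits/byte
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + 2 * 40                     # PE sig + COFF + 2 section headers
    text_off, packed_off = headers_len, headers_len + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header

    def section_header(name: bytes, size: int, offset: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, offset, 0, 0, 0, 0, 0x60000020)

    blob = (dos + b"PE\0\0" + coff
            + section_header(b".text", len(text), text_off)
            + section_header(b".packed", len(packed), packed_off)
            + text + packed)
    assert blob[packed_off:packed_off + 8] == packed[:8]          # layout sanity check
    return blob


if __name__ == "__main__":
    sample = build_sample_pe()
    result = analyse(sample)
    print("whole file: %.2f bits/byte" % result["file"])
    for name, h in result["sections"].items():
        print("  %-8s %.2f bits/byte" % (name, h))
    print("sections over threshold:", result["suspicious"])
    print("high-entropy regions (offset ranges):", high_entropy_regions(sample))
```

    On the constructed sample the whole-file value stays under the cut-off because the large plain-text section dilutes it, while the small random section alone is well above it, which is why per-section numbers (as Entyzer or Red Curtain report them) are more useful than one figure for the file. The sliding-window ranges find the same region without trusting the section headers at all, which matters when a sample's headers are malformed or the section sizes lie.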
  2. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    Thanks, MrBrian, for this info.
    I guess "Universal Virus Sniffer" and "Advanced malware identification" tools use entropy to detect suspicious processes too.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for the info also, and you're welcome :).
     