DensityScout sniffs out malware in compressed files
You think your PC is infected by something dangerous, but your regular antivirus package hasn’t raised any alerts. So what now?
This is a question we cover fairly often here. Only last week we reported on the latest version of Mandiant Redline, which will scan your system’s executables and highlight those most likely to be malware. Now, CERT (Computer Emergency Response Team) Austria has come up with another small contribution in DensityScout; it’s not for PC novices, but if you’re an expert computer user then you could find the program very helpful indeed.
What DensityScout essentially tries to do is identify files in a given folder path that have been packed. This is a technique commonly used by malware to obfuscate or encrypt its contents, making it more difficult for regular scanners to identify the threat (although it’s also used by many legitimate programs, so you need to be cautious how you interpret its results).
And the program uses a simple mathematical idea to figure this out. Standard unpacked executable files will have an uneven spread of bytes; that is, some byte patterns will occur more often than others due to structures in the file. But the packing process means you’ll have a much more even distribution of byte usage throughout the file, and so by calculating and reporting on a file’s density (which the author says is similar to entropy, though we’re still awaiting the precise details), you can more easily find possible malware.
So what does this mean? The author recommends launching the program with a line like this:
densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32
(Be sure to read his SANS blog post on DensityScout for the full details.)
This essentially means: scan all the executable files in the Windows System32 folder, saving the data to results.txt. Those results are then placed in order, with the lowest and most suspect values at the top, which on our test Windows 7 system started like this:
(0.02417) | c:\Windows\System32\FlashPlayerInstaller.exe
(0.16460) | c:\Windows\System32\DivX.dll
(0.22350) | c:\Windows\System32\iglhsip32.dll
(0.28759) | c:\Windows\System32\AuthFWGP.dll
That’s not bad at all. The program has immediately highlighted a couple of non-system files within the \Windows\System32 folder (and there were other examples further down the list).
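To make the byte-distribution idea concrete, here is an added example (not DensityScout's own code, whose exact "density" formula is not published here) that scores files by Shannon entropy instead. It assumes the same workflow as the command above: pick a folder, filter by extension, apply a threshold, rank the output. Note the ordering is reversed relative to DensityScout: with entropy, packed or encrypted content scores high (near 8 bits per byte), so the most suspect files sit at the top of a descending sort.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Added example: Shannon entropy stands in for DensityScout's undisclosed "density".
# Uniformly spread bytes (packed/encrypted data) approach 8.0; structured,
# repetitive data such as tables in an unpacked binary scores much lower.

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued data, 8.0 maximum."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def scan_folder(folder: str, extensions: tuple, threshold: float) -> list:
    """Walk `folder`, score files whose extension matches, and return
    (entropy, path) pairs at or above `threshold`, most suspect first."""
    exts = {"." + e.lower().lstrip(".") for e in extensions}
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() not in exts:
                continue
            score = shannon_entropy(path.read_bytes())
            if score >= threshold:
                hits.append((score, str(path)))
    return sorted(hits, reverse=True)

def demo() -> list:
    """Constructed sample: three fake files in a temp dir; returns the ranked scan."""
    rng = random.Random(1234)  # deterministic stand-in for a packed payload (constructed)
    with tempfile.TemporaryDirectory() as d:
        # repetitive content: low entropy, like the structured parts of an unpacked file
        Path(d, "plain.dll").write_bytes(bytes(range(16)) * 512)
        # uniform random bytes mimic a packed/encrypted section
        Path(d, "packed.exe").write_bytes(bytes(rng.getrandbits(8) for _ in range(8192)))
        # wrong extension, so it is skipped just as the -s list would skip it
        Path(d, "notes.txt").write_bytes(b"ignored: not an executable extension")
        return scan_folder(d, ("exe", "dll", "ocx"), threshold=0.0)

if __name__ == "__main__":
    for score, path in demo():
        print(f"({score:.5f}) | {path}")
```

As with the real tool, a high score only says the bytes are evenly spread; a legitimately packed installer will rank just as high as a packed piece of malware.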
But it also illustrates the problem with DensityScout: legitimate files may be packed, too, so you need to interpret these results with care. And you certainly can’t scan an entire system and expect useful results (if nothing else it’ll take too long; the program must count every byte in the scanned file types, so it isn’t too speedy).
Still, we were impressed by DensityScout’s ability to highlight packed files in our Windows folders. And they’re a common target area for malware, so even if you never use the program for anything else, then its ability to check those locations could be very useful. Just be sure to very carefully research any files it throws up, because being packed does not necessarily mean a program has any malicious intent.