Packed PE file detection:
Advanced malware evades detection by common methodologies and software through polymorphism or obfuscation. Malware can be transferred to and executed on different victims as packed executables, which avoid detection by signature analysis. We can detect packed files by extracting specific elements of packing and calculating the entropy of the entry point section.
Entropy is the measure of unpredictability or randomness in an information stream.
- PEiD – the most common tool to detect packed or encrypted PE malware by signature detection
- MRC – structured analysis by file entropy. If encryption or suspicious packing is detected, a weight value is added so that the entry's score becomes high.
Recent malware executables are packed to avoid detection and to propagate quickly. A packed PE file is compressed and encrypted, so the data within the pack is random, which can be measured by byte entropy calculation. The original executable code is compressed into the “Packed Data” section of the image and has to be unpacked for binary analysis.
Entropy values range between 0 and 8. Specific file types have entropy values within narrower bands of that range.
Methods used to differentiate a normal file from a packed file are:
- entropy calculation of the whole file
- entropy calculation of the entry section
Entropy calculation at the entry section is the better option.
The essential element of a packed PE file is the IMAGE_HEADER_SECTION. One important feature is that a packed file is executable only when the WRITE property is included in the header section. So this is one of the main points checked in the detection of packing.
Packed PE file detection techniques: entropy-based detection and characteristic-based detection (behaviour based).
Entropy-based detection – from previous data sets, a packed PE file has entropy > 6.85 at the entry point.
Characteristic-based detection – different characteristics/actions are involved in unpacking a normal PE file versus a packed PE file. In packed executables the WRITE property is required to unpack and execute. Therefore a packed PE file can be selected by checking the entry point section and verifying whether it includes the WRITE property.
In a normal file, EXECUTE, READ, CODE or DATA occur commonly.
Packed PE detection flow chart: faster and more efficient detection. It receives the whole drive and sequentially checks each file on the disk for the PE signature (by looking for the “MZ” file signature).
If it is a PE file, find the entry point section. Check whether the entry point section includes the WRITE property and, if so, calculate the entropy of that section to find whether it is greater than the threshold for a normal PE file (6.85).
This method has a better detection rate and time when run on a huge dataset or a whole hard drive.
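The detection flow above (MZ check, entry point section, WRITE property, entropy against the 6.85 threshold) as an added Python example; this is not code from the original post. It parses the PE headers with the standard library only, and the two input images are constructed inside the block by build_minimal_pe so the example runs offline. The names classify_pe, entry_point_section and scan_directory are my own; the IMAGE_SCN_* flag values are the documented PE/COFF section characteristics.

```python
import math
import os
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification (IMAGE_SCN_*).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PACKED_ENTROPY_THRESHOLD = 6.85  # entry-section threshold quoted in the text


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entry_point_section(image: bytes):
    """Locate the section containing AddressOfEntryPoint.

    Returns (name, characteristics, raw_bytes), or None when the buffer does
    not carry an MZ/PE signature or its headers are truncated."""
    try:
        if len(image) < 0x40 or image[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
        size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
        entry_rva = struct.unpack_from("<I", image, e_lfanew + 40)[0]
        table = e_lfanew + 24 + size_opt  # first IMAGE_SECTION_HEADER (40 bytes each)
        for i in range(num_sections):
            name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
                "<8sIIIIIIHHI", image, table + 40 * i)
            if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
                return (name.rstrip(b"\0").decode("ascii", "replace"), chars,
                        image[raw_ptr:raw_ptr + raw_size])
    except struct.error:
        return None
    return None


def classify_pe(image: bytes) -> dict:
    """The flow from the text: MZ/PE check -> entry section -> WRITE flag -> entropy."""
    sec = entry_point_section(image)
    if sec is None:
        return {"is_pe": False, "packed": False}
    name, chars, raw = sec
    writable = bool(chars & IMAGE_SCN_MEM_WRITE)
    entropy = shannon_entropy(raw)
    return {"is_pe": True, "section": name, "writable": writable, "entropy": entropy,
            "packed": writable and entropy > PACKED_ENTROPY_THRESHOLD}


def scan_directory(root: str):
    """Walk a directory tree and yield (path, verdict) for every PE file found."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    verdict = classify_pe(f.read())
            except OSError:
                continue
            if verdict["is_pe"]:
                yield path, verdict


def build_minimal_pe(section_name: bytes, characteristics: int, data: bytes) -> bytes:
    """Constructed single-section PE32 image used as sample input. It is not a
    real program and will not run, but its headers are laid out as the loader expects."""
    e_lfanew, size_opt, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint (RVA)
    sect = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(data), 0x1000,
                       len(data), raw_ptr, 0, 0, 0, 0, characteristics)
    return (dos + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0") + data


# Constructed samples: a repetitive code-like section and a uniformly distributed blob.
NORMAL_CODE = bytes([0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3]) * 600
PACKED_BLOB = bytes(range(256)) * 16  # every byte value equally often: entropy 8.0
NORMAL_PE = build_minimal_pe(
    b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, NORMAL_CODE)
PACKED_PE = build_minimal_pe(
    b"packed", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
    PACKED_BLOB)

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        print(label, classify_pe(image))
```

Run it as a script to see both verdicts, or call scan_directory on a mount point to apply the same check drive-wide. The heuristic is cheap but not exact: an entry section that is writable and high-entropy is a strong hint, yet legitimate self-modifying or compressed-resource binaries can trip it and a packer that leaves a small low-entropy stub at the entry point will pass it, so in practice the verdict is combined with signature tools such as PEiD rather than used alone.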
Implementation of crypto-malware detection using file entropy changes in the project
In the project, one of the pre-detection methods is detection by file entropy changes. The steps involve:
- Calculating the binary entropy of the files (.txt, .doc, .pdf) in the specified path or drive
- Detecting the ASCII percentage change of the files.
The process involves detecting repetitive patterns in the binary sequence that would indicate a deviation from the assumption of randomness.
Implementation of the binary entropy analysis to detect cryptomalware execution in real time is here.
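The two pre-detection measures described above (binary entropy and ASCII percentage of a file, compared before and after it is rewritten) as an added Python example; this is not the project's code. The document sample is constructed in the block, and its "encrypted" counterpart is simulated offline by XOR with a seeded pseudo-random keystream purely to produce ciphertext-like input. The threshold values in encryption_suspected and the monobit check (the frequency test from NIST SP 800-22, one way to quantify "deviation from randomness") are my own additions.

```python
import math
import random
from collections import Counter

# Printable ASCII plus tab/newline/CR: the byte range a plain-text document is made of.
ASCII_TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def ascii_percent(data: bytes) -> float:
    """Share of bytes (0.0 .. 1.0) that are printable ASCII text."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in ASCII_TEXT) / len(data)


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test: p-value for the bit stream being
    balanced between 0s and 1s. A small value (< 0.01) means a measurable bias,
    one kind of deviation from randomness that structured data shows and
    ciphertext does not."""
    n = len(data) * 8
    if n == 0:
        return 0.0
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def profile(data: bytes) -> dict:
    """The per-file measurements the pre-detection step records."""
    return {"entropy": shannon_entropy(data), "ascii": ascii_percent(data),
            "monobit_p": monobit_p_value(data)}


def encryption_suspected(before: bytes, after: bytes,
                         entropy_jump: float = 2.0, ascii_drop: float = 0.4) -> bool:
    """Flag a file whose rewritten contents look like ciphertext: entropy rose by
    more than `entropy_jump` bits per byte AND the printable-ASCII share fell by
    more than `ascii_drop`. Both thresholds are assumptions tuned for plain text;
    .doc and .pdf carry compressed streams, so they need their own baselines."""
    b, a = profile(before), profile(after)
    return (a["entropy"] - b["entropy"] > entropy_jump and
            b["ascii"] - a["ascii"] > ascii_drop)


# Constructed sample document and a simulated encrypted rewrite of it. The
# "ciphertext" is the document XORed with a seeded pseudo-random keystream so the
# example is deterministic and offline; it only stands in for ciphertext-like bytes.
DOCUMENT = (b"Quarterly report: revenue grew 12 percent while operating costs stayed flat.\n"
            b"Action items: renew the vendor contract and schedule the audit for May.\n") * 28
_rng = random.Random(2024)
_KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(len(DOCUMENT)))
CIPHERTEXT = bytes(x ^ k for x, k in zip(DOCUMENT, _KEYSTREAM))

if __name__ == "__main__":
    print("before:", profile(DOCUMENT))
    print("after: ", profile(CIPHERTEXT))
    print("encryption suspected:", encryption_suspected(DOCUMENT, CIPHERTEXT))
```

In a real-time deployment the `profile` of each monitored file is stored once, recomputed when the file is written, and `encryption_suspected` is evaluated on the pair; a burst of flagged files across many paths within a short window is the signal worth alerting on, since a single file changing is normal.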
Source:
http://www.forensickb.com/2013/03/file-entropy-explained.html
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.9861&rep=rep1&type=pdf
http://csrc.nist.gov/groups/ST/toolkit/rng/documents/SP800-22rev1a.pdf