- Feb 3, 2012
- 271
DensityScout is an interesting command-line tool from CERT Austria which can highlight malware-related files on your PC.
[attachment=1185]
The program uses an unusual mathematical technique to figure this out. Or, as the author puts it, DensityScout "calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list".
But the underlying idea is this. Standard unpacked executable files will have an uneven spread of bytes; that is, some byte patterns will occur more often than others due to structures in the file. Malware is often packed, though, which not only conceals the real executable, but also means you'll have a more even distribution of byte usage throughout the file.
So what does this mean? The author recommends launching the program with a line like this.
densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32
(Be sure to read his SANS blog post on the program.)
Which essentially means scan all the executable files in the Windows System32 folder, saving the data to results.txt. Those results are then placed in order, with the lowest and most suspect values at the top. Which in our case started like this:
(0.02417) | c:\Windows\System32\FlashPlayerInstaller.exe
(0.16460) | c:\Windows\System32\DivX.dll
(0.22350) | c:\Windows\System32\iglhsip32.dll
(0.28759) | c:\Windows\System32\AuthFWGP.dll
And as you can see, the program has worked, at least to a degree: the two top values are "intruders", presumably packed (though also entirely legitimate, so of course you must check any highlighted files to see what they really are).
There's no magic solution here, then, and the program's command-line nature mean it's not exactly easy to use. But, if you're an expert who would like a little extra antivirus help then DensityScout could definitely come in handy occasionally.
Verdict:
A clever idea which could help you locate suspect files on your computer (though its command-line nature and general complexity mean it's strictly experts-only)
Download
[attachment=1185]
The program uses an unusual mathematical technique to figure this out. Or, as the author puts it, DensityScout "calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list".
But the underlying idea is this. Standard unpacked executable files will have an uneven spread of bytes; that is, some byte patterns will occur more often than others due to structures in the file. Malware is often packed, though, which not only conceals the real executable, but also means you'll have a more even distribution of byte usage throughout the file.
So what does this mean? The author recommends launching the program with a line like this.
densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32
(Be sure to read his SANS blog post on the program.)
Which essentially means scan all the executable files in the Windows System32 folder, saving the data to results.txt. Those results are then placed in order, with the lowest and most suspect values at the top. Which in our case started like this:
(0.02417) | c:\Windows\System32\FlashPlayerInstaller.exe
(0.16460) | c:\Windows\System32\DivX.dll
(0.22350) | c:\Windows\System32\iglhsip32.dll
(0.28759) | c:\Windows\System32\AuthFWGP.dll
And as you can see, the program has worked, at least to a degree: the two top values are "intruders", presumably packed (though also entirely legitimate, so of course you must check any highlighted files to see what they really are).
There's no magic solution here, then, and the program's command-line nature mean it's not exactly easy to use. But, if you're an expert who would like a little extra antivirus help then DensityScout could definitely come in handy occasionally.
Verdict:
A clever idea which could help you locate suspect files on your computer (though its command-line nature and general complexity mean it's strictly experts-only)
Download
