Entropy file scanner for Linux to detect packed/encrypted binaries related to malware

by do son · May 12, 2020

What is sandfly-filescan?

sandfly-filescan is a utility to quickly scan files and report on their entropy (a measure of randomness) and if they are a Linux/Unix ELF type executable. Some malware for Linux is packed or encrypted and shows very high entropy. This tool can quickly find high entropy executable files which often are malicious.

Features

Written in Golang and is portable across multiple architectures with no modifications.
Standalone binary requires no dependencies and can be used instantly without loading any libraries on suspect machines.
Not affected by ld_preload style rootkits that are cloaking files.
Generates entropy and also MD5, SHA1, SHA256 and SHA512 hash values of files.
Can be used in scanning scripts to find problems automatically.
Can be used by incident responders to quickly scan and zero in on potential malware on a Linux host.

Why Scan for Entropy?

Entropy file scanner is a measure of randomness. For binary data 0.0 is not-random and 8.0 is perfectly random. Good crypto looks like random white noise and will be near 8.0. Good compression removes redundant data making it appear more random than if it was uncompressed and usually will be 7.7 or above.

A lot of malware executables are packed to avoid detection and make reverse engineering harder. Most standard Linux binaries are not packed because they aren’t trying to hide what they are. Searching for high entropy files is a good way to find programs that could be malicious just by having these two attributes of high entropy and executable.