sandfly-entropyscan v1.1.1 releases: detect packed or encrypted binaries related to malware
What is sandfly-entropyscan?
sandfly-entropyscan is a utility to quickly scan files or running processes and report their entropy (a measure of randomness) and whether they are Linux/Unix ELF executables. Some Linux malware is packed or encrypted and therefore shows very high entropy. This tool quickly finds high-entropy executable files and processes, which are frequently malicious and always worth a closer look.
Features
- Written in Golang and is portable across multiple architectures with no modifications.
- Standalone binary requires no dependencies and can be used instantly without loading any libraries on suspect machines.
- Not affected by LD_PRELOAD style rootkits that are cloaking files.
- Built-in PID busting to find hidden/cloaked processes from certain types of Loadable Kernel Module (LKM) rootkits.
- Generates entropy and also MD5, SHA1, SHA256 and SHA512 hash values of files.
- Can be used in scanning scripts to find problems automatically.
- Can be used by incident responders to quickly scan and zero in on potential malware on a Linux host.
Why Scan for Entropy?
Entropy is a measure of randomness. For binary data it is expressed in bits per byte: 0.0 means every byte has the same value (no randomness) and 8.0 means all 256 byte values occur equally often (perfectly random). Good encryption produces output that looks like random white noise and scores near 8.0. Good compression removes redundant data, making the output look more random than the uncompressed input, and usually scores 7.7 or above.
Many malware executables are packed to evade detection and to make reverse engineering harder. Most standard Linux binaries are not packed, because they are not trying to hide what they are. Searching for files that are both executable and high-entropy is therefore a good way to surface programs that could be malicious. Legitimate software is occasionally packed or embeds compressed or encrypted data, so a high score is a triage signal to investigate, not proof of malice on its own.
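The following is an added example, not code from the sandfly-entropyscan project, showing the two checks the text describes: Shannon entropy in bits per byte and the ELF magic test, combined into the "executable and high-entropy" heuristic. The 7.7 threshold, the `Suspicious` helper and the constructed byte buffers are assumptions for illustration; real scans would read files or `/proc/<pid>/exe` instead.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math"
)

// elfMagic is the 4-byte ELF header signature: 0x7f 'E' 'L' 'F'.
var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// ShannonEntropy returns the Shannon entropy of data in bits per byte.
// 0.0 means a single repeated byte value; 8.0 means all 256 byte values
// are equally frequent. Empty input is reported as 0.0.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0.0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	entropy := 0.0
	for _, c := range counts {
		if c == 0 {
			continue // log2(0) is undefined; zero-probability symbols contribute nothing
		}
		p := float64(c) / n
		entropy -= p * math.Log2(p)
	}
	return entropy
}

// IsELF reports whether data begins with the ELF magic bytes.
func IsELF(data []byte) bool {
	return len(data) >= len(elfMagic) && bytes.Equal(data[:len(elfMagic)], elfMagic)
}

// Suspicious applies the heuristic from the text: an ELF file whose
// entropy is at or above threshold deserves a closer look. The threshold
// value (7.7 here, taken from the compression figure above) is an assumption.
func Suspicious(data []byte, threshold float64) bool {
	return IsELF(data) && ShannonEntropy(data) >= threshold
}

// SHA256Hex returns the hex-encoded SHA256 of data, one of the hashes the
// tool reports alongside entropy so a hit can be looked up elsewhere.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return fmt.Sprintf("%x", sum[:])
}

func main() {
	// Constructed inputs, not real binaries:
	zeros := make([]byte, 4096) // every byte 0x00 -> entropy 0.0
	uniform := make([]byte, 4096)
	for i := range uniform {
		uniform[i] = byte(i % 256) // each byte value appears 16 times -> entropy 8.0
	}
	plainELF := append(append([]byte{}, elfMagic...), zeros...)    // ELF header, low-entropy body
	packedELF := append(append([]byte{}, elfMagic...), uniform...) // ELF header, "packed" body

	for name, data := range map[string][]byte{
		"zeros": zeros, "plainELF": plainELF, "packedELF": packedELF,
	} {
		fmt.Printf("%-10s elf=%-5t entropy=%.3f suspicious=%-5t sha256=%s\n",
			name, IsELF(data), ShannonEntropy(data), Suspicious(data, 7.7), SHA256Hex(data))
	}
}
```

Note that the entropy is computed over the whole buffer; a packer's small unpacking stub barely moves the score, which is why this simple whole-file measure works well for packed ELF binaries. A file with a large high-entropy section inside an otherwise normal binary could still score below the threshold, so per-section scanning is a reasonable refinement.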
Changelog v1.1.1
Updated go.mod to Go 1.19, fixed a typo in the package name, and made small README changes.
Install & Use
Copyright (c) 2019-2022 Sandfly Security Ltd.
https://www.sandlfysecurity.com
@SandflySecurity