SANS Digital Forensics and Incident Response Blog

Finding (unknown) malware with DensityScout ...

Introduction

The latest REMnux version has a new tool on board that may be completely unknown to you: "DensityScout". This article reveals all that you need to know to understand where and how this tool can save you hours of your precious time.

NOTE: This article addresses build 42 of this tool. At the time of writing REMnux contains an older version (build 40) which lacks the new -pe/-PE options. However, equivalent or comparable configurations are provided where needed.

Description

DensityScout is a tool that has been written for one purpose: finding (possibly unknown) malware on a potentially infected system.

To do so, it takes advantage of the typical approach of malware authors, who protect their "products" with obfuscation such as run-time packing and encryption. The tool itself is based on the concept of the Bytehist tool, which has been on board REMnux since its initial incarnation.

So what does DensityScout do?

Actually it's quite simple. DensityScout's main job is to scan a desired file-system path, calculate the density of each file and finally print out a descending list. Microsoft Windows executables are usually not packed or encrypted in any way, which pushes the hits for malicious executables to the top of the list, where you can easily focus on them.

What's Density?

I decided not to use the well-known word "entropy" for the mathematical concept of the calculations going on under the hood of DensityScout. I'm not a mathematician so I tried my best to calculate all the numerical information I found necessary and relevant to have to decide if something is packed/encrypted or not. So, what came out is something similar to "entropy" but with a ... different taste. To circumvent any philosophical discussion with real mathematicians I decided to call it "density". But at the end of the day - at least in my opinion - only one thing counts: Does it work? Yes it does!

Usage

DensityScout is a command-line based tool and, as usual, it comes with a quick help on board. Just run DensityScout without any arguments and you will see something similar to the following output ...

DensityScout (Build 42)

Author: Christian Wojner, CERT.at

Syntax: densityscout [options] file_or_directory

options: -a .............. Show errors and empties, too
-d .............. Just output data
-l density ...... Lower than the given density
-n number ....... Print number lines
-m mode ......... Mode ABS (default) or CHI (for filesize > 100 Kb)
-o file ......... File to write output to
-p density ...... Immediately print if lower than the given density
-r .............. Walk recursively
-s suffix(es) ... Filetype(s) (i.e.: dll or dll,exe,...)
-S suffix(es) ... Filetype(s) to ignore (i.e.: dll or dll,exe)
-pe ............. Include all portable executables by magic number
-PE ............. Ignore all portable executables by magic number

Note: Packed and/or encrypted data usually has a much higher density than
normal data (like text or executable binaries).

Modes: ABS ... Computes the average distance from the ideal quantity for each
byte-state according to the overall byte-quantity of the
evaluated file.
Typical ABS-density for a packed file: < 0.1
Typical ABS-density for a normal file: > 0.9

CHI ... Just the same as ABS but actually squaring each distance.
Typical CHI-density for a packed file: < 100.0
Typical CHI-density for a normal file: > 1000.0

Why so many options?

Most of the options serve performance optimization and better quality of the results in equal measure. Without any restrictions, filters or understanding, DensityScout can easily take hours to finish if you fire it at a whole drive or mount point, as such a mis-configuration easily leads to an unwanted computation over many GB. Also, it might not be a good idea to include file types which are packed/encrypted per se.

My best practice ...

IMHO it doesn't make any sense to come up with all possible combinations of DensityScout's options, so I will show you one of my default approaches to find malware on a potentially infected system using DensityScout. Besides the explanations for it I will give additional hints for further thinking/ideas/creativity as well.

Here is one of the fastest ways to get a quick glance at whether there's anything "suspicious" on a specific Microsoft Windows installation:

densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32

The option "-s cpl,exe,dll,ocx,sys,scr" tells DensityScout to only include files with a typical portable executable extension in further computations. However, with the latest version (build 42) I recommend the all-new option "-pe" to achieve this kind of filtering. It tells DensityScout to select files by checking them against the magic number of portable executables - "MZ", for those who do not know. This even catches portable executables with extensions we wouldn't expect.

The next option "-p 0.1" is for the impatient ones - like me. With this option you can instruct DensityScout to print a hint on the command line for each file it finds with a density below the given value, as soon as it is found. If you do not use this option you have to wait until DensityScout has finished and printed the desired descending list. Though this option can indeed provide you with the wanted information quite fast, the obvious downside is that those hints can never be sorted. However, the value "0.1" in the shown example is a fairly good threshold to get what you want while keeping the hints visually manageable.

The option "-o results.txt" is more or less a no-brainer. This is the output file which will be used for the result list. If this option is not provided, the final list is sent directly to standard output, which you might not want because of its size. Don't get me wrong, the resulting list is always huge, but as already mentioned in the beginning the major advantage is that you only have to focus on the top findings in it.

Last but not least you specify the path to start from. In the current example it's only C:\Windows\System32 that is examined, without any sub-directories. As mentioned this is one of the fastest approaches, but a very common one. To do a recursive run you just have to add the "-r" option.
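To make the "density" idea and the options used above concrete, here is an added example (my own code, not DensityScout's): it implements ABS and CHI density the way the help text describes them, with a normalisation that is my assumption since the exact formula is not published here, and a small scanner that mirrors the -r, -s, -pe, -m and -l options and returns the ascending result list. The sample "packed" and "plain" files are constructed inline.

```python
"""Added example, not DensityScout's code: ABS/CHI density as the help text
describes it (the normalisation is an assumption) plus a CLI-like scanner."""
import os
import random
from collections import Counter

def _deviations(data: bytes):
    """Ideal (uniform) count per byte-state and each state's deviation from it."""
    ideal = len(data) / 256
    counts = Counter(data)
    return ideal, [counts.get(v, 0) - ideal for v in range(256)]

def abs_density(data: bytes) -> float:
    """ABS: mean |deviation|, taken relative to the ideal count."""
    ideal, dev = _deviations(data)
    return sum(abs(d) for d in dev) / (256 * ideal)

def chi_density(data: bytes) -> float:
    """CHI: as ABS, but each deviation is squared (chi-square style)."""
    ideal, dev = _deviations(data)
    return sum(d * d / ideal for d in dev) / 256

def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"  # -pe: select by the MZ magic number, not extension

def rank(files: dict, mode="ABS", below=None) -> list:
    """(density, name) pairs, lowest (most likely packed) first; -l via `below`."""
    measure = abs_density if mode == "ABS" else chi_density
    out = [(measure(d), name) for name, d in files.items() if d]  # skip empties
    return sorted(x for x in out if below is None or x[0] < below)

def scan(root, recursive=False, suffixes=(), pe_only=False, mode="ABS", below=None):
    files, exts = {}, tuple("." + s.lower() for s in suffixes)  # -s filter
    for dirpath, dirnames, names in os.walk(root):
        if not recursive:
            dirnames[:] = []  # no -r: do not descend into sub-directories
        for name in names:
            path = os.path.join(dirpath, name)
            if exts and not name.lower().endswith(exts):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if not pe_only or is_pe(data):
                files[path] = data
    return rank(files, mode, below)

# Constructed samples: random bytes behind MZ = packed-like, repeated text = unpacked.
_rng = random.Random(1)
PACKED = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(100_000))
PLAIN = b"MZ" + b"Hello from a constructed, unpacked sample file.\r\n" * 2000
```

With these samples `rank({"packed.exe": PACKED, "plain.dll": PLAIN})` puts the random-byte file first with an ABS density well below 0.1, while the text-like file scores above 0.9, matching the typical values from the help text.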

What you get ...

On a healthy Windows 7 Professional installation you should see something similar to the following while DensityScout runs:

DensityScout (Build 42)

by Christian Wojner

Calculating density for file ...
(0.03763) | c:\Windows\System32\bootres.dll
(0.05963) | c:\Windows\System32\VAIO S Series - Summer 2011.scr
(0.05214) | c:\Windows\System32\WdfCoinstaller01009.dll

This promptly reveals that Sony has put some strange screensaver on my notebook :-)

The first 20 lines of the final result list should look like this:

(0.03763) | c:\Windows\System32\bootres.dll
(0.05214) | c:\Windows\System32\WdfCoinstaller01009.dll
(0.05963) | c:\Windows\System32\VAIO S Series - Summer 2011.scr
(0.11521) | c:\Windows\System32\LkmdfCoInst.dll
(0.12726) | c:\Windows\System32\mcupdate_GenuineIntel.dll
(0.20664) | c:\Windows\System32\iglhsip64.dll
(0.27113) | c:\Windows\System32\pegibbfc.rs
(0.27516) | c:\Windows\System32\usk.rs
(0.27633) | c:\Windows\System32\cero.rs
(0.28895) | c:\Windows\System32\pegi.rs
(0.30524) | c:\Windows\System32\AuthFWGP.dll
(0.30681) | c:\Windows\System32\iscsicpl.exe
(0.32147) | c:\Windows\System32\msshavmsg.dll
(0.32388) | c:\Windows\System32\SrpUxNativeSnapIn.dll
(0.32859) | c:\Windows\System32\qedwipes.dll
(0.34056) | c:\Windows\System32\imagesp1.dll
(0.34697) | c:\Windows\System32\oflc.rs
(0.36592) | c:\Windows\System32\auditpolmsg.dll
(0.36870) | c:\Windows\System32\onexui.dll
(0.38369) | c:\Windows\System32\resmon.exe

As you can see, you won't find many portable executables packed to a density below 0.1 on a healthy Microsoft Windows installation.

Further thinking ...

DensityScout isn't only good for finding malicious executables - it can also be used to find packed or encrypted data containers and the like!

Something completely different: Those of you who are already aware of my investigations regarding "The WOW Effect" should be warned about doing live forensics and analysis on 64-bit Microsoft Windows systems using the 32-bit version of DensityScout (or any other 32-bit based tool). Use the 64-bit version instead! Those of you who do not know what I'm talking about, please do read my paper on the subject at

http://cert.at/downloads/papers/wow_effect_en.html

Outro

I hope that you like DensityScout. Get the latest version for Windows/Linux at

http://cert.at/downloads/software/densityscout_en.html

... or use the one on board REMnux.

If you have any questions or feedback feel free to drop me a line via wojner(at)cert.at