Nytro

DensityScout


Posted

DensityScout

This tool calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows driven machine.

Download latest Windows version

Download latest Linux version

Author

Christian Wojner

Language

English

License

ISCL

Releases   Changes             Windows   Linux   Mac
Build 43   Important bugfixes                    x
Build 42   -                                     x

Description

DensityScout is a tool that has been written for one purpose: finding (possibly unknown) malware on a potentially infected system. To do so, it takes advantage of the typical approach of malware authors of protecting their "products" with obfuscation such as run-time packing and encryption. The tool itself is based on the concept of our Bytehist tool.

So what does DensityScout do?

DensityScout's main focus is to scan a desired file-system path, calculating the density of each file, and finally print out a list ordered by density in descending order. Most Microsoft Windows executables are not packed or encrypted in any way, so the hits for malicious executables end up at the top of the list, where one can easily focus on them.

What's Density?

Density can also be understood as "entropy". However, the algorithm behind density is not 100% equal to the one entropy is based on, so we decided to choose a different name.

Further thinking ...

DensityScout isn't only good for finding malicious executables - it can also be used to find packed or encrypted data containers and the like!

Be aware!

For those who are already aware of our investigations regarding "The WOW Effect": be warned about doing live forensics and analysis on 64-bit Microsoft Windows systems using the 32-bit version of DensityScout (or any other 32-bit based tool). Use the 64-bit version instead! Those of you who do not know exactly what this means, please read our corresponding paper.

Source: https://cert.at/downloads/software/densityscout_en.html
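As an added illustration (not DensityScout's own code; the tool's exact density formula is not given on the page, so plain Shannon entropy stands in for it), a small Python scanner that scores every executable under a path and lists them highest-first, the way the description above says DensityScout orders its output. The sample files it builds are constructed for the demo.

```python
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 max.
    Assumption: used here as a stand-in for DensityScout's 'density' score."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_path(root: str, suffixes=(".exe", ".dll", ".sys")) -> list[tuple[float, str]]:
    """Walk root, score each executable, return (score, path) sorted descending."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results.append((shannon_entropy(fh.read()), path))
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
    results.sort(key=lambda item: item[0], reverse=True)
    return results


def demo() -> list[str]:
    """Constructed sample tree: a plain text-heavy 'executable', a zero-padded
    DLL, and pseudo-random bytes standing in for a packed/encrypted binary.
    Returns the file names in the order the scanner ranks them."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "plain.exe"), "wb") as fh:
        fh.write(b"MZ" + b"This program cannot be run in DOS mode." * 64)
    with open(os.path.join(root, "padded.dll"), "wb") as fh:
        fh.write(b"\x00" * 4096)
    rng = random.Random(1)  # fixed seed so the demo is reproducible
    with open(os.path.join(root, "packed.exe"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(8192)))
    ranked = scan_path(root)
    for score, path in ranked:
        print(f"({score:.4f}) {path}")
    return [os.path.basename(p) for _, p in ranked]


if __name__ == "__main__":
    demo()
```

The pseudo-random file lands at the top of the list, which is exactly the signal the tool relies on: packed or encrypted content is dense, ordinary Windows binaries are not.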
