
Binary Padding

Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.

ID: T1009

Tactic: Defense Evasion

Platform: Linux, macOS, Windows

Data Sources: Binary file metadata, File monitoring, Malware reverse engineering

Defense Bypassed: Signature-based detection, Anti-virus

CAPEC ID: CAPEC-572

Version: 1.0

Examples

Name | Description
APT32 | APT32 includes garbage code to mislead anti-malware software and researchers.[1]
BRONZE BUTLER | BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[2]
Comnie | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[3]
CORESHELL | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[4]
Emissary | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.[5]
FinFisher | FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[6][7]
Kwampirs | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[8]
Leviathan | Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[9]
Moafee | Moafee has been known to employ binary padding.[10]
Patchwork | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[11]
XTunnel | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[12]
yty | yty contains junk code in its binary, likely to confuse malware analysts.[13]
ZeroT | ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[14]

Mitigation

Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting tools [15], such as AppLocker [16][17] or Software Restriction Policies [18], where appropriate [19].

Detection

Depending on the method used to pad files, a file-based signature in a scanning or on-access tool may be able to detect the padding itself.

When executed, the process resulting from a padded file may also exhibit other behavioral characteristics of an intrusion, such as system and network information Discovery or Lateral Movement, which could serve as event indicators that point back to the source file.
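The detection note above is deliberately conditional on how the padding was applied. The following added example (written for this page, not MITRE's own code or tooling) shows the two checks a file-based scanner can make cheaply for the trailing-padding cases in the table (BRONZE BUTLER, Comnie, Emissary): the length of the run of identical bytes at the end of the file, and, for PE images, the size of the overlay beyond the last section's raw data. It also hashes only the portion up to the section end, which gives a hash that survives appended padding and so is not evaded the way a whole-file hash is. The thresholds, the section-end parser and the sample PE-shaped buffer are all assumptions constructed here; padding inserted inside the image (the Kwampirs or Patchwork style) is not caught by either check, which is the caveat the page states.

```python
import hashlib
import struct


def _pe_section_end(data: bytes):
    """Return the file offset where the last PE section's raw data ends,
    or None if the buffer does not parse as a PE image. Minimal parser,
    written for this example; it reads only the fields it needs."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # start of COFF file header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size                      # first 40-byte section header
    end = 0
    for i in range(num_sections):
        off = sec_table + i * 40
        if off + 40 > len(data):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end or None


def trailing_run(data: bytes):
    """Length of the run of identical bytes at the end of the buffer, and that byte."""
    if not data:
        return 0, None
    last = data[-1]
    return len(data) - len(data.rstrip(bytes([last]))), last


def analyze(data: bytes, run_threshold: int = 4096, overlay_ratio: float = 0.5) -> dict:
    """Flag a file whose tail is a long run of one byte or whose PE overlay
    dominates the file. Thresholds are assumptions for this example."""
    sec_end = _pe_section_end(data)
    overlay = None if sec_end is None else max(0, len(data) - sec_end)
    # Hash of the image up to the section end: unchanged by appended padding.
    core_sha = None if sec_end is None else hashlib.sha256(data[:sec_end]).hexdigest()
    run_len, run_byte = trailing_run(data)
    reasons = []
    if run_len >= run_threshold:
        reasons.append(f"trailing run of {run_len} bytes of 0x{run_byte:02x}")
    if overlay and overlay / len(data) >= overlay_ratio:
        reasons.append(f"overlay is {overlay} of {len(data)} bytes")
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "section_end": sec_end,
        "overlay_size": overlay,
        "core_sha256": core_sha,
        "trailing_run": run_len,
        "trailing_byte": run_byte,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal, non-executable PE-shaped buffer with one
    section, used only to exercise the parser. Not a real binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # size of a PE32 optional header; left zeroed in this sample
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... , Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + section).ljust(0x200, b"\0")
    body = bytes(range(256)) * 2  # 0x200 bytes standing in for the section's code
    return headers + body


if __name__ == "__main__":
    clean = build_sample_pe()
    padded = clean + b"\x00" * (1 << 20)  # constructed: 1 MiB of appended nulls
    for label, blob in (("clean", clean), ("padded", padded)):
        r = analyze(blob)
        print(label, r["size"], r["overlay_size"], r["trailing_run"], r["suspicious"], r["reasons"])
        print("  sha256     ", r["sha256"])
        print("  core_sha256", r["core_sha256"])
```

On the constructed input the whole-file SHA-256 changes once the nulls are appended, while core_sha256 is identical for both buffers, which is the property a hash-based blocklist needs if it is to keep matching a padded copy. Scanners that refuse files above a size limit should be given the core region rather than skipping the file outright.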

References