The sub-techniques beta is now live! Read the release blog post for more info.

Binary Padding

Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.[1] The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.[2] Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.[3]

ID: T1009
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
Data Sources: Binary file metadata, File monitoring, Malware reverse engineering
Defense Bypassed: Signature-based detection, Anti-virus
Contributors: Martin Jirkal, ESET
Version: 1.1
Created: 31 May 2017
Last Modified: 30 May 2019

Procedure Examples

Name Description

APT32 includes garbage code to mislead anti-malware software and researchers.[1][14]


BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[18]


Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[11]


CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[10]


A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.[5]


FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[8][9]


Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[6]


Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[17]


Moafee has been known to employ binary padding.[16]


Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[15]


SamSam has used garbage code to pad some of its malware components.[13]


A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[7]


yty contains junk code in its binary, likely to confuse malware analysts.[4]


ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[12]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.

When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file.