Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Analysis tool for estimating the likelihood that a binary contains compressed or encrypted bytes
This tool is an implementation in Python of Bintropy, an analysis tool presented in this paper in the scope of packing detection based on entropy. It implements both modes of operation and an additional one, respectively on the entire binary, per section or per segment. It uses the entropy values mentioned in the paper for deciding whether the binary contains compressed/encrypted bytes.
It relies on lief
for abstracting either PE, ELF or Mach-O executables. This tool thus supports these three formats.
$ pip install bintropy
$ bintropy --help
Use the -m
/--mode
option.
0
: full binary (default)1
: per section2
: per segmentNote that mode 2 will logically give results very similar to mode 0.
$ bintropy binary
<<< boolean >>>
$ bintropy binary --dot-not-decide
<<< highest block entropy, average block entropy >>>
$ bintropy binary --mode [1|2]
<<< boolean >>>
$ bintropy binary -m [1|2] --do-not-decide
<<< highest block entropy, average block entropy >>>
Use the -b
/--benchmark
option to get one more value, the processing time in seconds.
$ bintropy binary -b
<<< boolean, processing time >>>
$ bintropy binary -b --do-not-decide
<<< highest block entropy, average block entropy, processing time >>>
The reference paper uses 6.677 for the average block entropy and 7.199 for the highest block entropy (obtained by analyzing a dataset of PE files and using the first mode of operation). These values can be overriden with the dedicated options.
$ bintropy binary --threshold-average-entropy 5.678 --threshold-highest-entropy 6.789
[...]
This tool features plot generation for drawing binary's sections and the entropy within.
$ bintropy binary --plot
<<< boolean >>>
Example of generated figures:
You may also like these:
FAQs
Analysis tool for estimating the likelihood that a binary contains compressed or encrypted bytes
We found that bintropy demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.