Keypoints:
- Binary padding appends junk data to executables to alter file size and checksum without changing runtime behavior.
- Padding can defeat hash-based blocklists and static antivirus signatures by changing known file hashes.
- Padding may be added to file ends or specific sections using functions that generate random or structured filler bytes.
- Large padded files can bypass scanners with file-size limits or degrade performance of on-access scanning engines.
- Detection often requires file metadata analysis, size heuristics, and correlating runtime behaviors like discovery or lateral movement.
Description:
- Like stuffing a harmless-looking suitcase with heavy, meaningless items to avoid weight checks, binary padding bloats a file so it looks different while hiding the same malicious contents.
- Attackers append junk data or enlarge sections of a binary to change its checksum and on-disk fingerprint, enabling evasion of hash-based blocklists and some static scanners; it matters because it reduces detection likelihood and can keep samples out of analysis pipelines that impose size limits.
Detection:
- Monitor file-size anomalies by baselining sizes per file type and flagging sudden large increases for known binaries, using filesystem metadata and SIEM alerts.
- Use multi-hash and fuzzy hashing (ssdeep, sdhash) to detect modified binaries despite altered checksums; compare against known-good baselines.
- Inspect PE/ELF/Mach-O section headers and virtual sizes; flag unusually large padding at section ends or nonstandard section names with file-parsing tools (e.g., pefile, readelf, otool).
- Enable deep scanning for large files on dedicated analysis nodes or sandbox solutions; configure AV/sandbox to accept larger files or route oversized samples to offline scanners.
- Correlate execution telemetry (process parent/child chains, cmdline anomalies, network connections, credential access attempts) to identify padded files used in active intrusions.
- Account for the file-size limits of public scanning services in ingestion and triage rules; capture copies of oversized samples before they are uploaded, and maintain an internal repository of large artifacts for analysis.
- Expect false positives from legitimately large installers or packed installers; reduce noise by whitelisting known vendor signatures and combining size checks with structural anomalies and behavioral indicators.
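The structural check above (inspecting section headers and flagging padding appended past the last section) can be implemented without a third-party PE parser. The following is an added example, not part of the ATT&CK entry or any vendor tool: it reads the COFF and section headers of a PE file with `struct`, measures the overlay (bytes past the end of the last section's raw data, which is where end-of-file padding lands), characterizes the filler as repeated-byte, random-looking or structured, and combines that with a size-growth check against a baseline. The sample binary, the thresholds (`size_factor`, `overlay_ratio`) and the filler-class cutoffs are assumptions chosen for illustration; the constructed PE has valid headers but is not a loadable program.

```python
import math
import random
import struct
from collections import Counter

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_overlay_size(data: bytes) -> int:
    """Bytes past the end of the last section's raw data (the 'overlay').

    The loader never maps the overlay, so appended padding lives entirely here.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + COFF_HEADER_SIZE + size_of_optional
    image_end = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        # Name(8) is skipped; then VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        image_end = max(image_end, raw_ptr + raw_size)
    return max(0, len(data) - image_end)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 for a single repeated value, ~8.0 for uniform random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_filler(buf: bytes) -> str:
    """Assumed cutoffs: >90% one byte value = repeated-byte, entropy >7.5 = random-looking."""
    if not buf:
        return "none"
    dominant = Counter(buf).most_common(1)[0][1] / len(buf)
    if dominant > 0.9:
        return "repeated-byte"
    if shannon_entropy(buf) > 7.5:
        return "random-looking"
    return "structured"


def assess_padding(data: bytes, baseline_size: int,
                   size_factor: float = 4.0, overlay_ratio: float = 0.5) -> dict:
    """Flag a file whose overlay dominates it or whose size far exceeds the known baseline."""
    overlay = pe_overlay_size(data)
    ratio = overlay / len(data)
    growth = len(data) / baseline_size
    filler = classify_filler(data[len(data) - overlay:]) if overlay else "none"
    return {
        "size": len(data),
        "overlay_bytes": overlay,
        "overlay_ratio": round(ratio, 3),
        "growth_vs_baseline": round(growth, 2),
        "filler": filler,
        "flagged": ratio > overlay_ratio or growth > size_factor,
    }


def build_minimal_pe() -> bytes:
    """Constructed sample: header-only PE32 with one .text section, 0x400 bytes, no overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section, 224-byte optional hdr
    optional = struct.pack("<H", 0x10B) + b"\0" * 222               # PE32 magic, rest zeroed
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += b"\0" * (0x200 - len(headers))                      # align to first section
    return headers + b"\xC3" * 0x200                                # section body: 'ret' bytes


def random_filler(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random filler so the demo is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    clean = build_minimal_pe()
    for label, sample in [("clean", clean),
                          ("zero-padded", clean + b"\0" * (2 * 1024 * 1024)),
                          ("random-padded", clean + random_filler(64 * 1024)),
                          ("pattern-padded", clean + b"ABCD" * 16384)]:
        print(label, assess_padding(sample, baseline_size=len(clean)))
```

On real files the same functions apply to bytes read from disk; a legitimate installer with a large overlay (self-extracting archives keep their payload there) will also score high on `overlay_ratio`, which is why the entry recommends combining this check with vendor signatures and behavioral telemetry rather than alerting on size alone.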
Tactics:
Defense Evasion
Platforms:
Linux, Windows, macOS
Data Sources:
File: File Metadata
Relationship Citations:
(Citation: emotet_trendmicro_mar2023), (Citation: Palo Alto Comnie), (Citation: Group IB GrimAgent July 2021), (Citation: Securelist Brazilian Banking Malware July 2020), (Citation: Haq 2014), (Citation: Secureworks BRONZE BUTLER Oct 2017), (Citation: Carbon Black HotCroissant April 2020), (Citation: Morphisec Snip3 May 2021), (Citation: Group IB Ransomware September 2020), (Citation: Talos Bisonal Mar 2020), (Citation: Symantec Orangeworm April 2018), (Citation: Cisco Akira Ransomware OCT 2024), (Citation: Check Point Black Basta October 2022), (Citation: Zscaler Higaisa 2020), (Citation: Mandiant ROADSWEEP August 2022), (Citation: Proofpoint Leviathan Oct 2017), (Citation: Emissary Trojan Feb 2016), (Citation: Trend Micro Tick November 2019), (Citation: ESET Grandoreiro April 2020), (Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020), (Citation: SentinelOne NobleBaron June 2021), (Citation: Elastic Latrodectus May 2024), (Citation: Cybereason Cobalt Kitty 2017), (Citation: BlackBerry CostaRicto November 2020), (Citation: Huntress LightSpy macOS 2024), (Citation: TrendMicro Patchwork Dec 2017), (Citation: Trend Micro Qakbot May 2020)