Entropy and its Significance in Malware Development

The concept of entropy originates from physics, more specifically classical thermodynamics. The concept itself is highly complex. However, as we do not need a thorough understanding of the physical concept, you can think of entropy as disorder, randomness or unpredictability in an information set.

In computer science, entropy denotes the predictability of the byte content of a binary executable.

This is usually measured through Shannon entropy. Shannon entropy is a formula one can use to measure the randomness and unpredictability of data in a file. It is calculated based on the probability distribution of byte values (0-255): for each byte value that occurs, multiply its probability by the base-2 logarithm of that probability, sum the results and negate the sum. The result ranges from 0 bits per byte (every byte identical) to 8 bits per byte (all 256 values equally frequent).
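As an added example (not code from the original page), the following Python computes Shannon entropy over the byte-value distribution exactly as described above, and then applies it per fixed-size window so an analyst can locate the high-entropy regions that packed or encrypted data typically produce. The sample buffer, the 256-byte window size and the 7.0 bits-per-byte flagging threshold are constructed here for illustration and are not values from the page.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte.

    H = -sum(p_i * log2(p_i)) over every byte value i (0-255) that occurs,
    where p_i is the fraction of bytes in `data` equal to i.
    An empty buffer is defined to have entropy 0.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)  # iterating bytes yields ints 0-255
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 256):
    """Entropy of each consecutive window; returns (offset, entropy) pairs.

    The final window may be shorter than `window` if len(data) is not a
    multiple of it. Non-overlapping windows keep the output easy to map
    back to file offsets when triaging a sample.
    """
    return [
        (off, shannon_entropy(data[off:off + window]))
        for off in range(0, len(data), window)
    ]


def high_entropy_regions(data: bytes, threshold: float = 7.0, window: int = 256):
    """Offsets of windows whose entropy meets the threshold.

    7.0 bits/byte is an assumed triage threshold: plain text and ordinary
    machine code usually sit well below it, while compressed, packed or
    encrypted payloads approach the 8.0 maximum.
    """
    return [off for off, h in windowed_entropy(data, window) if h >= threshold]


# Constructed sample: 512 bytes of English-like text followed by 512 bytes
# in which every byte value 0-255 occurs exactly twice (maximal entropy).
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 12)[:512]
UNIFORM = bytes(range(256)) * 2
SAMPLE = TEXT + UNIFORM


if __name__ == "__main__":
    print(f"whole buffer : {shannon_entropy(SAMPLE):.3f} bits/byte")
    for off, h in windowed_entropy(SAMPLE):
        flag = "  <- high entropy" if h >= 7.0 else ""
        print(f"offset {off:5d}: {h:.3f}{flag}")
    print("flagged offsets:", high_entropy_regions(SAMPLE))
```

Running the script reports the text windows at offsets 0 and 256 with moderate entropy and flags the windows at 512 and 768 at the 8.0 maximum. In practice the same function is applied to each section of a PE file, where a section with near-8.0 entropy that is also executable is a strong reason to look closer.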

Introduction

If you’re familiar with the usual shellcode execution techniques, you will know that shellcode typically needs to be run within a thread. A commonality among the different methods is the use of the CreateThread Windows API function, or NtCreateThreadEx when direct syscalls are used. The use of these APIs in combination with functions such as VirtualProtect and VirtualAlloc is a common indicator of compromise.

However, by utilizing fibers, we can achieve the same result with a lower footprint, potentially avoiding detection by Anti-Virus vendors.