Researcher’s Tool Maps Malware In Beautiful 3D Models

Quist’s VERA visualization software showing a key section of the Koobface worm.

Security researchers face a tough problem: Computer viruses, unlike their biological counterparts, can’t be seen under a microscope. Even common reverse engineering tools merely render malware as thousands of lines of garbled text more legible to machine than man.

Now one researcher hopes to show the malware that plagues PCs in all its evil elegance. At the Shmoocon security conference later this month, Danny Quist plans to demo a new three-dimensional version of a tool he’s created called Visualization of Executables for Reversing and Analysis, or VERA, that maps viruses’ and worms’ code into intuitively visible models.

Quist, who teaches government and corporate students the art of reverse engineering at Los Alamos National Labs, says he hopes VERA will make the process of taking apart and understanding malware’s functionality far easier. “One of the problems when you’re reverse engineering is that you’re looking for a needle in a stack of needles. The process is arduous,” he says. “A few little visual hints can lead you there. Branches, heavy loops, those kinds of things allow you to hone in and see what’s interesting.”

To graph a malware file, VERA observes the software running in a virtual sandbox and identifies the basic blocks of commands it executes. Those chunks of instructions are then color-coded by their function and linked in the order of the malware’s operations, like a giant, highly complex flow chart. VERA spaces apart blocks of code that aren’t connected, so that the malware forms elegant branching shapes instead of clumping together.
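As an added illustration (not VERA’s own code), the following Python sketches the pipeline described above: split a recorded instruction trace into basic blocks, weight the links between blocks by how often they ran, tag each block by its function, and emit a Graphviz graph in which heavy loops stand out. The trace, its addresses and the color palette are constructed for the example.

```python
from collections import Counter

# Constructed trace (address, instruction, ends_block) as a sandbox tracer might
# log it. Illustration only, not VERA's code; addresses and code are made up.
TRACE = [
    (0x1000, "push ebp", False), (0x1001, "mov ebp, esp", False),
    (0x1004, "cmp eax, 0", False), (0x1007, "jne 0x1010", True),
] + [
    (0x1010, "call 0x2000", True), (0x2000, "mov eax, 1", False),
    (0x2003, "ret", True), (0x1015, "dec ecx", False), (0x1016, "jnz 0x1010", True),
] * 3 + [(0x1018, "ret", True)]
PALETTE = {"loop": "red", "call": "orange", "return": "blue", "flow": "gray"}

def split_blocks(trace):
    """Blocks start after each control transfer and end at the next one."""
    executed, blocks, current, record = [], {}, None, False
    for addr, insn, ends_block in trace:
        if current is None:                     # entering a block
            current, record = addr, addr not in blocks
            blocks.setdefault(addr, [])
            executed.append(addr)               # start addresses in run order
        if record:                              # store a block body only once
            blocks[current].append(insn)
        if ends_block:
            current = None
    return executed, blocks

def build_edges(executed):
    """Edge (src, dst) weighted by how often dst ran right after src."""
    return Counter(zip(executed, executed[1:]))

def classify_blocks(blocks, edges):
    """Color category per block: call site, return, loop latch (backward edge), or flow."""
    colours = {}
    for start, insns in blocks.items():
        op = insns[-1].split()[0]
        back = any(src == start and dst < start for src, dst in edges)
        colours[start] = {"call": "call", "ret": "return"}.get(op, "loop" if back else "flow")
    return colours

def to_dot(blocks, edges, colours):
    """Graphviz DOT: nodes filled by category, edge width = run count."""
    out = ["digraph trace {"]
    for start, insns in blocks.items():
        out.append(f'  n{start:x} [label="{start:#x} {insns[0]}", style=filled, fillcolor={PALETTE[colours[start]]}];')
    for (src, dst), n in edges.items():
        out.append(f"  n{src:x} -> n{dst:x} [penwidth={n}, label={n}];")
    return "\n".join(out + ["}"])
```

Piping the output of `to_dot` into `dot -Tpng` renders the loop latch in red with its thick repeated edges, which is the visual hint the paragraph describes.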

In the video below, for instance, VERA maps a section of the Koobface worm that has spread through social networking sites since late 2008. The “beach ball” shape that the video zooms in to show, Quist says, represents the commands the worm uses at the moment of infecting the computer’s hard drive.

A higher resolution video can be seen here.

Quist plans to reveal more about the details of his 3D modeling technique and to release the free software to the public at the Shmoocon security conference in Washington, DC.

One of his earlier papers, which explains the mechanics of malware modeling and even surveys the software’s users for their feedback, is below.


Article source: http://www.forbes.com/sites/andygreenberg/2012/01/12/researchers-tool-maps-malware-in-beautiful-3d-models/
