Slashdot Mirror


Researcher's Tool Maps Malware In Elegant 3D Model

Sparrowvsrevolution writes "At the Shmoocon security conference later this month, Danny Quist plans to demo a new three-dimensional version of a tool he's created called Visualization of Executables for Reversing and Analysis, or VERA, that maps viruses' and worms' code into intuitively visible models. Quist, who teaches government and corporate students the art of reverse engineering at Los Alamos National Labs, says he hopes VERA will make the process of taking apart and understanding malware's functionality far easier. VERA observes malware running in a virtual sandbox and identifies the basic blocks of commands it executes. Then those chunks of instructions are color-coded by their function and linked by the order of the malware's operations, like a giant, 3D flow chart. Quist provides a sample video showing a model of a section of the Koobface worm."

36 comments

  1. 3D visualisation by Mannfred · · Score: 4, Insightful

    We rolled our eyes at Jurassic Park's representation of a "Unix system" back in 1993 (the directory hierarchy was basically a bunch of 3D boxes you could fly around), but here we are 20 years later looking at a code analyser which represents the information as... a bunch of 3D boxes you can fly around :-)

    1. Re:3D visualisation by Rizimar · · Score: 5, Informative

      Only that "representation" in Jurassic Park was an actual application called File System Navigator.

    2. Re:3D visualisation by Anonymous Coward · · Score: 0

      We rolled our eyes at Jurassic Park's representation of a "Unix system" back in 1993 (the directory hierarchy was basically a bunch of 3D boxes you could fly around)

      Then you may be surprised to learn that custom 3D interfaces like that are not (and were not) uncommon. Hammond is exactly the kind of rich intelligent fool that would want one. I've had the unfortunate experience of having to work on not one, but two vanity programs of this type. Think MS Bob, but in 3D.

      The kid's "This is Unix!" exclamation makes a lot more sense once you realize this.

    3. Re:3D visualisation by dr_blurb · · Score: 2

      There's an open source port called File System Visualizer.
      Here are some (possibly outdated) compilation instructions.

    4. Re:3D visualisation by buchner.johannes · · Score: 2

      We rolled our eyes at Jurassic Park's representation of a "Unix system" back in 1993 (the directory hierarchy was basically a bunch of 3D boxes you could fly around), but here we are 20 years later looking at a code analyser which represents the information as... a bunch of 3D boxes you can fly around :-)

      I know this!

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    5. Re:3D visualisation by sourcerror · · Score: 2

      This is the reason why when I first used Unix (Solaris) in a comp sci lab, I was pretty disappointed.

    6. Re:3D visualisation by Stenchwarrior · · Score: 1

      Are you sure they didn't just hack the Gibson?

    7. Re:3D visualisation by thegarbz · · Score: 1

      We rolled our eyes because it was 3D for 3D's sake. The interface was not intuitive and the information it provided wasn't immediately obvious or useful. Navigating an interface in 3D is often a horrendous and complicated waste.

      Representing 3D information on the other hand is not. I use a utility very similar to the app used in Jurassic Park to identify what is taking up hard disk space. Instantly seeing the relative sizes of directories in 2D or 3D is much more intuitive than reading and comparing numbers on the screen. Just like the good old graph, it all comes down to what information you can get out of the graphic.

      A picture tells 1000 words, but it can also just be a garbage picture.

  2. Groovy by Anonymous Coward · · Score: 0

    Funky map needs a legend.

  3. More general tool? by bughunter · · Score: 3, Insightful

    Interesting idea. It also looks like a potentially useful method for reverse engineering any code... not just trojans and worms.

    --
    I can see the fnords!
    1. Re:More general tool? by vikingpower · · Score: 2

      That is what I thought. Underpinning the whole of it by an easy-to-grasp and agreed-upon formalism ( the 3D equivalent of UML ? ) would be a next step, I presume.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  4. Obligatory XKCD by Anonymous Coward · · Score: 3, Informative

    Here you go, as always xkcd is relevant: http://xkcd.com/350/

    1. Re:Obligatory XKCD by Anonymous Coward · · Score: 0

      Here you go, as always xkcd is relevant: http://xkcd.com/350/

      It also seems that XKCD got closer to a practical solution by flattening the display to 2D and using color to represent the 3rd+ dimension(s). Go XKCD.

  5. expert programmers organically visualize... by somethingtoremember · · Score: 1

    ... in their own heads, it's what makes them expert programmers

  6. Re:Looks like letters by Anonymous Coward · · Score: 0

    What operating system does this malware run on?

  7. Looks useful for any code by Omnifarious · · Score: 1

    So much of modern software engineering is basically reverse engineering something someone else wrote who's no longer around. This could be an incredibly useful tool for just about anybody doing software work.

    1. Re:Looks useful for any code by Anonymous Coward · · Score: 0

      Until reverse engineering in any form gets made illegal at the behest of Hollywood, Microsoft and thousands of other companies.
      I'm sure an amendment to the DMCA won't be far away to specifically make it illegal and punishable by a long stretch in federal pokey.

    2. Re:Looks useful for any code by Anonymous Coward · · Score: 0

      You can combat that with... wait for it... Free software.

      Release the sourcecode for anything you write under whatever Free or Free-ish licensing model you choose. That's what I do and I get more value back in interested people writing plugins and improving my own code than I "lose" in releasing it in the first place.

  8. Polymorphic code by fa2k · · Score: 1

    This will probably not work for polymorphic viruses that rewrite their own code to avoid detection.

    1. Re:Polymorphic code by TheLink · · Score: 1

      Probably depends on how polymorphic they are. That said, I've always wondered how these AV/antimalware researchers and software would do in detecting malware written in Perl; TIMTOWTDI and all that... ;)

      FWIW I personally think that malware detection is the wrong approach for protecting against malware.

      Because in theory the problem of malware detection is actually harder than solving the "halting problem" (which in theory is impossible).

      Think about it: the halting problem can be stated as follows (from wiki):

      Given a description of a computer program, decide whether the program finishes running or continues to run forever. This is equivalent to the problem of deciding, given a program and an input, whether the program will eventually halt when run with that input, or will run forever.

      The malware detection problem is:

      Given a computer program without a description, without the full inputs (or possibly even the full program - it could fetch more instructions from the Internet), determine whether the program is malware or not.

      So if the "halting problem" is unsolvable in theory, then so is the malware detection problem in theory :). Of course in practice, you might be able to solve some cases.

      However IMO the better approach would be to use more and better sandboxing. Sandboxing would be the equivalent of avoiding the halting problem by actually limiting the amount of time the program gets to run.

      Even if the program politely requests a sandbox it could still be OK, since the program is giving a hint upfront of the limits of what it could possibly do. Of course if almost every program says it needs "unlimited access/time" then so much for that ;). But Microsoft and Apple may have the clout to smack down developers who do that.

    2. Re:Polymorphic code by dannyquist · · Score: 1

      Hi, Danny Quist here. I wrote VERA and was interviewed in that article. In that example it was polymorphic. The red nodes are the unpacker, and the yellow code represents the unpacked, polymorphic area of the virus.
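
An added example (not VERA's code, and not from the story summary or Danny Quist's comment above) of the pipeline the summary describes and the red/yellow split Quist mentions: a block-level sandbox trace is turned into a colour-coded transition graph in which repeated edges carry their counts. The trace format, the addresses and the heuristic that a block is "unpacked" when it runs from memory the program itself wrote earlier are assumptions for illustration; VERA's own labelling rules may differ.

```python
from collections import Counter
# Constructed block-level trace of the kind a sandbox hypervisor records:
# ("exec", start) when a basic block begins executing, ("write", lo, hi)
# when the program writes to memory [lo, hi). Addresses are made up.
TRACE = [
    ("exec", 0x401000),             # entry point of the packed binary
    ("exec", 0x401020),             # unpacker loop decoding the payload
    ("write", 0x405000, 0x405040),
    ("exec", 0x401020),
    ("write", 0x405040, 0x405080),
    ("exec", 0x401020),
    ("write", 0x405080, 0x4050c0),
    ("exec", 0x401040),             # tail jump into the decoded payload
    ("exec", 0x405000),             # first block of the unpacked code
    ("exec", 0x405030),
    ("exec", 0x405080),
]

def build_graph(trace):
    """Map each block to 'unpacker' or 'unpacked' and count block transitions."""
    written, labels, edges, prev = [], {}, Counter(), None
    for ev in trace:
        if ev[0] == "write":
            written.append((ev[1], ev[2]))
            continue
        addr = ev[1]
        if addr not in labels:
            # Code executed from memory the program itself wrote earlier is
            # dynamically generated; the rest belongs to the original image.
            dyn = any(lo <= addr < hi for lo, hi in written)
            labels[addr] = "unpacked" if dyn else "unpacker"
        if prev is not None:
            edges[(prev, addr)] += 1
        prev = addr
    return labels, dict(edges)

COLORS = {"unpacker": "red", "unpacked": "yellow"}

def to_dot(labels, edges):
    """Render the graph as Graphviz DOT: nodes coloured by label, edges by count."""
    out = ["digraph trace {"]
    for addr, lab in sorted(labels.items()):
        out.append(f'  "{addr:#x}" [style=filled, fillcolor={COLORS[lab]}];')
    for (src, dst), n in sorted(edges.items()):
        out.append(f'  "{src:#x}" -> "{dst:#x}" [label="{n}"];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_dot(*build_graph(TRACE)))
```

Feeding the DOT output to Graphviz gives the 2D flat version of the picture the summary describes; the self-loop on the unpacker block is what makes an unpacking loop stand out from straight-line code.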

  9. "Researcher's Tool Maps Malware In Elegant 3D Mode by mapkinase · · Score: 1

    "Researcher's Tool Maps Malware In Elegant 3D Model"

    Find a word in this sentence that does not belong. One attempt.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  10. Re:"Researcher's Tool Maps Malware In Elegant 3D M by Anonymous Coward · · Score: 0

    Elegant

  11. IDA Pro anyone? by Anonymous Coward · · Score: 0

    Having watched the video, I highly doubt that this "visualization" is of much practical use. It may look nice, but it doesn't contain much useful information. There are already disassemblers which can visualize code in a 2D graph which is much more useful than this.

  12. intuitive by Anonymous Coward · · Score: 0

    A word one should never use when reporting on a human factors experiment.

  13. then of course there was Doom process navigator by decora · · Score: 1

    Doom as an Interface for Process Management

    http://www.cs.unm.edu/~dlchao/flake/doom/chi/chi.html


    1. Re:then of course there was Doom process navigator by Anonymous Coward · · Score: 0

      This is Doom!

      I KNOW this!

  14. Beautiful? by Stenchwarrior · · Score: 1

    I guess this is one of those "beauty is in the eye of the beholder" things or whatever, but beautiful is probably not the term I would use to describe these models. They look like wire-frames for a new Pixar character. Perhaps we just didn't get to see the rendered results?

  15. Re:"Researcher's Tool Maps Malware In Elegant 3D M by VortexCortex · · Score: 1

    Malware.

  16. Re:"Researcher's Tool Maps Malware In Elegant 3D M by mapkinase · · Score: 1

    Correct answer is "Elegant".

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  17. Looks Mysteriously like DNA Code by retroworks · · Score: 1

    And is it any coincidence that a new 3D Replicator has been introduced at CES? http://tinyurl.com/8yoby4j I think not. Code was the conception. Malware is coming manifest in a hardware form. Isn't that how Terminator started?

    --
    Gently reply
  18. It's a joke. Chill by sgt+scrub · · Score: 1

    I tried doing that but always came up with the same image. :P

    --
    Having to work for a living is the root of all evil.
  19. Danny Quist by Anonymous Coward · · Score: 0

    He's a pretty big deal

  20. is that UbiGraph? by a5an0 · · Score: 0