Researcher's Tool Maps Malware In Elegant 3D Model
Sparrowvsrevolution writes "At the Shmoocon security conference later this month, Danny Quist plans to demo a new three-dimensional version of a tool he's created called Visualization of Executables for Reversing and Analysis, or VERA, that maps viruses' and worms' code into intuitively visible models. Quist, who teaches government and corporate students the art of reverse engineering at Los Alamos National Labs, says he hopes VERA will make the process of taking apart and understanding malware's functionality far easier. VERA observes malware running in a virtual sandbox and identifies the basic blocks of commands it executes. Then those chunks of instructions are color-coded by their function and linked by the order of the malware's operations, like a giant, 3D flow chart. Quist provides a sample video showing a model of a section of the Koobface worm."
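The summary describes VERA's pipeline only in outline: record what the sample executes in a sandbox, cut the recorded instruction stream into basic blocks, label each block, and link the blocks in execution order. As an added illustration of that trace-to-graph step, here is a hypothetical Python sketch that is not VERA's code and not from the article. It assumes the trace arrives as (address, mnemonic, instruction size) tuples in execution order; the addresses, mnemonics and the tiny loop they model are constructed for the example, and the "kind" labels are a stand-in for whatever functional colour coding the real tool uses.

```python
"""Recover basic blocks and an execution-order graph from a dynamic trace.

Hypothetical, simplified sketch added as an example; not VERA's code.
Assumes a trace captured as (address, mnemonic, size) tuples in the
order the instructions executed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Mnemonics that terminate a basic block (small x86 subset; an assumption).
CONTROL_TRANSFER = {"jmp", "je", "jne", "jz", "jnz", "jl", "jg", "call", "ret"}

# Constructed trace: a loop headed at 0x1005 that calls a helper at 0x2000
# on two iterations, then takes the exit branch to 0x1018.
SAMPLE_TRACE = [
    (0x1000, "mov", 3), (0x1003, "xor", 2),
    (0x1005, "cmp", 3), (0x1008, "je", 2),
    (0x100a, "call", 5), (0x2000, "mov", 3), (0x2003, "ret", 1),
    (0x100f, "inc", 1), (0x1010, "jmp", 2),
    (0x1005, "cmp", 3), (0x1008, "je", 2),
    (0x100a, "call", 5), (0x2000, "mov", 3), (0x2003, "ret", 1),
    (0x100f, "inc", 1), (0x1010, "jmp", 2),
    (0x1005, "cmp", 3), (0x1008, "je", 2),
    (0x1018, "ret", 1),
]


@dataclass
class Block:
    start: int
    instrs: list = field(default_factory=list)  # (address, mnemonic)

    def kind(self) -> str:
        """Crude functional label standing in for a colour code (assumption)."""
        mnems = {m for _, m in self.instrs}
        if "call" in mnems:
            return "call"
        if "ret" in mnems:
            return "return"
        if mnems & CONTROL_TRANSFER:
            return "branch"
        return "straight"


def find_leaders(trace):
    """Block starts: the first instruction executed, plus every instruction
    reached right after a control transfer or a non-fall-through step."""
    if not trace:
        return set()
    leaders = {trace[0][0]}
    for (addr, mnem, size), (nxt, _, _) in zip(trace, trace[1:]):
        if mnem in CONTROL_TRANSFER or nxt != addr + size:
            leaders.add(nxt)
    return leaders


def build_graph(trace):
    """Split the trace into blocks; edges count how often each transition ran,
    and counts tells you which blocks re-executed (loop bodies)."""
    leaders = find_leaders(trace)
    blocks = {}
    recorded = set()  # instruction addresses already attached to a block
    order = []        # block start addresses in execution order
    current = None
    for addr, mnem, _ in trace:
        if addr in leaders:
            current = addr
            blocks.setdefault(addr, Block(addr))
            order.append(addr)
        if addr not in recorded:
            blocks[current].instrs.append((addr, mnem))
            recorded.add(addr)
    edges = Counter(zip(order, order[1:]))
    counts = Counter(order)
    return blocks, edges, counts


def to_dot(blocks, edges):
    """Graphviz DOT text: one node per block, edges labelled with hit counts."""
    lines = ["digraph trace {"]
    for start, blk in sorted(blocks.items()):
        body = "\\n".join(f"{a:#x} {m}" for a, m in blk.instrs)
        lines.append(f'  "{start:#x}" [label="{body}", group="{blk.kind()}"];')
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src:#x}" -> "{dst:#x}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    blocks, edges, counts = build_graph(SAMPLE_TRACE)
    print(to_dot(blocks, edges))
```

Leaders are computed over the whole trace before any block is filled, so a later iteration that lands in the middle of a region first seen as one straight run still splits it consistently. Feeding the DOT output to `dot -Tpng` gives the 2D version of the "giant flow chart" the summary describes; the edge counts are what distinguish a loop body from code that ran once.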
3D visualisation (Score:4, Insightful)
Re:3D visualisation (Score:5, Informative)
Re: (Score:2)
Here are some (possibly outdated) compilation instructions [patrickmin.com].
then of course there was Doom process navigator (Score:2)
Doom as an Interface for Process Management
http://www.cs.unm.edu/~dlchao/flake/doom/chi/chi.html [unm.edu]
Re: (Score:3)
This is the reason why when I first used Unix (Solaris) in a comp sci lab, I was pretty disappointed.
Re: (Score:3)
We rolled our eyes at Jurassic Park's representation of a "Unix system" back in 1993 (the directory hierarchy was basically a bunch of 3D boxes you could fly around), but here we are 20 years later looking at a code analyser which represents the information as.. a bunch of 3D boxes you can fly around :-)
I know this!
Re: (Score:2)
We rolled our eyes because it was 3D for 3D's sake. The interface was not intuitive and the information it provided wasn't immediately obvious or useful. Navigating an interface in 3D is often a horrendous and complicated waste.
Representing 3D information on the other hand is not. I use a utility very similar to the app used in Jurassic Park to identify what is taking up harddisk space. Instantly seeing the relative sizes of directories in 2D or 3D is much more intuitive than reading and comparing numbers o
More general tool? (Score:3, Insightful)
Interesting idea. It also looks like a potentially useful method for reverse engineering any code... not just trojans and worms.
Obligatory XKCD (Score:3, Informative)
Here you go, as always xkcd is relevant: http://xkcd.com/350/
expert programmers organically visualize... (Score:1)
Looks useful for any code (Score:2)
So much of modern software engineering is basically reverse engineering something someone else wrote who's no longer around. This could be an incredibly useful tool for just about anybody doing software work.
Polymorphic code (Score:1)
Re: (Score:2)
Probably depends on how polymorphic they are. That said, I've always wondered how these AV/antimalware researchers and software would do in detecting malware written in Perl (TIMTOWTDI and all that...) ;)
FWIW I personally think that malware detection is the wrong approach for protecting against malware.
Because in theory the problem of malware detection is actually harder than solving the "halting problem" (which in theory is impossible).
Think about it: the halting problem can be stated as follows (from wiki):
Given a description of a computer program, decide whether the program finishes running or continues to run forever. This is equivalent to the problem of deciding, given a program and an input, whether the program will eventually halt when run with that input, or will run forever.
T
"Researcher's Tool Maps Malware In Elegant 3D Mode (Score:2)
"Researcher's Tool Maps Malware In Elegant 3D Model"
Find a word in this sentence that does not belong. One attempt.
Re: (Score:2)
Correct answer is "Elegant".
Beautiful? (Score:2)
Looks Mysteriously like DNA Code (Score:2)
It's a joke. Chill (Score:2)
I tried doing that but always came up with the same image [microsoft.com]. :P