Using Visualization to Analyze Malware presented at HITBSecConf Malaysia 2013

by Wes Brown,

Summary: Last year's Supercomputing and Malware talk included visualizations showing the relationships between hosts for a single sample. These graphs were beautiful and helped convey the scale and scope of the data we worked with.
For this year's talk, we're taking that ball and running with it. We'll show how to use visualization to analyze malware at the micro level as well as the macro level. We will show the audience how to generate the visualizations we present, and walk through the proof-of-concept scripts so that attendees can experiment with them.
A sneak preview of some of the things we will be showing:
* Using heatmaps on top of block-level fuzzy hashing data; this allows pinpointing the differences between two similar malware samples, such as Zeus variants.
* Using heatmaps to show entropy at the block level to find encrypted sections in malware. This is useful for locating obfuscated code or, more importantly, the non-encrypted sections that hold the actual unpacker code.
* Even more interestingly, using multiple heatmaps to represent different aspects of the data, such as entropy, PDF streams, and sections, so that a reverse engineer can visually scan through a large number of malware samples.
* Showing the relationship between time and execution in a timeline visualization, to pinpoint events and traffic to particular sites.
* Visualizing the network connections that multiple malware samples make to specific sites, to find relationships between the samples.
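The first two bullets (block-level similarity between variants, and block-level entropy to separate packed payload from the plaintext unpacker stub) rest on the same simple idea: cut the file into fixed-size blocks, compute one number per block, and colour it. The script below is an added example written for this page; it is not the speaker's code or the talk's proof-of-concept scripts. The block size, the ASCII "colour" ramp, the 7.0 bits-per-byte threshold and the constructed "packed sample" are all assumptions, and the similarity strip uses the fraction of byte-for-byte matching positions per block as a stand-in for a fuzzy-hash (ssdeep-style) comparison score, since that is what can run offline without extra libraries.

```python
"""Block-level heat strips for a binary: per-block Shannon entropy, and
per-block similarity between two variants of the same sample.

Added example, not the speaker's own code. Block size, the ASCII ramp and
the constructed 'packed sample' are assumptions. Byte-for-byte block
similarity stands in for a fuzzy-hash comparison score.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 512          # bytes per heatmap cell (assumption; tune to sample size)
RAMP = " .:-=+*#%@"       # ASCII colour ramp, cold (left) to hot (right)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each consecutive block (the last block may be shorter)."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def block_similarities(a: bytes, b: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Per-block fraction of positions where a and b hold the same byte (0.0..1.0).
    A block present in only one of the inputs scores 0.0."""
    nblocks = (max(len(a), len(b)) + block_size - 1) // block_size
    out = []
    for i in range(nblocks):
        x = a[i * block_size:(i + 1) * block_size]
        y = b[i * block_size:(i + 1) * block_size]
        if not x or not y:
            out.append(0.0)
            continue
        matches = sum(1 for p, q in zip(x, y) if p == q)
        out.append(matches / max(len(x), len(y)))
    return out


def heat_char(value: float, vmax: float) -> str:
    """Map a value in [0, vmax] to one ramp character (values above vmax saturate)."""
    idx = min(int(value / vmax * len(RAMP)), len(RAMP) - 1)
    return RAMP[max(idx, 0)]


def render_strip(values, vmax: float, width: int = 64) -> str:
    """One character per block, wrapped at `width` columns, with the byte offset
    of each row's first block in the left margin."""
    rows = []
    for r in range(0, len(values), width):
        cells = "".join(heat_char(v, vmax) for v in values[r:r + width])
        rows.append(f"{r * BLOCK_SIZE:08x} {cells}")
    return "\n".join(rows)


def find_regions(values, threshold: float) -> list:
    """Collapse consecutive blocks into (first_block, last_block_exclusive, above_threshold)."""
    regions = []
    for i, v in enumerate(values):
        hot = v >= threshold
        if regions and regions[-1][2] == hot:
            regions[-1] = (regions[-1][0], i + 1, hot)
        else:
            regions.append((i, i + 1, hot))
    return regions


def build_sample() -> bytes:
    """Constructed stand-in for a packed executable: a plaintext unpacker stub,
    a pseudo-random 'encrypted' payload, then zero-filled slack space."""
    rng = random.Random(1337)
    stub = (b"unpacker stub: decrypt payload then jump\x00" * 25)[:1024]  # low entropy
    payload = bytes(rng.getrandbits(8) for _ in range(8192))              # near 8 bits/byte
    slack = b"\x00" * 1024                                                 # zero entropy
    return stub + payload + slack


def build_variant(base: bytes) -> bytes:
    """Constructed 'variant' of the sample: identical except for 60 patched bytes
    inside block 1, the way a rebuilt config string in a new build would look."""
    v = bytearray(base)
    v[640:700] = b"X" * 60
    return bytes(v)


if __name__ == "__main__":
    a = build_sample()
    b = build_variant(a)
    ents = block_entropies(a)
    print("entropy (hot = high):")
    print(render_strip(ents, 8.0))
    for start, end, hot in find_regions(ents, 7.0):
        kind = "high entropy: packed/encrypted?" if hot else "low entropy: stub code, strings or padding"
        print(f"  blocks {start}-{end - 1} @ 0x{start * BLOCK_SIZE:x}: {kind}")
    diffs = [1.0 - s for s in block_similarities(a, b)]
    print("difference vs variant (hot = changed; saturates at 25% of bytes changed):")
    print(render_strip(diffs, 0.25))
```

Reading the strips: the unpacker stub shows up as a short cool run before a long hot run of payload, and the trailing zero slack is blank; the low-entropy region at the front is where to start disassembling. The difference strip against the variant lights up only the block holding the patched bytes, which is the same effect the talk gets from fuzzy-hash heatmaps on real Zeus variants, without the fuzzy hashing.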