Network News

X My Profile
View More Activity

Drawing a (Scary) Face On Malicious Software

If the phishing scams, computer viruses and worms that land in our inboxes each day take the form of hostile-looking beasts, we might all want to avoid them like the plague. Such is the vision of Romanian artist Alex Dragulescu, whose stunning renderings of some of the more prevalent nasties out there helps put a menacing face to malware such as "Storm," and "Netsky."

Dragulescu, a research assistant at the Massachusetts Institute of Technology's Sociable Media Group, created his so-called "threat art" in conjunction with live malware intercepted by e-mail security firm MessageLabs. Each is disassembled into a dump of binary code and then run through a program Dragulescu wrote. That program spends a few hours crunching through all the data, looking for patterns in the code that will determine the shape, color and complexity of each piece of threat art.

The artist's imagining of a Storm worm variant. Click on the picture to enlarge.

The configuration of these created organisms is driven largely by their actions. For example, if there is a repeated attempt to write to a system memory address, a particular Windows API call that tries to write to a file or [blast out e-mail], the program tracks that and looks for the prevalence, number and behavior of those occurrences, Dragulescu told Security Fix. "Phishing e-mails tend to take the shape of an organism with many long tentacles and don't really have other shapes. They can even be kind of transparent." It's too bad phishing attacks aren't more transparent; an estimated three to five percent of people who receive phishing e-mails take the bait.

A variant of the Netsky e-mail worm, as rendered by Dragulescu's program. Click on the picture to enlarge.

One particularly fascinating sample of threat art, which Dragulescu created, depicts an e-mail worm sample MessageLabs received that was essentially a version of the Netsky worm that had been infected by Parite, a virus that appends itself to every executable file on a victim's computer. The image to the left shows the artist's conception of the Netsky worm, while below is his programs rendering of Parite glomming onto the Netsky sample that MessageLabs intercepted. MessageLabs's Paul Wood said the Netsky-Parite sample was almost certainly sent from a Windows machine that was infected with both pieces of malware.

A Netsky worm variant infected by the Parite file-infecting virus. Click on the picture to enlarge.

"Sometimes this is the result of an anti-virus product that tries to clean an infection but only removes part of it, leaving some components behind," Wood said.

The threat art is hardly Dragulescu's first foray into helping the world visualize ubiquitous yet faceless computer concepts. Take, for instance, his "spam architecture," or his "spam plants," the latter of which take its form from rules that look at the ASCII values (computer code that represent the English alphabet) of each spam sample.

One of Dragulescu's spam plants. Click on the picture to enlarge.

Like his threat art, most of Dragulescu's spam plants are elegant but vaguely threatening. A spam plant that I found downright cheerful and placid-looking is featured here.

Dragulescu acknowledges that some may be tempted to dismiss his threat art as little more than clever marketing by MessageLabs and a nice way for the student/artist to earn some extra income and recognition. But he says he hopes people can look beyond that.

"It's easy to lose the overall sense that these malicious things have their own characteristics....that they are bad things you don't want," he said. "It's interesting to me to see that they've all got slightly different personalities."

For more of Dragulescu's images, check out his Web site and the MessageLabs threat art page.

By Brian Krebs  |  January 18, 2008; 1:10 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Apple Patches QuickTime, iPhone and iPod Security Holes
Next: Report: 51 Percent Of Malicious Web Sites Are Hacked

Comments

Some years back, I downloaded a British program called ++++ RUBBER DUCKY.++++

Aside from drastically slowing down my computer, if I recall correctly [?] it was suppose to visually warn me of virus and/or spyware on my machine, buy how submerged [?] the RUBBER DUCKY was in a water tank and if it was under the water line, by the pattern of air bubbles from the duck to the surface.

Once I suspected that it might itself be either a hidden virus, or spyware, I got it off my machine, only to have speed restored. I 'think' I was using Windows 95 on a 486 machine, but since then I have wondered why no one else has [I guess] ever bothered to VISUALLY represent either a virus or spyware.

Now that the art work has appeared, might there be a practical application for it along the lines of Rubber Ducky for those of us who do not qualify as website managers for the program you mentioned within the last 2 weeks to check URLs, etc?

Posted by: brucerealtor@gmail.com | January 19, 2008 12:48 AM | Report abuse

awola...should be outlawed by the government because of the damage it causes to most computer users

Posted by: Anonymous | January 19, 2008 1:07 PM | Report abuse

Actually man, Rubber Ducky is a system monitor, in terms of bubbles and water and what not, it simply shows how your system is performing, nothing to do with virus activity.

and why would they ever make a visual monitor? thits silly.

Its more resource heavy and why do you want to monitor viruseS? you want to either keep or remove them... not much else to it.

Having a visual icon to help recognise it, is good, but theres no point in any toher use besides visual recognition.

ps. rubber ducky keeps me entertained at work... lol

Posted by: Master_Scythe | January 20, 2008 11:31 PM | Report abuse

Artwork derived from code is not new (folks were doing it with color-enabled dot matrix printers many years back. But Dragulescu's work is visually interesting and very relevant to current events.

I wonder how "friendly" code will represent itself when rendered through Dragulescu's algorithms.

Posted by: C.B. | January 22, 2008 9:55 AM | Report abuse

This is really very good andvery important stuff; however I am afraid that I need something semi-automatic that I can just click on! I wish I had an apple computer; but am thingking of insstalling FreeBSD or PC-BSD. 'google bought up Green Borders, which encloses one's Browser in a protective shileld or green border, and took it off the Market. Is there some Anti-Trust Violation here? There is an Israeli company which, Trust Wre, which supplys someting very similar to Green Borders. perhaos Congress must be the one to act on theis matter;or cionversly Google was doing a faavor for the National Security Agency, which is behind more that a little of the Malwaare out there. There is a sort of war developing between Muslims and Christians. Professor Jacob Neusner aattempted to head this off, but was under-cut by the trouble makers of the Universit of 'south florida, in 1994, by USF President Betty Castor, and his Seminars canceled after Invitations had gone out to the worlds leading Christian and Muslim Scholars, and they had been accepted. Perhaps former USF President Betty Castor, Tampa Bat Congress Woman Castor, and the USF Bureaucrats, hilosophy and Religion Departments need to be questioned and investigated for their impetus behind their Evil Deeds. Al Queda is heavily recruited those with great computer skills. Qlqueda has plenty of Oil Money, each time you buy from Exxon Mobile, Chevron Texaco, British Petroleum, and Royal Dutch Shell. Boycott these, when possible; they are the ultimate financiers behind Al Queda. Royal Dutch Shell financed the first king Saud, to overthrow the nice great grandfather of the present King of Jordan, who was a nice Hashimite-peaceful descendant of the Prophet Mohammad himself. Will Congresss dare investigate any of this? No, it is too fearful, with good reason. It must first divide the US Oil Industries, the Western Oil Industry from the four big Intetrnationals by passing a constitutional amendment to put a progressive sales tax onl the Importation of Oil, as the first step to a rational oil policy. Otherwise, a rationaly lil policy is impossiible; a united oil industry is too strong to control; Congress must divide and conquer, and favor the Western Domestic Oil Inndustry. or just Give Up!

Posted by: Xeno77777 | January 25, 2008 8:15 PM | Report abuse

hi Skabrewno [url=http://web.skgwu.com/board/8198615.html]Skabrwino[/url] http://web.skgkw.com/board/8198615.html

Posted by: simeksaz | March 23, 2008 3:39 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company