Drawing a (Scary) Face On Malicious Software
If the phishing scams, computer viruses and worms that land in our inboxes each day take the form of hostile-looking beasts, we might all want to avoid them like the plague. Such is the vision of Romanian artist Alex Dragulescu, whose stunning renderings of some of the more prevalent nasties out there helps put a menacing face to malware such as "Storm," and "Netsky."
Dragulescu, a research assistant at the Massachusetts Institute of Technology's Sociable Media Group, created his so-called "threat art" in conjunction with live malware intercepted by e-mail security firm MessageLabs. Each is disassembled into a dump of binary code and then run through a program Dragulescu wrote. That program spends a few hours crunching through all the data, looking for patterns in the code that will determine the shape, color and complexity of each piece of threat art.
The configuration of these created organisms is driven largely by their actions. For example, if there is a repeated attempt to write to a system memory address, a particular Windows API call that tries to write to a file or [blast out e-mail], the program tracks that and looks for the prevalence, number and behavior of those occurrences, Dragulescu told Security Fix. "Phishing e-mails tend to take the shape of an organism with many long tentacles and don't really have other shapes. They can even be kind of transparent." It's too bad phishing attacks aren't more transparent; an estimated three to five percent of people who receive phishing e-mails take the bait.
One particularly fascinating sample of threat art, which Dragulescu created, depicts an e-mail worm sample MessageLabs received that was essentially a version of the Netsky worm that had been infected by Parite, a virus that appends itself to every executable file on a victim's computer. The image to the left shows the artist's conception of the Netsky worm, while below is his programs rendering of Parite glomming onto the Netsky sample that MessageLabs intercepted. MessageLabs's Paul Wood said the Netsky-Parite sample was almost certainly sent from a Windows machine that was infected with both pieces of malware.
"Sometimes this is the result of an anti-virus product that tries to clean an infection but only removes part of it, leaving some components behind," Wood said.
The threat art is hardly Dragulescu's first foray into helping the world visualize ubiquitous yet faceless computer concepts. Take, for instance, his "spam architecture," or his "spam plants," the latter of which take its form from rules that look at the ASCII values (computer code that represent the English alphabet) of each spam sample.
Like his threat art, most of Dragulescu's spam plants are elegant but vaguely threatening. A spam plant that I found downright cheerful and placid-looking is featured here.
Dragulescu acknowledges that some may be tempted to dismiss his threat art as little more than clever marketing by MessageLabs and a nice way for the student/artist to earn some extra income and recognition. But he says he hopes people can look beyond that.
"It's easy to lose the overall sense that these malicious things have their own characteristics....that they are bad things you don't want," he said. "It's interesting to me to see that they've all got slightly different personalities."
January 18, 2008; 1:10 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips
Save & Share: Previous: Apple Patches QuickTime, iPhone and iPod Security Holes
Next: Report: 51 Percent Of Malicious Web Sites Are Hacked
Posted by: firstname.lastname@example.org | January 19, 2008 12:48 AM | Report abuse
Posted by: Anonymous | January 19, 2008 1:07 PM | Report abuse
Posted by: Master_Scythe | January 20, 2008 11:31 PM | Report abuse
Posted by: C.B. | January 22, 2008 9:55 AM | Report abuse
Posted by: Xeno77777 | January 25, 2008 8:15 PM | Report abuse
Posted by: simeksaz | March 23, 2008 3:39 PM | Report abuse
The comments to this entry are closed.