EvilZone

Hacking and Security => Reverse Engineering => : Deque July 12, 2014, 10:23:59 PM

: Little Malware Gallery
: Deque July 12, 2014, 10:23:59 PM
Hello EZ

I recently updated my PE visualizer tool again and I added local entropy visualization.
This turned out to be pretty interesting. I just generated about 200 pictures and for some interesting ones I compared the malware hashes with their reports.

Here are some interesting ones. Some explanation about the pictures: The left shows the entropy map, which is the information content of certain file locations. The brighter the picture, the higher the entropy (and information content). Very bright areas are usually compressed or encrypted.
The right side shows the file structure, legend attached. Grey areas are sections.

W32.Salty

Salty is an entry-point obscuring (EPO) polymorphic file infector. Here you see an infected file. The encrypted virus body is in the last section (here .gdata, entropy is high, thus a light area for .gdata on the left). Apart from that it overwrites the host file's code with obscuring instructions.

(https://lh3.googleusercontent.com/-ISfo5M0epl8/U8BCGMRFnlI/AAAAAAAAATk/bEM2Ua8v09I/w800-h600-no/VirusShare_191b28bb42ad40340e48926f53359ff5.png)

Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99

VirusTotal Analysis: https://www.virustotal.com/en/file/07ac76fd7886072c06c4d55a1a18b932a56f1a3057f1c6877628812d73b35c96/analysis/


W32.Simile, also known as W32.Etap

W32.Simile is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It infects files in folders on all fixed and remote drives that are mapped at the time that the virus is executed. The virus contains no destructive payload, but infected files may display messages on certain dates.

(http://i.imgur.com/BU5KFoc.png)


Zeus Trojan (one of the many out there)


Zeus (also known as Zbot, Kneber, PRG, NTOS, Wsnpoem and Gorhax) is a crimeware kit designed to steal banking information and credentials through various means. The Zeus trojan is spread mainly through drive-by downloads and phishing schemes.

(http://i.imgur.com/r0TluUb.png)
: Re: Little Malware Gallery
: Traitor4000 July 13, 2014, 08:28:35 PM
Well shit 75% of that went straight over my head.
: Re: Little Malware Gallery
: Kulverstukas July 13, 2014, 09:36:30 PM
Call me an idiot, but what am I supposed to see here? looks like pixelated x-ray photographs :P
: Re: Little Malware Gallery
: Deque July 14, 2014, 07:50:54 AM
Sorry that I didn't explain it thoroughly.

These are two pictures, one left, one right. The right side shows the structure of the file, which is determined by my PE parser. In general, it has headers and sections. Sections are the grey-scale tones and often start with a dot in their name. Sections may contain resources, debug information, exported and imported functions, and executable code. The entry point marks the start of execution; it is displayed as one red square.

The left side is kind of an x-ray. It displays the entropy, which is how much information is in there. Like, if you had everything filled with one and the same byte (= no information content), you would get a black area. If you had random numbers in that area, it would be white, because repetition is unlikely. That also means encrypted and compressed content is very bright.

An example is in the first picture, which displays an infected host file. The virus hides itself by encrypting its body and copying itself into the last section of the file. The last section there is .gdata (see legend to find it).
You can also see that the overlay (= appended data) and the .data section have almost no information content, as the area is black. The .text section contains the executable code; you also see the red-squared entry point there. Code has a high entropy, but not as much as encrypted or compressed data.

I hope this cleared some things up?

Edit: The Zeus Trojan must be heavily encrypted.
Only protected files look this bright on the entropy picture. This would be a normal (without protection) one:

(http://i.imgur.com/ggjm3W3.png)

And another harmless, unprotected file:

(http://i.imgur.com/w28kO19.png)
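As an added example (not part of this thread and not the PortEx code), here is the kind of computation behind the entropy "x-ray" Deque describes in the first post and in the explanation above: Shannon entropy per window of the file, mapped to a brightness value, with a zero-filled region, a structured code-like region and an XOR-encrypted copy of it side by side. The section names, window size, classification thresholds and the SHA-256 keystream are assumptions for this example only.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024  # bytes per sample; a constructed choice, not the original tool's setting

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, up to 8.0 for uniformly random bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_map(data: bytes, window: int = WINDOW) -> list:
    """Local entropy per consecutive window: the values the left-hand 'x-ray' plots."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def brightness(entropy: float) -> int:
    """Grey value 0..255: black for no information content, white for random-looking data."""
    return max(0, min(255, round(entropy / 8.0 * 255)))

def classify(entropy: float) -> str:
    """Rough label per window; the thresholds are an assumption for this example only."""
    if entropy < 1.0:
        return "empty/padding"
    return "code/data" if entropy < 7.0 else "compressed/encrypted"

def keystream(length: int) -> bytes:
    """Deterministic SHA-256 counter-mode bytes, standing in for an encrypted virus body."""
    blocks = (hashlib.sha256(b"constructed" + i.to_bytes(4, "little")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def build_sample() -> dict:
    """Constructed regions mirroring the pictures: .data zeros, .text structured, .gdata encrypted."""
    structured = bytes(range(64)) * 64  # 64 equiprobable byte values -> exactly 6.0 bits/byte
    encrypted = bytes(a ^ b for a, b in zip(structured, keystream(len(structured))))
    return {".data": bytes(4096), ".text": structured, ".gdata": encrypted}

def ascii_xray(regions: dict) -> str:
    """One text row per region; denser glyphs mean higher local entropy (brighter on the picture)."""
    ramp = " .:-=+*#%@"
    rows = []
    for name, data in regions.items():
        glyphs = "".join(ramp[brightness(e) * len(ramp) // 256] for e in entropy_map(data))
        rows.append(f"{name:>6} |{glyphs}| {classify(max(entropy_map(data)))}")
    return "\n".join(rows)
```

The encrypted row comes out bright although it holds exactly the same bytes as the .text row before XORing, which is why a protected last section stands out on the entropy picture while .data and the overlay stay black.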
: Re: Little Malware Gallery
: frog July 14, 2014, 08:27:27 AM
Well that's the first time I've ever been able to see a visual structure of different types of malware. It is also neat to see the different parts of the executable and where they reside. Theoretically, there should be notable differences in the structure from program to program.
: Re: Little Malware Gallery
: Deque July 14, 2014, 08:40:01 AM
Yes, every file looks very different. Except the ones that have been packed with the same crypter.
I like the visualization to get a quick overview of the file.
: Re: Little Malware Gallery
: Kulverstukas July 14, 2014, 11:51:20 AM
Thanks Deque, your explanation cleared the cloud of confusion and the winds of uncertainty have settled.
: Re: Little Malware Gallery
: $Clone July 21, 2014, 05:41:12 AM
She always impresses, even though I'm reading this thread 3 times just to understand how images and malware relate. Cool though! ;D btw... what language is your PE visualizer tool coded in?
: Re: Little Malware Gallery
: Deque July 22, 2014, 04:47:33 PM
She always impresses, even though I'm reading this thread 3 times just to understand how images and malware relate. Cool though! ;D btw... what language is your PE visualizer tool coded in?

It is part of my PE library which is written in Java and Scala.

See here for code: https://github.com/katjahahn/PortEx
: Re: Little Malware Gallery
: raTRon July 23, 2014, 08:17:45 PM
Wow, this forum is next-level! I've never seen a PE visualizer tool like this before.
: Re: Little Malware Gallery
: $Clone July 24, 2014, 10:08:26 PM
It is part of my PE library which is written in Java and Scala.

See here for code: https://github.com/katjahahn/PortEx

Thanks for the link.
: Re: Little Malware Gallery
: Traitor4000 July 29, 2014, 11:21:05 PM
Sorry for posting on a semi-old thread, but thank you so much for the explanation, Deque; it helped sooooo much. Cool program by the way! +1