In a digital world it is hard to understand threats and attacks because they don’t appear in a way we can feel. For example, if we see a big leaning tree on a stormy day, we easily sense the danger and would probably stay away from it. Or if we need to handle an uncovered electrical cable, we would probably disconnect the electricity source before touching it. In the digital space this is not so simple: threats are hard to see, as if they belonged to a different visible spectrum.

Crypt0L0cker Picture

So I decided to try to translate something that is hard to see in physical space, such as malware, into something that is easy to see, such as a picture, by using common binary visualization algorithms and tools.

What am I looking at ?

You are looking at a graphical representation of Crypt0L0cker ransomware. There is a vast selection of Crypt0L0cker versions on the Internet, but this is one of my favorites. Its name is d845e4f2292ba78a993dbbf6f1317894ce1a795c096d7959f3d718e583f1cea3 and it is one of the best-known ransomware samples used in large email campaigns against the population. It is probably one of the most representative samples that helped the (in)famous ransomware market grow radically during 2017/2018.

Why are there different colors and symmetric images inside a big cube ?

Malware is often encrypted or compressed in order to discourage malware analysts from reverse engineering it. Every encryption, compression and encoding algorithm produces output with a specific entropy. Regions with similar entropy are visualized in a “similar way”, so they show up with the same color or representation pattern.

In this specific case you are seeing an executable structure (PE file, represented by blue dots) holding code (represented by yellow/orange dots) that would decrypt an encrypted/encoded code (represented by a little bright cube) and a string (cryptographic key?) represented by a straight line which looks like a fourth axis.
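To make the entropy-to-picture idea concrete, here is an added example (not code from this post or from the CodiSec tool) that computes per-block Shannon entropy and maps every three consecutive bytes to a point in a 256×256×256 cube. The trigram mapping, the classification thresholds and the constructed sample buffer are assumptions; the post does not say which algorithm produced its picture.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def block_entropy(data: bytes, block: int = 256) -> list:
    """Entropy of each fixed-size block: the value a viewer maps to a colour."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def trigram_points(data: bytes) -> Counter:
    """Each run of three consecutive bytes becomes one (x, y, z) point in the cube."""
    return Counter(zip(data, data[1:], data[2:]))

def classify(h: float) -> str:
    """Coarse labels; thresholds are illustrative assumptions, not from the post."""
    if h < 1.0:
        return "padding/constant"
    if h < 6.0:
        return "code/text/structured"
    return "compressed/encrypted"

def constructed_sample() -> bytes:
    """Constructed input, not real malware: padding, ASCII text, pseudo-random bytes."""
    padding = b"\x00" * 512
    text = (b"The quick brown fox jumps over the lazy dog. " * 12)[:512]
    rnd = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
    return padding + text + rnd

if __name__ == "__main__":
    sample = constructed_sample()
    for idx, h in enumerate(block_entropy(sample)):
        print(f"block {idx} offset {idx * 256:#06x} entropy {h:.2f} {classify(h)}")
    regions = (("padding", sample[:512]), ("text", sample[512:1024]),
               ("random", sample[1024:]))
    for name, region in regions:
        # Few distinct points form a tight cluster; many points fill the cube.
        print(name, "distinct cube points:", len(trigram_points(region)))
```

The padding collapses to a single point, the repeating text to a small cluster, and the pseudo-random region spreads over about a thousand distinct points, which is why differently encoded regions of a file look different in such a picture.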

Tell me more about Crypt0l0cker

Crypt0L0cker ransomware is an infamous crypto malware [1], which can be found mentioned in various sources as Crypt0L0cker virus. Computer users should be aware of this virus and its distribution methods, because once it infects the computer, it is nearly impossible to repair the damage that it does to it. It is an updated version of TorrentLocker ransomware, and it hides under the name of one of the most dangerous computer viruses in the world – CryptoLocker. The difference is that the virus that we discuss today has O’s replaced with zeros in its name [2]. It spreads as a Trojan horse [3] via email: its malicious executable file usually reaches computer users disguised as a secure document, for example, a speeding ticket or invoice. The sole purpose of this PC threat is to infiltrate the victim’s computer system and encrypt files stored in it. Crypt0L0cker malware scans all system folders and locates relevant data including music files, videos, photos, documents, and other types of files, and then encrypts them using a sophisticated encryption algorithm. Once the files are encrypted, the user cannot access them anymore. (from HERE)

Famous Crypt0L0cker Attacks

  • Spreading over Italy (HERE)
  • Attacking Danish citizens (HERE)
  • Attacking Australian citizens (HERE)

Is It Art ?

I have no idea if you can consider this art or not. Maybe you can consider it a new form of digital art? Anyway, this is not my point, and I don’t pretend to be an artist at all! What I have done to obtain this result is mainly finding some of the most representative malware families, collecting them, applying visual algorithms to the most significant malware stage, and trying to select the best perspective (in terms of 3D angles and visualization perspective). I hope you enjoy it!


  • Binary Data Visualization by CodiSec (amazing job guys !)
  • Malpedia for some texts.