In a digital world it is hard to understand threats and attacks since they don’t appear in a way we can feel them. For example if we see a big leaning tree during a storm day, we can easily feel the danger and we probably would stay away from it. Or if we see an uncovered electrical cable and we need to handle it, we would probably disconnect the electricity source before touching the cable. In the digital space this is not so simple since it is hard to see threats because belonging to a different visible spectrum.
So I decided to try to translate what is hard to see in a physical space, such as a Malware, into something that is easy to see, such as a picture, by using common binary visualization algorithms and tools.
What am I looking at ?
Your are looking a graphical representation of Shamoon Malware. There is a vast selection of Shamoon Malware on Internet but this is one of my favorite. Its name is
bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003 and it is widely discussed here.
Why are there different colors and symmetric images inside a big cube ?
Often Malware are encrypted/compressed in order to discourage Malware analysts performing reverse engineering. Every encryption/compression and every encoding algorithm holds a specific entropy. Similar entropy are visualized in “similar way”, so they look like with the same color or representation pattern.
In this specific case you are see an executable structure (PE File, represented by blue lines) with high intensive entropy but within visible internal structures. For example grouped dots with orange flavor represent internal encoded strings typically used for commands or to launch external prompts.
Tell me more about Shamoon
From Wikipedia. Shamoon, (Persian: شمعون) also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unusable.
The virus was used for cyberwarfare against national oil companies including Saudi Arabia’s Saudi Aramco and Qatar’s RasGas. A group named “Cutting Sword of Justice” claimed responsibility for an attack on 35,000 Saudi Aramco workstations, causing the company to spend more than a week restoring their services. The group later indicated that the Shamoon virus had been used in the attack. Computer systems at RasGas were also knocked offline by an unidentified computer virus, with some security experts attributing the damage to Shamoon. It was later described as the “biggest hack in history.”
Symantec, Kaspersky Lab, and Seculert announced discovery of the malware on 16 August 2012. Kaspersky Lab and Seculert found similarities between Shamoon and the Flame malware. Shamoon made a surprise comeback in November 2016 according to Symantec,and it was involved in a new attack on 23 January 2017.
Famous Emotet Attacks
- Wipers attacking Saudi organizations and beyond (HERE)
- Shamoon Targets Oil and Gas Organizations (HERE)
- Saipem attacked by Chamoon (HERE)
Is It Art ?
I have no idea if you can consider this Art or not. Maybe you can consider it a new form of digital art ? Anyway, this is not my point, I don’t pretend to be an artist at all! What I have done to obtain this result is mainly in finding some of the most representative Malware families, collecting them, apply visual algorithms against the more significant Malware stage and try to select the best prospective (in term of 3D angles and visualization prospective). I hope you enjoy it !
- Binary Data Visualization by CodiSec (amazing job guys !)
- Malpedia for some texts.