Malware
05 January 2012
If you subscribe to my RSS feed, please visit this article directly. The table below has interactive elements that won't work in most feed readers.
Hover and click for more.
[Interactive grid of malware entropy visualizations; the images themselves are not reproduced in this text version.]
The images above are entropy visualizations of samples from a malware database - black is zero entropy, with colour ranging through blue, up to hot pink for maximum entropy. Large areas of very high entropy are usually sections that are packed - encrypted or obfuscated by the malware authors to make the malware hard to detect and reverse engineer. Smaller areas might be keys, passwords, or other chunks of data meant to be hidden from view.
When you hover over an image, you see a character class visualization with one colour per byte class (the colour swatches are images and are not reproduced here):
- 0x00
- 0xFF
- Printable characters
- Everything else
Clicking will show you high-detail versions of both visualizations, and let you look up the binary hash to see what it is. I've used a square Hilbert curve layout - the files start in the top-left corner, and pass through the quadrants clockwise.
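The two visualizations described above (block entropy mapped onto a colour ramp, and a byte-class map, both laid out along a square Hilbert curve that starts top-left and visits the quadrants clockwise) can be reproduced in a few dozen lines. The following is an added example, not the post's own code or the tool behind these images: the colour stops for the entropy ramp, the colours assigned to the four byte classes, the 256-byte entropy window and the sample buffer are all constructed assumptions; the Hilbert `d2xy` routine is the standard one, with its `(x, y)` read as `(row, col)` so that the walk matches the orientation the post describes.

```python
"""Added example (not the post's own code): block-entropy and byte-class
colouring of a binary laid out on a square Hilbert curve. Colour stops,
class colours, the entropy window and the sample buffer are assumptions."""
import math
import random
from collections import Counter


def block_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, normalised to [0, 1] (8 bits = 1.0)."""
    if not block:
        return 0.0
    n = len(block)
    ent = 0.0
    for count in Counter(block).values():
        p = count / n
        ent -= p * math.log2(p)
    return ent / 8.0


def entropy_colour(e: float) -> tuple:
    """Ramp black (0.0) -> blue (0.5) -> hot pink (1.0); the stops are assumed."""
    e = max(0.0, min(1.0, e))
    if e < 0.5:
        t = e / 0.5
        return (0, 0, int(255 * t))
    t = (e - 0.5) / 0.5
    return (int(255 * t), int(105 * t), int(255 - 75 * t))


def byte_class_colour(b: int) -> tuple:
    """The four classes from the post's legend; the colours are assumed."""
    if b == 0x00:
        return (0, 0, 0)
    if b == 0xFF:
        return (255, 255, 255)
    if 0x20 <= b < 0x7F:
        return (0, 0, 255)  # printable ASCII
    return (255, 0, 0)      # everything else


def hilbert_d2xy(n: int, d: int) -> tuple:
    """Standard d2xy: distance d along the Hilbert curve of an n x n grid
    (n a power of two) -> (x, y), with (0, 0) at d == 0."""
    x = y = 0
    t, s = d, 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:  # rotate/flip the sub-square
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def layout(data: bytes, n: int, cell_colour, window: int = 1) -> list:
    """Cell d covers bytes [d*block, (d+1)*block); cell_colour sees at least
    `window` bytes from that offset. Treating (x, y) as (row, col) puts d == 0
    in the top-left corner and visits the quadrants clockwise."""
    cells = n * n
    block = max(1, -(-len(data) // cells))  # ceil division
    grid = [[(0, 0, 0)] * n for _ in range(n)]
    for d in range(cells):
        off = d * block
        chunk = data[off:off + max(block, window)]
        if not chunk:
            break
        row, col = hilbert_d2xy(n, d)
        grid[row][col] = cell_colour(chunk)
    return grid


def entropy_map(data: bytes, n: int = 32) -> list:
    # A 256-byte window: entropy of a tiny block is capped at log2(len(block)).
    return layout(data, n, lambda c: entropy_colour(block_entropy(c)), window=256)


def class_map(data: bytes, n: int = 32) -> list:
    # A cell may cover several bytes; colour it by the most common class.
    return layout(data, n, lambda c: Counter(map(byte_class_colour, c)).most_common(1)[0][0])


def write_ppm(grid: list, path: str, scale: int = 8) -> None:
    """Dump a grid as binary PPM so it can be viewed without extra libraries."""
    n = len(grid)
    with open(path, "wb") as f:
        f.write(b"P6\n%d %d\n255\n" % (n * scale, n * scale))
        for row in grid:
            line = b"".join(bytes(px) * scale for px in row)
            f.write(line * scale)


# Constructed sample "binary": zero-filled, 0xFF-filled, readable text, then
# pseudo-random bytes standing in for a packed section.
_rng = random.Random(1234)
SAMPLE = (b"\x00" * 4096 + b"\xff" * 4096
          + (b"The quick brown fox jumps over the lazy dog. " * 92)[:4096]
          + bytes(_rng.getrandbits(8) for _ in range(4096)))

if __name__ == "__main__":
    write_ppm(entropy_map(SAMPLE), "entropy.ppm")
    write_ppm(class_map(SAMPLE), "classes.ppm")
```

Run stand-alone it writes `entropy.ppm` and `classes.ppm` for the sample buffer; the zero region comes out black, the text region mid-blue, and the random region near hot pink. The window size matters: a cell that covers only 16 bytes can never show more than 4 bits of entropy, so the entropy for each cell is measured over a larger window starting at the cell's offset, which is why section boundaries blur slightly.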
I spent hours looking through thousands of these visualizations today. I find them eerie and rather beautiful - an entirely different perspective from my day-to-day interactions with malware.
Related:
- Generating colour maps with space-filling curves 07 Jan 2010
- Portrait of the Hilbert curve 03 Jan 2010
- Visualizing entropy in binary files 04 Jan 2012
- Visualizing binaries with space-filling curves 23 Dec 2011
- Hilbert Curve + Sorting Algorithms + Procrastination = ? 26 Jan 2010