
good afternoon Aloha nobody nobody's is from Allah Aloha alright um my name's Craig feel that work for defense point security I do a little background on myself I got started doing computer forensics when somebody just bought in case and said we need somebody to figure this out and it was great just a volunteer for it and I've been doing it for over a decade now and then once you find enough with forensics the great thing is there's not a lot of people around to tell you what the malware does once you find it so I'm really appreciative of people who have gone through and made automated tools to make my life a lot easier so am our
visualization I run into a lot of problems in that from junior analyst to managers to other reverse engineers and other organizations the communication that we have is is not very good the words we use what people associate emotionally visually to one word means something different to somebody else what they want to get out of something means something entirely different so I'm understanding the absolute crucial value in knowing what a word means to your audience and making sure that they understand what you're trying to communicate this is a one thing I really love is this quote we're in the world of data I saw some somebody put something out that says the amount of data we've
collected out of all of it the most we've collected and is in the last two years it's just amazing that we've just turned on sensors on everything and now we don't know what to do with all of this and we need more people that can do it Einstein's quote I love and it's based on a book equals MC squared it if you want the short cut version to that netflix has a good video called einstein's big idea and the point is it takes energy II and all the scientists that had to figure out how to communicate what energy is and what what what all the different forms of energy that we have and matter and ce4 solera taz meaning
the speed of light and what the speed of light is and how it affects our life and squared and whatnot and he took all these huge different scientific ideas I was able to get one of the most powerful ideas down to something very short and as you he points out I have no idea if he said the second part here I got it from the internet so obviously it's true but I appreciate the thought in that we could always go towards giving more data to a manager who has to make a decision or a junior analyst who's just getting started but we really need those shortcuts of life to help us to better understand things because at some point
we're all idiots at something right so you need somebody to give you that shortcut to help you to get you to the next level the book is called equals MC squared by David botanist it's local library wonderful great book and the netflix version goes into all the men and women who helped create this you know 15 year old the female mathematicians from france i mean there's a lot of people that went into standing on shoulders essentially if people who came before something else i want to share a plague incorporated if you've not downloaded this this is a fantastic game you can just do the free version and it basically at the point of it is you choose what you're going to be
and your goal of the game is to wipe out the human population before the humans can kill you right it's a bit morbid but the idea is very the same in that you're creating code you're creating something to attack somebody else and you are going to have certain defenses you're going to have to overcome and those defenses are going to try and find ways of stopping you one of his recent packs that you can download and install is starting the Ebola virus in the United States right it's very fairly timely the interesting part is you will lose depending on how fast the humans decide to put news articles about what's going on throwing money at the problem to get
more scientists because once you kill all the scientists that can read and write code you basically win right it's those people who live in Greenland or Madagascar that can survive because they don't have a lot of interaction with humans so this is a great game to get you in the mentality of what happens on the often side right I like defense doing the defense forensics mal reverse-engineer inside because I think it's harder quite frankly often seems to have kind of an open book of tools and techniques and just waiting for somebody to make a mistake or not patching something to get in and take over everything it is the hard part is finding that that patient zero and
finding out if that's really patient zero is that where the infection started or once you get the patient zero is there actually a different patient zero to find out when did this code come into existence when did it start right so in Tarot bacteriophage t4 virus int arrow means intestines bacteria is all over your skin so on your skin it's in your bowels it's all of your body it helps you to live life there's a lot of really good bacteria out there the t4 virus however is something that that's how to explain this it's basically a syringe so the code of this thing and the the code is all up in here it's all the DNA and
it actually gets injected it'll find the bacteria at the bottom and it'll ject the code into the bacteria and do some very interesting things so i chose the t4 virus because i like what it does and it it helps me to visualize the design of how I designed my website mal malware vids ok so excuse me on your left side together TT the 2d version and the 3d version on this side this is all from Wikipedia so you can look at this as well so the DNA is all the stuff in here right that's your code that's what you want to look at protein proteins not a very good word of describing something so a set of protein
think about scaffolding right so this is the scaffolding of that cell when you get I got my flu shot last week and the injected h1n1 and and two other flu viruses code inside of me and the interesting that happens when you get that is scientists are basically taking this code and they're able to actually cut out the part that reproduces itself and that can attack your body so your body can find the t1 cell or the h1n1 and go hey I've seen this before I've made a anti virus database entry for this I know how to kill it right so it basically has a whole bunch of keys that it goes around your body with and says a
what cell are you do I have a key for you I know what you are I'm killing you the problem is if your antibodies your your antivirus interline a virus does not have that key and you get an h1n one that your body is not seen before it tries all these keys and goes I'm not sure what this is so at that point your body has to make a decision whether to kill it or just let it survive and move on all right so here is the life cycle of a t4 virus basically it starts here this in green is that's the bacteria the black circle is the code right so that's like saying that's your operating system
and here's your malware being injected into it once it gets to this point the interesting thing is the code makes a decision scientists don't know why it makes this decision but it has to make a decision it chooses by the environment that it gets put into to do two things one thing is it says okay I'm just going to go ahead and start breaking down that code take over it rebuild myself and once I make them enough of myself I'm just going to punch send out some chemicals to thin out to the wall and break out and we're going to go attacks that attack the next bacteria all right this is built into the code the
interesting part is right here in May decide to wait till the bacteria itself splits into two it's injected into the code and lysogenic means to loosen so it loosens actually the code of that bacteria in your body injects itself waits for it to split and then go as go ahead and does the same thing I love this idea because the malware that I find mal there I that I deal with it's built into the code as to sometimes it's built into the code as to what to do for example it will look for hey I don't know what operating system i'm on but where's your temporary file folder so i'm going to go ahead and put myself in
the temporary folder another example is it would say okay what version of windows in my on am I on linux the first entry will say what can I get to the internet you'll see a whole bunch of internet traffic that says I need to go to Google or I need to go to Windows Update is a very popular one because it wants to make sure i'm an environment that i actually want to run into okay if it can't get out to the internet it's thinking well i may be in a virtual machine somebody may be looking at me i need to destroy myself there's that word i wanted to throw in there Apatow Sassan this really quick cuz i really like this
word a pitocin is kind of like snapchat we're basically you're creating data that you have a time limit for that you want it to die at a certain time we don't do this in our world we collect everything and nothing's ever supposed to go away but really windows XP has a apatow sis right eventually it's going to die Stuxnet had a nap Atossa swear it said at this point in 2012 you're to delete yourself and go away so that we can deny that this was ever in existence the other interesting point is is how many people look across their enterprise what executables are in your temporary space or in your your recycle bin okay we don't really do this however malware
survives there for years and we done it's temp it's supposed to be temporary yet we don't really focus multiple AV scanners on that area and we don't dump it on a regular basis so Zeus other rootkits toolkits know this and they'll stick themselves in that environment knowing there's no Apatow so there's no there's no point at which you're just going to kill everything in a certain environment so maybe we should start thinking about this is there data that we can actually do without it would give us less to look at when we do forensics and it may even protect us more and it's already it's already built into immunology virology this idea of looking at code that's
already in biology already in our own systems and if we can learn to communicate that better we can help better educate ourselves and the general population on how things work this all right so there's your t4 virus they called it a t4 virus because the first scientist to look under the microscope said hey this looks like a tea I pretty straightforward it was the fourth one they looked at so they call the t4 and this down here is the basic design of my website so any time you run malware through malware vids at the very least you're going to see this design so you kind of burn that into your mind so what you're seeing is two things the double
circles can be either red or green red means hey I found something wrong with this you really should take a secondary look at this built into the algorithm the second node or pill or whatever you want to call that button is virustotal so if virustotal finds anything wrong with this the double circles will be red it's just as hey I already know this is malicious however and I'll show you in the next next picture well let's just stick with this from it there's your bacteria you can see all the tea for viruses along here just attacking it like crazy and for those reverse engineers or getting into this I'll throw out the word mutex for a minute
what a mutex does is once you have one of these infect a bacteria when you infect a machine many of them will have a mutex and that means mutually exclusive I like to think of it as like the porta-potties on the fourth of July down here at the mall right there's tons of them but you know when one person inside one that's mutually exclusive you don't throw a bunch of people in 21 so like that analogy when a piece of malware infects a box windows 7 or whatever it is not going to allow another piece of malware to infect the same box it says hey do you have a mutex yes okay I'm not going
to run I'm going to close myself because I already know somebody's in there I already know it's infected so that's what a mutex is and it's very helpful when you do reverse engineering all right mal WR calm this this is also called this is the online version of cuckoo sandbox if you could into reverse engineer and you'll notice some not Sandhya Los Alamos National Laboratories uses this to do a huge amount of automated analysis it's extremely well written it's all Python and if you get anything out of this I hope if you've not considered learning python it's extremely helpful in a lot of the the tools that are coming out that are that are extremely helpful ida pro is
probably the most popular one for doing reverse engineering it its built-in language used to be their own custom thing they've now put in a Python interpreter so that you can automate a lot of processes right so this is all built in Python the problem being is them go back to that too much data problem we've got so much data and there's so many people that don't want to see all of this that you have to ask yourself okay how do we explain this to a manager how do we explain this to somebody just getting involved or doesn't even really care that much but wants to know the basics of what's going on so what my site does is it tries to
simplify this and I'm very visual I was dyslexic as a child and I i thought i was going to grow up to be a garbage man I couldn't read very well so visual i love visual visual helps me out a lot visual helps me to memorize things and recognize distances very quickly so what's going on here is you have your basic design so this is green sayin virus told is not seen anything it doesn't that could be two things either one nobody's uploaded this to virus tool or two none of the 50-plus antivirus is in there see this that's important to think about because there's Russian companies that their only purpose is to rewrap malware so
that it does not get detected right so when when we say hey your machines compromised and we need you to do something and and they come back and say well we scanned it with a V we didn't find anything that's a huge problem okay your AV is not going to detect this stuff it's already been tested on tools like a virus total to make sure it doesn't get detected and in the underworld where you buy these things they give you a promise they say if this gets detected by any antivirus there we will recompile it for you will make another one for you so that you know we can still accept your five thousand dollars for this kit and you can go on
still in credit card numbers or whatever alright so what does the algorithm do here this circle is red because of two things you see IP address go and in traffic and you see a URL if all you see is a URL think of adobe com or Java com right there's files that will turn on and their immediate thing to do is go to the internet to find out hey am I supposed to update myself that's legitimate that that happens all the time malware usually has it built into the code to ask itself hey um I'm probably going to get blocked once twice three four five fifty times I need some way of getting around their way of
blocking me so any time you have more than one call back if it goes to the cut the URL and then to the IP address itself that's usually not built into regular legitimate software right to have it hard coded to go to the IP address so that is why the red circle turns red it says hey you got too much network traffic going on here okay created Files the Forensic side where anything executable I gave it a secondary thing to do I have to give a thank you to Carl from virustotal when you create a virus total account you can do three automated scans a minute right they give you a key you can use your key in Python script
and say hey I have three files 30 files a minute it'll scan it for you I explained to Carl what I was doing with my website and he upped it to 30 for me because files that drop out of this they may have not seen it yet however the files that drop out many of them have already been detected by antivirus right so you so it gives that secondary check to say oh what it's wrapped in I have no idea what I'm looking at if it's been packed encrypted any word you want to use for its trying to hide itself it's basic text right so that's executables these down here I put a hole into the
algorithm a whole bunch of things that are important but not as important for example temp files bat files HTML logs you may find this in the malware but these usually don't have code that interests me for example the bat file many times will just be deleting the original file so it can copy itself to temp space right so you'll execute it on your desktop magically it's gone from your desktop but it's in your temp directory and in Windows 7 it's for many people it's hard to find the temp directory right because it's not exactly you know app data it's not that easy to find always all right let's look at some okay i'm going to give some thank yous
and then we'll do the live demo and notice from these all of these except for graphviz at the bottom this is Python this is the advantage of Python I've gone to every analyst and engineer in my environment and gave them a 5 to 10 minute intro to python because I want us all to speak the same language and it just it just solves a problem of getting everybody on the same page to solve a similar problem and it just it it's emotionally well emotionally I have to say the word love I love Python it solved so many problems for me and helped me to do so many things quickly I don't have a programmer background I
studied the International Studies global economics which training me for nothing right one of those one of those social sciences a college in Austria just acts their entire social department because they weren't training people to get a job where they could sustain themselves and not live off the government right so it's an interesting thought that you actually go to college to get a job so I I worked at a computer store compusa while I was getting my degree so once I got into the real world I want well the only job I can get some computers so then I went down the certification route which yeah that's a whole nother rants I have 14 certifications and most of them
have done nothing for me so I looked at what really it has done great things for me and my cisco cert and my cissp have helped me but I Cisco was Sir was awesome the cissp I'd I don't want to offend anybody I didn't feel like I was awesome at my job by having my cissp but it seems to be written into government contracts so it's a value to somebody so I so to that I would want to downplay it you may need it for your for your career graphviz really quick is the AT&T tool that can take your text file and create a SVG SVG is a scalable vector graphic thank you scalable vector graphics and
it's really helpful a lot of the Wikipedia graphs you'll see see if I can load this up a lot of the week computer graphs you'll see our SVG because it can go very small and very large without losing any pixilation it looks very crisp very clear alright so this is Mel w or calm or Mallory calm Ned and Jeckle two guys I think they're out of Brazil have done great work this thing was down for a month before my presentation so I was panicking fairly I was panicking a lot about that I'm like well what do I do now so they got it back up they upgraded their hardware I sent them some money because I really I'm just like
please help me out get this done so anyway off to your right here I get put away my let me tell you what we're universe sorry okay off to your right this is all seen network traffic and that looks really blurry from my angle so hopefully just visually know that these are all callbacks okay netbiz calm and this link right here will take you to that location so let me show you i'm not done this before this is actually this is going to happen in real time so i mean i've done this before that doesn't make sense alright so here we're seeing a domain so this is going back to get a bug coming at me a URL and then
there's the associated IP address hopefully we had some drop files no drop files well let's do it anyway so all I do is copy here's my website virustotal all they asked was that I put them on the front page very nice of them paste it in there hits go what's happening in the background is python is great for scraping google uses python to do its spidering to index websites so what it's doing right now is it's going to mal WR com grabbing everything and then another tool a python tool called beautiful soup is cutting it out and just getting what I want out of that and of course this is a live demo so it's not going to work
the first time I love you patient the only python is really fast so lonely speed limitation here is usually the network so it could be the wireless for me to there so Python anywhere is where this is hosted and Python anywhere is great because it's an Amazon Cloud all the tools that you would load into this are already are already basically they're all you do is import your tools import beautifulsoup import requests import anything else you need and it's done for you don't have to do any setup and then they know you're going to be scraping other websites so you can build scrapers to say look check check whatever if you're going to look at
Bitcoin prices right check bitcoin and whatnot and I know somebody probably hacked me this day right but let's grab an Eleanor waiting is my internet even working right now
alright let's grab another one I'll just right click on this copy the link and you know failures not that big a deal greatest things in the world have taught me usually when I felt at something and vs. doing really well at it but this usually takes less than a minute so I'm slightly concerned that oh ah slightly concerned that somebody is messed with my website I'll give you option will ask I can either go through and show you how I could fix this by showing you the actual code or I could go back to the presentation code all right let's go with code so first off well let me show you this web 2 pi I chose the the the uh
so web 2 pi versus Django or cherry pie or one of those other frameworks that would use I tried learning django Django is the basically newyorktimes.com that's it's all made in python django Django is Python web 2 pi is Python I had a lot of trouble understanding Django and there were a lot of job advertisements for Django so I'm thinking oh that's the standard that's what I should learn and it just how my mind work it didn't work out so i found an Italian guy who wrote web 2 pi and he did an awesome job because all you do is download it hit go and it's just going to ask you for a password right and asks you hey do you
want it to be public or private or whatever I'll just put in a password and then boom you're immediately online that's it that's all you have to do for web 2 pi and the awesome thing about that is you say hey I want to edit this page or whatever page and it gives you a bunch of examples so right off the bat you have what are called controllers which is all your Python script and your python is associated to views which is your HTML and the JavaScript the organization the CSS is already built in there for you so it's really helpful in how this works when I see if i start up another one i'll probably get the same error
actually since i'm going to get the same error let's fix it up pretty sure i know what's wrong with it so so what's probably happening here is I automated this thing to scrape the crap out of mal WR calm just because you know I needed data I was trying to do a scientific thing and the end goal is to have a whole bunch of different images of what malware looks like and be able from a thousand view back to look at Mauer and say this has the same code it looks the same right the t4 virus looks the same the h1n1 virus looks the same the code may be slightly different but the number of callbacks how many executables gets
dropped and that and what not look the same so let me go to that before we go through the code so here's recent so here's some examples of what's going on and the far left you'll notice this did not work so this is dynamic analysis that you have to say to yourself okay I have to do static analysis now why did it work the great majority of malware you get wants to go home it needs to tell somebody hey I was successful right so here's some more information to to know so for example this one on the Left did not work you're gonna have to do static analysis on that one these other ones totally worked you see the blue
traffic okay all of that is network traffic you see the files that dropped out all of that tells you that's what you're going to probably find on that machine when you go and do your ftk or NK so why not to find out what that is all right so here's the advantage of SVG files let me just bring up one of these all right so there's the basic shape and remember see how this one's red it may be hard to tell with the white background but this arrow is actually read the rest of these are black because the original one may or may not have gotten caught by virustotal all of these executables are a secondary scan against
virustotal this is the part where I say hey you know what check total again to make sure this hasn't been packed in a way to hide itself now here's what SVG does every single thing in here is clickable if you click on the code itself it takes you back to where it got the code at mal WR calm right so if you're a forensic analyst if you're a Maurer verse engineer you want definitely deeper deeper data this is where you would start you know you need your md5 hashes you need your file size you need the actual network traffic other things that got downloaded to help you solve this answer strings right strings are hugely helpful it's a great
starting point to find out is there any English in here if you see no English in here at all it's packed it's not going to show you anything your AV is probably not going to trigger on it at all right so let's go back here virustotal it has 10 hits so this is the original file that dropped and still has 10 hits when you click on it goes to the latest version and we start saying okay riskware toolbar adware okay so this may them so even though you may be able to it one day read the code read and write the code whether it's your own genes through genomics through human sequencing or through computer code
through debugging ida pro immunity debugger right once you can read through the code you still have the problem of why right even though if you could tell everything about this tool that works why was this code created and that's one of the hardest things to answer if you can find out what was stolen you kind of go okay they stole this they're there after your pii or they're after your credit card number that's why but that's one of the hardest things in the thing in the back your mind that you should be thinking as you're trying to answer these questions all right so any one of these is also clickable and then you'll see it dumped together a whole bunch of
stuff that I really don't care about I don't care about gifts I don't care about HTML PNG's I don't care as much about let me rephrase it that way words are very powerful and I want to make sure I give the right words there so I do care a lot more about the JavaScript which can be detected by a virus total exe so let's click on this exe right here so it takes you to the md5 of it which converts it to the shot 512 of it and you can start getting more of an idea of what this is this is adware or a toolbar or this is the type of stuff you'll be looking for when you start
doing your your analysis and investigation all right what about the callbacks where do they go to you'll notice the arrows some of them go just to the URL and so you have look you got one two three arrows they go to this IP so this very quickly can explain to a manager why we're blocking something you say it look there's your malware a buyer's total does see it as being bad and this is why we're blocking those okay what we should also see in here usually is probably like this one google AP is calm there's always that legitimate not always a lot of the kits there's that legitimate hey can I get to the internet before I do anything else
before I unpack all of my SI toos all of my IP addresses and URL is to get more information right before I put it in clear text in RAM can I get to the internet so once it passes that stage usually I always think of it mentally is a popcorn kernel right I don't want a 2 on the popcorn there's a lot of people that that worried about what Packer did it use right how is it in code how's it encrypted ram is the popcorn chew on the popcorn don't you on the colonel I mean if you can dump ram at the right time everything you need is in clear text in RAM so any investigation you do any
investigation get the ram get the ram and i had one case where I asked for that and they shipped me the RAM physically right so you laugh of that but I have to take responsibility for that we have to take responsibility for that as as cyber community people who know how to speak the language right I have to take responsibility for that because I should have asked questions of do you know what that means if I don't take any responsibility for that and just laugh at them the end user then then the communication is lost and we don't help the environment by by simply in a huge mistake right so I learned my lesson when I say dump the ram I have to
ask do you know what that means we have a tool to do that we have plenty of tools to help automate that process and I'm and people who worry about absolute forensics I unless you're law enforcement doing real forensics your incident response you don't care so much about storing everything perfectly and getting in the hand signatures and the md5 I dumped ram right to the hard drive and have them ship me the hard drive because I don't care as much about what's in unallocated space the free space is I care about making sure I get the ram what's my time Oh crud all right sorry I had a lot to go through let's go let's go to the bread and butter all
right so gallery analysis if you want to see how I think about some of these things I put in a whole bunch of analysis just to help you think through you know if somebody needs to start getting the understanding malware reverse engineering this is a great starting point a lot education here infamous malware you have Stuxnet Ouroboros I have no idea if these are really Stuxnet Ouroboros because a lot of legitimate malware has been uploaded to mal WR calm and some people who thought they knew their what they were talking about has uploaded it and named it that and they don't allow you to download to investigate yourself mauers started to change that in that their
default is to share with everybody instead of having to click on share with everybody when you upload your malware I feel like I said that very fast I hope that was alright so let's go to search this page was really impressive because the creator of web 2 pi made it like three lines of Python code like he did all of it for me so basically if you want to put in hey my tag is what can I do with one hand really quick Zeus so us all right I have 214 entries that say it's Zeus and I can go ahead and click on any one of these things that start finding out what it is all right so this
query, this query at the end, is one of the main reasons I wanted to create MalwareViz. I wanted to very quickly look at a whole data set of different types of malware and see if I could say, hey, look, these look related. So I'll explain the 14 list of APT... okay, let's go down to the ones that say Mandiant APT. So Mandiant did a really good report. Insane. So your MD5, your fingerprint of a file: if you change one bit from 1 to 0, the entire fingerprint is different; it's not close at all. They pointed out the fact that if, instead of doing a fingerprint on the whole file, you just do it on what are called
import tables, or, just like, here's your whole file, if you just do the MD5 at the top, that will stay the same even though they change the callback or change the files that get dropped at the bottom. And they listed it in their report; they gave it out and said, hey, here's the MD5. So I said, okay, what if I google that MD5? I googled the MD5, and this is really small, I apologize, but I googled the MD5 and malwr had files uploaded to it with that MD5 as the import table. So I did pictures of these, and you'll see that one, two, three, four, five, six, these are all the exact same code except they've
changed the callback. And visually looking at it, you can say, well, wait a minute, these look the same; they're not dropping a file, except that one is, and that one is. So there is some similarity but some non-similarity, but very quickly I can say, well, this might be the same code. Where we're at a disadvantage is that the kits being created mass-produce malware. So we used to be able to do static analysis on a lot of stuff, but when you can make a million different pieces of malware that automatically compile themselves with a different compiler and (thank you) a different coat, or any word you want to use for hiding plain
English, right? Well, I mean, we're losing the battle. We need more people to make automatic tools that automatically help us to quickly make a decision and move on. The days of spending a week to two weeks on one piece of malware have to be over, because we're getting our butts kicked. There's not enough people who know that; we're code-illiterate. We don't have enough people who can read and write code, and my hope, and an idea for you, is: what are you doing to help people learn code in your environment? I mean, that may sound daunting, but when you have ones and zeroes down here and English up here, in my mind Python is right here. Just get
people's toe in the door. It's the closest thing to English, then other languages. I'm not... if you want to do Perl or C++, whatever influences your environment. The more people we have making tools to automate even one process, the more we're getting to the automatic mentality, because static analysis, manually doing anything, has to be over. Our reports, I mean, anything we can do to save us even one second a day, over an entire year you've just saved somebody hours, right? Time travel is possible if you automate as much as you can. So again, this is all free; you can play with this after, obviously, I fix the website. You knew it had to
happen, right? I tried it this morning and still, still problems. Zeus, adware, let's do it. And, really quick, let's do unknown.
It's the database on this. I wanted to make this free, so if people wanted to download it and try it on their own machine, they could. Trying to take something that works just fine in the cloud and stick it on your desktop is a big pain in the butt, so I gave up on it. Sorry, it's still free, so you can use it online. So what are you looking at here? A lot of the green, these are unknown, because none of VirusTotal saw any of these as being of interest; either they didn't have it, or, you know, just, I have nothing in my database to say that H1N1 is bad, so why would I attack it, right? But as you can
see just by having these callbacks and all of these files that get put on your machine, these are bad, right? So there's a ton of these. I'll show you one really quick thing that I thought was interesting: this one does not look right, and one interesting thing about this is, I'm like, why doesn't this work right? The file that was supposed to be connected to this has a file size of zero. But you see that up there? That's Chinese. I didn't build this site in Chinese, so I'm like, what the heck, how did that get to be Chinese? So the interesting part about it is there's already code built into web2py by the
Italian guy who made this that allows you to automatically translate certain words. That Chinese right there is "about". Okay, so "about" is built in. So the person who makes this malware, they ran it from their machine, and their machine is Chinese. So it's interesting that it left a language signature as to who ran this piece of malware to make this graph. So I thought that was interesting. For those who think that's also interesting: if you've ever used pescanner, it's built into REMnux, Lenny Zeltser's reverse engineering class at SANS. pescanner, one of the great things that I've used that for is it gets the two hexadecimal entries that will tell you if there's any language signatures. So if
you find an executable, you can also find if there's Chinese, Russian... any time you add an icon or any picture to a file, there's language signatures on that in the form of two hexadecimal bytes, and that's very helpful, because the goal is to get into the mind of who created this. Where's patient zero? Okay, now that you know patient zero, who created this code, right? So all of this I find to be very, very interesting. Let's do this. Oh no. Okay, I'll end, I think, at five minutes; I was hoping to have some questions, so I'll just do this really quick. Poweliks I find to be very interesting, because this is malware that does not go on
there's no executable. So what this is, is this is malware that has a rundll32; this is all in the registry. There's no code that's put on the box; it goes from the registry to RAM. Okay, so every time that thing, if it gets turned off... it's really amazing. Wired did a great article about this; if you just google it. So Poweliks basically does, hey, JavaScript, I'm sorry, rundll, then it does JavaScript, it sees if PowerShell is installed, if it's not it downloads and installs it, okay, and then it runs the malware, which is in DLL form. Okay, that is amazing to me. That is evolution. There's some... really quick: your
body, from your hair down to your toes, you have a hundred trillion cells in your body. Okay, each cell has your entire code in it; it's 3.2 gigabytes. If you undo that yarn, it's over six feet long; at six feet long times 100 trillion, it's baffling, phenomenal. But there's a ton of code in there that is not used; it's not turned on. So code can turn on and not turn on, and it can evolve, it can update, right? So it's really interesting to see how we update as code creators and developers. Every time some security tool comes out, basically you've just told the human mind somewhere else, here's a challenge, find a new way of
compromising me. So the game continues: are we going to build a better catapult or a better castle wall? My hope and takeaway for you in all of this is that we really do need a lot more people who are literate at this, who will read and write the code, because it is phenomenally interesting. And as we get into, you know, Craig Venter is making new... he's creating life, right? He's the one who sequenced the human genome. So basically, we're getting to the point of, instead of doing dynamic analysis of human beings, where we see how we come out when two people get together, we're starting to get towards static analysis, where you
can actually step through the code and figure out what it says. It's a one-to-one from reading biological code to reading computer code; we're just reading code. We're trying to get something that's in a different language as close to English, what we have an emotional connection to, right? Where we can add... you know, the word "malware" means nothing to the general population, but if we say your computer has the flu, people go, oh, that's bad, I know the flu, the flu has caused me pain, I can associate, right? So communication is huge. So when you're talking with someone else who's not of our community, you really need to take some time to delve in to properly
communicate the severity of what we're doing. And as Brian said, I don't want to downplay what we do, but where's the body count? We talked about how important what we do is, but there really is no body count yet. So, I mean, I don't overly stress about this stuff, but I really want to do my best in my environment and help people. I do a lot of training for fellows and interns, and I want them to succeed at whatever they decide to succeed in, but also have a proper perspective of what we're doing. Security is very important, operations is very important, but it really is the fun of the path, and the direction to which
we're going. I didn't get to the code, sorry about that. Thank you for your time; I appreciate it. If you have any questions, I'd be happy to take those, and if... some people aren't open to questions in a group setting, I'll be available afterwards, and I have some business cards if you'd like to have any private conversations. Because in my world it seems that I've turned from forensics, malware reverse engineer, more towards a teacher, and I've kind of enjoyed that hat. I like seeing people get to where they want to go and giving them as many shortcuts as they can get to get there. So for that, I thank you for your time,
and that's it.
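The import-table hashing the speaker describes (the Mandiant "imphash": MD5 over the normalized import list instead of over the whole file, so rebuilt variants that only swap a callback string still share a fingerprint) as an added example. This is not the speaker's code and not part of MalwareViz or malwr.com. The normalization it applies (lowercased DLL base name with a .dll/.ocx/.sys extension dropped, "dll.func" entries joined by commas, MD5 of that string) follows the published scheme; imports by ordinal are rendered as "ord<n>" here because no ordinal-to-name table is embedded, which is a simplification (pefile resolves well-known ordinals to names). The import tables, callback strings and code bytes are constructed stand-ins, not real samples, and `build_sample`, `cluster_by_imphash` and `flip_one_bit` are names chosen for this example.

```python
import hashlib
from typing import Dict, List, Tuple, Union

Import = Union[str, int]                      # function name, or ordinal number
ImportTable = List[Tuple[str, List[Import]]]  # (dll, [imports]) in table order


def normalize_imports(imports: ImportTable) -> str:
    """Build the string whose MD5 is the import hash.

    Per import: lowercase DLL base name (a .dll/.ocx/.sys extension is
    dropped) + "." + lowercase function name, kept in import-table order
    and joined with commas. Ordinal imports become "ord<n>" (assumption:
    no ordinal-to-name lookup is embedded in this example).
    """
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{base}.{name}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    """MD5 over the normalized import list: unchanged when a kit rebuilds
    the same code with a different callback, strings or padding."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def file_md5(data: bytes) -> str:
    """Whole-file fingerprint: any single-bit edit yields an unrelated value."""
    return hashlib.md5(data).hexdigest()


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Flip one bit of the file; shows the whole-file MD5 has no locality."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


# --- constructed samples (not real malware) ---------------------------------
# The "kit" keeps code and imports identical and only swaps the callback.
COMMON_IMPORTS: ImportTable = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "WriteFile"]),
    ("WININET.dll", ["InternetOpenA", "InternetOpenUrlA"]),
    ("WS2_32.dll", [23]),          # imported by ordinal only
]


def build_sample(callback: str,
                 imports: ImportTable = COMMON_IMPORTS) -> Tuple[ImportTable, bytes]:
    """Constructed stand-in for a compiled binary: fixed code bytes plus the
    embedded callback string; only that string differs between variants."""
    code = b"\x55\x8b\xec\x83\xec\x40" * 8      # arbitrary filler "code"
    return imports, code + b"\x00" + callback.encode("ascii") + b"\x00"


SAMPLES: Dict[str, Tuple[ImportTable, bytes]] = {
    "variant_a": build_sample("update.example-cb1.test"),
    "variant_b": build_sample("news.example-cb2.test"),
    # A rebuild that also gained a file-drop routine: its import table differs,
    # so it lands in a different cluster.
    "variant_c": build_sample("cdn.example-cb3.test",
                              COMMON_IMPORTS + [("KERNEL32.dll", ["CreateFileA"])]),
}


def cluster_by_imphash(samples: Dict[str, Tuple[ImportTable, bytes]]) -> Dict[str, List[str]]:
    """Group sample names by import hash; their whole-file MD5s are all distinct."""
    clusters: Dict[str, List[str]] = {}
    for name, (imports, _data) in samples.items():
        clusters.setdefault(imphash(imports), []).append(name)
    return clusters


if __name__ == "__main__":
    for name, (imports, data) in SAMPLES.items():
        print(f"{name}: md5={file_md5(data)} imphash={imphash(imports)}")
    for h, members in cluster_by_imphash(SAMPLES).items():
        print(f"imphash {h}: {', '.join(members)}")
```

On a real binary the import table would come from the PE import directory (pefile exposes it as `DIRECTORY_ENTRY_IMPORT` and computes the same hash with `get_imphash()`); the clustering step is the part this example is meant to show: two files with unrelated MD5s but the same imphash are candidates for "same code, different callback", and the visual comparison the speaker does in MalwareViz is the confirmation.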