ONLINE REGISTRATION CLOSES OCT 13TH AT 23:59 MYT

Walk in registrations at The InterContinental for the conference on 16th and 17th are still accepted (walk-in rate MYR1499).

For up-to-the-minute updates on #HITB2013KUL including on-site happenings during the event, please follow @hitbsecconf on Twitter.

Wes Brown (Chief Architect, ThreatGRID)

LAB TITLE: Using Visualization to Analyze Malware

LAB ABSTRACT:

Last year’s Supercomputing and Malware talk had visualizations that showed diagrams of relationships between hosts for a single sample. These graphs were beautiful and helped show the scale and scope of the data we worked with.

For this year’s talk, we’re taking that ball and running away with it. We’ll show how to use visualization to analyze malware at the micro level as well as the macro level. In this talk, we will show the audience how to generate the visualizations that we show, as well as the proof of concept scripts, so that audience members can experiment with them.

A sneak preview at some of the things that we will be showing:

* Using heatmaps on top of block fuzzy hashing data; this will allow pinpointing the differences between two similar malware samples, such as Zeus variants.

* Using heatmaps to show entropy at a block level to find encrypted sections in malware — this is useful for finding obfuscated code or more importantly, finding the non-encrypted sections for the actual executable unpacker.

* Even more interestingly, using multiple heatmaps to represent different aspects of data such as entropy, PDF streams, and sections to allow a reverse engineer to visually scan through a lot of malware.

* Showing relationships between time and execution in a timeline visualization to pinpoint events and traffic to particular sites.

* Visualizing the network connections that multiple malware samples make to specific sites to find relationships between them.
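As an added illustration of the first two bullets (this is not the speaker's proof-of-concept code), the Python below computes per-block Shannon entropy for a byte string, renders it as an ASCII heatmap row, locates the low-entropy runs where an unencrypted unpacker stub would sit, and marks which blocks differ between two samples. Exact per-block SHA-256 stands in for the fuzzy hashing the talk uses, and the two samples are constructed byte strings, not malware.

```python
import hashlib
import math
import random
from collections import Counter

BLOCK = 256            # bytes per block; one heatmap cell per block
SHADES = " .:-=+*#%@"  # low entropy -> ' ', high entropy -> '@'

def block_entropy(data: bytes, block: int = BLOCK) -> list[float]:
    """Shannon entropy in bits per byte (0.0..8.0) for each fixed-size block."""
    result = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        n = len(chunk)
        result.append(-sum(c / n * math.log2(c / n) for c in Counter(chunk).values()))
    return result

def heatmap_row(values: list[float], vmax: float = 8.0) -> str:
    """Render one row of cells as ASCII shades, a terminal stand-in for a colour heatmap."""
    top = len(SHADES) - 1
    return "".join(SHADES[min(top, int(v / vmax * top))] for v in values)

def low_entropy_runs(entropies: list[float], threshold: float = 6.0) -> list[tuple[int, int]]:
    """Contiguous block ranges [start, end) below threshold: the plain-code regions
    (loader or unpacker stub) that sit next to packed or encrypted payload."""
    runs, start = [], None
    for i, h in enumerate(entropies + [threshold]):  # sentinel closes a trailing run
        if h < threshold and start is None:
            start = i
        elif h >= threshold and start is not None:
            runs.append((start, i))
            start = None
    return runs

def block_diff(a: bytes, b: bytes, block: int = BLOCK) -> list[bool]:
    """Per-block 'differs' flags; exact SHA-256 per block replaces the talk's fuzzy
    hashing, so a cell lights up wherever the two samples diverge at all."""
    def digests(d: bytes) -> list[bytes]:
        return [hashlib.sha256(d[o:o + block]).digest() for o in range(0, len(d), block)]
    da, db = digests(a), digests(b)
    return [x != y for x, y in zip(da, db)] + [True] * abs(len(da) - len(db))

def demo() -> tuple[list[float], list[tuple[int, int]], list[bool]]:
    # Constructed stand-ins: a 2-block low-entropy stub (4-symbol alphabet, entropy
    # exactly 2.0) followed by 4 blocks of seeded pseudo-random "encrypted" payload.
    stub = b"MZ\x90\x00" * (BLOCK // 4) * 2
    sample_a = stub + random.Random(1).randbytes(4 * BLOCK)
    sample_b = bytearray(sample_a)
    sample_b[3 * BLOCK + 10] ^= 0xFF  # a one-byte patch inside block 3
    ent = block_entropy(sample_a)
    return ent, low_entropy_runs(ent), block_diff(sample_a, bytes(sample_b))

if __name__ == "__main__":
    ent, runs, diff = demo()
    print("entropy :", heatmap_row(ent))
    print("diff    :", "".join("X" if d else "." for d in diff))
    print("stub at blocks", runs)
```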

ABOUT WES BROWN

Wes Brown is currently Chief Architect at ThreatGRID working on scalable systems for malware intelligence collection and correlation; he leads a small expert team and greatly enjoys the challenges of building a high performance cluster from a software engineering and architectural point of view. Liberal application of statistics, kernel hacking, hypervisor development, alcohol, coffee, cursing, his wife’s home cooking, and his fellow engineers make his job possible.

Brown is an expert at reverse engineering, having worked with security biometric devices, Intel’s HECI transport, encryption algorithms, and proprietary communication and switching protocols. He has developed protocol intercept code, device communication protocols, test and fuzzing frameworks. He is also a highly respected speaker at conferences, pioneering the concept of injectable virtual machines, and discussing malware analysis from a manual and automated perspective.


Copyright © 2013 Hack In The Box | http://www.hackinthebox.org