RSA 'Infected Art' Show: Malware Made Beautiful

They're beautiful but deadly. In a Symantec/MessageLabs art exhibit showcased during RSA Conference 2009, Trojans and botnets were displayed as captivating works of computational art that bring malware to life. And this year, new artworks also depict benign code used for e-mail archiving, encryption and e-mail continuity, as well as malicious software.

In the first stage of the process, the MessageLabs Intelligence team intercepted the threat and disassembled the code to render it inoperative. From there, the artist, Alex Dragulescu, used a specially built application to analyze the code and determine its values to create a 3-D entity. The entity was transferred to modeling software, where it was positioned and lit to best capture the aesthetics of the model. The artist then put the finishing touches on the final images for presentation. The result? Viruses and malware were transformed into exquisite works of art, such as the image on the left depicting a Phishing Account Notification scam.

Some might also know the CUTWAIL Trojan as PUSHDO and PANDEX. But regardless of the name, it's one of the world's largest botnets, controlling more than one million actively infected machines.

Some Trojans develop specializations, if you will. PWSLINEAGE's specialty is stealing passwords for a popular Asian Massively Multiplayer Online Role Playing Game (MMORPG), in which accounts can be worth real money (apparently, the hackers know this too). Other similar online games have also been targeted by this game-focused Trojan.

CIMUZ is an information-stealing Trojan that hooks itself into Internet Explorer, capturing information entered or saved by the user, including passwords, keystrokes and other confidential information. It then transmits the harvested data to its command and control center, terminating security software and unlocking firewalls, which leaves the infected computer vulnerable to further attacks.

Trojans love information, and TODYNHO is no exception. This one originates from Brazil and is known for stealing a victim's bank account information. Incidentally, the name TODYNHO was taken from the name of the e-mail attachment used to infect victims.

HUIGEXI is a targeted Trojan dropped via a PDF exploit, used to spy on audio and video communications in addition to Web, e-mail, IM and others. It is most commonly used for industrial espionage.

True to its name, TT.PDF is a PDF attached to an e-mail that contains no content, but plenty of malicious code. If opened, users will be treated to a display stating that the document is damaged and is being repaired. The Trojan then proceeds to crash the viewer after executing malicious code. It then promptly displays another PDF with what appears to be legitimate content so as not to arouse users' suspicions.

TT.DOC is a document used to conceal a targeted Trojan, arriving on the threat landscape via e-mail and claiming to contain a security issues report for the 2008 Beijing Olympic Games. The malware was sent to a small number of business and sporting users involved with the 2008 Beijing Olympics.

TROJAGENTIL3 belongs to a class of targeted Trojans that have endless variants in order to defeat signature-based detection. They're also carefully encoded to avoid behavioral techniques. Although this Trojan has been around for years, the malware's self-replication and variation capabilities allow it to continually evade conventional antivirus systems.

It's one of the most common social engineering tricks. An attacker will send an e-mail that appears to be an e-postcard sent by a friend or family member. Users are generally redirected to several other sites after clicking on the link before they unknowingly download a piece of malware designed to steal information and record keystrokes.

STORM is one of the names for the aggressively spreading malware also known as STORMWORM, DORF, PEACOMM, NUWASAR and SHELATIN. The malware spread globally, becoming one of the biggest botnets in history, with an estimated two million compromised computers under its control.

The figure represents anonymized data based on 24 hours of detailed statistics demonstrating typical usage of archiving, retrieval, search and recovery tools. The sphere is layered with the most recent archived e-mails stored near the surface (blue), while older e-mails inherit brighter colors toward the core (red). The 3-D forms change volume and shape based on attachment size.

This image was based on anonymized sender and recipient data from a 24-hour snapshot of MessageLabs Boundary Encryption service use. Data analysis of e-mail traffic to and from a MessageLabs customer, including the longitude and latitude of e-mails sent and received in one 24-hour period, was mapped into a 3-D space. The size of the data is represented as branch thickness and each color represents the encryption strength applied to the e-mail.

This image is based on anonymized data from a three-month snapshot of regular e-mail usage by a MessageLabs E-mail Continuity service customer. E-mail frequency and volume data are represented in the image as an uninterrupted arc from sender to recipient. The objects around the edge represent e-mail inboxes, and their size represents the size of the data in the e-mail. The arcs represent internal and external e-mail communications. The faded arcs are older e-mails, while the brightest arcs are more recent messages.