"Impossible" is a bit of a tricky claim, for there also is some malware out there that is packed alongside actual software, essentially using that as its padding. I don't see how a visualizer would be able to show the difference. But it's a great and interesting tool otherwise!
Just another way of telling somebody it's just a false positive lol.
Yeah, but they would be a different case from a file pretending to be a contract, as here. Of course it is much harder if you are expecting a similar exe anyway. You need to actually RE and analyse each function for that.
AI can be helpful with it
@@larry-kapo-ya7326 fr, how have they not done that with AI yet?
@@larry-kapo-ya7326 I'm pretty sure AI is already running in some antiviruses.
I remember the beginning of this channel. At that time, with your internet, you would not have been capable of analyzing a 700 MB file in real time.
@4:00 comes the show stealer. Never heard about binvis before. Thanks 🙏 for the mention & also thank you for the ❤️ and pinned comment I got from you last time. You make cybersecurity easy and interesting. If I had a boss like you in my previous company I wouldn't have left that office. Your videos are keeping my hopes alive to cling on to this field and contribute for the greater humanity. Love 💕 you 🎉
There is another free tool called common sense. If you need to break out the forensics to determine that a 700 MB file is not an A4 page business proposition that would be 24 KB, oh well ....
perhaps the best anti virus is the common sense we made along the way
umm actually the best antivirus is kaspersky
@@ad1340yt Kaspersky won't help you if you lack common sense.
@@ad1340yt Kaspersky vs Common Sense 2023 might well be equal when it comes to blocking malware and ransomware samples. But we won't know until Leo shows us the results.
The "common sense" of today is just tomorrow's attack vector. It's not enough.
@@ad1340yt Is it? I'm not sure if it's Kaspersky or Bitdefender or something else.
Dumb question but why not just fill the blank space with random data to make it appear like there's something there?
I don't really think the file visualizer would be of any use against that method...
Viruses like to be small when you download them but huge when you unzip them.
Small so it doesn't take forever to download, but afterwards huge so antiviruses don't scan them, because they're that huge.
Beat me to it. But this actually already happens in certain cases, with some malware coming alongside actual software and basically using that as its padding. Random data would do too but why go out of the way?
However, scammers can get it out there and target more people faster by putting in as little effort as possible.
Because bytes actually have meaning, so it would be some kind of instructions or data if you don't use a blank byte, and if you were to put random data or instructions in it, there is a big chance the program will break and won't execute, which makes it much more complex than just filling it with blank bytes.
@@2wr633 you can make your exe skip that though, or not?
@@2wr633 Yes and no; bytes have a meaning, yes, but that's for a machine. A person cannot tell if a scramble of bytes in a 600 MB file is an actual data structure or just a mess of randomness. Not to mention that when I said "randomness" I didn't mean pure randomness, I meant something that resembles a program structure but doesn't hold any significant function/purpose.
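The thread above asks what the visualizer would show if the zeros were replaced with random data. The script below is an added example, not from the video or from any commenter: a text-mode version of the binvis idea that splits a file into 4 KiB blocks and reports each block's Shannon entropy (bits per byte) and its share of 0x00 bytes. Zero padding is entropy 0.0 (the black region binvis draws); random or encrypted padding is entropy close to 8.0, which normal code and documents do not reach either, so it stands out just as clearly, only in a different colour. The block size and the two thresholds are my assumptions, not binvis settings, and both sample files are constructed inline (a small text stand-in for a payload followed by padding).

```python
"""Added example, not from the video or any comment above: a text-mode
binvis. Per 4 KiB block it reports Shannon entropy (bits/byte) and the
share of 0x00 bytes. Zero padding -> entropy 0.0; random or encrypted
padding -> entropy near 8.0. All inputs are constructed inline."""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096      # profiling granularity; assumption, not a binvis setting
ZERO_THRESHOLD = 0.99  # share of 0x00 bytes for a block to count as padding
HIGH_ENTROPY = 7.5     # bits/byte; plain code and text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for identical bytes, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Per-block (entropy, zero_fraction) tuples in file order."""
    prof = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        prof.append((shannon_entropy(block), block.count(0) / len(block)))
    return prof


def render(prof: list) -> str:
    """One character per block: '.' zero padding, '#' high entropy, '~' other."""
    return "".join(
        "." if z > ZERO_THRESHOLD else "#" if e > HIGH_ENTROPY else "~"
        for e, z in prof
    )


def summarise(prof: list) -> dict:
    """The two numbers worth reading off before opening a hex editor."""
    total = len(prof)
    return {
        "blocks": total,
        "zero_padding_fraction": sum(z > ZERO_THRESHOLD for _, z in prof) / total,
        "high_entropy_fraction": sum(e > HIGH_ENTROPY for e, _ in prof) / total,
    }


# --- constructed samples: a small text stand-in for a payload, then padding ---
PAYLOAD = (b"MZ" + b"mov eax, [ebp+8]\ncall sub_401000\nret\n" * 300)[:2 * BLOCK_SIZE]


def zero_padded_sample(pad_blocks: int = 30) -> bytes:
    """Payload followed by zeros, the layout shown in the video."""
    return PAYLOAD + b"\x00" * (pad_blocks * BLOCK_SIZE)


def random_padded_sample(pad_blocks: int = 30) -> bytes:
    """Same payload followed by pseudo-random bytes (seeded for reproducibility)."""
    rng = random.Random(1234)
    return PAYLOAD + bytes(rng.getrandbits(8) for _ in range(pad_blocks * BLOCK_SIZE))


if __name__ == "__main__":
    for label, sample in (("zero padded", zero_padded_sample()),
                          ("random padded", random_padded_sample())):
        prof = profile(sample)
        print(f"{label:14} {render(prof)}  {summarise(prof)}")
```

Run as a script it prints one line per sample; the zero-padded file renders as two `~` blocks followed by thirty `.`, the random-padded one as the same two `~` followed by thirty `#`. Either way the payload is a sliver and the rest is uniform, and that shape, not the colour, is what makes a 700 MB "contract" implausible. A packer wrapping the whole payload would make the first blocks `#` too, which is exactly why entropy alone cannot separate "encrypted malware" from "legitimately packed installer".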
It's a perfect job for an A.I. malware scanner.
Teach it what clean files look like and what sketchy files look like.
And let it scan the web.
That wouldn't work very well because you could just pad the file with random bytes and it wouldn't be able to detect it.
@@duplicake4054 Hey, if companies start releasing visualizers for their software, it would be so great for people who pirate it lol.
I don't really understand. Why not look at the extension (.scr) or the first two bytes (MZ) to find out if it's a real pdf or an executable?
@@nneeerrrd or boomers
Extensions are not a reliable way of determining that; the first two bytes are reliable, but attackers can also embed files further down or call them externally. A more reliable way is to look at the system calls the file makes.
@@manticore4952 I mean, if we are checking if a file contains ANY executable code at all, then sure, yeah. They could remove the magic number or obfuscate it in any way they like. But we aren't talking about that.
We are talking about whether a file is safe to open or not. And you know what? 9/10 if it isn't an executable it's safe to open. If you are certain that the real extension is .pdf, then it is perfectly safe to open (unless a new exploit arose, but I doubt that).
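The exchange above pits the extension check against the MZ magic check. Both are cheap and they answer different questions: Windows decides how to open a file from its (hidden-by-default) final extension, while the loader decides whether it can run from the bytes. The script below is an added example, not the video's tool or any commenter's code: it identifies content from magic bytes (MZ for DOS/PE, %PDF- for PDF), follows e_lfanew to confirm a real PE signature, compares that with the extension the name claims, and scans the rest of the buffer for a second file carried further down, the case the reply above raises. The extension sets are my own selection, and the PE and PDF samples are constructed and minimal (the PE has a header chain but is not loadable).

```python
"""Added example, not from the video or any comment above: decide what a
file is from its bytes, compare with what its name claims, and look for a
second file embedded further in. Samples are constructed and minimal."""
import os
import struct

# Assumed sets, not exhaustive: extensions Windows executes directly, and
# document extensions an attacker likes to put in front of them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_pe_at(data: bytes, off: int) -> bool:
    """True if a DOS header at `off` points (via e_lfanew at +0x3C) to 'PE\\0\\0'."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    return data[pe:pe + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Content type from magic bytes at offset 0, ignoring the filename."""
    if is_pe_at(data, 0):
        return "pe"
    if data[:2] == b"MZ":
        return "mz-dos"  # DOS stub without a PE header, or a damaged PE
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


def find_embedded(data: bytes) -> list:
    """(offset, kind) for PE or PDF magic found anywhere after offset 0."""
    hits = []
    for magic, kind in ((b"MZ", "pe"), (b"%PDF-", "pdf")):
        off = data.find(magic, 1)
        while off != -1:
            if kind != "pe" or is_pe_at(data, off):  # bare 'MZ' is too common
                hits.append((off, kind))
            off = data.find(magic, off + 1)
    return sorted(hits)


def extensions(name: str) -> tuple:
    """(final_ext, inner_ext): 'Contract.pdf.scr' -> ('.scr', '.pdf')."""
    stem, final = os.path.splitext(name)
    return final.lower(), os.path.splitext(stem)[1].lower()


def triage(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    final_ext, inner_ext = extensions(name)
    content = identify(data)
    embedded = find_embedded(data)
    is_exec = content in ("pe", "mz-dos")
    if is_exec and final_ext not in EXECUTABLE_EXTENSIONS:
        verdict = "executable disguised as document"   # opens in a reader, errors out
    elif is_exec and inner_ext in DOCUMENT_EXTENSIONS:
        verdict = "executable with double extension"   # Contract.pdf.scr, runs on click
    elif is_exec:
        verdict = "executable"
    elif any(kind == "pe" for _, kind in embedded):
        verdict = "document with embedded executable"
    elif content == "pdf":
        verdict = "document"
    else:
        verdict = "unknown"
    return {"name": name, "extension": final_ext, "content": content,
            "embedded": embedded, "verdict": verdict}


# --- constructed samples ---
def fake_pe(tail: bytes = b"") -> bytes:
    """Minimal DOS header whose e_lfanew points at a PE signature (not loadable)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + tail


PDF_SAMPLE = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("Contract.pdf.scr", fake_pe()),
                       ("Contract.pdf", fake_pe()),
                       ("report.pdf", PDF_SAMPLE),
                       ("report.pdf", PDF_SAMPLE + fake_pe())):
        print(triage(name, data))
```

The e_lfanew walk matters more than it looks: a bare "MZ" occurs by chance every 64 KiB or so in random data, so scanning for it without confirming the PE signature would flood a 700 MB file with false hits. The scan also catches the reverse trick of a real PE carrying a PDF decoy in its overlay. It does not cover a payload that is only fetched at runtime, which is the "call them externally" case above and needs the behavioural view the commenter recommends.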
Uploading a big file to a website is bothersome and time-consuming. Is there any offline local version of this binary visualizer?
Can you make a playlist on your channel for this series of videos?
Is it just me or have you not done the absolute basics by enabling file extensions on the view menu? afaik, an .exe masquerading as a .PDF will still clearly end in .exe. That's normally more than enough to spot this crap.
Very good tutorial ❤
Are there ANY real cases where a 600 MB PDF is NOT fake?
Unless you're abusing it as a "zip" for BMPs, how would you get a "real" PDF that large?
You could scan images... there was a 750 page book 📚 that was 500 MB or so, but scanned as a colour image.
4:09 I think the malware creator is a little bit dumb.
They should have added random non-ASCII binaries to the rest of the file instead of blank padding.
Random binaries that do nothing, like assigning values to memory, or just loops or functions that do nothing but can fill up the rest of the space.
This makes me wonder if you could train an AI on these visualisations to detect these kinds of hiding strategies. So like a very basic classification conv net.
you could, but the model could as well be used to develop an obfuscation layer to make malware's visualization look legit
There's a paper on this method ("Binary File's Visualization and Entropy Features Analysis Combined with Multiple Deep Learning Networks for Malware Classification") by Guo et al. which consists of training a CNN against samples of malware both visualized using this method (as you proposed) and with their entropy sequence visualized in grayscale, with 99% accuracy and with a capability to easily "group" malware from the same families. Indeed very effective.
@@malwaretestingfan Are there any antivirus software that detects malware with this method, or was this done only for research purposes?
Research, but I suppose most AV companies use AI methodology in the cloud, bundled together with their product. @@aleks_ivanov
Just use data from a legit file instead of 0s to make it look like a real file
❤ good advice.
Advice
@pwhittak88 thanks.
Great watch
Won't we know about anything manipulated with the file type from checking the properties normally?
Amazing, thank you Leo. 👍
Love your videos, they gave me a lot of insight. Also, if it's not too much trouble, could you make a video on how to fix Windows updates not installing after debloat? I really don't want to reset Windows.
Next time they will chuck WinRAR duplicates instead of zero spacing so it looks different :/
I have very suspicious behaviour on my mobile. How can I tell if I'm hacked and what can I do?
Nice tool. Wish there was also an offline version.
We are looking for more antivirus tests.
bookmarked the tool.
Great tutorial, Thanks.
That is a brilliant idea!
Really nice👍!
I am using binwalk with recursive search.
Nice Sir :D
Who tf would send a phishing email to "the pc security channel"
Hi there. Please make a tutorial video about "Tron Script" to remove viruses from a Windows computer. Thank you.
very nice
I got hacked by a trojan on a Windows 10 PC. It is a rootkit, because it infected the bootable USB, it seems. Can it be cleaned by a cloud download of Windows 10?
Possibly, though get a gparted USB and wipe the drive first (after backing up files to OneDrive, etc)
Awesome tool, is there any offline version of this? (Portable would be even better.)
If in a legit .exe file there is a lot of empty space, then what will happen if we remove it? Will it still work with decreased size, since we are just removing empty space?
So the more blackness there is, the more suspicious the file is?
Amazing
Could you try famous PDF sites and analyze the files?
Wouldn't encryption just garble it into random nonsense visually?
so, they can pad it with pdf files
It hangs on large RAR files.
Why not copy-paste the same malware code for 650 MB to make it look legit in the whole file instead of empty bits? Is this possible?
Whoa, binvis would be great for reverse engineering.
What happens when you open the bad PDF? Is Chrome (PDF reader) vulnerable?
It will error out... as it is an exe or scr file in disguise.
@1p2k-223 Yes, but it won't execute, so the system won't get infected.
Last year, with this method, someone tried to hack a famous Turkish YouTuber.
Your voice sounds a bit different
annoying really
Couldn't they just get around this by putting in the rest of it as a Shakespeare play??
I have 9 years of mod experience on Twitch, are you interested? But I can't do this as a hobby.
Permision me only gablesyou🎉🎉