Graphing Malware - Sobig.F
Ero Carrera, Gergely Erdelyi
F-Secure Corporation
Project Description:
Windows binary malware has come a long way. Today's average worm is often tens or hundreds of kilobytes of code exhibiting a level of complexity that surpasses even some operating systems. This degree of complexity, coupled with the overwhelming flow of new malware, calls for improvements to tools and techniques used in analysis.

The authors relied heavily on graph theory to aid the analysis of these viruses. They used a series of reverse-engineering tools: IDA, the Interactive DisAssembler; IDAPython, a Python extension for IDA; and pydot, a Python interface to the Graphviz utilities. IDAPython and pydot were developed by the authors and released as open source. The graphs are produced by exploring the code of a malware sample, finding all of its functions and the relationships between them (which function calls which). This information, together with text references, is then exported through pydot into a format that the Graphviz utilities can read.
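The pipeline described above (collect call relationships and string references from a disassembled sample, then write them out for Graphviz), as an added illustration that is not the authors' IDAPython or pydot code. Inside IDA the edges and string references would come from the IDAPython API; here they are constructed sample data so the script runs offline, and the DOT output is written by hand rather than through pydot.

```python
"""Call graph with string references, exported as Graphviz DOT.
Added example, not the IDAPython/pydot code behind the Sobig.F graphs. In IDA
the edges and string refs come from the IDAPython API; here they are constructed
sample data so it runs offline, and DOT is emitted by hand without pydot.
"""
from collections import defaultdict

# Constructed sample: (caller, callee) pairs, as collected by walking the
# code cross-references of every function in a disassembled binary.
SAMPLE_CALLS = [
    ("start", "init"), ("start", "main_loop"),
    ("init", "load_config"), ("main_loop", "process_item"),
    ("main_loop", "sleep_ms"), ("process_item", "log_message"),
    ("process_item", "format_record"), ("format_record", "log_message"),
]
# Constructed sample: text (string literal) references per function.
SAMPLE_STRINGS = {"load_config": ["config.ini"], "log_message": ["%s: %s"]}

def build_call_graph(calls):
    """Map each function to its sorted callees; leaf callees get an empty list."""
    graph = defaultdict(set)
    for caller, callee in calls:
        graph[caller].add(callee)
        graph.setdefault(callee, set())
    return {fn: sorted(callees) for fn, callees in graph.items()}

def entry_points(graph):
    """Functions nothing calls: where a walk of the sample should begin."""
    called = {c for callees in graph.values() for c in callees}
    return sorted(fn for fn in graph if fn not in called)

def to_dot(graph, strings):
    """Emit a digraph: one box per function, labelled with its string refs."""
    lines = ["digraph callgraph {", "  node [shape=box];"]
    for fn in sorted(graph):
        refs = [s.replace('"', '\\"') for s in strings.get(fn, [])]
        label = "\\n".join([fn] + refs)  # literal \n is Graphviz's label newline
        lines.append(f'  "{fn}" [label="{label}"];')
    for fn in sorted(graph):
        lines.extend(f'  "{fn}" -> "{callee}";' for callee in graph[fn])
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(build_call_graph(SAMPLE_CALLS), SAMPLE_STRINGS))
```

Piping the output through `dot -Tpng` renders the same kind of function-relationship graph the images on this page show, with each node carrying the strings that function references.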

These images show a graph representing the structure of the Sobig.F Virus.
