The Book of Trees is now available!      See other retailers
Home     About     VC Book     Stats     Blog     Books     Links     Contact  
Search the VC database:
    Computer Systems   < Prev | 158 of 1000 | Next >
The materials shown on this page are copyright protected by
their authors and/or respective institutions.
Graphing Malware - Netsky.AD vs Buchon
Author(s):
Ero Carrera, Gergely Erdelyi
Institution:
F-Secure Corporation
Year:
2004
URL:
http://tinyurl.com/58o24
Project Description:
Windows binary malware has come a long way. Today's average worm is often tens or hundreds of kilobytes of code exhibiting a level of complexity that surpasses even some operating systems. This degree of complexity, coupled with the overwhelming flow of new malware, calls for improvements to tools and techniques used in analysis.

The authors focused greatly on graph theory to aid the analysis of these viruses. They use a series of tools for reverse engineering malware such as: IDA - the Interactive DisAssembler, IDAPython - Python extension for IDA, and pydot - Python interface to Graphviz utilities. IDAPython and pydot were developed by the authors and released as open source. The resulting graphs are done by exploring the code of a malware sample looking for all the functions and the relationships between them (who calls who). This information, together with text references, are then exported using pydot into a format that Graphviz utilities can read.

These two images illustrate a comparative analysis between two viruses, respectively, Netsky.AD (first image) and Buchon (second image).

Comments (1):
superr

Posted by eldar18 on Apr 27, 2008 at 12:32 PM (GMT)

*Note* Before you submit your comment, bear in mind there's no guarantee it will be seen by this project's author. In case you want to contact the author directly, please follow the provided URL.
Leave a Comment:
* COMMENTS HAVE BEEN TEMPORARILY DISABLED *
(We're looking for the best solution to avoid unwanted SPAM)
Manuel Lima | VisualComplexity.com