Windows binary malware has come a long way. Today's average worm is often tens or hundreds of kilobytes of code, exhibiting a level of complexity that surpasses even some operating systems. This degree of complexity, coupled with the overwhelming flow of new samples, calls for improvements to the tools and techniques used in analysis.
The authors lean heavily on graph theory to aid the analysis of these viruses. They rely on a set of reverse-engineering tools: IDA – the Interactive DisAssembler, IDAPython – a Python extension for IDA, and pydot – a Python interface to the Graphviz utilities. IDAPython and pydot were developed by the authors and released as open source. The graphs are built by walking the code of a malware sample, enumerating every function and the call relationships between them (who calls whom). This information, together with the text (string) references made from each function, is then exported through pydot into a format that the Graphviz utilities can read.
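The graph-building step described above, as an added example that is not the authors' code: a call graph is assembled from (caller, callee) pairs plus per-function string references and then emitted as Graphviz DOT text. The function names, call edges and strings are constructed stand-ins for what an IDAPython script would collect from a disassembled sample (for instance with idautils.Functions() and idautils.CodeRefsTo()); the example writes DOT directly instead of going through pydot so that it runs offline with no IDA or pydot installed. Treating names that contain a dot (such as "ws2_32.connect") as imported API calls is a naming convention assumed for the example.

```python
"""Call-graph construction and Graphviz DOT export for a disassembled sample.

Added example: the call edges and string references below are constructed
stand-ins for what an IDAPython script would collect from a real sample via
idautils.Functions() / idautils.CodeRefsTo(); no IDA or pydot is needed here.
"""
from collections import defaultdict, deque

# Constructed sample: (caller, callee) pairs. Names with a DLL prefix such as
# "ws2_32.connect" model imported API calls (a naming assumption for this example).
SAMPLE_CALLS = [
    ("start", "init_winsock"),
    ("start", "spread"),
    ("spread", "scan_subnet"),
    ("spread", "send_payload"),
    ("scan_subnet", "connect_host"),
    ("send_payload", "connect_host"),
    ("connect_host", "ws2_32.connect"),
    ("init_winsock", "ws2_32.WSAStartup"),
    ("orphan_helper", "send_payload"),
]

# Constructed sample: string literals referenced from each function.
SAMPLE_STRINGS = {
    "spread": ["\\\\%s\\ADMIN$"],
    "send_payload": ["evil.exe"],
}


def dot_escape(text):
    """Escape a string for use inside a double-quoted DOT attribute."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


class CallGraph:
    def __init__(self):
        self.nodes = set()
        self.callees = defaultdict(set)   # caller -> {callee}
        self.callers = defaultdict(set)   # callee -> {caller}
        self.strings = defaultdict(list)  # function -> [referenced strings]

    def add_call(self, caller, callee):
        self.nodes.update((caller, callee))
        self.callees[caller].add(callee)
        self.callers[callee].add(caller)

    def add_string(self, func, text):
        self.nodes.add(func)
        self.strings[func].append(text)

    def roots(self):
        """Functions nobody calls: entry points, or code reached only indirectly."""
        return {n for n in self.nodes if not self.callers.get(n)}

    def reachable_from(self, start):
        """All functions reachable from `start` by following call edges (BFS)."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in self.callees.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def to_dot(self, name="callgraph"):
        """Emit a Graphviz DOT digraph; nodes and edges are sorted so output is stable."""
        out = [f"digraph {name} {{", "  node [shape=box fontname=monospace];"]
        for n in sorted(self.nodes):
            # Node label: function name, then each referenced string on its own line
            # ("\n" here is the literal two-character DOT newline escape).
            parts = [dot_escape(n)] + [dot_escape(s) for s in self.strings.get(n, [])]
            label = "\\n".join(parts)
            attrs = [f'label="{label}"']
            if "." in n:                      # imported API call (naming assumption)
                attrs.append("shape=ellipse")
            elif not self.callers.get(n):     # uncalled function: worth an analyst's look
                attrs.append("style=filled fillcolor=lightgrey")
            out.append(f'  "{dot_escape(n)}" [{" ".join(attrs)}];')
        for caller in sorted(self.callees):
            for callee in sorted(self.callees[caller]):
                out.append(f'  "{dot_escape(caller)}" -> "{dot_escape(callee)}";')
        out.append("}")
        return "\n".join(out)


def build_sample_graph():
    g = CallGraph()
    for caller, callee in SAMPLE_CALLS:
        g.add_call(caller, callee)
    for func, texts in SAMPLE_STRINGS.items():
        for t in texts:
            g.add_string(func, t)
    return g


if __name__ == "__main__":
    # Render with: python callgraph.py | dot -Tpng -o callgraph.png
    print(build_sample_graph().to_dot())
```

The uncalled-function check is the practical payoff of having the graph as data rather than as a picture: a function with no callers is either a real entry point or code reached only through an indirect call or a jump table that the disassembler did not resolve, and both cases deserve a closer look. Feeding the output to `dot` produces the same kind of picture the authors generate through pydot.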