Comparing different versions of SDBot using SABRE BinDiff v1.7

Programming stuff

Saturday, October 1. 2005

Posted by sp in Malware

Comment (1)
Trackbacks (0)
41113 hits

Comparing different versions of SDBot using SABRE BinDiff v1.7

SABRE BinDiff is a cool little tool made by Sabre Security. It works as a plugin for the popular disassembler IDA Pro and compares two versions of a binary file. After the comparison ended it can show which functions changed between the two versions of the file and which didn't. That alone wouldn't make it noteworthy but thanks to some cool graph-based algorithms BinDiff can even create successful matches when the order of the functions or the code inside the functions changed.

In this small paper I wrote about my experiences while using BinDiff to compare four different versions of the widespread Trojan horse SDBot.

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Nice paper, 10x!
#1 QuickSilver on 2007-09-28 11:07 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
 
Submitted comments will be subject to moderation before being displayed.
 

Frontpage - Top level

Calendar

Back November '18
Mon Tue Wed Thu Fri Sat Sun
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30    

Quicksearch

Archives

Contact

142691645
AIM StatusRiijngoud
LambdaCube
sporst

Links

Top Exits

www.the-interweb.com (689)
en.wikipedia.org (342)
www.amazon.com (150)
the-interweb.com (95)
www.slideshare.net (83)
www.zynamics.com (78)
www.offensive-security.com (49)
www.s9y.org (45)
code.google.com (40)
nostarch.com (38)

Syndicate This Blog

Blog Administration

Open login screen

Powered by

Serendipity PHP Weblog

Categories



All categories