Presentations‎ > ‎

Server-side Polymorphism: A Study of a Few Links


Robert Sandilands


In the anti-virus industry, we always talk about the millions of samples we receive per month. The reality is that these samples represent a much smaller number of actual malware families. To gain a better understanding of the actual number of malware families we have to analyze the effect of server-side polymorphism. Server-side polymorphism is where samples are changed/morphed on the server and changes either with every download or on a schedule.
We will analyze the history of samples downloaded from a few links. The focus of the analysis will be to understand the effect of server-side polymorphism. For that purpose we will monitor the executables downloaded from the selected links and build a collection of samples. The meta data of the samples and the changes in the samples during the time the link is alive will be analyzed.
Some of the questions that we will attempt to address: Is the same malware or malware family downloaded from the same link? Is the samples just repacked versions of the same malware? What types of changes do we see in the binaries? Is the polymorphism pro-active or reactive?
Inconsistencies in naming and detection of server-side polymorphic samples will also be covered. A few basic types of server-side polymorphism will be illustrated and analyzed.