We will analyze the history of samples downloaded from a few links. The focus of the analysis will be to understand the effect of server-side polymorphism. For that purpose we will monitor the executables downloaded from the selected links and build a collection of samples. The metadata of the samples, and the changes in the samples during the time the link is alive, will be analyzed.
Some of the questions that we will attempt to address: Is the same malware or malware family downloaded from the same link? Are the samples just repacked versions of the same malware? What types of changes do we see in the binaries? Is the polymorphism proactive or reactive?
Inconsistencies in naming and detection of server-side polymorphic samples will also be covered. A few basic types of server-side polymorphism will be illustrated and analyzed.
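As an added illustration (not code from the original analysis), the sketch below shows one way to summarize such a collection: given a log of what each monitored link served at each fetch, it reports how many distinct files were seen and how often the served file changed. The record layout, link names, hashes and pattern labels are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed observations: (fetch time, link, file hash, size in bytes).
# Link names and hashes are placeholders, not real URLs or sample hashes.
OBSERVATIONS = (
    [(f"2024-01-01T{h:02d}:00", "link-A", f"hash-a{h}", 90000 + 512 * h) for h in range(6)]
    + [(f"2024-01-01T{h:02d}:00", "link-B", f"hash-b{h // 3}", 73728) for h in range(8)]
    + [(f"2024-01-01T{h:02d}:00", "link-C", "hash-c0", 40960) for h in range(3)]
)


def summarize(observations):
    """Per link: fetch count, distinct hashes and sizes, change cadence."""
    by_link = defaultdict(list)
    for ts, link, digest, size in observations:
        by_link[link].append((datetime.fromisoformat(ts), digest, size))

    report = {}
    for link, rows in by_link.items():
        rows.sort()  # chronological order
        # Times at which the served file differed from the previous fetch.
        changes = [cur[0] for prev, cur in zip(rows, rows[1:]) if cur[1] != prev[1]]
        gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(changes, changes[1:])]
        distinct = len({digest for _, digest, _ in rows})
        if distinct == 1:
            pattern = "static"
        elif distinct == len(rows):
            # Every fetch was unique; the real interval may be shorter than the polling interval.
            pattern = "new file on every fetch"
        else:
            pattern = "periodic change"
        report[link] = {
            "fetches": len(rows),
            "distinct_hashes": distinct,
            "distinct_sizes": len({size for _, _, size in rows}),
            "median_hours_between_changes": median(gaps_h) if gaps_h else None,
            "pattern": pattern,
        }
    return report


if __name__ == "__main__":
    for link, stats in summarize(OBSERVATIONS).items():
        print(link, stats)
```

A hash that changes while the file size stays constant, as for link-B in the constructed data, is the kind of metadata pattern worth comparing against the repacking question above.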