I recently found the distribution point for a malware affiliate that dynamically generates a new binary (but the same malware) every time it is queried. The malware distributors periodically query the affiliate's distribution point to receive a new binary, but every query to the distribution location returns a binary with a different hash value. I generated a sample of 10 binaries and uploaded each of them to VirusTotal.com to find out whether the changes being made to the binary disrupted the ability of anti-virus (AV) software to detect the malware. While just under 40% of the AV products that VT uses detected the software, the ones that did detect it continued to do so despite the per-binary changes that caused the hash value to vary.
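The practical consequence for defenders is that a blocklist of file hashes collected from one download will not match the next one, while anything keyed on the unchanged content still does. The following added example (not code from the original post) models that with constructed byte blobs: an invariant core plus a per-download variable tail, compared against a whole-file hash blocklist, a hash over only the invariant region, and a byte-pattern rule; the core layout and the rule are hypothetical stand-ins for a real code section and a real signature.

```python
import hashlib
import random

# Constructed stand-in for the distributed binary: an invariant "core" that is
# identical in every download, followed by a variable region that the
# distribution point changes on each request (the behaviour described above).
CORE = b"MZ\x90\x00" + bytes(64) + b"CORE-ROUTINE:" + bytes(range(256)) * 4
CORE_LEN = len(CORE)

# Hypothetical content-based rule: a byte pattern taken from the invariant
# region (an analyst would carve this from a real code section).
PATTERN = b"CORE-ROUTINE:" + bytes(range(16))


def make_variant(seed: int) -> bytes:
    """Constructed sample: same core, different per-download trailing bytes."""
    rng = random.Random(seed)
    tail = seed.to_bytes(4, "little")
    tail += bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 256)))
    return CORE + tail


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def core_hash(data: bytes) -> str:
    """Hash over the invariant region only, ignoring the variable tail."""
    return sha256(data[:CORE_LEN])


def pattern_match(data: bytes) -> bool:
    return PATTERN in data


def evaluate(n: int = 10) -> dict:
    samples = [make_variant(i) for i in range(n)]
    # Hash blocklist built from the first download only, as a responder would
    # have after seeing a single sample.
    blocklist = {sha256(samples[0])}
    reference_core = core_hash(samples[0])
    return {
        "distinct_file_hashes": len({sha256(s) for s in samples}),
        "distinct_core_hashes": len({core_hash(s) for s in samples}),
        "blocklist_hits": sum(sha256(s) in blocklist for s in samples),
        "core_hash_hits": sum(core_hash(s) == reference_core for s in samples),
        "pattern_hits": sum(pattern_match(s) for s in samples),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```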

Here are the results:

| Sample | Scanned | Detections | Rate |
|---|---|---|---|
| 1 | 2010-08-24 19:51:04 | 16/42 | 38.1% |
| 2 | 2010-08-24 19:51:14 | 15/41 | 36.6% |
| 3 | 2010-08-24 19:51:26 | 15/41 | 36.6% |
| 4 | 2010-08-24 19:51:39 | 14/40 | 35.0% |
| 5 | 2010-08-24 19:51:52 | 15/40 | 37.5% |
| 6 | 2010-08-24 19:52:06 | 16/42 | 38.1% |
| 7 | 2010-08-24 19:52:19 | 16/42 | 38.1% |
| 8 | 2010-08-24 19:52:37 | 14/39 | 35.9% |
| 9 | 2010-08-24 19:52:50 | 16/42 | 38.1% |
| 10 | 2010-08-24 19:53:03 | 16/42 | 38.1% |

| AV | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| nProtect | – | – | – | – | – | – | – | – | – | – |
| CAT-QuickHeal | x | x | x | x | x | x | x | x | x | x |
| McAfee | x | x | x | x | x | x | x | x | x | x |
| TheHacker | – | – | – | – | – | – | – | – | – | – |
| VirusBuster | – | – | – | – | – | – | – | n | – | – |
| NOD32 | – | – | – | – | – | – | – | – | – | – |
| F-Prot | x | x | x | x | x | x | x | x | x | x |
| Symantec | – | – | – | – | – | – | – | – | – | – |
| Norman | – | – | – | – | – | – | – | – | – | – |
| TrendMicro-HouseCall | – | – | – | – | – | – | – | – | – | – |
| Avast | – | – | – | – | – | – | – | – | – | – |
| eSafe | – | – | – | – | – | – | – | – | – | – |
| ClamAV | – | – | – | – | – | – | – | – | – | – |
| Kaspersky | – | – | – | – | – | – | – | – | – | – |
| BitDefender | x | x | x | x | x | x | x | x | x | x |
| SUPERAntiSpyware | – | – | – | – | – | – | – | – | – | – |
| Sophos | x | x | x | x | x | x | x | x | x | x |
| Comodo | x | x | x | x | x | x | x | x | x | x |
| F-Secure | x | x | x | x | x | x | x | x | x | x |
| DrWeb | – | – | – | – | n | – | – | – | – | – |
| AntiVir | – | – | – | – | – | – | – | – | – | – |
| TrendMicro | – | – | – | – | – | – | – | – | – | – |
| McAfee-GW-Edition | x | n | n | n | n | x | x | x | x | x |
| Emsisoft | x | x | x | n | x | x | x | n | x | x |
| eTrust-Vet | x | x | x | x | x | x | x | x | x | x |
| Authentium | x | x | x | x | x | x | x | x | x | x |
| Jiangmin | – | – | – | – | – | – | – | – | – | – |
| Antiy-AVL | – | – | – | – | – | – | – | – | – | – |
| Microsoft | – | – | – | – | – | – | – | – | – | – |
| ViRobot | – | – | – | – | – | – | – | – | – | – |
| Prevx | – | – | – | – | – | – | – | – | – | – |
| GData | x | x | x | x | x | x | x | x | x | x |
| AhnLab-V3 | – | – | – | – | – | – | – | – | – | – |
| VBA32 | x | x | x | x | x | x | x | x | x | x |
| Sunbelt | x | x | x | x | x | x | x | x | x | x |
| PCTools | – | – | – | – | – | – | – | – | – | – |
| Rising | – | – | – | – | – | – | – | – | – | – |
| Ikarus | x | x | x | x | x | x | x | x | x | x |
| Fortinet | – | – | – | – | – | – | – | – | – | – |
| AVG | – | – | – | – | – | – | – | – | – | – |
| Panda | x | x | x | x | x | x | x | n | x | x |
| Avast5 | – | – | – | – | – | – | – | – | – | – |

x = detected

– = not detected

n = not tested