CWSandbox vs. ALLAPLE
Thursday, April 26. 2007
Since the middle of December 2006, a polymorphic worm named ALLAPLE.B has been spreading. Thanks to Corrado Leita and ScriptGen, nepenthes can also capture this particular worm. Each iteration has a new MD5 sum, so this hash is a weak indicator of the uniqueness of a given sample. However, it is pretty easy to spot ALLAPLE with the help of CWSandbox, since the worm has some unique behavior, for example:
- It uses the filename urdvxc.exe
- The mutex is always jhdheddfffffhjk5trh
- It pings hosts in a random class B network and, if a host replies to ICMP echo requests, it tries to attack it on TCP ports 139 and 445
In contrast to static analysis, such behavior-based malware classification can help to categorize a given malware sample based solely on the actions it performs. For example, yesterday we captured 84 samples with different MD5 sums that behave exactly like ALLAPLE does. All these samples belong to the same family and are only minor variants.
The complete report is available as HTML analysis and XML analysis.
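As an added illustration of the behavior-based classification described above (example code written for this post, not part of CWSandbox or nepenthes), the following matcher scores constructed sandbox-style event logs against the three ALLAPLE indicators listed here; the event tuple format and the sample IP addresses are assumptions, and the MD5 is computed only to show that it differs between variants the matcher still groups together.

```python
"""Behaviour-based family matching over sandbox-style event logs (added example)."""
import hashlib

# Behavioural indicators for the ALLAPLE family, as listed in the post.
ALLAPLE = {
    "filename": "urdvxc.exe",
    "mutex": "jhdheddfffffhjk5trh",
    "ports": {139, 445},
}


def matches_allaple(events):
    """Return the set of ALLAPLE indicators a report satisfies.

    `events` is a list of (kind, value) tuples in an assumed format:
    ("file_create", path), ("mutex_create", name),
    ("icmp_echo", ip), ("tcp_connect", (ip, port)).
    """
    hits = set()
    pinged = set()  # hosts that answered an ICMP echo request
    for kind, value in events:
        if kind == "file_create" and value.lower().endswith(ALLAPLE["filename"]):
            hits.add("filename")
        elif kind == "mutex_create" and value == ALLAPLE["mutex"]:
            hits.add("mutex")
        elif kind == "icmp_echo":
            pinged.add(value)
        elif kind == "tcp_connect":
            ip, port = value
            # Ping-then-attack pattern: SMB ports on a host that was pinged first.
            if ip in pinged and port in ALLAPLE["ports"]:
                hits.add("scan_139_445")
    return hits


def classify(sample_bytes, events, required=3):
    """Classify a sample by behaviour; the MD5 is reported but never used for matching."""
    hits = matches_allaple(events)
    family = "ALLAPLE" if len(hits) >= required else "unknown"
    return hashlib.md5(sample_bytes).hexdigest(), family, hits


# Constructed event log shared by two variants with different bytes (hence
# different MD5 sums) but identical behaviour, as with the 84 samples above.
VARIANT_EVENTS = [
    ("file_create", r"C:\WINDOWS\system32\urdvxc.exe"),
    ("mutex_create", "jhdheddfffffhjk5trh"),
    ("icmp_echo", "10.23.4.5"),            # constructed address
    ("tcp_connect", ("10.23.4.5", 139)),
    ("tcp_connect", ("10.23.4.5", 445)),
]
```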