Polymorphic Malware, And How They Continually Change To Avoid Detection

There are a lot of variants of malware, with each having their own unique traits. Then there is one that continuously change.

This kind of malware is called 'polymorphic malware'. From viruses, worms, bots, trojans, or keyloggers, their polymorphic variants can have different characteristics every time they run, like having different file names and types or encryption keys.

With their ever-changing characteristics, polymorphic malware can be unrecognizable to many detection techniques.

With its ever-changing nature, polymorphic malware are often used to evade pattern-matching detection relied on by security solutions like antivirus software. While certain characteristics of polymorphic malware change, its functional purpose remains the same.

By changing their characteristics to generate a new signature, antivirus software that are based on signature-based detection solutions won't recognize polymorphic malware as malicious.

Even if the new signature is identified and added to antivirus solutions’ signature database, polymorphic malware that continues to change its signatures can still carry out attacks without being detected.

Demon hiding

Polymorphic malware's name comes from the term 'polymorphism', which means in programming languages and type theory, a single interface to entities of different types.

Polymorphism can also be described as the ability of an object to take on many forms.

Malware creators have used this polymorphism attacks since at least the 1990s.

For many years, people using computers have relied on the conventional wisdom on malware protection, by investing on preventative measures, like using antivirus, or setting up firewalls. These approach, while they do recognize many patterns, signatures and behaviors, they can be rendered useless when dealing with malware with their polymorphic variant.

As a result, their ineffectiveness at detecting and stopping the malware prior to compromise, would allow the malware to infect and even stay on the affected system for a long period of time.

Related: Understanding The "Fileless Malware", And What You Can Do To Protect Yourself

Polymorphic malware attacks are often supported with N number of mechanisms, meaning that they can change by unknown times.

This kind of malware can evade antivirus protections by using a variety of processes like change in filename, compression, and encryption. In addition to this, the malware may also enter the system through processes like data appending and data pre-pending.

Encryption is the most common technique to hide polymorphic malware's code from being detected and thus, polymorphic malware detection has never been an easy task. The payload of polymorphic malware is encrypted and won't generate any meaning.

Modern antivirus software are turning the table by employing some of the same kinds of polymorphic evasive techniques as protective measures.

The strategy can include endpoints detection, which is similar to how polymorphic malware rely on particular operating system and device weaknesses. Using the same knowledge, endpoint detection can also be used to harden systems.

The techniques originally were called a 'moving target defense'.

There is also the strategy that involves the antivirus in digging deeper into the operating systems that they protect. This approach can prevent zero-day exploitation attempts, malware deployment and malicious communications from an infected bot, by looking for typical behaviors such as privilege escalation or running processes.

Other approaches include, and not limited to: using the emulation technique to make the malware to dispatch itself but inside a controlled environment, detecting multiple transformation techniques, generic decryption scanning, negative heuristic analysis and Memory Block Hashing.

Memory Block Hashing
Memory Block Hashing method can be used for identifying memory based remnants

While there isn't any foolproof antivirus software to defend against this type of malware, people can have a better chance in preventing polymorphic malware infection on their devices by combining people, processes, and technology.

There are a number of best practices that people and companies can follow to better protect themselves from polymorphic malware, and below are a few key tips:

  • Keep system updated to the newest version: the best and the most preventive measure comes from keeping various installed apps and software tools updated to their newest version. Enterprise software manufacturers regularly release software updates that contain critical security patches for known vulnerabilities. Running outdated software with security vulnerabilities leaves systems vulnerable to exploits that can lead to a variety of malware infections.
  • Never open suspicious links or attachments: A no brainer. Unknown links or attachments sent by someone unknown can certainly contain malware, and in fact, it is the most common way for malware infection. People should learn how to recognize suspicious links and attachments to help mitigate this common entry vector for malware attacks.

  • Use strong passwords and change them regularly: a strong password is one thing, and to ensure that hackers can never gain entry, people should change their passwords as often as possible. To manage this, they can use password manager. Using multi-factor authentication can also help.

  • Use behavior-based detection tools: since polymorphic malware is designed primarily to evade detection by traditional antivirus tools, the best solutions to defend against this kind of malware is to use a more advanced behavior-based detection techniques. These tools have endpoint detection and response, or advanced threat protection to pinpoint threats in real time, before any of the data is compromised.