Polymorphic and metamorphic malware constantly changes itself in order to avoid detection and persistently remain on the system. This adaptive behavior is the main distinctive attribute of these types of malware, which is also why they are harder to detect; it is also why they pose a great threat to systems. On the surface, the functionality of this sort of changing and mutating malware appears the same, but each has its own differences.
Polymorphic malware continually changes its features using dynamic encryption keys, making each iteration appear different. This method is very effective against anti-malware products that rely on traditional signature-based detection methods. By the time the malware signature is identified and released, the malware has already evolved into something new. Since only a part of its code is changed, this makes polymorphic malware quite easier to identify than metamorphic malware.
Here are some techniques used by polymorphic malware –
- Subroutine reordering – A set of simple instructions designed to run inside a program on a frequent basis is known as a subroutine. The malware changes its code`s subroutines frequently so it`s harder to be detected by antiviruses.
- Dead-Code insertion – The technique of inserting nonsensical code to change the malware`s appearance while not altering its behavior.
Register swapping – The technique of switching registers from generation to generation without altering the program code to obfuscate the malware. Some examples of polymorphic malware are –
- Storm Worm – Back in 2007, through spam emails, this polymorphic malware was able to infect an estimated 8% of devices around the globe. It changes its appearance every 30 minutes and turns the victim`s system into a robot, enabling it to receive commands from a malicious external controller.
- CryptoWall – This malware encrypts the files of the victim`s computer, not to demand ransom, but to evade usual protective measures. It creates new variants for each target.
- Virlock – This early strain of ransomware evolved in 2015. It locks the target`s computer and encrypts files. It posed as an FBI copyright violation notice, demanding $250 to unlock the computer.
Polymorphic malware can be detected using two different techniques: the entry point algorithm, and generic description technology. The entry point algorithm scans the machine code at the entry point of each file, and generic description technology runs the file on a protected virtual computer.Metamorphic malware
Metamorphic malware evades detection by rewriting its own code with every iteration, making it new and unique from its previous code. This malware doesn`t use any encryption keys; the malware itself changes its existing instructions to functionally equivalent ones when creating copies. Because of its complexity, detection is much harder for antivirus scanners. It requires extensive knowledge to create this type of malware since it includes many transformation techniques.
Techniques such as subroutine reordering, dead code insertion, and register swapping are also used by metamorphic malware. Some of the other techniques that are used include: instruction replacement, code permutation, and random jump instructions.
Some examples of metamorphic malware are –
- W95/Regswap – Initiated in December 1988, it uses the register swapping technique, but the complexity isn`t very high.
- W32/Evol – Appeared in July 2000, it runs a metamorphic engine and can run on any major Win32 platform. It is capable of inserting garbage code between core instructions of the program.
- Win95/Zmist – Includes techniques such as code integration, jump instructions, and Entry-Point Obscuring (EPO), which hides the malware`s entry point to avoid detection.
Metamorphic malware can be detected using methods such as tracking emulators, and geometric detection, which combines machine learning and computer vision to find geometric features.
Best practices to prevent polymorphic and metamorphic malware
- Having strong account protection policies, such complex passwords and Multi-Factor Authentication (MFA).
- Employing robust security solutions such as firewalls, entry point detection software, and heuristic and behavior detection software.
- Installing the latest software security updates and keeping them up to date.
- Educating your employees on good security practices, and building awareness of the latest cyberattacks.
Polymorphic and metamorphic malware is sophisticated in nature. These software variants are able to obfuscate themselves and evade detection from anti-malware scanners. They use various complicated methodologies to remain hidden. It is crucial that organizations understand these types of malware and implement necessary defenses against them.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.