What is Polymorphic Malware? An Overview

Dexter Morgan | November 2nd, 2017 | Forensics

Malware is malicious software that, when installed on a computer, disrupts its operation, gathers sensitive information, and damages files. So what is polymorphic malware? Polymorphic malware is a virus, Trojan, worm or spyware that constantly changes its appearance, making it difficult for investigators to detect its presence. Its name is derived from the word “morph”, meaning change.

The first polymorphic malware, named 1260, was introduced by Mark Washburn in 1990. Another was written in 1992 by a hacker known as Dark Avenger in order to evade pattern recognition by anti-virus software. One of the most common polymorphic malware families is Virut.

What Mechanism is used by Polymorphic Malware to Invade the User Machine?

Polymorphic malware attacks are often supported by a number of mechanisms. The malware can attack or enter the system through a variety of processes, such as a change in filename, compression, and encryption. It may also enter the system through processes like data appending and data pre-pending. For mutating, a polymorphic engine is used, which keeps the original algorithm of the malware intact: the code changes every time it runs, but the function of the code remains unaltered.

Encryption is the most common technique used to hide this code from detection, which is why polymorphic malware detection has never been an easy task. In this process, the main body of the malware code, known as the payload, is encrypted and on its own carries no meaning. In order to make the code function as before, a decryption function is always attached to it. When the complete code is executed, the decryption function reads the payload and decrypts it before executing it.

Process of Polymorphic Malware Attack

As discussed earlier, polymorphic malware performs the same function even though its appearance varies with each mutation. For example, a polymorphic malware intended to work as a keylogger will perform the same function even when its signature changes every time. Even when one instance of this polymorphic malware has been discovered by an anti-malware program, the next mutation will go undetected. This is because the signature of the rogue code changes, so to the anti-malware it appears that a new virus or Trojan has entered the system.

Challenges In Polymorphic Malware Detection

In order to avoid detection, polymorphic malware makes changes to its code. It consists of two parts, one of which remains the same with each iteration and hence is easier to detect. Since the virus body is not changed, it provides a complex signature that at times can be detected by the anti-virus programs installed on the user's machine.

How To Detect Polymorphic Malware?

In order to defeat the obfuscation used by polymorphic malware, an emulation technique can be deployed. This makes the malware demangle itself in a virtual environment, referred to as a “sandbox”. Other techniques that can be used for detecting polymorphic malware are multiple-transformation techniques such as code permutation, register renaming, code expansion, garbage code and code shrinking. Further advanced techniques that can be deployed for malware detection are generic decryption scanning, emulation and negative heuristic analysis.
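The following Python example is added here to illustrate two points from this article: the encrypted payload plus decryption function described under the invasion mechanism, and the generic decryption scanning mentioned above. It is not code from the original article and does not model any real malware family. The "payload" is a constructed text string, the "decryptor stub" is a single key byte followed by an XOR-encrypted body (an assumed, deliberately simple model), and the function names are the author's own. It shows why a hash of the stored bytes changes with every mutation while a hash taken over the decrypted body stays constant.

```python
import hashlib

# Constructed stand-in for a malware body (the "payload" in the article).
# It is plain text, not real malware; only its bytes matter for the demo.
PAYLOAD = b"DEMO_PAYLOAD: this body never changes between mutations"


def make_instance(payload: bytes, key: int) -> bytes:
    """Model of one polymorphic instance (assumed layout for this demo):
    a one-byte 'decryptor stub' carrying the XOR key, followed by the
    encrypted body. A different key gives a different on-disk byte
    pattern for the very same body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    body = bytes(b ^ key for b in payload)
    return bytes([key]) + body


def static_signature(sample: bytes) -> str:
    """What a naive whole-file hash signature sees: the bytes as stored."""
    return hashlib.sha256(sample).hexdigest()


def generic_decrypt(sample: bytes) -> bytes:
    """Generic decryption scanning: run (here, emulate) the stub far enough
    to recover the key it carries, then undo the encryption so the real
    body can be scanned."""
    if not sample:
        return b""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def reference_signature(body: bytes) -> str:
    """Hash of a known decrypted body, as stored in a known-bad list."""
    return hashlib.sha256(body).hexdigest()


def body_signature(sample: bytes) -> str:
    """Signature taken over the decrypted body instead of the stored bytes."""
    return reference_signature(generic_decrypt(sample))


def is_known_bad(sample: bytes, known_bad_bodies: set) -> bool:
    """Flag a sample if its decrypted body matches a known-bad body hash."""
    return body_signature(sample) in known_bad_bodies


if __name__ == "__main__":
    known_bad = {reference_signature(PAYLOAD)}
    a = make_instance(PAYLOAD, 0x5A)
    b = make_instance(PAYLOAD, 0xC3)
    print("static hashes equal:", static_signature(a) == static_signature(b))  # False
    print("body hashes equal:  ", body_signature(a) == body_signature(b))      # True
    print("instance a flagged: ", is_known_bad(a, known_bad))                  # True
```

The design point is where the signature is taken: a static hash of the stored file misses every new mutation, whereas hashing after the stub has been emulated and the body decrypted gives one stable value per family, which is what generic decryption and sandbox emulation rely on. Real decryptor stubs are far more varied than a single key byte, which is why production scanners emulate the code rather than parse a fixed header.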

Another method that can produce good results is Memory Block Hashing. This process can be used to identify memory-based remnants.
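As an added example of Memory Block Hashing (not code from the original article), the Python below hashes fixed-size blocks of a captured memory image and compares them against block hashes computed from a known, already-decrypted malware body. The reference body, the memory images and the 64-byte block size are all constructed for the demo; real tools normally hash at the operating system's page size. It also shows the alignment caveat: aligned block hashing is cheap but misses a remnant that does not start on a block boundary, and a sliding window finds it at a much higher cost.

```python
import hashlib

BLOCK_SIZE = 64  # toy block size for the demo; real tools usually use the page size (4096)


def reference_block_hashes(known_bodies, block_size=BLOCK_SIZE):
    """Hash every full, aligned block of each known (already decrypted) body.
    All-zero blocks are excluded: they occur everywhere in memory and would
    match in every process, producing only false positives."""
    zero_block = bytes(block_size)
    ref = set()
    for body in known_bodies:
        for off in range(0, len(body) - block_size + 1, block_size):
            block = body[off:off + block_size]
            if block != zero_block:
                ref.add(hashlib.sha256(block).hexdigest())
    return ref


def scan_memory(image, ref, block_size=BLOCK_SIZE, step=None):
    """Return the offsets in `image` whose block hash is in `ref`.
    `step` defaults to `block_size` (aligned blocks, as page-level hashing
    does). `step=1` slides the window byte by byte, which also catches a
    remnant that is not block-aligned but costs block_size times more hashing."""
    step = block_size if step is None else step
    hits = []
    for off in range(0, len(image) - block_size + 1, step):
        if hashlib.sha256(image[off:off + block_size]).hexdigest() in ref:
            hits.append(off)
    return hits


# Constructed data: a two-block reference body and two fake memory images.
BLOCK_A = b"DEMO_BODY_BLOCK_A_".ljust(BLOCK_SIZE, b".")
BLOCK_B = b"DEMO_BODY_BLOCK_B_".ljust(BLOCK_SIZE, b".")
KNOWN_BODY = BLOCK_A + BLOCK_B
# Body lands on a block boundary (offset 128), plus a trailing partial block.
IMAGE_ALIGNED = bytes(64) + b"\xcc" * 64 + KNOWN_BODY + bytes(64) + b"\xcc" * 10
# Same body starting at offset 100, i.e. not block-aligned.
IMAGE_MISALIGNED = b"\xcc" * 100 + KNOWN_BODY + b"\xcc" * 28


if __name__ == "__main__":
    ref = reference_block_hashes([KNOWN_BODY])
    print(scan_memory(IMAGE_ALIGNED, ref))             # [128, 192]
    print(scan_memory(IMAGE_MISALIGNED, ref))          # []
    print(scan_memory(IMAGE_MISALIGNED, ref, step=1))  # [100, 164]
```

Because the reference hashes come from the decrypted body, this works on remnants left in memory after the decryption function has run, which is exactly where the per-mutation disguise no longer applies. Excluding all-zero blocks from the reference set matters in practice: zero pages are the most common block in any process and would otherwise match everywhere.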

The best way to deal with polymorphic malware attacks is to deploy multiple, diverse programs for polymorphic malware detection, blocking, filtering, and removal. These programs need to be kept current and should be run frequently. Where auto-protect features are available, they should be enabled for protection against polymorphic malware attacks.