July 22, 2022
A polymorphic virus is a type of malware that is programmed to repeatedly change its appearance, and therefore its file signature, by re-encrypting its body under a new key and generating a fresh decryption routine for every copy. It is often lumped together with the metamorphic virus, which goes a step further and rewrites its own code rather than merely re-encrypting it. Either way, many traditional cybersecurity tools, such as antivirus or antimalware solutions that rely on signature-based detection, fail to recognize and block the threat, because no two copies share the same byte pattern.
How can a polymorphic virus evolve?
File name changes | Compression | Encryption
How often can a polymorphic virus evolve?
≈ 10 minutes
How prevalent are polymorphic viruses?
Nearly all malware attacks include some form of polymorphic techniques
A polymorphic attack usually follows this process:
While polymorphic viruses may change their file name, size, hash or location from one copy to the next, the function, operation and goal of the malware remain the same. For example, a trojan that has polymorphic properties will always operate as a trojan, even though every copy carries a different file signature.
Polymorphic viruses first emerged in 1990 as a research demonstration of the limitations of the antivirus scanners of the time. The very first, a virus called 1260 (also known as V2PX), was meant to serve as a warning, though it inadvertently inspired a wave of criminal activity based on the virus's capabilities. In the decades that followed, countless polymorphic viruses have emerged, and today nearly every malware infection employs some form of polymorphism.
Some of the most well-known examples of polymorphic viruses and malware include:
Though polymorphic virus is a common term in the cybersecurity world, not all polymorphic attacks are viruses. Some rely on other types of malware, such as Trojans, keyloggers, bots, spyware and ransomware, that have been equipped with a mutation engine. Technically speaking, these attacks involve polymorphic malware or metamorphic malware. Strictly, polymorphic malware keeps its body encrypted and varies only the key and the decryption routine from copy to copy, while metamorphic malware rewrites the code of the body itself, so that even the decrypted program differs between copies.
Polymorphic viruses, or any type of malware that uses polymorphic techniques, can be difficult to detect with traditional threat detection methods because each copy presents a different sequence of bytes to the scanner.
In simple terms, traditional antivirus or antimalware software looks for signatures: fixed byte sequences, or a hash of the whole file, taken from a known malicious sample. Heuristic rules broaden this somewhat, but they still key on recognizable code patterns. Once the virus re-encrypts its body under a new key and emits a new decryption routine, none of those byte sequences are present, so the tool cannot recognize the threat. This is true even if another endpoint on the same network was previously infected by the same polymorphic virus and that copy's hash was added to the blocklist: the next copy has a different hash.
To detect polymorphic viruses, organizations must employ advanced cybersecurity tools that enable signature-less malware protection.
Signature-less malware protection uses machine learning (ML) algorithms to estimate the likelihood that a file is malicious by looking at the broader picture and extracting so-called "features" from the files analyzed. These are high-level characteristics that describe the structure of the file numerically rather than as exact byte strings. For example, the ML model can measure the amount of randomness (entropy) in various regions of the file, which stays high for an encrypted body no matter which key was used, and it can examine embedded resources such as images, icons, user interface templates or string tables. The tool can also dissect the code and describe it numerically so that the result can be fed into a machine learning classifier.
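The following Python is an added illustration, not code from the original article or from CrowdStrike. It builds a toy mutation engine of the kind described above (new key, reordered decryptor setup, random junk padding, body re-encrypted each generation) and then runs both detection strategies over its output: a fixed-byte signature taken from one generation, and the entropy-based features just discussed, with a simple decision rule standing in for a trained classifier. The payload, the benign comparison file, the token names (LOAD_KEY, XORLOOP and so on, which replace real machine code) and the SHA-256 counter-mode keystream are all constructed for the example.

```python
"""Toy polymorphic mutation engine beside signature-based and feature-based
detection. Everything here is constructed for illustration; text tokens stand
in for machine code."""
import hashlib
import math
import random
from collections import Counter

# Constructed payload: the part of the malware that never changes.
PAYLOAD = (b"open(C:\\Users\\victim\\Documents); encrypt_files(); "
           b"beacon(http://c2.example.invalid/); sleep(600)\n") * 6

# Constructed benign file for comparison: ordinary text, nothing packed.
BENIGN = b"This is a plain text document with ordinary words and no packed code.\n" * 10

SETUP = [b"LOAD_KEY", b"LOAD_LEN", b"LOAD_PTR"]  # order-independent setup steps
JUNK = [b"NOP", b"XCHG", b"MOV_R1_R1"]           # semantic no-ops used as padding
LOOP = b"XORLOOP|"                               # marks where key + body begin
KEYLEN = 16


def keystream(key: bytes, n: int) -> bytes:
    """Expand a per-generation key into n bytes (SHA-256 in counter mode)."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


def mutate(payload: bytes, rng: random.Random) -> bytes:
    """One generation: fresh key, reordered setup steps, random junk, and the
    body re-encrypted under the new key. Behaviour is identical every time."""
    key = bytes(rng.getrandbits(8) for _ in range(KEYLEN))
    steps = SETUP[:]
    rng.shuffle(steps)
    stub = []
    for step in steps:
        stub.extend(rng.choice(JUNK) for _ in range(rng.randint(0, 3)))
        stub.append(step)
    decryptor = b"|".join(stub) + b"|" + LOOP
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    return decryptor + key + body


def generations(n: int, seed: int = 2022) -> list:
    """n successive mutations of PAYLOAD from a seeded engine (reproducible)."""
    rng = random.Random(seed)
    return [mutate(PAYLOAD, rng) for _ in range(n)]


def run(sample: bytes) -> bytes:
    """What the stub does at runtime: locate the key, decrypt, hand over the body."""
    i = sample.index(LOOP) + len(LOOP)
    key, body = sample[i:i + KEYLEN], sample[i + KEYLEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))


def file_hash(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


# --- signature-based detection: a fixed byte string from one known sample ---
def make_signature(known: bytes, length: int = 24) -> bytes:
    mid = len(known) // 2            # lands inside the encrypted body
    return known[mid:mid + length]


def signature_match(sample: bytes, sig: bytes) -> bool:
    return sig in sample


# --- signature-less detection: structural features instead of byte strings ---
def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def features(sample: bytes, window: int = 32, high: float = 4.5) -> dict:
    """Windowed entropy profile: how much of the file looks encrypted, and
    whether a low-entropy prefix (a decryptor) sits in front of it."""
    ents = [entropy(sample[i:i + window]) for i in range(0, len(sample), window)]
    flags = [e >= high for e in ents]
    return {
        "high_entropy_fraction": round(sum(flags) / len(flags), 2),
        "low_entropy_prefix_windows": flags.index(True) if True in flags else len(flags),
    }


def looks_packed(f: dict) -> bool:
    """Stand-in for a trained classifier: a decision rule over the features."""
    return f["high_entropy_fraction"] >= 0.5 and f["low_entropy_prefix_windows"] >= 1


if __name__ == "__main__":
    variants = generations(5)
    sig = make_signature(variants[0])
    for v in variants:
        print(file_hash(v)[:16], "sig:", signature_match(v, sig),
              "features:", features(v), "packed:", looks_packed(features(v)),
              "same behaviour:", run(v) == PAYLOAD)
    print("benign:", features(BENIGN), "packed:", looks_packed(features(BENIGN)))
```

Every generation has a different hash and defeats the signature lifted from the first one, yet decrypts to the same payload, while the entropy profile (a large encrypted region behind a small plaintext prefix) is the same for all of them and absent from the benign file. Two simplifications are worth noting: the toy keeps a fixed `XORLOOP|` marker so the stand-in runtime can find the key, whereas a real engine also rewrites the loop itself, and a production feature extractor would work over real structure (PE sections, imports, resources) rather than fixed 32-byte windows.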
One of the most effective ways to protect the organization from a polymorphic virus is to implement a robust next-generation antivirus solution (NGAV) that protects against both known and unknown threats, including fileless attacks and malware with no known signature, prevents malware-free attacks, and integrates with threat intelligence tools.
For more information please read our related post, What is NGAV?
A large portion of polymorphic virus attacks begin with the compromise of a user's account or workstation. For this reason, it is important that all users remain vigilant for attack indicators and exhibit responsible behavior.
Some common tips include:
CrowdStrike Falcon® Prevent™ is the new standard in prevention, delivering superior protection from malware, exploits, malware-free intrusions and advanced persistent threats. Organizations gain an unprecedented level of visibility into attempted attacks in an easy-to-read process tree that provides the details and context necessary to understand what’s happening on the endpoint and how to remediate effectively.
CrowdStrike Falcon® Prevent enables state-of-the-art protection: