Polymorphic virus

Polymorphic viruses are complex file infectors that can modify ("morph") themselves in order to avoid detection, while retaining the same basic routines after each and every infection.
During each infection the virus changes the appearance of its component files, by encrypting them with a different key every time, compressing them, or changing their names. This is done by a mutation engine, which produces a new mutation with every infection.
The use of dynamic code makes this kind of virus hard for traditional security tools to detect. The main goal of this type of virus is to steal information, disrupt operations or carry out ransomware attacks. The name comes from its ability to change "shape": poly (many) and morphic (shape, form, transform).



About Polymorphic viruses

What can a polymorphic virus do and how does it work?

How does it work?

Even though its appearance varies with each mutation, a polymorphic virus' function remains the same: that of spyware acting as a keylogger, for example, a function that is preserved through every mutation.
Usually an antivirus adds the signatures of newly discovered malware and viruses to a downloadable database; the fact that polymorphic viruses change their signature voids all the effort of collecting known signatures. In this way the attackers gain a foothold against basic security measures that only check signatures to detect and block malicious code.

How is it made?

Polymorphic viruses are usually composed of underlying malicious code (keylogger, spyware, ransomware) kept as an encrypted payload, plus a mutation engine. The mutation engine does not change the malicious code; it changes the virus' decryption routine, so that each time it is installed on a new system the same virus has a completely different signature from one system to the next.
The encryption of the payload conceals the malicious code from scanners and threat-detection software. Once the virus is installed on a system the payload is decrypted and the system is infected; the mutation engine then encrypts the payload once again with a different key, so that at the next infection the decryption routine will be different and the files will appear different to scanners.



Sanity Checks


How does one avoid polymorphic Viruses?

Polymorphic viruses are usually distributed through spam, infected websites or other malware, so avoid those. As said earlier, most conventional anti-threat software relies on signature and pattern based detection, which is easily fooled by a polymorphic virus' capabilities.
In order to detect polymorphic viruses, a key requirement is a scanner that can check multiple strings, and their various encryptions, at the same time.
Newer security services offer a machine learning approach that also analyzes software behaviourally and heuristically, checking whether it does something shady rather than only whether its signature is known to belong to malicious code.

Heuristic scanning looks for the crucial components a threat might be composed of instead of looking for exact string matches, which increases the chances of the software detecting a virus that changes its underlying strings through encryption.
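To make the two points above concrete (a scanner that checks several strings under their various encryptions at once, and looking for crucial components instead of exact matches), here is an added example that is not part of the article: a small "X-ray" scanner in Python that searches a file for known plaintext strings under every single-byte XOR key. The signatures, the payload text and the filler bytes are all constructed for the demo; the single-byte XOR is a stand-in for the re-encryption a mutation engine performs, not a real virus routine.

```python
# Added example, not from the article: a tiny "X-ray" scanner that looks for
# known plaintext strings under every single-byte XOR key, so a payload that
# was re-encrypted with a new key for each infection still matches.
# All strings, payload and filler bytes below are constructed for the demo.
import hashlib

# Plaintext fragments a scanner might know from the decrypted payload
# (hypothetical signatures, chosen for the demo).
SIGNATURES = [b"GetAsyncKeyState", b"keylog.txt"]

# Stand-in for the decrypted malicious payload (constructed, harmless text).
PAYLOAD = b"...log keys to keylog.txt via GetAsyncKeyState..."

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the toy 'encryption' used here)."""
    return bytes(b ^ key for b in data)

def make_sample(key: int) -> bytes:
    """Mimic one infection: the same payload, encrypted with this infection's
    key, wrapped in constructed filler so it sits at an offset in a 'file'."""
    filler = bytes(range(64))
    return filler + xor_bytes(PAYLOAD, key) + filler

def fingerprint(data: bytes) -> str:
    """Whole-file hash: a signature database entry in the classic sense."""
    return hashlib.sha256(data).hexdigest()

def plain_scan(data: bytes, sigs=SIGNATURES):
    """Classic scan: exact byte matches only."""
    return [s for s in sigs if s in data]

def xray_scan(data: bytes, sigs=SIGNATURES):
    """Check every signature under all 256 single-byte XOR keys at once.
    Returns (signature, key, offset) for each hit."""
    hits = []
    for key in range(256):
        for sig in sigs:
            off = data.find(xor_bytes(sig, key))
            if off != -1:
                hits.append((sig, key, off))
    return hits

if __name__ == "__main__":
    a, b = make_sample(0x5A), make_sample(0xC3)
    print("hashes differ:", fingerprint(a) != fingerprint(b))   # True
    print("plain scan:", plain_scan(a))                          # []
    print("x-ray scan:", xray_scan(a))   # both signatures found under key 0x5A
```

Two "infections" of the same payload get different file hashes and defeat the exact-match scan, while the X-ray scan recovers both strings together with the key used, which is the idea behind checking strings and their encryptions simultaneously.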

Behaviour scanning analyzes what a piece of code actually does, not only what its code looks like.

Unusual slowdowns, strange requests such as access to reserved or personal information, website redirection, or a browser tab opening without user consent could all be signs of the virus trying to lead the user to an infected website.

The best way to keep a polymorphic virus from infecting your system is to have antimalware and threat-detection software installed; keep it updated and run it often. Avoid opening links or attachments unless you know who sent them, keep passwords updated and back up your data.



Edoardo Salvioni