Fans of superhero movies know Mystique from X-Men for her ability to shapeshift and mimic voices with precision, making her a formidable foe. This ability is akin to Polymorphic Malware in cybersecurity, a malicious software constantly changing its form, challenging even the best antivirus solutions.
What it is
Unlike Mystique who largely uses disguise at the initial stage of attack to gain access, Polymorphic Malware – which also gets its name from its ability to alter or morph its code – wreaks more damage once it has gained access to the system. Constantly evolving codes and appearances ensure it evades signature-based detection tools (1) and renders it hard for antivirus solutions to identify.
Polymorphic malware or metamorphic malware as they are sometimes called, comes in various types – viruses that change their code, trojans that trick users into hazardous actions, worms that propagate without user interaction, and ransomware that alter their encryption algorithms to bypass detection tools and encrypt user data. However, the two malware differ (3) in as much that the former morphs its code using a variable encryption key, whereas metamorphic malware rewrites its code without an encryption key.
Of the two, polymorphic malware is more common. Webroot researchers (3) have found that 97% of malware infections employ polymorphic techniques. In contrast, metamorphic malware is more complex, harder to write and hugely transformative, which enables it to evade traditional detection methods.
The evolution
First emerging in the 1990s as part of an exercise by cybersecurity watchdogs to demonstrate to internet users the limitations of existing antivirus scanners when dealing with mutant viruses, the demonstration was exploited by scammers to trigger a wave of polymorphic virus activity. Today nearly every malware infection employs some form of polymorphism. Amongst the best known of these are:
- the Storm Worm that tricked users into downloading a trojan,
- VirLock that infected shared applications and cloud storage, froze computer screens, and
- the legendary Beebone botnet (credited with morphing 19 times in a day) that seized control of banking activity via spyware installed on some 12,000 computers worldwide, requiring the combined efforts of the FBI and Europol to bring it down.
How it works
Taking advantage of the limitations of traditional signature-based detection tools that make them hard to detect, Polymorphic Malware starts out with the scammer disguising the malicious code via encryption (2), allowing it to bypass traditional security tools and gain access to the system, like a stealth bomber flying below the radar. Once installed the infected file is automatically downloaded and decrypted. A mutation engine proceeds to alter the file in terms of its name, size and location, often quite different from the initial file that breached the system, and hence impossible to identify. The virus blends seamlessly into processes, wreaking its damage with dead code insertion, code manipulation, changed register values, subroutine alteration and instruction substitution. Polymorphic Malware uses a variety of methods to change its code.
- Code obfuscation where the malware uses encryption to confuse detection systems as to its identity
- Dynamic encryption keys that make it hard for detection tools that are programmed to determine a fixed pattern
- Variable code structure that makes static signature detection tools ineffective
- Behavioral adaptation that alters its behavioral and execution patterns to blend in with system processes
The mutation engine that Polymorphic malware possesses serves as a host for other viruses, often being used by them to develop their own morphing characteristics.
Tackling the menace
Putting a face to an attacker or an enemy, or simply identifying the perpetrator of the damage, is at the heart of any preventive or remediation method. In the case of a faceless or dynamic villain, this is easier said than done.
To counter the menace, Cybersecurity experts are relying on:
- Behavioral Analyses that determine attack patterns,
- AI and ML that mime attack incident databases to offer early detection,
- Active Endpoint Detection Responses (EDR) that increase threat visibility and facilitate real-time detection, and
- Remediation Measures that restore systems to pre-attack states after the malware strikes.
Crowdstrike (2) advocates signature-less malware protection, the ML-based algorithms that determine the malicious nature of the file, and the installation of cloud-based Next Generation Antivirus solutions (NGAV) that combine AI, behavioral detection features, ML algorithms, and mitigation measures.
TechTarget opines that a sophisticated antivirus solution that handles both Polymorphic and Metamorphic Malware is better equipped to handle the viruses, which merit a different detection technique (4). Polymorphic malware requires an entry point algorithm or generic description technology for detection, while Metamorphic malware is detected using geometric detection or by using tracing emulators.
Best user practices for organizations
Since a significant percentage of these attacks start out with compromise of the user, experts are advising that organizations continue to drive vigilance and alertness at the user level. Responsible user behavior is expected to rein in the menace to a large extent. Users therefore would do well to follow the basic safety protocols that, if not followed, can compromise their safety. Crowdstrike’s article (2) serves as a comprehensive checklist for such desired behaviors.
Yet while best practices ensure the second level of defense, the organization’s SOC has the primary responsibility. Organizations rely on vendors and service providers for their virus solutions. Yet despite vendors introducing new scanning capabilities into their solutions, botnets often breach their defenses at times when the computer is idling. CSO Online (5) advocates using multiple layers of scanning that seek out malware variants and zero-hour protection and response systems, to flag a suspicious file or activity, and have a fairly good measure of security.
Conclusion
Marvel’s X-Men based movie Dark Phoenix sees the end of a rampaging Mystique more by accident than by design. Polymorphic malware, however, are not likely to be detected or meet their end by accident. Gartner (3) estimates that enterprises spend 90% on prevention and 10% on detection, a skewed ratio that will not deter malicious activities. Unless this approach changes and robust detection techniques are deployed, organizations will continue to be on red alert for the rampaging threat of Polymorphic Malware.
References
- What is Polymorphic Malware? – SentinelOne
- What is a Polymorphic Virus? Examples & More – CrowdStrike
- What is Polymorphic Malware? A Definition and Best Practices for Defending Against Polymorphic Malware (digitalguardian.com)
- What are metamorphic and polymorphic malware? (techtarget.com)
- Polymorphic Malware: A Threat That Changes on the Fly | CSO Online
