What is Polymorphic Malware?

Data Security Knowledge Base

A Definition and Best Practices for Defending Against Polymorphic Malware


Polymorphic malware is a type of malware that constantly changes its identifiable features in order to evade detection. Many of the common forms of malware can be polymorphic, including viruses, worms, bots, trojans, or keyloggers. Polymorphic techniques involve frequently changing identifiable characteristics like file names and types or encryption keys to make the malware unrecognizable to many detection techniques.

Polymorphism is used to evade the pattern-matching detection that security solutions such as antivirus software rely on. While certain characteristics of polymorphic malware change, its functional purpose remains the same: a polymorphic virus, for example, continues to spread and infect devices even as its signature changes to avoid detection. Because the changed characteristics produce a new signature, signature-based detection solutions no longer recognize the file as malicious. Even if the new signature is identified and added to antivirus vendors’ signature databases, polymorphic malware can keep changing signatures and carry out attacks without being detected.
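The following Python script is an added illustration, not part of the original article, of the point made above: a hash-based signature database recognizes only the exact variant it has seen, while a rule written against the malware's behaviour still fires on variants whose bytes and file names have changed. The samples, file names, byte contents, IP addresses and sandbox events are constructed for the example; the only value taken from the page is the wincom32 service name mentioned in the Storm Worm example further down.

```python
"""Signature matching versus behaviour matching on constructed polymorphic variants.

Added example. Every sample here is a harmless stand-in: the "file content" is a
short constructed byte string and the "events" are what a sandbox report might
list, not output from any real tool.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One submitted file and the actions observed when it ran (constructed)."""
    filename: str
    content: bytes          # file bytes; this is what polymorphism changes
    events: frozenset       # (action, target) pairs; this is what stays the same

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def make_sample(filename: str, content: bytes, events) -> Sample:
    return Sample(filename, content, frozenset(events))


# Three variants of one hypothetical bot. Names and bytes differ per variant;
# the functional purpose (install a service, drop a file, beacon out) does not.
# "wincom32" is the service name the article gives for the Storm Worm; the paths
# and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges).
BOT_EVENTS = [
    ("create_service", "wincom32"),
    ("write_file", "C:\\Windows\\System32\\wincom32.sys"),
    ("net_connect", "203.0.113.10:443"),
]
SAMPLES = [
    make_sample("attachment_a.exe", b"STUB key=0x1f body=variant-A", BOT_EVENTS),
    make_sample("attachment_b.exe", b"STUB key=0x7c body=variant-B", BOT_EVENTS),
    # Third variant adds an extra, unrelated connection: order and extras vary.
    make_sample("attachment_c.exe", b"STUB key=0xe3 body=variant-C",
                BOT_EVENTS + [("net_connect", "198.51.100.7:443")]),
    # Benign installer (constructed): also creates a service, but never beacons.
    make_sample("setup.exe", b"installer bytes (constructed)",
                [("create_service", "updatesvc"),
                 ("write_file", "C:\\Program Files\\App\\app.exe")]),
]

# Signature database: only the first variant was ever submitted to the vendor.
KNOWN_BAD_HASHES = {SAMPLES[0].sha256()}


def behaviour_rule(events) -> bool:
    """Fire when a run creates a service, writes under System32 and connects out.

    This expresses the bot's purpose rather than its bytes, so a re-keyed or
    renamed variant still matches. It is deliberately coarse; see the note below.
    """
    actions = {action for action, _ in events}
    writes_system32 = any(
        action == "write_file" and target.lower().startswith("c:\\windows\\system32\\")
        for action, target in events
    )
    return {"create_service", "net_connect"} <= actions and writes_system32


def signature_detect(sample: Sample, known_hashes=KNOWN_BAD_HASHES) -> bool:
    """Classic hash signature: exact match against a list of known-bad hashes."""
    return sample.sha256() in known_hashes


def behaviour_detect(sample: Sample) -> bool:
    return behaviour_rule(sample.events)


def evaluate(samples=SAMPLES) -> dict:
    """Return {filename: (signature_hit, behaviour_hit)} for each sample."""
    return {s.filename: (signature_detect(s), behaviour_detect(s)) for s in samples}


if __name__ == "__main__":
    for name, (sig, beh) in evaluate().items():
        print(f"{name:18} signature={'HIT ' if sig else 'miss'}  "
              f"behaviour={'HIT ' if beh else 'miss'}")
```

Running the script prints one line per sample: the first variant is caught both ways, the two re-keyed variants are caught only by the behaviour rule, and the benign installer is caught by neither. The rule is intentionally simple; in production a rule this broad would need tuning against the organisation's legitimate software, since a driver installer that also reports telemetry would satisfy all three conditions. The constructed installer here escapes only because it makes no outbound connection.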

Examples of Polymorphic Malware


Webroot researchers have found that 97% of malware infections employ polymorphic techniques. While some of these tactics have been around since the 1990s, a new wave of aggressive polymorphic malware has emerged over the past decade. Some high-profile examples of polymorphic malware include:

Storm Worm Email:

The infamous spam email sent in 2007 with the subject “230 dead as storm batters Europe” was, at one point, responsible for as much as 8% of all global malware infections. When the message’s attachment is opened, the malware installs the wincom32 service and a trojan onto the recipient’s computer, transforming it into a bot. One of the reasons the Storm Worm was so hard to detect with traditional antivirus software was that the malicious code morphed every 30 minutes or so.

CryptoWall Ransomware:

CryptoWall is a polymorphic ransomware strain that encrypts files on the victim’s computer and demands a ransom payment for their decryption. CryptoWall’s polymorphic builder generates what is essentially a new variant for every potential victim.

The Threat Posed by Polymorphic Malware


Many malware strains now have polymorphic capabilities, rendering traditional antivirus solutions ineffective at detecting and stopping the malware before compromise. For years, the conventional wisdom on malware protection has been to invest in preventative solutions like antivirus, firewalls and IPS. However, these solutions do not work against polymorphic malware. Because polymorphic techniques are used in nearly all successful attacks today, a company that relies on these solutions alone is leaving itself open to attack.

At present, Gartner estimates that enterprise infosec spend is 90% prevention and 10% detection. However, there are certain limitations with this prevention-centered approach and, especially in the case of polymorphic malware, many prevention controls are failing to stop malicious activities.

Best Practices for Protecting Against Polymorphic Malware


Protecting against polymorphic malware requires a layered approach to enterprise security combining people, processes, and technology. There are a number of best practices companies should follow for polymorphic malware protection, ranging from general best practices for malware protection to specialty solutions for behavior-based detection. Here are a few key tips for protecting against polymorphic malware:

Keep Your Software Up To Date:

One straightforward way to help prevent malware infections is to keep the various applications and software tools your company uses up to date. Enterprise software manufacturers like Microsoft, Oracle, and Adobe regularly release software updates that contain critical security patches for known vulnerabilities. Running outdated software with security vulnerabilities leaves your company open to exploits that can lead to a variety of malware infections.