Polymorphic virus

Polymorphic viruses mutate to change their code while retaining their core function.


Also for WindowsiOSAndroidChromebook and For Business

What is a polymorphic virus?

There are several similarities between biological viruses and computer viruses. While biological viruses invade cells to survive and propagate, computer viruses piggyback on files in a computer’s system to thrive and spread. Both types of viruses can also manipulate and corrupt their host’s code to make copies of themselves.

A subset of computer viruses called polymorphic viruses carries another characteristic from their biological counterpart’s arsenal: mutation. Think of how frequently the influenza virus mutates or the growing number of novel coronavirus variants — the alterations sometimes help the diseases evade biological defenses. Similarly, polymorphic viruses mutate to change their code while usually retaining their core function. The difference between a mutating biological virus and a polymorphic PC virus is that the former mutates naturally while someone programs the latter with polymorphism.  

What does a polymorphic virus do?

Like a regular computer virus, a polymorphic virus corrupts data and slows down system resources, sometimes leading to computer malfunctions like blue screen errors. All viruses, polymorphic or regular, require host programs, user action to move between systems, and either attach pieces of their malicious code on host files or replace them entirely with malicious copies. Where polymorphic viruses step up their game is that they employ a polymorphic engine to hide their code, usually through cryptography.

The polymorphic engine, also known as a mutation engine, modifies the malware’s decryption procedure every time it replicates, making its new state challenging for conventional antivirus software to identify. For a movie example, think of a polymorphic virus as the T-1000 from Terminator 2, shapeshifting to hide its identity while never losing its core function.

Polymorphic virus vs. polymorphic malware

When people talk about polymorphic viruses, they often mean polymorphic malware. To understand this better, you need to know the difference between virus and malware infections in computing. In short, a virus is just one type of malware. Other types of malware that can use mutation engines to circumvent antivirus technology include worms, Trojans, bots, keyloggers, and ransomware. For example, a polymorphic malware like Emotet is a banking Trojan that steals sensitive information while misleading cybersecurity tools to hide.  

Another example of polymorphic malware is Win32/VirLock ransomware. Not only does Win32/VirLock lock computer screens and encrypt data, but it alters its structure for every infected file and execution. Virlock is one of the first ransomware strains to use polymorphism.  

What is a polymorphic worm?

A polymorphic worm is a kind of computer worm that’s hard to detect because it morphs its structure as it propagates. Additionally, a polymorphic worm may also modify its malicious payload to prevent security software from stopping it. The Storm Worm is an example of an adaptive malware that conventional antivirus technology struggled to remediate because it was changing its signature. The worm’s polymorphic packer had many variations, allowing it to alter signatures as fast as every 10 to 30 minutes. Storm’s threat-evasion capabilities were frustrating for cybersecurity specialists because it opened backdoors in computers and formed large botnets readily.

What is the difference between polymorphic and metamorphic malware?

Although polymorphic malware encrypts its original code to stop detection, it doesn’t change its code. But metamorphic malware is more dangerous because it modifies its own code. When malware with metamorphic capabilities infects a host, the next iteration can look completely different.  

Can a polymorphic virus be detected?

A polymorphic virus or any malicious software using a mutation engine is challenging for traditional antivirus tools to detect because it changes its state after infection. As you probably know, typical security software uses signature-based techniques. When polymorphic malware changes its signature, antivirus software using signature-detection falls short.  

However, advanced antivirus software that uses heuristic analysis to power anti-malware technology can detect emerging threats like polymorphic malware. So, what does “heuristics” mean? Well, researchers came up with the term to describe an anti-malware program that scrutinizes a potential threat’s structure, programming logic, and data for junk code, unusual instructions, and threat behaviors.

Like other cyber threats, polymorphic malware spreads through phishing emails, malicious websites, and dangerous links. It may also take advantage of flaws in operating systems and programs. Preventing transmuting threats requires a full defense strategy. Use proactive antivirus tools, patch your software regularly, and steer clear of any infection vector a polymorphic virus may employ. Organization leaders looking to stop polymorphic threats should consider investing in Endpoint Protection that uses machine learning and artificial intelligence to recognize and prevent hostile code.