Which type of virus can rewrite its own code while maintaining its functionality?

Polymorphic viruses are complex file infectors that can create modified versions of themselves to avoid detection yet retain the same basic routines after every infection. To vary their physical file makeup during each infection, polymorphic viruses encrypt their code and use different encryption keys every time.

Polymorphic viruses rely on mutation engines to alter their decryption routines every time they infect a machine. This way, traditional security solutions may not easily catch them because they do not use a static, unchanging code. The use of complex mutation engines that generate billions of decryption routines makes them even more difficult to detect.

Polymorphic viruses are usually distributed via spam, infected sites, or through the use of other malware. URSNIF, VIRLOCK, VOBFUS, and BAGLE or UPolyX are some of the most notorious polymorphic viruses in existence. When combined with other malicious routines, polymorphic viruses pose even greater risk to their victims. In March 2015, researchers found that VIRLOCK evolved to include ransomware routines, making it a challenge to detect and remove.

Back in 1990, a new strain of computer viruses emerged and entered the cybersecurity lexicon: polymorphic viruses. Thirty-plus years later, these nasty viruses continue to bedevil computer users, businesses and networks around the world.

Essentially, polymorphic viruses were developed to evade early antivirus software. And in the decades since their creation, they have become even more complex and more of a threat to businesses. Today, a variety of polymorphic malware are deployed to hijack networks, destroy data, steal information and even trigger ransomware attacks. Here's what you need to know about the threat and how to avoid polymorphic malware.

What Is a Polymorphic Virus?

Polymorphic viruses are the chameleons of cybersecurity. They are designed to change their appearance or signature files to avoid detection by traditional antivirus software, which scans for specific files and looks for specific patterns. A polymorphic virus will continue changing its file names and physical location — not only after each infection, but as often as every 10 minutes.[1]

To further evade cybersecurity efforts, polymorphic viruses will also constantly reset their encryption methods and keys. To do this, they generally use mutation engines that can change the software billions of times and alter decryption routines in the process. Attackers hope that by using such a strategy, even if the malware is detected, companies will not be able to locate subsequent infections and clean them from their systems.

While polymorphic viruses may change their appearance, the associated malware and goals remain the same: steal information, disrupt a company's operations or perform one of many types of ransomware attacks. Today, polymorphic viruses have become standard weapons in the cybercriminal's arsenal. It has been estimated that 97% of all malware now employs some form of polymorphic virus.[2]

Examples of Polymorphic Malware

Polymorphic viruses are usually spread using standard cyberattack techniques including spam, phishing emails, infected websites or other malware. Some of the more notorious polymorphic viruses include Ursnif (also known as Gozi), a banking Trojan; Vobfus, a Windows worm virus; and Bagle, an email worm. Combined with other forms of malware, such polymorphic viruses can be devastating. For example:

  • Storm Worm: Using social engineering, a spam email about deadly storms in Europe back in 2007 caused an estimated 8% of all malware infections worldwide that year. This polymorphic virus changed its appearance every 30 minutes and used an email attachment to turn the victim's system into a bot.
  • Virlock: The Virlock polymorphic virus evolved in 2015 to include ransomware routines. As ransomware, not only could it lock the target computer but it could also infect other files, replicate and change the format of files.
  • CryptoWall: A form of polymorphic ransomware, CryptoWall encrypts files on the victim's computer. The idea, of course, is to demand a ransom to decrypt the information. To evade usual protective measures, the polymorphic engine behind CryptoWall creates a new variant of the malware for each target.
  • Beebone: Botnets, networks of remotely controlled servers and computers that are then used to attack other systems, have also been further enabled by polymorphic malware. In one of the more sophisticated attacks demonstrating this capability, the Beebone botnet infected an estimated 12,000 computers in 2015. Using a polymorphic downloader to deliver a variety of malware, Beebone proved difficult to detect and trace. It required the coordination of several international law enforcement agencies including the FBI and Europol to eventually take down the botnet.[3]

How to Know if Your Computer Is Infected with a Polymorphic Virus

So if polymorphic viruses can adopt nearly any appearance, how can you tell if a computer is afflicted with the virus? Fortunately, administrators can look for some telltale signs that a system is infected, including:

  • Slowdowns: Unusual or sudden system slowdowns are often an indication that polymorphic malware is attacking a computer, usually taking up extra cycles as it encrypts files on the system.
  • Odd requests: Users who see an unusual request to enter a password when it has never been required before should take it as a good indication that malware is trying to infect the system or the network. Individual users may also see strange requests to enter sensitive information like employee numbers, birth dates or social security numbers.
  • Misdirection: If a web browser suddenly takes a user to a URL or web site that the user didn't enter, it can be a sign that malware is trying to direct them to an infected site. Unusual pop-up ads that block sites also indicate malware.

Best Practices to Prevent a Polymorphic Virus Infection

While polymorphic viruses present a wily adversary, companies can protect themselves by following a proven set of safe cybersecurity practices.

  • Keep software up to date: While polymorphic malware will change its appearance, the targets are usually the same. Most software companies maintain security updates to protect those targets, so it's essential to keep up with any patches on client and server computers.
  • Don't open odd links or attachments: Email continues to be cybercriminals’ preferred entry point, so it's a prime opportunity to stop polymorphic infections. In addition to deploying email security tools, train employees not to succumb to phishing attacks and not to open any suspicious links — even from known email addresses.
  • Update passwords: Lists of known passwords and other information are regularly bought and sold on the dark web, so requiring employees to regularly change their passwords can thwart attacks. Like the previous caveat against opening suspicious attachments, this requirement should also be part of regular employee security awareness training.
  • Back up your data: It cannot be repeated often enough: Back up your data on a regular basis. Data backups can save a company millions of dollars and thwart ransomware attacks.
  • Use heuristic and behavior detection: Security software that uses current information about known polymorphic malware techniques can prevent an infection. A heuristic approach, for example, will prevent certain virus-like actions, such as encrypting important files. Behavior-based detection can alert users to previously unreported polymorphic threats based on, for example, unusual access requests.
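The following is an added illustration, not code from any of the sources quoted on this page, of the two points made above: why a byte signature taken from one infection misses the next one once the body is re-encrypted under a fresh key, and why a scanner that emulates the decryption routine (the heuristic approach in the last bullet) still matches the invariant body. The "body", the stub marker byte and the one-byte XOR key are constructed, inert stand-ins and do not represent any real virus's layout.

```python
import hashlib

# Constructed, inert sample standing in for the virus's unchanging routines.
# It is only a byte string used as scanner input, not executable code.
BODY = b"sample-routine:find-host;append-body;patch-entry"

STUB_MARKER = 0xEB  # assumed constant first byte of the toy decryptor stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (toy stand-in for the real cipher)."""
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """One 'infection': marker byte, per-infection key, then BODY under that key."""
    return bytes([STUB_MARKER, key]) + xor_bytes(BODY, key)


def file_hash(sample: bytes) -> str:
    """File-level fingerprint, as a hash-based blocklist would record it."""
    return hashlib.sha256(sample).hexdigest()


def static_scan(sample: bytes, signature: bytes) -> bool:
    """Classic scanner: look for a fixed byte pattern anywhere in the file."""
    return signature in sample


def generic_decryption_scan(sample: bytes, signature: bytes) -> bool:
    """Emulating scanner: recover the key from the stub, decrypt, then match
    the signature against the plaintext body instead of the on-disk bytes."""
    if len(sample) < 2 or sample[0] != STUB_MARKER:
        return False
    return signature in xor_bytes(sample[2:], sample[1])


def demo() -> dict:
    """Two infections of the same body under different keys, scanned both ways."""
    v1, v2 = make_variant(0x5A), make_variant(0xC3)
    cipher_sig = v1[2:18]   # signature extracted from variant 1's encrypted bytes
    plain_sig = BODY[:16]   # signature on the decrypted, invariant body
    return {
        "same_hash": file_hash(v1) == file_hash(v2),
        "static_hits_v1": static_scan(v1, cipher_sig),
        "static_hits_v2": static_scan(v2, cipher_sig),
        "emulated_hits_v1": generic_decryption_scan(v1, plain_sig),
        "emulated_hits_v2": generic_decryption_scan(v2, plain_sig),
    }
```

Running `demo()` shows the file hash and the ciphertext signature catching only the first variant, while matching after emulated decryption catches both.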

The Bottom Line

Polymorphic viruses have a long history, and cybercriminals have had many years to develop more advanced techniques to hide their appearance and infections. Indeed, polymorphic malware is used extensively in all types of cyberattacks, including ransomware. By following tried and true cybersecurity practices, companies can stay one step ahead of the criminals.

[1] “Polymorphic Virus,” TechTarget

[2] “What Is the Polymorphic Virus?,” Kaspersky

[3] “International Police Operation Targets Polymorphic Beebone Botnet,” Europol

Which viruses can change their own code to avoid detection?

Polymorphic viruses are complex file infectors that can create modified versions of themselves to avoid detection yet retain the same basic routines after every infection.

What is it called when malware changes its code?

Metamorphic malware completely rewrites every part of its code so that each newly propagated version no longer matches its previous iteration. Such constant and continuous changes make it harder to detect and identify this type of malware. Another striking difference is in the detection techniques applied.

What is polymorphic and metamorphic virus?

A polymorphic virus, sometimes referred to as a metamorphic virus, is a type of malware that is programmed to repeatedly mutate its appearance or signature files through new decryption routines.

Which type of virus is hard to detect as it changes its own code to evade matching a virus signature?

Polymorphic Virus: A virus signature is a pattern that can identify a virus (a series of bytes that make up virus code). So, in order to avoid detection by antivirus, a polymorphic virus changes each time it is installed. The functionality of the virus remains the same but its signature is changed.