June 7, 2017 by

The Rise of Polymorphic Malware

Anti-malware programs traditionally detect malware by signature. Most malware contains unique markers, recurring patterns of code, that allow anti-malware programs to recognize it. Attackers are well aware of how malware and anti-malware programs interact and have responded with new malware types such as polymorphic malware. These new types of malware render traditional antivirus programs largely useless at detecting and stopping them.

Polymorphic malware is code engineered to transform from its original form every time it is executed in order to evade detection. The characteristics that change can include file names, file types, or encryption keys, so there is no stable identifier for a scanner to match. Viruses, worms, trojans, and spyware can all take polymorphic form and change constantly.

When the malware is activated, its code is scrambled, and right before execution it is unscrambled back to the original code. Although the appearance of the code changes with each execution, its function stays the same: polymorphic spyware, for example, will still collect the user's private information and send it to the attacker.

Over the past few years, polymorphic viruses have been the primary malware released by attackers. Researchers found that 97% of malware infections involve polymorphic malware[1]. In 2007, the Storm Worm spam email was behind about 8% of global malware attacks. When the user opened the email, a trojan was installed on the user's computer, which eventually became a bot. This malware was difficult to detect because it transformed itself roughly every thirty minutes.

According to a report by Webroot[2], polymorphism was one of the trends of 2016, and 94% of the malware Webroot found was seen only once. To defend against polymorphic malware, organizations should keep all software and applications on the network up to date. Security patches are critical to closing the vulnerabilities that attackers would otherwise use for malicious purposes.

All employees should also receive regular training in security best practices. End users should know how to recognize suspicious links and attachments, which lowers the chance of a successful attack. Employees should also use strong, unique passwords with multi-factor authentication and change their passwords regularly. Conventional means of malware protection are becoming ineffective against polymorphic malware, so alongside protections such as antivirus, firewalls, and IPS, organizations should leverage behavior-based detection tools.

Because polymorphic malware changes its code patterns and so slips past traditional tools, behavior-based detection is the best approach: it watches what a program does rather than what its bytes look like, which can be more precise than conventional signature-based methods. Endpoint detection and response (EDR) and advanced threat protection products are behavior-based detection tools that can pinpoint threats in real time, catching malware before data is compromised.
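The following script is an added illustration of the signature-versus-behavior gap described above; it is not code from the original post or from LIFARS. It models three executions of the same (constructed, harmless) payload whose bytes differ each run, the way the post describes scrambling, and runs two detectors over them: a hash-and-byte-pattern signature check that knows only the first variant, and a behavior rule that looks for the ordered sequence "read a credential store, open an outbound connection, send data" in a constructed endpoint event log. The XOR scrambling, the event strings, the file path, the 203.0.113.7 address, and the rule names are all made up for the demo.

```python
import hashlib
from itertools import cycle

# --- constructed data (not real malware, not from the original post) ---

# The unchanging "logical" payload every run unscrambles to before executing.
# A harmless text stand-in for the spyware routine the post describes.
LOGICAL_PAYLOAD = b"collect credentials; exfiltrate to operator"


def scramble(payload: bytes, key: bytes) -> bytes:
    """Stand-in for the per-execution transform the post describes: XOR with a
    run-specific key (constructed for the demo; real engines are more involved)."""
    return bytes(b ^ k for b, k in zip(payload, cycle(key)))


# Three executions with different keys, so the bytes a scanner sees differ each time.
RUN_KEYS = {"run1": b"\x13\x37", "run2": b"\xa5\x5a\x0f", "run3": b"\x42"}
VARIANTS = {run: scramble(LOGICAL_PAYLOAD, key) for run, key in RUN_KEYS.items()}

# Behavior an endpoint sensor records during each run (constructed event log).
# It is identical across runs because the function of the code does not change.
OBSERVED_EVENTS = {
    run: [
        "process_start:updater.exe",
        "file_read:C:\\Users\\alice\\AppData\\Local\\Chrome\\Login Data",
        "net_connect:203.0.113.7:443",
        "net_send:bytes=8192",
    ]
    for run in RUN_KEYS
}

# --- signature-based detection ---------------------------------------------


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The vendor has a signature for the first variant only: its hash plus a byte pattern.
SIGNATURE_DB = {
    "hashes": {sha256_hex(VARIANTS["run1"])},
    "patterns": [VARIANTS["run1"][:8]],
}


def signature_match(sample: bytes, db=SIGNATURE_DB) -> bool:
    """True if the sample's hash is known or it contains a known byte pattern."""
    if sha256_hex(sample) in db["hashes"]:
        return True
    return any(pattern in sample for pattern in db["patterns"])


# --- behavior-based detection ----------------------------------------------

# A rule is an ordered list of substrings; each must appear in a later event
# than the previous one for the rule to fire.
BEHAVIOR_RULES = {
    "credential_theft_and_exfil": [
        "Login Data",    # touches a browser credential store ...
        "net_connect:",  # ... then opens an outbound connection ...
        "net_send:",     # ... and sends data out.
    ],
}


def behavior_match(events, rules=BEHAVIOR_RULES):
    """Return the names of rules whose steps occur, in order, in the event log."""
    hits = []
    for name, steps in rules.items():
        idx = 0
        for event in events:
            if idx < len(steps) and steps[idx] in event:
                idx += 1
        if idx == len(steps):
            hits.append(name)
    return hits


def evaluate():
    """Run both detectors over every execution and report the outcome per run."""
    return {
        run: {
            "sha256_prefix": sha256_hex(VARIANTS[run])[:12],
            "signature_hit": signature_match(VARIANTS[run]),
            "behavior_hits": behavior_match(OBSERVED_EVENTS[run]),
        }
        for run in RUN_KEYS
    }


if __name__ == "__main__":
    for run, result in evaluate().items():
        print(run, result)
```

Running it shows three different hashes, a signature hit on run1 only, and the behavior rule firing on all three runs. The design point is that the behavior rule keys on an ordered sequence of actions rather than any single event, which is what keeps it from firing on a legitimate program that merely reads a file or merely opens a connection.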


[1] Sensors Tech Forum, '97% of Malware Infections Are Polymorphic, Researchers Say'

[2] Webroot Threat Report, 2017

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
