June 7, 2017

The Rise of Polymorphic Malware

Anti-malware programs detect malware through the use of signatures. Most malware contains unique markers, patterns of code, that allow anti-malware programs to detect it. Attackers have become aware of how anti-malware programs recognize malware and have responded with new malware types such as polymorphic malware. These new types of malware are rendering traditional antivirus programs useless at detecting and stopping malware.

Polymorphic malware is code engineered with the ability to transform from its original form every time it is executed in order to evade detection. Its constantly changing characteristics, such as file names, file types, or encryption keys, make the malware unidentifiable by signature. Polymorphic malware can take the form of viruses, worms, trojans, or spyware, all of which keep changing.

When the malware is activated, its code is stored in scrambled form and is unscrambled back to the original code right before execution. Although the appearance of the code changes with each execution, its function remains the same. For example, a polymorphic spyware sample will continue to collect the user's private information and send it to the attacker.

Over the past few years, polymorphic viruses have been the primary malware released by attackers. Researchers found that 97% of malware infections are polymorphic[1]. In 2007, the Storm Worm spam email campaign was behind about 8% of global malware attacks. When the email was opened by the user, a trojan was installed onto the user's computer, eventually turning it into a bot. This malware was difficult to detect because of its ability to transform about every thirty minutes.

According to a report by Webroot[2], polymorphism was one of the trends of 2016, and 94% of the malware found by Webroot was seen only once. To combat polymorphic malware, organizations should keep all software and applications on the network up to date. Security patches are critical to closing the vulnerabilities that may be present and that attackers can use for malicious purposes.

All employees should also receive regular training on security best practices. End users should know how to recognize suspicious links and attachments, which lowers the chance of a successful attack. Users should also use strong, unique passwords with multi-factor authentication and change their passwords regularly. Conventional means of malware protection are becoming ineffective against polymorphic malware, so alongside protections such as antivirus, firewalls, and IPS, organizations should leverage behavior-based detection tools.

Because polymorphic malware changes its code patterns and slips past traditional tools, behavior-based detection solutions are the best approach. They can be more precise than conventional signature-based methods. Endpoint detection and response (EDR) and advanced threat protection products are behavior-based detection tools that can pinpoint threats in real time, catching malware before data is compromised.
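As an added illustration (not code from the original post), the contrast between the scrambling described above and the behavior-based detection this paragraph recommends: a constructed, harmless byte string is re-keyed on every run, so a byte signature taken from one copy never matches another stored copy, while a rule on the actions observed at execution flags every copy. The payload, the 8-byte key length, and the action names are assumptions made up for this example.

```python
import os
import hashlib

# Constructed stand-in for the unchanging functional body of a sample.
# Its "behavior" is only the action list it names; nothing here touches the OS.
PAYLOAD = b"ACTIONS:collect_user_data;send_to_remote_host"

def scramble(payload: bytes, key: bytes) -> bytes:
    """XOR each byte with a repeating key; applying it again unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))

def make_variant(payload: bytes = PAYLOAD) -> bytes:
    """One on-disk form: a fresh random 8-byte key followed by the scrambled body.
    Every call yields different bytes, mirroring 'transforms on each execution'."""
    key = os.urandom(8)
    return key + scramble(payload, key)

def run_variant(variant: bytes) -> list[str]:
    """Simulated execution: unscramble right before 'running' and report the
    actions the body names. This is what a behavior monitor would observe."""
    key, body = variant[:8], variant[8:]
    original = scramble(body, key)
    return original.split(b":", 1)[1].decode().split(";")

def signature_hit(sample: bytes, signature: bytes) -> bool:
    """Static scan: does a fixed byte pattern appear in the file as stored?"""
    return signature in sample

def behaviour_hit(actions: list[str]) -> bool:
    """Behavior rule: flag a process that both collects user data and sends
    data to a remote host, regardless of how its bytes look on disk."""
    return {"collect_user_data", "send_to_remote_host"} <= set(actions)

def compare_detection(n_variants: int = 5) -> dict:
    """Scan n independently scrambled variants with both approaches."""
    signature = b"collect_user_data"   # signature taken from the plain body
    variants = [make_variant() for _ in range(n_variants)]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "signature_hits": sum(signature_hit(v, signature) for v in variants),
        "behaviour_hits": sum(behaviour_hit(run_variant(v)) for v in variants),
    }

if __name__ == "__main__":
    # Expect every variant to hash differently, zero static hits, n behavior hits.
    print(compare_detection())
```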

[1] Sensors Tech Forum, '97% of Malware Infections Are Polymorphic, Researchers Say'

[2] Webroot Threat Report, 2017

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.