Anti-malware programs detect malware through the use of a signature. Most malware is made up of unique markers, patterns of code, which allows anti-malware programs to detect them. Attackers have become aware of the functionality between malware and anti-malware programs, coming up with new malware types such as polymorphic malware. These new types of malware are rendering traditional antivirus program useless t detecting and stopping malware.
Polymorphic malware is code engineered with the ability to transform from its original form every time it is executed to evade detection. Its unique, changing characteristics include file names, types, or encryption keys making the malware unidentifiable. Forms of polymorphic malware can include viruses, worms, trojans, or spyware, which constantly change.
When the malware is activated the code is scrambled and right before execution is unscrambled to its original code. Although the appearance of the code changes with each execution, the function remains uniform. For example, a polymorphic spyware will continue to get the private information of the user and send it to the attacker.
Over the past few years, polymorphic viruses have been the primary malware released by attackers. Researchers found that 97% of malwares are released using polymorphic malware[1]. In 2007, spam email, Storm Worm Email, was the key to about 8% global malware attacks. When the email was opened by the user, an trojan was installed onto the user’s computer, eventually becoming a bot. This malware was difficult to detect due to its ability to transform about every thirty minutes.
According to a report by Webroot[2], polymorphism was one of the trends of 2016 and 94% of malware found by Webroot was seen only once. To combat against polymorphic malware, organizations should keep all software and applications on the network up to date. The security patches released are critical to closing the vulnerabilities that may be present and used by attackers for malicious purposes.
All employees should also receive regular educational training regarding the best security practices. End users should know how to recognize suspicious links and attachment, thus lowering the chance of an attack. Attackers should also use strong and secure passwords with multi-factor authentication and regularly change their passwords. Conventional means of malware protection are becoming ineffective against polymorphic malware. Alongside protections such as antivirus, firewalls, and IPS, organizations should leverage behavior-based detection tools.
Due to polymorphic malware’s ability to change its patterns of code, and because it can be avoided by traditional tools, behavior-based detection solution are the best approach. It has the capability of being more precise than conventional signature-based methods. Endpoint detection and response or advanced threat protection are behavior-based detection which can pinpoint threats in real time, detecting malware before data is compromised.
[1] Sensors Tech Forum, March 8, 2016, ‘97% of Malware Infections Are Polymorphic, Researchers Say’
[2] Webroot Threat Report, 2017
