Metamorphic malware and polymorphic malware

Metamorphic malware and polymorphic malware

Metamorphic and Polymorphic malware

Can you imagine a piece of malware code that changes its shape and signature each time it appears, making it extremely hard for signature-based antivirus to detect? This is what polymorphic malware and metamorphic malware do.

In its annual threat report, security firm Sophos said that the majority of samples it observes are unique attacks associated with polymorphic and metamorphic malware.

Although the idea of mutating malware sounds quite scary, it has actually been used by malicious hackers since the early 1990s, and the techniques are getting very advanced. Antivirus solutions usually use signatures to identify malware, comparing each file against their database of malware signatures. If the file under investigation has a signature that looks like one of the signatures in the database, the infection is detected.

Crackers are getting smarter. When you visit a suspicious website, you get infected with malware that has a certain shape and signature. When another person visits the same site, they get infected with the same malware but with a different shape and signature. Each time someone downloads that malware, a new shape is generated for it automatically. In fact, simply refreshing the page will generate a new shape for the malware! This makes it very difficult for signature-based antivirus solutions to handle.

Not only does each download of the same malware have a different shape; the same malware on a given machine will also keep changing its shape to avoid detection. This is how sophisticated polymorphic and metamorphic malware can be.

It is important to note that although the malware changes (“morphs”) its shape with each iteration and each download, the function it performs remains the same (it changes its appearance, but the bad code inside it still does the same damage).

This is an example of malware (codenamed Shylock) that first appears with one file name and description and, over time, appears as a completely different file, thereby changing its signature:

[Image: polymorphic or metamorphic malware]

Metamorphic malware

This type of malware is completely rewritten with each iteration, yet each version functions the same way. The longer the malware stays on a computer, the more iterations and versions it produces and the more sophisticated those iterations are.

The techniques used by metamorphic malware are sophisticated and complex. Metamorphic malware is more difficult to detect than polymorphic malware. Techniques used by such malware include register renaming, code permutation, code expansion, code shrinking and garbage code insertion.
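
Defenders counter register renaming and garbage code insertion by normalizing code before comparing it. The following added example (not part of the original article) runs that idea over two constructed toy assembly listings; the register set and the simplified junk rules are assumptions, and it covers only those two techniques.

```python
import hashlib

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi"}  # assumed toy register set

# Constructed listings: B is A after register renaming + garbage insertion.
VARIANT_A = """
mov eax, 5
add eax, ebx
xor ecx, ecx
ret
"""
VARIANT_B = """
nop
mov edx, 5
mov esi, esi
add edx, edi
add edx, 0
xor ebx, ebx
ret
"""
OTHER = "mov eax, 5\nsub eax, ebx\nret"  # constructed, different behaviour


def is_garbage(op, args):
    """Simplified junk model (flags ignored): nop, mov r,r, add/sub r,0."""
    same = len(args) == 2 and args[0] == args[1]
    zero = len(args) == 2 and args[1] == "0"
    return op == "nop" or (op == "mov" and same) or (op in ("add", "sub") and zero)


def normalize(listing):
    """Drop junk, then rename registers by order of first use (R0, R1, ...)."""
    names, out = {}, []
    for line in listing.lower().splitlines():
        op, _, rest = line.strip().partition(" ")
        if not op:
            continue
        args = [a.strip() for a in rest.split(",") if a.strip()]
        if is_garbage(op, args):
            continue
        canon = [names.setdefault(a, f"R{len(names)}") if a in REGS else a for a in args]
        out.append(f"{op} {','.join(canon)}".strip())
    return out


def fingerprint(listing):
    """SHA-256 of the normalized listing, used as a mutation-tolerant signature."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

Note that `xor ecx, ecx` is kept because it changes state, while `mov esi, esi` is dropped before register numbering so junk does not shift the canonical names.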

Polymorphic malware

This is also a type of malware that changes its shape and signature. It usually has two parts: one changes its shape while the other remains the same, which makes it easier to detect than metamorphic malware.

Usually this type of malware consists of two parts:

  • Code that is used to decrypt and encrypt the other part (usually called the VDR: virus decryption routine). This part does not change its shape.
  • The core malware code that changes its shape (usually called the EVB: encrypted virus body).

When an infected application launches, the VDR decrypts the encrypted virus body (EVB) so it can execute, and then re-encrypts it. The malware writer will usually have the VDR use a randomly generated encryption key for each malware download, so that each download yields a completely different EVB.
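
The following added example (not part of the original article) models the VDR/EVB structure described above with constructed, inert bytes, to show why a whole-file hash signature misses re-encrypted copies while a pattern on the unchanged VDR still matches. The stub bytes, the sample layout and the toy XOR cipher are assumptions made for illustration.

```python
import hashlib
import os

# Constructed, inert placeholders: VDR_STUB models the decryptor that stays
# the same in every copy; BODY models the payload before encryption.
VDR_STUB = b"\x90CONSTRUCTED-VDR-STUB\x90"
BODY = b"inert demo body, identical behaviour in every variant"


def xor(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR standing in for the per-download encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(key: bytes) -> bytes:
    """Assumed layout for this example: stub | key length | key | EVB."""
    return VDR_STUB + bytes([len(key)]) + key + xor(BODY, key)


def sha256(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def hash_hit(sample: bytes, known: set) -> bool:
    """Whole-file signature: only a byte-identical file matches."""
    return sha256(sample) in known


def stub_hit(sample: bytes) -> bool:
    """Pattern signature anchored on the part that never changes."""
    return VDR_STUB in sample


def scan(samples: list, known: set) -> dict:
    """Count how many samples each signature style flags."""
    return {
        "total": len(samples),
        "unique_hashes": len({sha256(s) for s in samples}),
        "hash_hits": sum(hash_hit(s, known) for s in samples),
        "stub_hits": sum(stub_hit(s) for s in samples),
    }


if __name__ == "__main__":
    variants = [build_sample(os.urandom(16)) for _ in range(5)]
    known = {sha256(variants[0])}          # database built from one capture
    clean = b"ordinary file with no stub in it"
    print(scan(variants, known))           # hash catches 1, stub catches 5
    print("clean file flagged:", stub_hit(clean))
```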

About The Author

Ammar Hasayen

Ammar Hasayen is a trusted technology adviser and entrepreneur and has been in the software industry for over 10 years with a special focus on security, Office 365, and cloud solutions. Ammar is an active blogger and an active speaker in many local tech communities, where he talks about Azure and Office 365. Apart from that, Ammar appears at many global tech events and conferences like Microsoft TechEd and Ignite.

62 Comments

  1. RemoveYourMalware

    Reblogged this on Remove Your Malware and commented:
    An interesting and informative article about “Metamorphic” and “Polymorphic” Malware by Ammar Hasayen makes today’s reblog! If you want to see more articles like this, head to ammarhasayen.com! Or follow Remove Your Malware for similar posts!

    Reply
  2. google plus android

    This website was… how do I say it? Relevant!! Finally I have found something which helped me.
    Appreciate it!

    Reply
    • ammar hasayen

      Oh. Thanks man… ur sweet comment made my day:)

      Reply
  3. {dragonfable trainer download|dragonfable trainers|dragon fable Trainer|best dragonfable

    Hi would you mind sharing which blog platform you’re using?
    I’m planning to start my own blog in the near future but I’m having
    a tough time choosing between BlogEngine/Wordpress/B2evolution and Drupal.
    The reason I ask is because your design and style seems different than
    most blogs and I’m looking for something
    completely unique. P.S Apologies for being off-topic but I
    had to ask!

    Reply
    • ammar hasayen

      Hi and sorry for late reply.
      Well, I am using wordpress.com as it provides more professional platform for blogging.
      Regarding the blog theme, wordpress.com provides many free and paid themes that you can pick from. You have just to be created I guess 🙂

      Reply
  4. Mai Piu Acne Recensioni

    Hello, I enjoy reading through your article.
    I like to write a little comment to support you.

    Reply
  5. how Does carb nite work

    My spouse and I stumbled over here coming from a different web page
    and thought I might check things out. I like what I see so now i am following you.
    Look forward to looking over your web page yet again.

    Reply
  6. Adonis Golden Ratio System

    These are actually wonderful ideas in about blogging. You have touched some fastidious points here.
    Any way keep up writing.

    Reply
  7. plus.google.com

    For hottest information you have to pay a visit world wide
    web and on internet I found this site as a finest web page for latest
    updates.

    Reply
  8. plastic surgery

    Attractive section of content. I just stumbled upon your blog and in accession capital to assert
    that I get actually enjoyed account your blog posts.
    Anyway I will be subscribing to your feeds and even I achievement you access consistently quickly.

    Reply
  9. Carl

    I have been browsing online more than 3 hours today, yet I never found any interesting
    article like yours. It is pretty worth enough for me.
    In my view, if all web owners and bloggers made good content as you did, the
    web will be a lot more useful than ever before.

    Reply
  10. what Men secretly want

    Howdy! Someone in my Myspace group shared this site with us so I
    came to give it a look. I’m definitely enjoying the information.
    I’m book-marking and will be tweeting this to my followers!
    Terrific blog and brilliant design.

    Reply
  11. Jorge

    Hey! Someone in my Facebook group shared this site with
    us so I came to take a look. I’m definitely enjoying the
    information. I’m bookmarking and will be tweeting this to my followers!
    Fantastic blog and amazing design and style.

    Reply
  12. turbulence training routine plan

    What’s up to every one, it’s truly a fastidious for me to pay a quick visit this site,
    it includes helpful Information.

    Reply
  13. body types program

    I’d like to find out more? I’d care to find out more details.

    Reply
  14. bangaiza.bernsoft.Com

    I do believe all of the ideas you have introduced in your post.
    They’re very convincing and can certainly work. Still, the posts are
    very short for newbies. May you please extend
    them a bit from next time? Thank you for the post.

    Reply
  15. local mobile expert

    What’s up, I wish for to subscribe for this webpage to obtain most up-to-date updates, therefore where can i do
    it please help out.

    Reply
    • ammar hasayen

      thanks for your comment…you can find the (Follow) Icon on my blog to subscribe here:)

      Reply
  16. Stormy

    Hi! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly?
    My website looks weird when browsing from my iphone 4.
    I’m trying to find a template or plugin that might be able to fix this problem.
    If you have any recommendations, please share.

    With thanks!

    Reply
    • ammar hasayen

      Hi, actually im using a host provider wordpress.com and i am using a theme called iTheme2, and it comes with a mobile friendly features and even a wordpress mobile app 🙂

      Reply
  17. local mobile expert

    Asking questions are actually pleasant thing
    if you are not understanding anything completely,
    however this piece of writing offers pleasant understanding even.

    Reply
  18. gold in ira

    I blog quite often and I truly appreciate your content.
    Your article has really piqued my interest. I am
    going to take a note of your blog and keep checking
    for new details about once a week. I subscribed to your RSS feed as well.

    Reply
  19. Javier

    Normally I don’t learn post on blogs, however I would like to say that this write-up very
    compelled me to check out and do it! Your writing style has been surprised me.
    Thank you, very great article.

    Reply
  20. Tepamine Hcl Fda Approved Diet Pills

    Hi there are using WordPress for your site platform?
    I’m new to the blog world but I’m trying to get started and create
    my own. Do you require any coding knowledge to make your own blog?
    Any help would be really appreciated!

    Reply
    • ammar hasayen

      Yes im just using wordpress.com with free theme called iTheme2. No knowledge at all is required;)

      Reply
  21. Andy Jenkins Traffic Genesis

    Great blog here! Also your web site loads up fast! What host
    are you using? Can I get your affiliate link to your host?
    I wish my site loaded up as quickly as yours lol

    Reply
    • ammar hasayen

      Hiii and thanks for your feedback. Im using wordpress.com public blog 🙂

      Reply
  22. carb backloading For women

    I’ve read some good stuff here. Certainly price bookmarking for revisiting.
    I wonder how much effort you place to make this sort of
    great informative site.

    Reply
    • ammar hasayen

      Thanks a lot for your kind comment… ya it is long experience from the field and I like to write. So glad you liked it :))))

      Reply
  23. Pearly papules treatment

    Nice blog! Is your theme custom made or did you download it from somewhere?
    A design like yours with a few simple adjustments would really make my blog stand out.
    Please let me know where you got your theme. Many thanks

    Reply
    • ammar hasayen

      im using the public wordpress blog platform with a free theme called ITheme2.
      Thanks for your feedback:)

      Reply
  24. go2album.com

    Oh my goodness! Incredible article dude! Thank you so much, However I am
    encountering problems with your RSS. I don’t understand why I can’t join it.
    Is there anyone else having the same RSS problems?
    Anybody who knows the answer can you kindly respond? Thanx!!

    Reply
    • ammar hasayen

      Thanks man indeed. Yes it took me sometime to write this article 🙂 im sad to hear that RSS is not working 🙁 im using public provider for my blog and cannot even troubleshoot 🙁

      Reply
  25. penus pump

    Great post. I used to be checking continuously this blog and I’m inspired!
    Extremely useful information particularly the final part :) I handle such info a lot. I was looking for this particular info for a very lengthy time.
    Thanks and good luck.

    Reply
  26. www.ayuvision.com

    I have been browsing on-line more than 3 hours these days,
    yet I by no means discovered any attention-grabbing article like
    yours. It is beautiful worth sufficient for me.
    In my view, if all site owners and bloggers made just right content material
    as you did, the internet will likely be a lot more useful than ever before.

    Reply
    • ammar hasayen

      So blessed to hear such wonderful feedback. I feel the same when browsing the internet that is why im giving my time and effort to write something worth reading

      Reply
  27. Leonora

    I couldn’t refrain from commenting. Well written!

    Reply
  28. web designer portfolio

    It’s actually a nice and helpful piece of information. I’m
    happy that you just shared this useful information with
    us. Please stay us informed like this. Thank you for sharing.

    Reply
  29. turbulence training exercises

    We’re a group of volunteers and starting a new scheme in our community.
    Your website provided us with helpful info to work on. You have performed a formidable process and our whole group will be
    grateful to you.

    Reply
  30. herpe protocol

    Hi just wanted to give you a quick heads up and let you know a few of the
    images aren’t loading properly. I’m not sure why but I
    think its a linking issue. I’ve tried it in two
    different web browsers and both show the same results.

    Reply
  31. ref=tophd

    I go to see each day some web sites and websites
    to read articles, however this weblog offers quality based posts.

    Reply
  32. Sybil

    I blog quite often and I really thank you for your content.

    The article has really piqued my interest. I am going to bookmark your website and keep checking
    for new details about once a week. I subscribed to your Feed too.

    Reply
  33. Freddie

    I’m very happy to find this website. I wanted to thank you for ones time
    for this fantastic read!! I definitely liked every bit
    of it and i also have you book marked to look at new information on your
    web site.

    Reply
  34. Jenny

    Hey very nice web site!! Man .. Beautiful ..
    Superb .. I’ll bookmark your site and take the feeds additionally?
    I am happy to search out a lot of helpful information here
    within the post, we want develop more strategies in this regard,
    thank you for sharing. . . . . .

    Reply
  35. ammar hasayen

    Oh sad to hear that..im using hosted blog engine so I have no big control about this… but I will contact the wordpress support and open a ticket for that.

    Reply
  36. Wilmer

    Hi there, You’ve done an incredible job. I’ll definitely digg it and personally recommend to my friends.
    I am confident they’ll be benefited from this website.

    Reply

Trackbacks/Pingbacks

  1. Sandbox for malware detection – Azure Mechanics - […] are using new and sophisticated ways to encrypt their malware or to make them change their shape and signature…
