Metamorphic and Polymorphic malware

Can you imagine that a piece of malware code, can change its shape and signature each time it appears, to make it extremely hard for signature based antivirus to detect them ?! This is called polymorphic malware and metamorphic malware.

In its annual threat report, security firm Sophos said that the majority of samples it observes are unique attacks associated with polymorphic and metamorphic malware.

Although the idea of mutating malware sounds quite scary, it’s actually been used by malicious hackers since the early 1990s but they are getting very advanced. Usually antivirus solutions use signatures to identify malware by comparing each file with their database of malware signatures. If the file under investigation has the a signature that looks like on of the signatures in their database, then it will detect the infection.

Crackers are getting smarter. When you visit a suspicious web site, you will get infected with a malware with a certain shape and signature. When another person visits the same site, he will get infected with the same malware but with different shape and signature. Each time someone downloads that malware, a new shape is generated for the same malware automatically. Actually refreshing that page will generate new shapes for the new malware !. This makes it so difficult for signature based antivirus solutions to handle.

Not only each download for the same malware will have different shape, the same malware on a certain machine will keep changing its shape to avoid detection. This is how sophisticatedΒ polymorphic and metamorphic malware can be

Β It is important to note that although the malware changed (“morphs”) its shape for each iteration and each download, the function that it performs remains the same (it is like it changes its appearance, but the bad code inside it still doing the same damage).

This is an example of malware (codenamed Shylock)Β that once appear with file name and description, and with time it appears as different file completely, changing by that its signature:

polymorphic or metamorphic malware

Metamorphic malware

This type of malware is completely rewritten with each iteration but still each version for each iteration functions the same way. The longer the malware stays in a computer, the more iterations and versions it will produce and the more sophisticated the iterations are.

The technologies used by metamorphic malware is so sophisticated and complex. Metamorphic malware is more difficult to detect than polymorphic malware. Some of the technologies used for such malware include register renaming, code permutation, code expansion, code shrinking and garbage code insertion.

Polymorphic malware

it is also a type of malware that changes its shape and signature. It has usually two parts, one of them changes its shape, while the other part remains the same, which makes it easier to detect than metamorphic malware.

Usually this type of malware consists of two parts :

  • Code that is used to decrypt and encrypt the other part (usually called VDR : virus decryption routine). This part does not change its shape.
  • The core malware code that changes its shape (usually called EVB : encrypted virus body).

When an infected application launches, the VDR decrypt the encrypted virus body (EVB) so it can execute and then re-encrypt it again. Usually the malware writer will use randomly generated encryption key to be used by the VDR so for each malware download, so that we will get completely different EVB encrypted virus body.

polymorphic or metamorphic malware 5