Ask the Expert

What are polymorphic viruses?

I've been hearing about a rise in polymorphic viruses. How do these threats work, and how dangerous are they? What can I do to prevent them?

    Requires Free Membership to View

Polymorphic code is actually a pretty simple idea, but a nasty one. Think of the word "polymorphic" in its piece parts: "poly" means "many," and "morphic" means "form." So, polymorphic refers to two or more pieces of code that have exactly the same functionality, but different code.

Two snippets of code could do exactly the same thing when they run, for example, but they might have entirely different sets of instructions. These pieces are "polymorphs" of each other.

Why would someone implement such code? To dodge strict signature-based detection, a major function of most antivirus and antispyware tools today.

Strict signature detection technologies match an exact sequence of bits on the hard drive or in memory. By self-morphing for each newly infected system, polymorphic code can create a new version that dodges the latest signatures. And, taken to the extreme, code could morph whenever it runs, each time creating a new version of itself that still performs the same function.

But, here's the good news. Most major antivirus tools today employ heuristic checks. Think of these like "fuzzy" signatures; instead of matching the exact contents of a file in the file system or in memory, heuristic technologies only require certain crucial piece parts of code to match. And, because the bad guys so frequently utilize key parts of their old code when creating new evil specimens, the heuristics catch a lot of the nastiness. There are often still enough patterns left even in polymorphic code for an antivirus tool to detect it.

So what preventative measures can you take? Make sure you have up-to-date antivirus and antispyware signatures and that you are using an AV/spyware tool that supports heuristics. Most of the antivirus tools have this type of functionality, but not all of the antispyware tools do. Check with your vendor if you really want to know for sure.

As always though, things are in flux. The bad guys are starting to experiment with radically polymorphic code that thwarts heuristic controls by removing as many patterns from the original code as possible. The vendors, in turn, are working to improve the intelligence of their heuristics. Other antimalware vendors are starting to move toward behavior-based detection. Such techniques monitor the behavior of malware rather than look for any pattern in the actual code. If a piece of malware, for example, alters some critical files, the antimalware product can detect such behavior and kill the infection.

I happen to like a blend of both heuristic and behavior-based defenses myself, but be aware that some vendors are devoted to one side or the other.

More information:

  • Learn about Warezov and its many variations.
  • Defend your mobile devices from viruses and other malware.
  • This was first published in March 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: