A metamorphic virus is a type of malware that is capable of changing its code and signature patterns with each iteration.
Metamorphic viruses are considered to be more advanced threats than typical malware or even polymorphic viruses. Metamorphic virus authors use techniques to disguise their malicious code in order to avoid detection from antimalware and antivirus programs, as well as make attribution of the malware more difficult.
How metamorphic viruses work
Malware typically contains an encrypted executable or payload that has a virus decryption routine (VDR). When the infected application executes, the VDR decrypts the payload or encrypted virus body (EVB), and the virus carries out its intended function. In the propagation phase, the virus gets re-encrypted and attached to another host application. Each copy generates a new key, but the VDR remains the same. This is how antivirus software applications can identify malware programs.
A polymorphic virus adds an additional component to the encrypted code -- a mutation engine (ME) that changes the VDR with each iteration by using obfuscation techniques, such as inserting junk code, reordering instructions and using mathematical contrapositives. This type of malware can still be recognized by antivirus software, however, because the decrypted virus body remains the same.
Metamorphic malware takes virus mutation to the next level. It uses the polymorphic malware's ME to change both the VDR and the EVB. The ME disassembles the code and represents it with a meta-language that characterizes the code's function but disregards how the code achieves this function. The end result is new code that bears no resemblance to its original syntax but is functionally the same.
Types of metamorphic viruses
Notable examples of metamorphic viruses include Zmist, which was discovered in the early 2000s. Zmist, created by a Russian malware author called Z0mbie, was the first known use of a technique called code integration; Z0mbie's Mistfall malware engine essentially merged the separate code sections of the Zmist virus and the target application. The engine could decompile executable files into small, 32 MB portions and then move those portions into the code of the application, helping Zmist avoid detection.
In 2016, a ransomware variant called Virlock was discovered to have a built-in metamorphic code generator that generates a unique algorithm for each individual copy of the virus. While the underlying functions of Virlock don't change, the code generator produces different lines of instructions and varying numbers of bytes of instructions. These changes make it extremely difficult for security vendors to create a constant malware signature for Virlock; such signatures are used by a variety of security products to quickly identity and block potential threats.
Detecting metamorphic viruses
Metamorphic viruses are more difficult for antivirus software to recognize, but it's not impossible. The weakness of metamorphic software is that the ME needs to analyze the code in order to disassemble it, and if the ME can analyze the code, so can vendors that detect malware. To prevent metamorphic viruses from infecting computers on a network, administrators should use a multilayered approach to blended threat management, including:
- a well-defined and effective set of security policies;
- remote access restrictions;
- antivirus software that is updated frequently;
- compliance monitoring at the server and end-user levels;
- network and personal firewalls with unused service ports shut down; and
- email content filtering and file scanning at the server level.