A polymorphic virus is a harmful, destructive or intrusive type of malware that changes, or "morphs," its own appearance with each new copy, so that no fixed byte pattern identifies every instance. That makes it difficult to detect with antimalware programs that rely on signatures. The mutation can be produced in a variety of ways, such as filename changes, compression, and encryption of the body with variable keys under a freshly generated decryption routine.
How polymorphic viruses work
Although the appearance of the code in a polymorphic virus varies with each "mutation," the essential function usually remains the same. For example, a spyware program intended to act as a keylogger will continue to perform that function even though its signature changes. If the spyware program is discovered by an antimalware program and its signature is added to a downloadable database, the antimalware program will fail to detect the rogue code after the signature changes, just as if a new spyware program had emerged. In this way, malware creators gain an advantage over security vendors that use traditional signature-based detection to find and block malicious code.
How polymorphic code is generated
Polymorphic code typically uses a mutation engine that accompanies the underlying malicious code. The mutation engine does not rewrite the malicious body itself; instead, it re-encrypts the body under a new random key and generates a new decryption routine to match, so the bytes of both the encrypted body and the decryptor differ from copy to copy. The mutation engine can also alter the file names of the polymorphic code. As a result, each time the virus replicates to a new file, device or system, it carries a brand new decryption routine.
A polymorphic virus therefore consists of three parts: an encrypted payload, a decryption routine and a mutation engine. The encryption hides the malicious payload from scanners and threat detection software, which are left to identify the virus by its decryption routine, the only part that has to exist in the clear for the virus to run. Once the virus executes on a target, the decryption routine recovers the payload in memory and the payload infects the system; the mutation engine then randomly creates a new decryption routine and re-encrypts the payload, so that when the virus moves to the next target, it appears to be a different file to scanners.
Examples of polymorphic viruses
While polymorphic viruses have become increasingly common in the 21st century as antimalware and threat detection technology has improved, they existed well before that. The first known polymorphic virus was called 1260, or V2PX, and it was created in 1990 as part of a research project. The author, computer researcher Mark Washburn, wanted to demonstrate the limitations of virus scanners at that time. Nonresearch polymorphic viruses began to emerge soon after Washburn's project. Two early examples -- the Tequila and Maltese Amoeba viruses -- were discovered in Europe in 1991.
More recent examples of polymorphic viruses and malware have demonstrated increased sophistication. The Storm Worm, which featured a backdoor Trojan, was first discovered in 2007. The worm spread via malicious email messages and, once the Trojan executed, it would turn systems or devices into bots. The Storm Worm featured a polymorphic packer, which works in a similar way to a polymorphic engine: a packer compresses or encrypts an executable and prepends a stub that unpacks it at run time, and a polymorphic packer regenerates that stub and re-encrypts the body so that each packed copy has different bytes. The Storm Worm binary was repacked every 10 to 30 minutes, depending on the version, so that a signature written for one copy was stale almost as soon as it shipped.
The Virlock ransomware family, which was first discovered in 2014, is considered the first instance of polymorphic ransomware. Each time Virlock infected and executed on a new file, it generated a new random decryption routine, so every infected file carried a differently encoded copy of the malware. Virlock not only encrypts files for ransom, but also turns them into polymorphic file infectors; when an infected file is sent to or shared with another user and opened, the Virlock code executes and infects the new user's files in turn. Once an infection is completed, the mutation engine changes the packer that wraps the malware body before the next copy is written.
Detection and prevention
Most conventional antivirus and threat detection products rely on signature-based detection, which polymorphic viruses are designed to defeat: a byte pattern taken from one sample does not appear in the next. Scanners have long countered this with emulation, also called generic decryption: the suspect file's own decryption routine is run in a sandboxed CPU emulator until the constant body appears in memory, and signatures are then matched against that decrypted body rather than the file on disk. Newer security technologies add machine learning and behavior-based analytics. Behavior-based analysis judges a program by what it does when it runs, such as the API calls it makes and the files and registry keys it modifies, rather than by what it looks like on disk, and machine learning classifiers weigh static characteristics such as imported API calls and code structure to flag unknown programs that resemble known malware.
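The following added example (not code from the original article and not from any real virus; the "viral body" is an inert byte string and the decryptor runs in a toy instruction set invented for the demonstration) ties together the mutation engine described under "How polymorphic code is generated" and the detection contrast above. It builds a number of variants that all carry the same body under different keys and differently shaped decryptors, extracts a byte signature from the first one the way a signature scanner would, and shows that the signature matches only that one sample while emulating each sample's own decryptor recovers the body every time.

```python
import random

# Constructed, inert stand-in for the constant viral body every variant carries.
BODY = b"CONSTANT VIRAL BODY: replicate, hook startup, spread"
BODY_MARKER = b"CONSTANT VIRAL BODY"   # the scanner's knowledge of the decrypted body

# Toy decryptor ISA (an assumption of this example): each instruction transforms one
# byte b at index i using operand bytes k. A real mutation engine varies x86
# instructions, registers and ordering the same way.
def _xor(b, k, i):
    return b ^ k[i % 4]

def _sub(b, k, i):
    return (b - k[i % 4]) & 0xFF

def _add(b, k, i):                     # inverse of _sub, used only when encrypting
    return (b + k[i % 4]) & 0xFF

def _ror(b, k, i):
    n = k[0] % 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def _rol(b, k, i):                     # inverse of _ror, used only when encrypting
    n = k[0] % 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _nop(b, k, i):                     # junk: changes the decryptor's bytes, not its effect
    return b

# opcode -> (operand length, decrypt function, encrypt function)
ISA = {0x01: (4, _xor, _xor), 0x02: (4, _sub, _add),
       0x03: (1, _ror, _rol), 0x90: (1, _nop, _nop)}

def _apply(fn, operand, data):
    return bytes(fn(b, operand, i) for i, b in enumerate(data))

def generate_variant(rng):
    """Mutation engine: a fresh random decryptor plus BODY encrypted to match it."""
    instrs = []
    def maybe_junk():
        if rng.random() < 0.5:
            instrs.append((0x90, bytes([rng.randrange(256)])))
    maybe_junk()
    keyed = rng.choice([0x01, 0x02])                          # always one keyed stage
    instrs.append((keyed, bytes(rng.randrange(256) for _ in range(4))))
    maybe_junk()
    if rng.random() < 0.5:
        instrs.append((0x03, bytes([rng.randrange(1, 8)])))   # optional rotate stage
    maybe_junk()
    # The decryptor runs its instructions in order, so encrypt with the inverses in reverse.
    data = BODY
    for op, operand in reversed(instrs):
        data = _apply(ISA[op][2], operand, data)
    decryptor = bytes([len(instrs)]) + b"".join(bytes([op]) + operand for op, operand in instrs)
    return decryptor + data

def parse_decryptor(sample):
    """Split a sample into its instruction list and the encrypted body that follows."""
    instrs, pos = [], 1
    for _ in range(sample[0]):
        op = sample[pos]
        length = ISA[op][0]
        instrs.append((op, sample[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return instrs, sample[pos:]

def emulate(sample):
    """Generic decryption: run the sample's own decryptor to recover the constant body."""
    instrs, data = parse_decryptor(sample)
    for op, operand in instrs:
        data = _apply(ISA[op][1], operand, data)
    return data

def signature_of(sample):
    """What a byte-signature scanner can take from one captured sample: its decryptor,
    the only part not hidden by encryption."""
    _, ciphertext = parse_decryptor(sample)
    return sample[:len(sample) - len(ciphertext)]

def signature_scan(sample, signature):
    return signature in sample

def emulation_scan(sample):
    return BODY_MARKER in emulate(sample)

def compare_scanners(n_variants=50, seed=None):
    """Return (signature hits, emulation hits) over n_variants fresh variants."""
    rng = random.Random(seed)
    samples = [generate_variant(rng) for _ in range(n_variants)]
    signature = signature_of(samples[0])     # built from the first sample caught
    sig_hits = sum(signature_scan(s, signature) for s in samples)
    emu_hits = sum(emulation_scan(s) for s in samples)
    return sig_hits, emu_hits

if __name__ == "__main__":
    print("signature hits / emulation hits:", compare_scanners(50))
```

The signature taken from the first sample contains that sample's random key and junk bytes, so it matches nothing else; the emulator does not care what the decryptor looks like, only what it does, which is why emulation (and, more broadly, behavior-based detection) holds up where byte matching fails. Real engines also replace instructions with equivalent ones and shuffle register use, which this toy ISA only hints at with its junk and rotate stages.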
The best approach for defending against polymorphic viruses is to employ multiple and diverse layers of information security measures, such as antimalware software that combines signatures with emulation and behavior monitoring, together with separate threat detection on the network and endpoints. These tools should be kept current, with scheduled full scans run regularly, and their real-time or auto-protect features, where available, should be enabled so that code is examined when it executes and not only when it is written to disk.