Polymorphic Malware — Real Life Transformers

Polymorphic Malware — Real Life Transformers

polymorphic malwarePolymorphic malware has been around since the early 1990s, but it’s still wreaking havoc in our computers and networks. SC Magazine recently reported on a particularly nasty strain of polymorphic malware that, according to the article, “is able to evade over 75 percent of antivirus engines tested.” That’s a very disturbing statistic.

What is Polymorphic Malware?

So, what is this strange type of malware that is so adept at evading detection, and why is it so dangerous? Polymorphic malware is so named because it morphs, or mutates, into many forms, and does so very quickly—constantly creating new variations of itself. Because polymorphic malware can change so rapidly, it is very difficult for conventional, signature-based anti-malware tools to detect it. Each new iteration of the malware alters its own attributes in some way. Changes include a different filename, new encryption keys, or a unique compression signature. These changes, or any change to the code, alter the malware’s signature, making it very difficult or even impossible for anti-malware tools that rely on signatures–and most do–to effectively detect advanced polymorphic malware.

Why Polymorphic Malware is Especially Dangerous

When writing polymorphic malware, cybercriminals typically take an existing malicious code base and apply polymorphism to it. The basic malicious functionality of the code usually remains the same. However, the packaging is different, so it generates an entirely different signature—one that anti-malware products have not yet blacklisted.

Because it’s relatively easy to modify an object’s packaging through polymorphism, malware authors can rapidly create new versions, typically automating the entire process. Cybercriminals are churning out new versions at an unbelievable pace. Lastline’s research indicates that most modern versions of polymorphic malware will transform within seconds. Often, and perhaps most of the time, cybercriminals release only a single instance of a particular malware version into the wild. The majority of these single-use malicious objects will never be seen by anti-malware researchers, and if they are, their signatures are already obsolete and useless.

Polymorphic malware has become so successful that most malware today employs at least some level of polymorphism.

Notable Examples of Polymorphic Malware

Here are some of the more significant and well-known polymorphic malware families.

Emotet Trojan: This is the polymorphic malware family referenced in the introduction that evaded 75% of anti-malware products. By the way, I’m happy to report that Lastline wasn’t among those that failed to detect this malicious malware.

Emotet is notable because recent versions have shown additional levels of polymorphism. Typically, malware authors will add polymorphism by simply changing the packaging of the distribution container or method (like moving from a Microsoft Word document to a PDF formatted document). However, in addition to rewrapping the documents used to distribute the malware, some recent Emotet strains continuously rewrap their packed executables as well. This makes it even more difficult for signature-based tools to detect the malware.

Storm Worm: Named from the portentous subject line, “230 dead as storm batters Europe,” Storm Worm surfaced in 2007. This malicious email attachment installed wincom32 service and a Trojan, effectively turning the victim’s computer into a bot. The compromised computer spewed out a new version of Storm Worm every 30 minutes. At the time, researchers deemed Storm Worm responsible for up to 8 percent of all global malware infections.

CryptoWall: As one of the most infamous ransomware families, CryptoWall has done a lot of damage. In 2015, researchers found more than 4,000 versions of the malware as it spread through phishing email campaigns. Reportedly, in 2015 alone CryptoWall 3.0 cost ransomware victims $325 million dollars paid in Bitcoin.

Virlock: Notable because its ransomware payload arrives encrypted, and the malware only decrypts a small portion of the payload at a time, and then immediately re-encrypts it using a different encryption key. The ongoing cycle of decryption and re-encryption means the malware in memory will constantly look different than the original version. This makes it extremely difficult and time-consuming for researchers to fully analyze the code.

Effective Protection from Polymorphic Malware

Since traditional signature-based antimalware tools are unable to reliably detect polymorphic malware, it’s obvious that organizations require more advanced detection techniques.

Behavior analysis and Deep Content Inspection are proven methods for detecting polymorphic malware and organizations are encouraged to augment their signature-based antimalware tools with these advanced products.

It’s important to point out that not all sandboxes or behavior-based antimalware products are the same. Some are significantly more effective than others at detecting polymorphic and other types of advanced malware. To learn more about different sandbox technologies, read Limited Visibility of a Conventional Sandbox.


To learn more about how Lastline detects polymorphic and other forms of advanced malware, see Lastline Products.