Polymorphic Malware – CompTIA Security+ SY0-401: 3.1


Polymorphic malware is constantly changing, and this makes it difficult to identify and remove. In this video, you’ll learn about polymorphic malware and the methods that we’re using to control and eradicate this malicious software.



Before we talk about polymorphic malware, let’s discuss the ways that we identify malware today. In many cases, the technologies we use to find malware on our networks and on our computers rely on signatures. A signature is a very static piece of information, a specific sequence of bytes or a file hash, and we’re simply looking to see whether it matches what happens to be going across our network, or what happens to be executing on our systems.

If we find a match with one of these signatures, we say that this is probably malware, and we stop it from executing on our computer or remove it from the network. Many malware detection engines use signatures, but they also use a technology called heuristics.

Heuristics are looking for a certain event to occur. They may be looking for a system file to be changed. And if that system file is changed, the heuristics may determine that this executable is malware. In these cases, you don’t even need a signature. You’re simply looking for a particular kind of event to happen.

As you may have guessed, heuristic-based detection requires a number of additional resources. You have to have something in memory or executing to be able to identify what’s happening on a system. And it has to be looking at many things all at the same time. In very large scale implementations and very high speed networks, this becomes almost impossible to do.

Polymorphic malware is designed to take advantage of the weaknesses of signature-based detection. Polymorphic malware changes its appearance every time it is downloaded or replicates. So when one person goes to a website and downloads an executable, and a second person downloads the executable from the same link, they actually receive two different files.

Inside each file is the same attack code; that didn’t change. But everything around the attack code did change. This creates problems for signature-based detection engines, because a signature is looking for one particular sequence of bytes.

Another method malware authors use is to encrypt the attack code, using a different key every time. This means that the attack code on one system has a completely different signature than the attack code on another system, even though it’s exactly the same attack code. Only after decrypting it do we see that it is identical on both systems.

With polymorphic malware, there is still going to be some part of the executable that is exactly the same, very often the routine that decrypts the attack code at run time. Signature detection engines take advantage of this by targeting exactly the piece of the malware that stays the same, regardless of what changes around it. In this way, we can create a single signature that identifies many, many variants of the same malware.
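To make the last few ideas concrete, here is a small Python model, added for this page and not part of the original video or Professor Messer’s material. It builds a toy polymorphic packer that XOR-encrypts a fixed payload under a fresh key and wraps it in random padding, so every "download" is a different file with a different hash; it then shows that a signature taken from one variant’s encrypted bytes misses the others, that a signature on the unchanging decryptor stub hits every variant, and that once each variant is decrypted (as an emulating or memory-scanning engine would do) the payload is identical in all of them. The payload, the stub bytes and the file layout are all constructed for the example; a real packer emits machine code, not ASCII labels.

```python
"""Constructed model of a polymorphic packer and of how signatures fare against it.

Nothing here is real malware: the "payload" and "decryptor stub" are labelled byte
strings standing in for machine code, so the example can be run safely offline.
"""
import hashlib
import random

# Constructed stand-in for the attack code. It is the same in every variant.
PAYLOAD = b"ATTACK-CODE: open system file, overwrite it, spawn shell"

# Constructed stand-in for the decryption routine. A polymorphic engine that only
# re-keys the payload must ship this routine unchanged, which is what a signature
# on the invariant part of the file targets.
DECRYPTOR_STUB = b"\x90\x90DECRYPT-LOOP:xor-each-byte-with-key\xeb\xfe"


def pack(payload: bytes, key: int, junk: bytes) -> bytes:
    """Build one variant: [random junk][stub][1-byte key][2-byte length][ciphertext]."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255; key 0 would leave the payload in the clear")
    ciphertext = bytes(b ^ key for b in payload)
    return junk + DECRYPTOR_STUB + bytes([key]) + len(ciphertext).to_bytes(2, "big") + ciphertext


def unpack(variant: bytes) -> bytes:
    """Do what the stub does at run time: locate itself, read the key, decrypt."""
    i = variant.index(DECRYPTOR_STUB) + len(DECRYPTOR_STUB)
    key = variant[i]
    length = int.from_bytes(variant[i + 1:i + 3], "big")
    ciphertext = variant[i + 3:i + 3 + length]
    return bytes(b ^ key for b in ciphertext)


def make_variants(payload: bytes, n: int, rng: random.Random) -> list:
    """Emulate n downloads of the same malware: fresh key and junk padding each time."""
    keys = rng.sample(range(1, 256), n)  # distinct, non-zero keys
    variants = []
    for key in keys:
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 32)))
        variants.append(pack(payload, key, junk))
    return variants


def scan(files, signature: bytes) -> int:
    """Static signature scan: count files that contain the exact byte sequence."""
    return sum(signature in f for f in files)


def scan_after_unpack(files, signature: bytes) -> int:
    """Scan the payload as it exists after decryption, as a memory or emulation scan would."""
    return sum(signature in unpack(f) for f in files)


def demo(n: int = 5, seed: int = 1) -> dict:
    """Generate n variants and compare the detection strategies described in the text."""
    variants = make_variants(PAYLOAD, n, random.Random(seed))
    ciphertext_sig = variants[0][-16:]  # bytes of the first variant's encrypted payload
    return {
        # every download is a different file
        "distinct_files": len({hashlib.sha256(v).hexdigest() for v in variants}),
        # a signature on the encrypted bytes only ever hits the variant it came from
        "hits_ciphertext_sig": scan(variants, ciphertext_sig),
        # a signature on the invariant decryptor stub hits all of them
        "hits_stub_sig": scan(variants, DECRYPTOR_STUB),
        # after decryption the original attack code is visible in all of them
        "hits_after_unpack": scan_after_unpack(variants, b"ATTACK-CODE"),
        "payloads_identical": len({unpack(v) for v in variants}) == 1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` reports five distinct files, one hit for the ciphertext signature, five hits for the stub signature and five hits after unpacking. The stub signature works only because this toy engine leaves the decryptor alone; if the engine also rewrote the decryptor on every copy, the static approach would need a different invariant, which is why the text falls back to heuristics.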

Ultimately, the only way to identify some polymorphic malware is through heuristics. But, again, that’s difficult to apply at a very wide scale, and it uses more resources inside our systems.