Which type of virus tries to avoid detection by modifying parts of the system?

Polymorphic viruses are complex file infectors that create modified versions of themselves to avoid detection while retaining the same basic routines after every infection. To vary their physical file makeup on each infection, polymorphic viruses encrypt their code and use a different encryption key every time.

Polymorphic viruses rely on mutation engines to alter their decryption routines every time they infect a machine. Because the decryptor is not a static, unchanging piece of code, traditional signature-based security solutions may not catch it easily. Complex mutation engines that can generate billions of distinct decryption routines make these viruses even harder to detect.

Polymorphic viruses are usually distributed via spam, infected sites, or other malware. URSNIF, VIRLOCK, VOBFUS, and BAGLE or UPolyX are some of the most notorious polymorphic viruses in existence. When combined with other malicious routines, polymorphic viruses pose an even greater risk to their victims. In March 2015, researchers found that VIRLOCK had evolved to include ransomware routines, making it harder to detect and remove.

Stealth viruses: These viruses use various techniques to avoid detection. They either redirect the disk head to read another sector instead of the one in which they reside, or they alter the file size shown in the directory listing for the infected file. For example, the Whale virus adds 9216 bytes to an infected file and then subtracts the same 9216 bytes from the size reported in the directory listing, so the host file appears unchanged to anyone who only consults the listing.
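The size-concealment trick above, and the check that exposes it, modeled in Python as an added example (this is not code from the page; the in-memory "disk", the hook class, the file names and contents are all constructed stand-ins, and the appended "virus body" is an inert run of zero bytes). The point it demonstrates is that an integrity check routed through the hooked file API is fooled, while a cross-view comparison of the API's answer against a raw read below the hook is not:

```python
"""Toy model of a Whale-style stealth virus and the cross-view check
that exposes it. Added example, not code from the page; the in-memory
'disk', the hook and the file contents are constructed, and the virus
body is an inert run of zero bytes."""
import hashlib

WHALE_DELTA = 9216  # bytes Whale appends to a host and then hides (from the page)


class Disk:
    """Raw storage, i.e. what a sector-level read below the hook sees."""

    def __init__(self, files):
        self.files = dict(files)

    def raw_read(self, name):
        return self.files[name]

    def raw_size(self, name):
        return len(self.files[name])


class StealthHook:
    """Sits between the file API and the disk, like a resident virus that
    intercepts file calls: reports the pre-infection size and returns the
    pre-infection bytes for every file it has infected."""

    def __init__(self, disk, infected):
        self.disk = disk
        self.infected = set(infected)

    def size(self, name):          # what a directory listing shows
        n = self.disk.raw_size(name)
        return n - WHALE_DELTA if name in self.infected else n

    def read(self, name):          # what a normal file read returns
        data = self.disk.raw_read(name)
        return data[:-WHALE_DELTA] if name in self.infected else data


def infect(disk, name):
    """Append an inert placeholder body, as the virus appends itself."""
    disk.files[name] = disk.files[name] + b"\x00" * WHALE_DELTA


def naive_scan(hook, baseline_hashes):
    """Integrity check routed through the hooked API: compare SHA-256 of each
    file as read via the hook against a known-good baseline. Returns the
    names that differ (none, when the hook is lying consistently)."""
    return sorted(name for name, h in baseline_hashes.items()
                  if hashlib.sha256(hook.read(name)).hexdigest() != h)


def cross_view_scan(hook, disk):
    """Compare the API view with the raw view. Any size mismatch means
    something between the API and the disk is lying; returns {name: delta}."""
    return {name: disk.raw_size(name) - hook.size(name)
            for name in disk.files
            if disk.raw_size(name) != hook.size(name)}


def demo():
    """Build a constructed two-file disk, infect one file, run both scans."""
    files = {"CLEAN.COM": b"\xc3" * 100, "HOST.COM": b"\x90" * 300 + b"\xc3"}
    baseline = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    disk = Disk(files)
    infect(disk, "HOST.COM")
    hook = StealthHook(disk, {"HOST.COM"})
    return {
        "listed_size": hook.size("HOST.COM"),       # 301: looks untouched
        "raw_size": disk.raw_size("HOST.COM"),      # 301 + 9216
        "naive": naive_scan(hook, baseline),         # []: fooled by the hook
        "cross_view": cross_view_scan(hook, disk),   # {'HOST.COM': 9216}
    }


if __name__ == "__main__":
    print(demo())
```

The same idea is what real-world rootkit detectors do when they compare a file listing obtained through the operating system API with one read from the volume directly, or with a listing taken after booting from clean media: the resident hook can only lie to callers that go through it.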

What is Polymorphic Malware? A Definition and Best Practices for Defending Against Polymorphic Malware

by Nate Lord on Friday July 17, 2020


Learn about polymorphic malware and how to protect against this threat in Data Protection 101, our series on the fundamentals of information security.

Definition of Polymorphic Malware

Polymorphic malware is a type of malware that constantly changes its identifiable features in order to evade detection. Many of the common forms of malware can be polymorphic, including viruses, worms, bots, trojans, and keyloggers. Polymorphic techniques involve frequently changing identifiable characteristics such as file names and types or encryption keys to make the malware unrecognizable to many detection techniques.

Polymorphism is used to evade the pattern-matching detection that security solutions such as antivirus software rely on. While certain characteristics of polymorphic malware change, its functional purpose remains the same: a polymorphic virus continues to spread and infect devices even as its signature changes. Because each change produces a new signature, signature-based detection does not recognize the file as malicious. Even when a new signature is identified and added to the antivirus signature database, the malware can change again and carry on undetected.
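The cycle described above (same functional body, different bytes each generation, signature lagging behind) modeled in Python as an added example. This is not code from the page or from Digital Guardian: the payload string, the three "decryptor" stubs and the container layout are constructed stand-ins that never execute. It shows why a byte signature taken from one sample misses the next sample, while hashing the body after undoing the encryption, which is what an emulator or generic unpacker does, catches every generation:

```python
"""Toy model of polymorphic encoding and why a byte signature fails.

Added example, not code from the page or from any named product.
The payload, decryptor stubs and container layout are constructed
stand-ins; nothing here executes and nothing here is real malware.
"""
import hashlib
import os

# Constructed stand-in for the invariant body every generation carries.
PAYLOAD = b"REPLICATE-AND-INFECT-ROUTINE-v1"

# Functionally equivalent decryptor stubs (constructed). A mutation engine
# picks one per infection so the decryptor bytes vary as well as the body.
DECRYPTOR_VARIANTS = [
    b"\x90\x90LOOP:XOR",      # nop padding before the loop
    b"LOOP:XOR\x90\x90\x90",  # same loop, padding after
    b"PUSH;LOOP:XOR;POP",     # junk push/pop wrapped around the loop
]

MAGIC = b"PM\x01"  # constructed container header


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def generate_variant(payload: bytes = PAYLOAD, rng=os.urandom) -> bytes:
    """One 'infection': MAGIC | len(decryptor) | decryptor | 4-byte key | body.
    A fresh random key each time yields a different ciphertext and decryptor."""
    key = rng(4)
    decryptor = DECRYPTOR_VARIANTS[key[0] % len(DECRYPTOR_VARIANTS)]
    return MAGIC + bytes([len(decryptor)]) + decryptor + key + xor_bytes(payload, key)


def parse_variant(sample: bytes):
    """Split a sample into (decryptor, key, encrypted body)."""
    if sample[:3] != MAGIC:
        raise ValueError("not a variant")
    n = sample[3]
    return sample[4:4 + n], sample[4 + n:8 + n], sample[8 + n:]


def signature_match(sample: bytes, signature: bytes) -> bool:
    """Static detection: true only if the exact signature bytes appear."""
    return signature in sample


def unpacked_body_hash(sample: bytes) -> str:
    """What an emulator or generic unpacker does: run the decryptor
    (here, apply the key) and hash the plaintext that results."""
    _, key, body = parse_variant(sample)
    return hashlib.sha256(xor_bytes(body, key)).hexdigest()


KNOWN_BODY_HASH = hashlib.sha256(PAYLOAD).hexdigest()


def detection_rates(n: int = 200, rng=os.urandom):
    """Return (static_hits, unpacked_hits) over n fresh variants, where the
    static signature is 16 bytes of the first variant's encrypted body."""
    _, _, first_body = parse_variant(generate_variant(rng=rng))
    signature = first_body[:16]
    static = unpacked = 0
    for _ in range(n):
        sample = generate_variant(rng=rng)
        static += signature_match(sample, signature)
        unpacked += unpacked_body_hash(sample) == KNOWN_BODY_HASH
    return static, unpacked


if __name__ == "__main__":
    print(detection_rates())
```

With a random key the static count stays at zero for any practical number of generations, while the unpacked count equals the number of samples; passing a fixed `rng` makes every generation identical and the static signature then matches all of them, which is exactly the non-polymorphic case a signature was designed for.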

Examples of Polymorphic Malware

Webroot researchers have found that 97% of malware infections employ polymorphic techniques. While some of these tactics have been around since the 1990s, a new wave of aggressive polymorphic malware has emerged over the past decade. Some high profile examples of polymorphic malware include:

  • Storm Worm Email: The infamous spam email sent in 2007 with the subject “230 dead as storm batters Europe” was, at one point, responsible for as much as 8% of all global malware infections. When the message’s attachment was opened, the malware installed the wincom32 service and a trojan onto the recipient’s computer, turning it into a bot. One reason the Storm Worm was so hard to detect with traditional antivirus software was that its malicious code morphed roughly every 30 minutes.
  • CryptoWall Ransomware: CryptoWall is a polymorphic ransomware strain that encrypts files on the victim’s computer and demands a ransom payment for their decryption. The polymorphic builder used in CryptoWall produces what is essentially a new variant for every potential victim.

The Threat Posed by Polymorphic Malware

Many malware strains now have polymorphic capabilities, which renders traditional signature-based antivirus ineffective at detecting and stopping them before compromise. For years, the conventional wisdom on malware protection has been to invest in preventative solutions such as antivirus, firewalls and IPS. To the extent that these controls depend on static signatures, however, they do not stop polymorphic malware. Since polymorphic techniques appear in nearly all successful attacks today, a company that relies on these solutions alone is leaving itself open to attack.

At present, Gartner estimates that enterprise infosec spend is 90% prevention and 10% detection. However, there are certain limitations with this prevention-centered approach and, especially in the case of polymorphic malware, many prevention controls are failing to stop malicious activities.

Best Practices for Protecting Against Polymorphic Malware

Protecting against polymorphic malware requires a layered approach to enterprise security combining people, processes, and technology. There are a number of best practices companies should follow for polymorphic malware protection, ranging from general best practices for malware protection to specialty solutions for behavior-based detection. Here are a few key tips for protecting against polymorphic malware:

What type of virus can hide itself to avoid detection?

The stealth virus can also avoid detection by concealing the size of the file it has infected.

Which of the following viruses attempts to avoid detection by modifying parts of the system that could be used to detect it: armored, source code, tunneling, or stealth?

Stealth virus: It is a tricky virus because it modifies the parts of the system (such as the disk-read and directory-listing routines) that would otherwise reveal it, so detecting it becomes very difficult.

Which of these virus uses techniques to avoid detection?

Stealth viruses: These viruses use various techniques to avoid detection.

Which virus can change its code to avoid detection?

Polymorphic viruses modify their own code. The virus replicates and encrypts itself, changing its code just enough to evade detection by antivirus programs.