What are Polymorphic Viruses?
A computer virus is malicious code that spreads from one computer to another by attaching a copy of itself to a program file (its host) and then performs unwanted or destructive actions on the system. Some viruses do little more than replicate or display messages; others carry a payload that corrupts programs, deletes files, formats the hard drive, or destroys valuable data.
'Poly' means many and 'morphic' means forms. As the name suggests, a polymorphic virus is a virus that changes its form each time it propagates, in order to evade detection by antivirus software. It is a self-encrypting virus that pairs a mutation engine with self-propagating program code.
A Polymorphic Virus Consists of:
- A decryption routine.
- An encrypted virus body.
- A mutation engine that generates randomized decryption routines.
Both the virus body and the mutation engine are stored encrypted; only the decryption routine is in the clear. When an infected program is executed, the decryption routine gains control, decrypts the virus body and the mutation engine, and transfers control to the virus, which then locates a new program to infect. Because the body is encrypted and the decryption routine itself differs from one infection to the next, a scanner cannot search for a fixed signature or a fixed decryption routine, which is what makes the virus hard to detect.
How a Polymorphic Virus Works:
When antivirus software detects a virus, it records a signature for it (a characteristic byte sequence), and from then on any file matching that signature is blocked automatically. With a polymorphic virus, each mutation keeps the virus's behavior the same while changing its signature and decryption routine, so antivirus software that relies on traditional signature-based detection can no longer find or block the code once those have changed. The infection cycle runs as follows: the virus makes a copy of itself and of its mutation engine; it invokes the mutation engine, which generates a new decryption routine that bears no resemblance to the previous one; it encrypts its body and the mutation engine so that the new routine can decrypt them; and it appends the new decryption routine, the encrypted virus body and the encrypted mutation engine to the program being infected.
How Is Polymorphic Code Generated?
A polymorphic virus carries a mutation engine alongside its code. On every infection the mutation engine produces a fresh, randomized decryption routine, so the bytes of the virus differ from infection to infection even though the decrypted body stays the same. The virus locates a new program to infect and attaches the encrypted copy of its body and mutation engine, preceded by the new decryption routine, to that program. This lets the polymorphic virus spread and damage the system without being detected or blocked by antivirus software that relies on the traditional signature-based approach.
Detection of Polymorphic Viruses
Polymorphic viruses easily fool conventional antivirus software that relies on signature-based detection. They can, however, be caught by newer security technologies that use machine learning and behavior analysis to spot anomalous activity on the system.
- Behavior-based detection: This technique analyzes not only the code but what the program does when it runs, so variants that differ byte for byte but behave the same (for example, by attaching themselves to other programs) are still caught.
- Heuristic scanning: Instead of looking for an exact match to a known threat, this technique looks for components that different threats share, such as code shaped like a decryption loop, and so catches new variants.
- Emulation (generic decryption): The scanner runs the suspected decryption routine in a sandbox and then scans the decrypted virus body, which is the same in every generation. This is the classic answer to polymorphism, at the cost of extra processing per file, which is why it is usually paired with the cheaper checks above.
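The mechanism described in the sections above (decryptor, encrypted body, mutation engine) and the detection techniques listed here, as an added worked example that is not part of the original article and is not code from any real virus or antivirus product. It is a toy simulation in Python: the "virus body" is an inert byte string, the mutation engine builds a random decryptor from a three-instruction toy bytecode (XOR, ADD, rotate, plus junk NOPs) and encrypts the body to match, and three scanners are then run over five generations: a fixed-byte signature taken from the first sample, a heuristic that looks for the shape of a decryption loop, and generic decryption (emulate the decryptor, then hash the body it produces). The constants, function names, the opcode set and the benign sample text are all assumptions of this example.

```python
# Toy simulation of a polymorphic virus and the scanners that do or do not catch it.
# Constructed demo: the "virus body" is an inert byte string, the "decryptor" is a
# two-byte-per-instruction bytecode run by a tiny interpreter; nothing is executed.
import hashlib
import random

BODY = b"DEMO-VIRUS-BODY: locate host; append self; invoke mutation engine"  # inert
NOP, XOR, ADD, ROL = 0, 1, 2, 3         # decryptor opcodes; instruction = (opcode, key)
TERMINATOR = b"\xff\xff"                # ends the decryptor (opcodes are <= 3, so unambiguous)

def transform(b, op, k, decrypt):
    """One decryptor instruction on one byte; decrypt=False is the inverse
    direction the mutation engine uses to encrypt the body."""
    if op == XOR:                       # self-inverse
        return b ^ k
    if op == ADD:                       # encrypt adds k, decrypt subtracts it
        return (b - k) & 0xFF if decrypt else (b + k) & 0xFF
    if op == ROL:                       # encrypt rotates left, decrypt rotates right
        k %= 8
        lhs, rhs = (8 - k, k) if decrypt else (k, 8 - k)
        return ((b << lhs) | (b >> rhs)) & 0xFF
    return b                            # NOP: junk instruction, no effect

def mutate(body, rng):
    """Mutation engine: emit a random decryptor (ops, keys, junk NOPs, length all vary),
    encrypt the body to match it, return decryptor || TERMINATOR || ciphertext."""
    decryptor = []
    for _ in range(rng.randint(2, 5)):
        decryptor.append((rng.choice([XOR, ADD, ROL]), rng.randint(1, 255)))
        if rng.random() < 0.5:
            decryptor.append((NOP, rng.randint(0, 255)))   # junk, differs per generation
    cipher = bytearray()
    for b in body:                      # decryptor runs in order, so encrypt in reverse
        for op, k in reversed(decryptor):
            b = transform(b, op, k, decrypt=False)
        cipher.append(b)
    return b"".join(bytes([op, k]) for op, k in decryptor) + TERMINATOR + bytes(cipher)

def parse_decryptor(sample):
    """Return ((opcode, key) list, offset of encrypted body) or None if no decryptor."""
    end = sample.find(TERMINATOR)
    if end < 0 or end % 2:
        return None
    code = [(sample[i], sample[i + 1]) for i in range(0, end, 2)]
    return (code, end + 2) if all(op <= ROL for op, _ in code) else None

def emulate(sample):
    """Generic decryption: run the decryptor in an interpreter (a sandbox in a real
    scanner) and return the plaintext body, whatever the decryptor looks like."""
    parsed = parse_decryptor(sample)
    if parsed is None:
        return None
    code, start = parsed
    out = bytearray()
    for b in sample[start:]:
        for op, k in code:
            b = transform(b, op, k, decrypt=True)
        out.append(b)
    return bytes(out)

def signature_scan(sample, signature):
    """Traditional signature detection: a fixed byte string taken from one sample."""
    return signature in sample

def heuristic_scan(sample):
    """Heuristic: flag anything that opens with two or more reversible byte
    transforms, i.e. something shaped like a decryption loop."""
    parsed = parse_decryptor(sample)
    return parsed is not None and sum(op != NOP for op, _ in parsed[0]) >= 2

def behavior_scan(sample, known_body_hash):
    """Emulate, then hash what the decryptor produces: the body is identical in every
    generation, so its hash is stable even though the bytes on disk are not."""
    body = emulate(sample)
    return body is not None and hashlib.sha256(body).hexdigest() == known_body_hash

def demo(seed=1, generations=5):
    """Infect `generations` times, then count which scanner catches which sample."""
    rng = random.Random(seed)
    samples = [mutate(BODY, rng) for _ in range(generations)]
    signature = samples[0][:24]         # extracted from the first sample the vendor saw
    body_hash = hashlib.sha256(BODY).hexdigest()
    benign = b"Plain, uninfected program text with no decryption loop in it."  # constructed
    return {
        "distinct_samples": len(set(samples)),
        "signature_hits": sum(signature_scan(s, signature) for s in samples),
        "heuristic_hits": sum(heuristic_scan(s) for s in samples),
        "behavior_hits": sum(behavior_scan(s, body_hash) for s in samples),
        "benign_flagged": any([signature_scan(benign, signature), heuristic_scan(benign),
                               behavior_scan(benign, body_hash)]),
    }

if __name__ == "__main__":
    print(demo())
```

Running it prints a summary in which all five generations are distinct byte strings, the signature matches only the sample it was extracted from, the heuristic and the emulation scanner flag every generation, and none of the three flags the benign text. The design point is in `behavior_scan`: it never compares the bytes on disk, only what the decryptor produces, which is exactly the part of a polymorphic virus that cannot change.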
Examples of Polymorphic Viruses
- Storm Worm
Preventing Polymorphic Virus Infections:
- Do not open links or attachments from suspicious sources.
- Do not download software from unauthorized sources.
- Keep your system and software up to date.
- Change your passwords regularly.
- Use heuristic scanning.
- Keep data backups.
- Use advanced behavior-based detection techniques.