written by: Mark Muller • edited by: Bill Bunter • updated: 6/22/2010
Polymorphic viruses are viruses which insert dummy code and use encryption to avoid detection. Here is what you need to know about the obfuscation techniques polymorphic viruses use. After reading this article you will understand why behavior-based virus detection matters.
A computer virus is a piece of code that can replicate itself, for instance by attaching itself to other digital files. Apart from this self-replication, which can occur in a variety of ways, a virus usually carries a payload in the form of malicious code or bad jokes. The better a virus avoids detection, the more successful it is for the virus writer. Polymorphism is an obfuscation strategy a virus writer applies to make detection more difficult.
Top anti-virus software combines heuristics, that is behavior-based malware detection, with signature files containing "fingerprints" of known viruses. Those fingerprints are strings of code characteristic of a virus or a virus family. To make virus analysis and detection more difficult, malware writers are known to insert random code or encrypt their viruses for obfuscation. Inserting dummy code or employing different encryption schemes produces a virus of a different form and fingerprint, which by definition is a polymorphic virus (Greek: many forms).
Inserting dummy code into an unencrypted virus does not achieve much obfuscation, and it does not take antivirus vendors long to add a fingerprint of an encrypted virus to their signature database either. So adversaries change the form of a virus by encrypting the very same virus with different encryption algorithms, which produces polymorphic viruses. For any virus code there can therefore be many polymorphic variants which share the same code but differ in the encrypted executable.
Polymorphism therefore makes detection harder in proportion to the number of encryption keys used. However, since encryption produces high entropy in a data stream, encryption also automatically raises a flag. If you are interested in more information on entropy-based malware detection, check out Bright Hub's review of Mandiant Red Curtain.
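As an added illustration (not code from the original article), the Python below shows the two points above side by side: a fixed signature stops matching once the same body is re-encrypted under a different key, while a per-byte entropy check flags every encrypted copy. The sample body, the signature substring and the seeded keystream cipher are all constructed for this example.

```python
import math
import random

# Constructed stand-in for a virus body: harmless text, repeated so the
# sample is long enough for a meaningful entropy estimate.
SAMPLE_BODY = (b"constructed stand-in for a virus body; the scanner looks for "
               b"a characteristic substring of it. ") * 60

# The "fingerprint" a signature scanner would carry: a substring of the body.
SIGNATURE = b"characteristic substring"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypt_variant(body: bytes, key_seed: int) -> bytes:
    """XOR the body with a seeded keystream; each seed yields a different
    'form' of the same body (a toy model of re-encrypting with a new key)."""
    rng = random.Random(key_seed)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(body)))
    return bytes(a ^ k for a, k in zip(body, keystream))


def signature_match(data: bytes) -> bool:
    """Classic signature scan: does the known fingerprint occur verbatim?"""
    return SIGNATURE in data


def entropy_flag(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: flag streams that look encrypted or packed."""
    return shannon_entropy(data) >= threshold


def scan_report(variants: int = 3) -> dict:
    """Scan the plain body and several encrypted variants of it."""
    report = {"plain": (signature_match(SAMPLE_BODY), entropy_flag(SAMPLE_BODY))}
    for seed in range(variants):
        v = encrypt_variant(SAMPLE_BODY, seed)
        report[f"variant{seed}"] = (signature_match(v), entropy_flag(v))
    return report


if __name__ == "__main__":
    for name, (sig, ent) in scan_report().items():
        print(f"{name:9s} signature={sig!s:5s} entropy_flag={ent}")
```

The plain body matches the signature and stays well under the entropy threshold; every encrypted variant misses the signature and trips the entropy check, which is exactly the trade-off the paragraph above describes.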
More sophisticated forms of polymorphic viruses employ multiple encryption schemes and/or insert random dummy code. Some writers of malicious software even use random number generators in their polymorphic viruses, thereby crossing the bridge to mutation. In my opinion it is particularly because of polymorphic viruses that there are so many 0-day attacks in the wild, so as a best practice an anti-virus / anti-malware strategy including backups is crucial. A good place to start is a capable antivirus program such as Webroot AntiVirus with AntiSpyware.