In fact, the core function of most polymorphic malware will almost never change, even though its code or structure might. A working example of this is a keylogging virus which records the keystrokes of a user attempting to authenticate to, or gain authorization for, a private system. The virus’ file name, signature and blocks of code may be noticeably different (usually after a reboot), but the keylogger itself is still a keylogger. Its line of attack is to listen for keystrokes; changing its form to avoid detection simply lets it keep doing so.
How Polymorphic Malware Works
Programming 101 emphasizes that software is nothing more than a written set of instructions. When executed on a computer or device, those instructions carry out the same procedures time and again. To generate polymorphic code, a mutation engine (MtE) must accompany the program. The purpose is usually malicious: the engine produces new routines and hides them behind encryption, so each copy looks different on disk while doing the same thing.
This ability to conceal itself is perhaps where polymorphic malware and stealth viruses meet. As previously mentioned, most endpoint antivirus (AV) apps check program signatures against the entries in their definition databases, marking files as malware when they match a known threat. But anything hidden can be found. The ability to change (and to do so often) is what enables polymorphic malware to keep functioning at the expense of the host device.
Once installed, the malware makes calls to the device’s assembler code, and the mutation engine randomly generates a decryption routine so that the virus can begin spreading across the host environment. The virus is then invoked, and its payload is decrypted to carry out its malicious intent.
Detection and Mitigation
While polymorphism certainly complicates the virus scanning process, keeping an up-to-date antivirus running on your computer is the first step in mitigating adaptive and polymorphic malware. The heuristics in these products make use of past data, which increases their sophistication in threat detection; this is the same foundation on which artificial intelligence and machine learning rest. Though signatures may change, variants that have already been flagged will be kept at bay, preventing them from replicating and inflicting damage.
Also, Runtime Malware Defense (RMD) programs can be used instead of traditional antivirus programs. Rather than examining the signatures of executable files, these programs work at run time, monitoring system activity and flagging processes that appear to act autonomously rather than in response to user actions. RMDs look for behaviours commonly exhibited by malware, such as keylogging, polymorphism and memory consumption.
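The following Python script is an added illustration of the two points above, not code from the original article or from any AV or RMD product: a hash-based signature matches only the exact variant it was written for, while a run-time monitor judges a process by what it does. Both the sample bytes and the event log are constructed, and the log format ("ts pid process event detail"), the event names and the scoring weights are hypothetical choices for this example. The behavioural rules mirror the article's own list: hooking keyboard input, acting without any foreground user input, and a process rewriting its own executable image (the on-disk symptom of polymorphism).

```python
import hashlib
import os
import re
from collections import defaultdict

# --- Part 1: a hash signature matches only the variant it was written for ---
# Constructed sample bytes (not real malware): two "variants" that, in the
# scenario above, behave identically but differ on disk the way copies of a
# polymorphic sample do.
VARIANT_A = b"MZ" + b"\x90" * 16 + b"ROUTINE-ENCODED-1" + b"\x00" * 8
VARIANT_B = b"MZ" + b"\x41\x4b" * 8 + b"ROUTINE-ENCODED-2" + b"\x00" * 8

# The AV "definition database": only variant A has been seen and flagged.
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}


def signature_scan(blob: bytes) -> bool:
    """Return True if the file's SHA-256 is in the definition database."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES


# --- Part 2: a runtime monitor judges what a process does, not what it is ---
# Constructed event log in a hypothetical "ts pid process event detail" format.
EVENTS = r"""
1 100 explorer.exe user_input foreground=yes
2 100 explorer.exe file_write C:\Users\alice\notes.txt
3 200 updater.exe keyboard_hook_installed global=yes
4 200 updater.exe file_write C:\Users\alice\AppData\Local\Temp\k.log
5 200 updater.exe net_send 203.0.113.10:443 bytes=2048
6 200 updater.exe file_write C:\Users\alice\AppData\Roaming\updater.exe
7 300 notepad.exe user_input foreground=yes
8 300 notepad.exe file_write C:\Users\alice\todo.txt
"""

EVENT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_events(text: str) -> list:
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        ts, pid, proc, kind, detail = m.groups()
        events.append({"ts": int(ts), "pid": int(pid), "proc": proc,
                       "kind": kind, "detail": detail})
    return events


def behaviour_scan(events: list, threshold: int = 5) -> dict:
    """Score each process on the behaviours the article names (keylogging,
    acting without user input, self-rewriting) and flag those above threshold."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        proc = evs[0]["proc"]
        kinds = {e["kind"] for e in evs}
        interactive = "user_input" in kinds  # did the user drive this process?
        score, reasons = 0, []

        if "keyboard_hook_installed" in kinds:
            score += 3
            reasons.append("installs a global keyboard hook")
            if not interactive and "file_write" in kinds:
                score += 2
                reasons.append("writes to disk with no foreground user input")
            if "net_send" in kinds:
                score += 2
                reasons.append("sends data over the network after hooking input")

        # A process overwriting its own image is the on-disk symptom of
        # polymorphism: the next copy will not match today's signature.
        for e in evs:
            if e["kind"] == "file_write":
                target = os.path.basename(e["detail"].replace("\\", "/"))
                if target.lower() == proc.lower():
                    score += 3
                    reasons.append("rewrites its own executable image")
                    break

        verdicts[pid] = {"process": proc, "score": score,
                         "reasons": reasons, "flagged": score >= threshold}
    return verdicts


if __name__ == "__main__":
    for name, blob in (("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        hit = "known-bad" if signature_scan(blob) else "no signature match"
        print(f"{name}: {hit}")
    for pid, v in sorted(behaviour_scan(parse_events(EVENTS)).items()):
        flag = "FLAGGED" if v["flagged"] else "ok"
        print(f"pid {pid} {v['process']}: score={v['score']} {flag} {v['reasons']}")
```

Running it shows variant A matching the definition and variant B slipping past it, while the behavioural pass flags pid 200 (hook, unattended disk write, outbound send, self-rewrite) and leaves the two user-driven processes alone. The weights are deliberately additive so that a single noisy signal (a legitimate accessibility tool installing a keyboard hook, say) stays below the threshold on its own.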