Polymorphic Malware
Polymorphic malware is a type of malware that constantly changes its identifiable features in order to evade detection. Many of the common forms of malware can be polymorphic, including viruses, worms, bots, Trojans and keyloggers. The malware is designed to be unrecognisable to detection methods. Commonly altered characteristics include the file's encryption key, file format, or simply its name.
The malware is widespread. According to research, 97% of malware infections use polymorphic techniques. While this isn't a new trend (the tactic has been used since the 90s), highly aggressive new waves of the malware have emerged recently.
One notorious example of polymorphic malware is CryptoWall, a ransomware strain that encrypts files on the victim's computer and demands a ransom payment in exchange for their decryption. The polymorphic builder used in CryptoWall generates what is essentially a new variant for every potential victim. At its peak in 2016, the FBI estimated that victims had lost a combined total of $18 million.
What is Polymorphism?
Readers who are not from a computing or programming background may well ask what polymorphism actually is. The answer is:
Polymorphism is the ability of an object to take on many forms. The most common use of polymorphism in object-oriented programming occurs when a parent class reference is used to refer to a child class object. Any Java object that can pass more than one IS-A test is considered to be polymorphic.
How does polymorphic malware work?
Polymorphism is used to evade the pattern-matching detection relied on by security solutions such as signature-based antivirus software. While certain characteristics of polymorphic malware change, its functional purpose remains the same. For example, a polymorphic virus will continue to spread and infect devices even if its signature changes to avoid detection. Because each new variant has different characteristics, signature-based detection solutions will not recognise the file as malicious. Even if the new variant is identified and added to antivirus solutions' signature databases, polymorphic malware continues to evolve and carry out attacks without being detected.
For years, the conventional wisdom on malware protection has been to invest in preventative solutions like antivirus, firewalls and IPS. However, these solutions are ineffective against polymorphic malware. The fact that some polymorphic techniques are used in nearly all successful attacks today means that organisations relying on these solutions alone risk leaving themselves open to attack.
Best practices to protect against polymorphic malware:
At present, it is estimated that enterprise information security spend is 90% prevention and 10% detection. To deal with the threat of polymorphic malware this needs to change. Here are a few best practices that businesses can implement:
1. Behaviour-based detection tools:
Because polymorphic malware is engineered to evade detection by traditional antivirus tools, the best solutions for this threat use advanced, behaviour-based detection techniques. These methods track the way that data is accessed and used by employees over a specific period of time, flagging any suspicious activity.
Behaviour-based detection solutions like endpoint detection and response or advanced threat protection can pinpoint threats in real time, before any data is compromised. Behaviour-based malware protection is more effective than traditional signature-based methods, which struggle to deal with polymorphic attacks.
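The following is an added example (not code from the original post) that puts the two ideas side by side: the signature matching that the "How does polymorphic malware work?" section says a re-keyed variant defeats, and the behaviour-based detection this section recommends. Two variants of a constructed, harmless stand-in payload that differ only by key evade both a hash and a byte-pattern signature written for the first one, while a rule over constructed endpoint events flags the ransomware-like file activity of either variant; the event format, action names and paths are assumptions.

```python
import hashlib
from collections import defaultdict
from typing import Iterable, List, Set

# Constructed stand-in for a malicious file body. make_variant() stores the same
# functional content under a different per-variant key, the way the text says a
# polymorphic builder re-keys its payload, so every variant hashes differently.
FUNCTIONAL_BODY = b"SAMPLE-ENCRYPT-USER-FILES-AND-DROP-NOTE"

def make_variant(key: int) -> bytes:
    return bytes(b ^ key for b in FUNCTIONAL_BODY) + bytes([key])

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_hit(data: bytes, known_hashes: Set[str], byte_sigs: Iterable[bytes]) -> bool:
    """Signature-based AV model: exact file hash or a fixed byte pattern."""
    return sha256_hex(data) in known_hashes or any(sig in data for sig in byte_sigs)

def behaviour_hit(events: List[str], min_files: int = 3) -> bool:
    """Behaviour-based model over endpoint events "<pid> <action> <path>" (assumed
    format): flag a process that enumerates a folder, writes encrypted copies of
    several files, deletes the originals and drops a note, whatever its bytes."""
    buckets = {a: defaultdict(set)
               for a in ("enum_dir", "write_encrypted", "delete", "drop_note")}
    for line in events:
        pid, action, path = line.split(" ", 2)
        if action in buckets:
            buckets[action][pid].add(path)
    return any(buckets["enum_dir"][pid] and buckets["drop_note"][pid]
               and len(buckets["write_encrypted"][pid]) >= min_files
               and len(buckets["delete"][pid]) >= min_files
               for pid in list(buckets["delete"]))

DOCS = "C:/Users/alice/Documents"
# Constructed telemetry: every variant of the sample does the same thing on the host.
RANSOM_EVENTS = [f"4242 enum_dir {DOCS}"] + [
    line for name in ("a.docx", "b.xlsx", "c.pdf")
    for line in (f"4242 read {DOCS}/{name}", f"4242 write_encrypted {DOCS}/{name}.locked",
                 f"4242 delete {DOCS}/{name}")] + [f"4242 drop_note {DOCS}/HOW_TO_DECRYPT.txt"]
BENIGN_EVENTS = [f"777 enum_dir {DOCS}", f"777 read {DOCS}/a.docx", f"777 write {DOCS}/a.docx"]

if __name__ == "__main__":
    v1, v2 = make_variant(0x5A), make_variant(0xC3)
    known, sigs = {sha256_hex(v1)}, [v1[:8]]   # signatures written against v1 only
    print("signature on v1/v2:", signature_hit(v1, known, sigs), signature_hit(v2, known, sigs))
    print("behaviour on ransom/benign:", behaviour_hit(RANSOM_EVENTS), behaviour_hit(BENIGN_EVENTS))
```

The signature check catches only the variant it was written for; the behaviour rule fires on the file-activity pattern and ignores the benign process that merely edits one document.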
2. Software updates:
One straightforward way to help prevent malware infections is to keep the various applications and software tools a company uses as up to date as possible. Enterprise software manufacturers like Microsoft, Oracle and Adobe regularly release software updates that contain critical security patches for known vulnerabilities. Running outdated software with known security vulnerabilities leaves a company open to exploits.
All companies, no matter how small, need to adopt a "patch early, patch often" mantra. They also need to regularly review system settings and disable unnecessary services that could leave them vulnerable.
3. Employee awareness of phishing attacks:
Phishing emails or other unsolicited electronic communications can contain malicious links or attachments used to spread malware. Educating end users on how to recognise suspicious links and attachments can help mitigate this common entry vector for malware attacks.
It can be assumed that threat actors and adversaries craft phishing attacks using links to sites on Google, DocuSign, or Outlook365, hoping that an unsuspecting or careless recipient will recognise these names and consequently trust the content of the message. This is one of the more recent advancements in social engineering. Combining it with personalised messages results in a strong spear-phishing strategy. If employees aren't wise to these tactics, there's a high likelihood of infection by any malware, not just polymorphic malware.
4. Strong passwords:
Ensuring that accounts are protected with secure and unique passwords is another best practice for malware protection. Aim to educate end users on secure passwords, and use features like multi-factor authentication or secure password managers.
Even if employees pledge to change just one or two of their passwords each day, they will be improving their personal security. Businesses should also put policies in place to ensure that employees can't use the same password for their personal and professional accounts. They must also ensure that these policies are easy to understand and easy to remember.
A multi-layered security approach which includes behaviour-based security and endpoint detection and response will provide a baseline barrier against polymorphic malware. Combine this with security training for employees, regular patching and strong passwords, and organisations should stay safe from this shape-shifting threat.
Wooww... mind blowing!!
Never knew about this... quite interesting and meaningful stuff with lots of information which can be useful and can prevent cyber attacks.
Thanks a lot for the kind words.
Very well articulated. Good stuff!
Thanks a lot for the appreciation.
Nice and well organised educative article. Keep it on.
Thank you, comments from you all will encourage me more to write stuff like this.