metamorphic and polymorphic malware

Metamorphic and polymorphic malware are two categories of malicious software programs (malware) that have the ability to change their code as they propagate.

Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one. The code changes make it difficult for signature-based antivirus software programs to recognize that the different iterations are the same malicious program.

In spite of the continual changes to its code, each iteration of metamorphic malware functions the same way. The longer the malware stays on a computer, the more iterations it produces and the more sophisticated those iterations become, making it increasingly hard for antivirus applications to detect, quarantine and disinfect it.

Polymorphic malware also makes changes to code to avoid detection. It has two parts, but one part remains the same with each iteration, which makes the malware a little easier to identify.

For example, a polymorphic virus might have a virus decryption routine (VDR) and an encrypted virus program body (EVB). When an infected application launches, the VDR decrypts the encrypted virus body back to its original form so the virus can perform its intended function. Once executed, the virus is re-encrypted and added to another vulnerable host application. Because the virus body is not altered, it provides a kind of complex signature that can be detected by sophisticated antivirus programs.

In another example, a new key might be randomly generated with each copy to change the appearance of the encrypted virus body -- but the virus decryption routine would remain constant. In either scenario, it is the static part of the code that makes it possible for an antivirus program to identify the presence of malware.
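To make the two examples above concrete, here is an added illustration (not from the original page) of why the static part survives as a signature. It uses a constructed stand-in for a polymorphic sample: an assumed constant decryptor stub followed by a placeholder body XOR-encrypted under a per-copy random key; a whole-file hash changes with every copy, a byte pattern on the constant stub still matches, and emulating the stub (the idea behind generic decryption scanning) recovers the unchanged body.

```python
import hashlib
import secrets

# Constructed illustration only: arbitrary bytes standing in for a constant
# virus decryption routine (VDR) and for the virus body. Not real malware code.
DECRYPTOR_STUB = b"\x8b\x1d\x00\x10\x40\x00\x31\xd8"      # assumed constant VDR
PAYLOAD_BODY = b"CONSTRUCTED-PLACEHOLDER-BODY-" * 2      # stand-in for the EVB plaintext


def make_sample(key: int) -> bytes:
    """Build one 'copy': constant stub, 1-byte key, body XORed with that key.

    Re-keying changes every byte of the encrypted body but not the stub.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    encrypted = bytes(b ^ key for b in PAYLOAD_BODY)
    return DECRYPTOR_STUB + bytes([key]) + encrypted


def hash_signature(sample: bytes) -> str:
    """Whole-file hash: the kind of signature that re-keying defeats."""
    return hashlib.sha256(sample).hexdigest()


def stub_signature_matches(sample: bytes, stub: bytes = DECRYPTOR_STUB) -> bool:
    """Byte-pattern signature on the constant decryptor: survives re-keying."""
    return stub in sample


def decrypt_body(sample: bytes, stub_len: int = len(DECRYPTOR_STUB)) -> bytes:
    """What a generic-decryption/emulation scanner recovers by 'running' the stub,
    exposing the unchanged body as a second, more robust signature."""
    key = sample[stub_len]
    return bytes(b ^ key for b in sample[stub_len + 1:])


if __name__ == "__main__":
    copies = [make_sample(secrets.randbelow(255) + 1) for _ in range(3)]
    print("distinct file hashes:", len({hash_signature(c) for c in copies}))
    print("stub pattern hits:   ", sum(stub_signature_matches(c) for c in copies))
    print("bodies identical:    ", all(decrypt_body(c) == PAYLOAD_BODY for c in copies))
```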

Metamorphic malware is considered to be more difficult to write than polymorphic malware. The author may use multiple transformation techniques, including register renaming, code permutation, code expansion, code shrinking and garbage code insertion. Consequently, advanced techniques such as generic decryption scanning, negative heuristic analysis, emulation and access to virtualization technologies are required for detection.

See also: advanced evasion technique (AET)

This was last updated in October 2010
