
Metamorphic/polymorphic Malware

I have a profound appreciation for life science. The intricate workings of cells often draw parallels in my mind to the functionality of motherboards. The buses within cells, akin to the cytoplasm, facilitate the transfer of organic materials through chains of proteins, much like the buses on a motherboard transferring bits of information. The resemblance between biological and computer systems extends further. Polymorphic/metamorphic malware operates in a manner reminiscent of biological viruses. Similar to viruses undergoing mutations for DNA scrambling or adopting new features, metamorphic malware alters its code structure. Interestingly, both typically require a host to perform these functions — viruses for creating new strains and metamorphic malware for concealing itself amid anti-malware scans.

Anti-virus/anti-malware companies continually identify new malware families and derive signatures from their code patterns, which are stored in databases. When the antivirus (AV) scans a file whose bytes match a stored signature, it flags the file before it can execute. Polymorphic and metamorphic malware evade this process by altering segments of their code from one copy to the next, so no single stored pattern matches every copy and signature-based detection becomes ineffective. This has made polymorphic/metamorphic code the norm: 90% of modern malware employs the technique. The shift has significantly impacted malware detection and is a concern for users and businesses that rely on internet-based systems. Malware attacks result in an average of 16 days of downtime, leading to denial of service (DoS), data breaches, and financial losses. Over four years (2019-2023), ransomware, a type of malware that encrypts user data and demands a ransom, has seen a 100% increase in the asking price for the decryption key. These challenges underscore the ongoing battle between hackers and cybersecurity professionals.

While polymorphic/metamorphic malware has existed for years, originating on 32-bit Windows operating systems, the techniques have grown far more complex. Early on, malware simply encrypted its body to hide it, a tactic antivirus software defeated by writing signatures for the decryptor, which had to remain in plain form so that it could run. The advent of oligomorphic malware, using polymorphic engines, marked a significant evolution. However, the engines had limitations, and antivirus solutions adapted to them and blocked execution of the variants they produced.


The limitations of polymorphic engines became a significant hurdle for malware developers. Win32/Apparition broke away from reliance on these engines, a development highlighted by Microsoft security intelligence in late 2006. Subsequent techniques diverged, giving rise to malware families categorized as either polymorphic or metamorphic.

Polymorphic malware, less intricate than its metamorphic counterpart, is often detected successfully by antivirus software. Most of its code remains unchanged from one copy to the next: only a specific portion is re-encrypted under a new key, so the parts that stay constant still give a scanner something to match. While this is manageable for antivirus software, metamorphic malware takes the process several steps further.
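As an added illustration (not from the original post), the following Python models the point above with constructed byte data: a polymorphic sample whose body is re-encoded under a fresh key each generation while its decryptor stub stays constant. The stub bytes, body bytes and one-byte XOR scheme are hypothetical stand-ins; nothing here is executed, only scanned.

```python
# Constructed stand-ins (byte data only; nothing executes):
# a decryptor stub assumed to stay constant across copies, and a plain body
# that each copy carries XOR-encoded under its own one-byte key.
DECRYPTOR_STUB = b"STUB:xor-loop;"          # hypothetical invariant decryptor bytes
BODY = b"constructed-body-pattern-0001"    # hypothetical plain body

def make_variant(key: int) -> bytes:
    """One 'generation' of a polymorphic sample: stub + key byte + XORed body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return DECRYPTOR_STUB + bytes([key]) + bytes(b ^ key for b in BODY)

def signature_hit(sample: bytes, signature: bytes) -> bool:
    """Naive signature scan: is the fixed byte pattern present anywhere?"""
    return signature in sample

def recover_body(sample: bytes) -> bytes:
    """What an AV does when it 'focuses on the decryptor': recognise the stub,
    read the key the sample carries, and undo the XOR so the body can be scanned."""
    if not sample.startswith(DECRYPTOR_STUB):
        raise ValueError("no known decryptor stub")
    key = sample[len(DECRYPTOR_STUB)]
    return bytes(b ^ key for b in sample[len(DECRYPTOR_STUB) + 1:])

def count_hits(keys, signature: bytes, emulate: bool = False) -> int:
    """How many variants a fixed signature catches, with or without
    emulating the decryptor first."""
    hits = 0
    for k in keys:
        sample = make_variant(k)
        target = recover_body(sample) if emulate else sample
        hits += signature_hit(target, signature)
    return hits

if __name__ == "__main__":
    keys = range(1, 21)   # twenty generations, twenty different keys
    print("body signature, raw scan:     ", count_hits(keys, BODY[:12]))         # 0
    print("decryptor-stub signature:     ", count_hits(keys, DECRYPTOR_STUB))    # 20
    print("body signature after emulate: ", count_hits(keys, BODY[:12], True))  # 20
```

The body signature misses every re-keyed copy, while a signature on the unchanging stub, or a scan of the body after emulating the stub's decryption, catches all of them.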


Metamorphic malware transforms its entire code body through several processes. Obfuscation, changing or masking code so that it is unreadable to humans while the program's behavior is preserved, is a common one. Legitimate developers use obfuscation to hinder reverse engineering of their software, and metamorphic malware borrows the same technique. Dead code insertion, adding blocks of code that never affect the program's result, is another common strategy; it deliberately adds complexity and makes the code harder to comprehend. The combination of obfuscation and dead code insertion renders reverse engineering nearly impossible.

Where do we go from here? Metamorphic malware has rendered standard signature-based detection methods ineffective. To address this, modern AV employs new methods, such as geometric detection, which analyzes patterns within encrypted code. Another approach is behavior detection, where the malware is run in a sandbox and its malicious activities are observed. However, some malware can detect that it is running inside a sandbox or on a network-isolated system that would prevent it from spreading, and behaves benignly there. Cybersecurity professionals and malware developers are locked in a perpetual battle. Developing innovative methods to identify these complex programs may give security professionals an advantage in today's cyber world.