Imagine having a key that changes shape to fit any lock you might encounter. That is essentially what malware authors have at their disposal with advanced polymorphic malware, and it is a real headache for MSPs tasked with stopping it or, better yet, keeping it from infecting customers’ networks in the first place. After all, polymorphic malware can corrupt the Windows registry or act as a Trojan that turns a computer into a bot.
Polymorphic viruses, which change their byte signature to evade antivirus scanners, have been around since 1990, when the 1260 virus appeared on the scene. It used a rudimentary technique: inserting “garbage” instructions so that each copy differed in its bytes, and even in its size, leaving scanners no fixed pattern to match.
Polymorphic viruses have been mutating and “improving” ever since. We are now in the era of “advanced polymorphic viruses” or, as some call it, “aggressive polymorphism”: malware that often cannot be detected until it has already done its damage or delivered its payload.
Smarter MSP caught up with some of the top advanced polymorphic experts about the structure and future of polymorphic viruses.
Moving beyond random mutation
Dr. Kevin Hamlen is an associate professor of computer science at the University of Texas-Dallas. Hamlen has researched and written papers about polymorphic viruses.
Polymorphism itself is relatively common, Hamlen says, an assertion backed up by Webroot, which estimates that 97 percent of viruses now employ some element of polymorphism.
“What distinguishes advanced polymorphic threats from non-advanced ones is the level of sophistication of the polymorphism. Most malware polymorphism is pretty rudimentary. It just randomly mutates in hopes of evading detection,” Hamlen says.
But more advanced polymorphic malware is quite different.
“It intelligently learns how a targeted defense detects polymorphism and then automatically crafts a self-mutation specifically designed to defeat that defense,” Hamlen explains. He says such malware is extremely difficult to combat because as the defense gets smarter, the malware actually gets smarter too.
Hamlen recommends that MSPs adopt multi-layered defenses that combine static malware detection with behavioral anomaly detection. Such defenses, he says, conservatively assume that some advanced threats will get past the outer layers and reach the network. Sensors inside the network can then detect usage anomalies “indicative of beaconing, secret exfiltration, lateral movements, etc., to catch and contain the threat after penetration,” Hamlen says.
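As an added illustration of the kind of inside-the-network sensor Hamlen describes (example code written for this article, not from Hamlen’s research or any vendor product), the script below flags beaconing: repeated outbound connections from one host to one destination at near-constant intervals, which is how an implant typically checks in with its command-and-control server. The log format, hosts, addresses and thresholds are all constructed for the example.

```python
"""Beacon detection over outbound-connection logs: an inside-the-network
behavioral sensor of the kind the article describes. Added example; the log
format, addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_ip:port> <bytes_out>".
# 10.0.0.5 calls 203.0.113.10 roughly once a minute with a few seconds of
# jitter (beacon-like); 10.0.0.7 talks to 198.51.100.5 at human, irregular gaps.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10:443 612
2024-03-01T09:01:01 10.0.0.5 203.0.113.10:443 598
2024-03-01T09:01:59 10.0.0.5 203.0.113.10:443 604
2024-03-01T09:03:02 10.0.0.5 203.0.113.10:443 611
2024-03-01T09:04:00 10.0.0.5 203.0.113.10:443 607
2024-03-01T09:04:58 10.0.0.5 203.0.113.10:443 600
2024-03-01T09:06:01 10.0.0.5 203.0.113.10:443 615
2024-03-01T09:07:00 10.0.0.5 203.0.113.10:443 603
2024-03-01T09:00:12 10.0.0.7 198.51.100.5:443 14200
2024-03-01T09:00:40 10.0.0.7 198.51.100.5:443 3800
2024-03-01T09:03:55 10.0.0.7 198.51.100.5:443 9100
2024-03-01T09:04:02 10.0.0.7 198.51.100.5:443 22000
2024-03-01T09:09:30 10.0.0.7 198.51.100.5:443 1200
2024-03-01T09:15:07 10.0.0.7 198.51.100.5:443 7700
2024-03-01T09:15:09 10.0.0.7 198.51.100.5:443 40100
2024-03-01T09:22:48 10.0.0.7 198.51.100.5:443 2600
"""

MIN_EVENTS = 6   # fewer connections give an unreliable period estimate (assumed)
MAX_CV = 0.2     # coefficient of variation of the gaps; beacons are regular (assumed)


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (src, dst) and sort each group."""
    flows: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows


def interval_stats(times: List[datetime]) -> Tuple[float, float]:
    """Mean gap between consecutive connections and its coefficient of
    variation (stdev / mean). Needs at least two timestamps."""
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    mu = mean(gaps)
    if mu == 0:                      # every connection shares one timestamp
        return 0.0, float("inf")
    return mu, pstdev(gaps) / mu


def find_beacons(text: str) -> List[Dict[str, object]]:
    """Return (src, dst) pairs whose connection cadence is suspiciously regular."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < MIN_EVENTS:
            continue
        period, cv = interval_stats(times)
        if cv < MAX_CV:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period_s']}s over {hit['count']} connections (cv={hit['cv']})")
```

Two caveats a practitioner would add before running this on real flow data: legitimate pollers (update checks, NTP, monitoring agents) also call home on a fixed schedule, so known destinations need an allowlist; and, as Hamlen warns, the malware adapts to the defense, so an implant that randomizes its sleep interval will push the coefficient of variation above any fixed threshold. That is why this sensor is one layer among several, not a verdict on its own.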
Less than effective antivirus programs
Dr. Vijay Naidu, a professor at the Auckland University of Technology in New Zealand, has studied advanced polymorphic malware and finds interesting parallels between malware and the biological processes it mimics. Naidu shared some of his findings and thoughts with Smarter MSP. He said that many of the most popular and most recent antivirus programs are not completely effective at stopping and weeding out advanced polymorphics, which means an infection often has to occur before a solution can be found.
“Our investigations from previous work illustrate that the modern state-of-the-art antiviruses (AVSs), such as Microsoft, ESET, Symantec, Bitdefender, etc., cannot successfully and totally identify the known existing variants of three well-known polymorphic viruses, not to mention the unknown future (new) variants,” Naidu says. The viruses they tested against were all five to 11 years old. So security companies will have to keep playing cat-and-mouse with malware authors to stay a step ahead. Right now, they are a step behind.
Metamorphic malware
Dr. Naidu shared some other thoughts and findings with Smarter MSP:
What is advanced polymorphic malware?
“Advanced polymorphic malware is basically metamorphic malware. That is, metamorphic malware is an advanced variant of polymorphic malware, where the internal structure of the body or payload is transformed. Metamorphic malware is occasionally referred to as ‘body polymorphic’ because the body looks different after decryption from previous variants. For instance, registers, variable names, and instructions can be changed. For well-structured metamorphic malware, encryption isn’t essential, or even necessary.”
Are antiviral programs on the market now effective against advanced polymorphics?
“One of the main problems for AVSs is that polymorphic techniques that change the order of the malware code can evade signatures that assume a constant left-to-right ordering in malware code variants…. Some very old and well-known viruses still evade modern AVSs because their variants adopt simple code sequence changes that cannot be identified by the latest signatures.”
Are algorithms the answer?
“A key development in syntactic approaches has been adoption of string-based algorithms in bioinformatics for identifying structural matches in malware code. Such algorithms do not just look for the presence or absence of characters in specific positions but also manipulate the strings to allow for insertion of characters to expand the number of matching characters. Importantly, the results of such string manipulation are a set of equal length strings from an initial set of variable length strings.”
Are there parallels between the virtual polymorphic viruses and real ones?
“There has been a similar malware that adopts biological processes and is known as Transcriptase. Biological sequences (amino acid/nucleotide) transform from one form to another through mutation. In biology, material metamorphosis does occur. For example, shape memory polymers have the potential to metamorphose back to their parent structure when heated. Metamorphic computer malware (that is, advanced polymorphic malware), on the other hand, has the potential to alter its structure by itself from one variant to another, but typically avoids producing variants that are very similar to their parent structure. In line with our research work, a similar assumption is made between metamorphic malware altering their code/structure with transformations/mutations in the hex dump sequences (malware body) and biological sequences.”
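To make two of Naidu’s points concrete (the register renaming and junk insertion that defeat a fixed signature, and the string algorithm that inserts characters so two variable-length hex dumps come out as equal-length strings), here is an added Python example written for this article; it is not Naidu’s code and does not reproduce his experiments. The two byte strings are constructed x86 fragments, not real malware: a parent variant and a child in which one register was renamed and NOP-style junk bytes were inserted. The text does not name the bioinformatics algorithm, so global alignment with the Needleman-Wunsch algorithm and the match/mismatch/gap scores below are assumptions.

```python
"""Why a fixed byte signature misses a metamorphic variant, and how sequence
alignment (a bioinformatics string algorithm) still recovers the match.
Added example for this article; the byte strings below are constructed
x86 fragments, not real malware."""
from typing import Dict, List, Tuple

# Parent variant: xor eax,eax; mov eax,1; push eax; mov ecx,10; call ...; ret
PARENT = bytes.fromhex("31c0b80100000050b90a000000e810000000c3")
# Child variant: same logic with eax renamed to ebx (31db, bb.., 53) and five
# junk NOPs (90) inserted, so the eight-byte signature no longer occurs contiguously.
CHILD = bytes.fromhex("31db90bb010000009090539090b90a000000e810000000c3")
# A classic signature: the first eight bytes of the parent's prologue.
SIGNATURE = bytes.fromhex("31c0b80100000050")

MATCH, MISMATCH, GAP = 2, -1, -2   # alignment scoring (assumed values)
GAP_TOKEN = "--"                   # stands in for a byte opposite an inserted gap


def signature_match(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static AV-style check: does a fixed byte string occur at any offset?"""
    return signature in blob


def hex_tokens(blob: bytes) -> List[str]:
    """One two-character token per byte, i.e. a hex dump as a string sequence."""
    return [f"{b:02x}" for b in blob]


def needleman_wunsch(a: List[str], b: List[str]) -> Tuple[List[str], List[str], int]:
    """Global alignment: inserts gaps so both sequences come out equal length
    with the maximum alignment score. Returns (aligned_a, aligned_b, score)."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP
    for j in range(1, m + 1):
        score[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,   # pair a[i-1] with b[j-1]
                              score[i - 1][j] + GAP,       # gap opposite a[i-1]
                              score[i][j - 1] + GAP)       # gap opposite b[j-1]
    # Trace back from the bottom-right cell, preferring substitutions over gaps.
    out_a, out_b = [], []
    i, j = n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            if score[i][j] == score[i - 1][j - 1] + sub:
                out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + GAP:
            out_a.append(a[i - 1]); out_b.append(GAP_TOKEN); i -= 1
        else:
            out_a.append(GAP_TOKEN); out_b.append(b[j - 1]); j -= 1
    out_a.reverse(); out_b.reverse()
    return out_a, out_b, score[n][m]


def identity(aligned_a: List[str], aligned_b: List[str]) -> float:
    """Fraction of aligned positions holding the same byte in both variants."""
    same = sum(1 for x, y in zip(aligned_a, aligned_b) if x == y and x != GAP_TOKEN)
    return same / len(aligned_a)


def compare_variants(parent: bytes, child: bytes) -> Dict[str, object]:
    """Run the static check and the alignment on a parent/child pair."""
    al_p, al_c, score = needleman_wunsch(hex_tokens(parent), hex_tokens(child))
    return {
        "signature_hits_parent": signature_match(parent),
        "signature_hits_child": signature_match(child),
        "aligned_length": len(al_p),      # equal for both sequences, by construction
        "score": score,
        "identity": round(identity(al_p, al_c), 3),
        "aligned_parent": " ".join(al_p),
        "aligned_child": " ".join(al_c),
    }


if __name__ == "__main__":
    for key, value in compare_variants(PARENT, CHILD).items():
        print(f"{key}: {value}")
```

The signature fires on the parent and silently misses the child even though the child does the same thing. The alignment, by contrast, pads the shorter dump with gap tokens until both strings have the same length and reports roughly two thirds of positions identical, which is the kind of structural similarity a syntactic approach can act on. The flip side is cost: this dynamic-programming alignment is quadratic in the length of the two dumps, so in practice it is applied to candidate regions rather than whole binaries.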
So the key takeaway is that more work needs to be done to adapt to aggressive polymorphism. The shape of what is to come is not clear, because that shape is constantly changing, and that presents a real challenge for MSPs.
Photo: Kateryna Kon/Shutterstock.com
Hello Kevin,
I found all of your posts very useful and I was wondering if there is a way for us to share it on our blog?
I would cite it accordingly and give you and the SmarterMSP the credit.
Please, let me know if there are any restrictions for us to publish it on our website.
Thank you,
Ana
Hi Anastasiia,
We’re glad to hear you’re finding Kevin’s posts so useful! Unfortunately, search engines are likely to penalize both sites if you republish the article on your website because they would view it as duplicate content. If you have an email newsletter for your customers, a better option would be to include a short summary of the article in the newsletter with a link to the article on Smarter MSP. Hope that’s helpful! (And I know Kevin appreciates your kind words!)